An Anomaly Behavior Analysis Methodology for the Internet of Things: Design, Analysis, and Evaluation

Pacheco Ramirez, Jesus Horacio, Pacheco Ramirez, Jesus Horacio

January 2017

Advances in mobile and pervasive computing, social network technologies and the exponential growth in Internet applications and services will lead to the development of the Internet of Things (IoT). The IoT services will be a key enabling technology to the development of smart infrastructures that will revolutionize the way we do business, manage critical services, and how we secure, protect, and entertain ourselves. Large-scale IoT applications, such as critical infrastructures (e.g., smart grid, smart transportation, smart buildings, etc.) are distributed systems, characterized by interdependence, cooperation, competition, and adaptation. The integration of IoT premises with sensors, actuators, and control devices allows smart infrastructures to achieve reliable and efficient operations, and to significantly reduce operational costs. However, with the use of IoT, we are experiencing grand challenges to secure and protect such advanced information services due to the significant increase in the attack surface. The interconnections between a growing number of devices expose the vulnerability of IoT applications to attackers. Even devices which are intended to operate in isolation are sometimes connected to the Internet due to careless configuration or to satisfy special needs (e.g., they need to be remotely managed). The security challenge consists of identifying accurately IoT devices, promptly detect vulnerabilities and exploitations of IoT devices, and stop or mitigate the impact of cyberattacks. An Intrusion Detection System (IDS) is in charge of monitoring the behavior of protected systems and is looking for malicious activities or policy violations in order to produce reports to a management station or even perform proactive countermeasures against the detected threat. Anomaly behavior detection is a technique that aims at creating models for the normal behavior of the network and detects any significant deviation from normal operations. With the ability to detect new and novel attacks, the anomaly detection is a promising IDS technique that is actively pursued by researchers. Since each IoT application has its own specification, it is hard to develop a single IDS which works properly for all IoT layers. A better approach is to design customized intrusion detection engines for different layers and then aggregate the analysis results from these engines. On the other hand, it would be cumbersome and takes a lot of effort and knowledge to manually extract the specification of each system. So it will be appropriate to formulate our methodology based on machine learning techniques which can be applied to produce efficient detection engines for different IoT applications. In this dissertation we aim at formalizing a general methodology to perform anomaly behavior analysis for IoT. We first introduce our IoT architecture for smart infrastructures that consists of four layers: end nodes (devices), communications, services, and application. Then we show our multilayer IoT security framework and IoT architecture that consists of five planes: function specification or model plane, attack surface plane, impact plane, mitigation plane, and priority plane. We then present a methodology to develop a general threat model in order to recognize the vulnerabilities in each layer and the possible countermeasures that can be deployed to mitigate their exploitation. In this scope, we show how to develop and deploy an anomaly behavior analysis based intrusion detection system (ABA-IDS) to detect anomalies that might be triggered by attacks against devices, protocols, information or services in our IoT framework. We have evaluated our approach by launching several cyberattacks (e.g. Sensor Impersonation, Replay, and Flooding attacks) against our testbeds developed at the University of Arizona Center for Cloud and Autonomic Computing. The results show that our approach can be used to deploy effective security mechanisms to protect the normal operations of smart infrastructures integrated to the IoT. Moreover, our approach can detect known and unknown attacks against IoT with high detection rate and low false alarms.

Abnormal Behavior Analysis

Autonomic Computing

Cybersecurity

Internet of Things

Security Framework

Threat Model

A Formal Approach to Combining Prospective and Retrospective Security

Amir-Mohammadian, Sepehr

01 January 2017

The major goal of this dissertation is to enhance software security by provably correct enforcement of in-depth policies. In-depth security policies allude to heterogeneous specification of security strategies that are required to be followed before and after sensitive operations. Prospective security is the enforcement of security, or detection of security violations before the execution of sensitive operations, e.g., in authorization, authentication and information flow. Retrospective security refers to security checks after the execution of sensitive operations, which is accomplished through accountability and deterrence. Retrospective security frameworks are built upon auditing in order to provide sufficient evidence to hold users accountable for their actions and potentially support other remediation actions. Correctness and efficiency of audit logs play significant roles in reaching the accountability goals that are required by retrospective, and consequently, in-depth security policies. This dissertation addresses correct audit logging in a formal framework. Leveraging retrospective controls beside the existing prospective measures enhances security in numerous applications. This dissertation focuses on two major application spaces for in-depth enforcement. The first is to enhance prospective security through surveillance and accountability. For example, authorization mechanisms could be improved by guaranteed retrospective checks in environments where there is a high cost of access denial, e.g., healthcare systems. The second application space is the amelioration of potentially flawed prospective measures through retrospective checks. For instance, erroneous implementations of input sanitization methods expose vulnerabilities in taint analysis tools that enforce direct flow of data integrity policies. In this regard, we propose an in-depth enforcement framework to mitigate such problems. We also propose a general semantic notion of explicit flow of information integrity in a high-level language with sanitization. This dissertation studies the ways by which prospective and retrospective security could be enforced uniformly in a provably correct manner to handle security challenges in legacy systems. Provable correctness of our results relies on the formal Programming Languages-based approach that we have taken in order to provide software security assurance. Moreover, this dissertation includes the implementation of such in-depth enforcement mechanisms for a medical records web application.

Break the glass policies

Cybersecurity

Integrity

Prospective security

Retrospective security

Taint analysis

Computer Sciences

Lightweight Environment for Cyber Security Education

Oliparambil Shanmughan, Vivek

09 August 2017

The use of physical systems and Virtual Machines has become inefficient and expensive for creating tailored, hands-on exercises for providing cyber security training. The main purpose of this project is to directly address these issues faced in cyber security education with the help of Docker containers. Using Docker, a lightweight and automated platform was developed for creating, sharing, and managing hands-on exercises. With the help of orchestration tools, this platform provides a centralized point to monitor and control the systems and exercises with a high degree of automation. In a classroom/lab environment, this infrastructure enables instructors and students not only to share exercises but also helps create and deploy exercises more easily. By streamlining the end to end delivery and deployment of the exercises, instructors can now efficiently make use of the class/lab hours in educating the students rather than performing system administration tasks.

Information Security

Social Cybersecurity: Reshaping Security Through An Empirical Understanding of Human Social Behavior

Das, Sauvik

01 May 2017

Despite substantial effort made by the usable security community at facilitating the use of recommended security systems and behaviors, much security advice is ignored and many security systems are underutilized. I argue that this disconnect can partially be explained by the fact that security behaviors have myriad unaccounted for social consequences. For example, by using two-factor authentication, one might be perceived as “paranoid”. By encrypting an e-mail correspondence, one might be perceived as having something to hide. Yet, to date, little theoretical work in usable security has applied theory from social psychology to understand how these social consequences affect people’s security behaviors. Likewise, little systems work in usable security has taken social factors into consideration. To bridge these gaps in literature and practice, I begin to build a theory of social cybersecurity and apply those theoretical insights to create systems that encourage better cybersecurity behaviors. First, through a series of interviews, surveys and a large-scale analysis of how security tools diffuse through the social networks of 1.5 million Facebook users, I empirically model how social influences affect the adoption of security behaviors and systems. In so doing, I provide some of the first direct evidence that security behaviors are strongly driven by social influence, and that the design of a security system strongly influences its potential for social spread. Specifically, security systems that are more observable, inclusive, and stewarded are positively affected by social influence, while those that are not are negatively affected by social influence. Based on these empirical results, I put forth two prescriptions: (i) creating socially grounded interface “nudges” that encourage better cybersecurity behaviors, and (ii) designing new, more socially intelligent end-user facing security systems. As an example of a social “nudge”, I designed a notification that informs Facebook users that their friends use optional security systems to protect their own accounts. In an experimental evaluation with 50,000 Facebook users, I found that this social notification was significantly more effective than a non-social control notification at attracting clicks to improve account security and in motivating the adoption of promoted, optional security tools. As an example of a socially intelligent cybersecurity system, I designed Thumprint: an inclusive authentication system that authenticates and identifies individual group members of a small, local group through a single, shared secret knock. Through my evaluations, I found that Thumprint is resilient to casual but motivated adversaries and that it can reliably differentiate multiple group members who share the same secret knock. Taken together, these systems point towards a future of socially intelligent cybersecurity that encourages better security behaviors. I conclude with a set of descriptive and prescriptive takeaways, as well as a set of open problems for future work. Concretely, this thesis provides the following contributions: (i) an initial theory of social cybersecurity, developed from both observational and experimental work, that explains how social influences affect security behaviors; (ii) a set of design recommendations for creating socially intelligent security systems that encourage better cybersecurity behaviors; (iii) the design, implementation and comprehensive evaluation of two such systems that leverage these design recommendations; and (iv) a reflection on how the insights uncovered in this work can be utilized alongside broader design considerations in HCI, security and design to create an infrastructure of useful, usable and socially intelligent cybersecurity systems.

Cybersecurity

Usable Privacy and Security

Social Psychology

HCI

Data Science

Ubiquitous Computing

PERCEPTIONS OF PURPLE TEAMS AMONG CYBERSECURITY PROFESSIONALS

Siddharth Chowdhury (6613439)

15 May 2019

With constant technological advancements, the attacks against existing infrastructure is constantly increasing and causing more damage. The current Red and Blue team approach to cybersecurity assessments is used to test the effectiveness of security defenses and in identifying vulnerabilities before they are exploited. Due to a lack of collaboration and inherently contradicting natures of these teams, the credibility of audits is impacted. While this has led to the synergistic and collaborative Purple team, it is important to understand how cybersecurity professionals perceive this new concept and its function. Analyzing perceptions of self-reported cybersecurity professionals via an online survey showed most believed Purple teams were beneficial and should be created from and collaborate with Red and Blue teams. However, past Red team experience was negatively linked to perceived benefit. Those who had more years of experience or had been on Red teams were more likely to believe Purple teams may have ownership or learning issues. Furthermore, professionals identified active managerial involvement and project clarity as critical success factors for Purple teams. Alongside these, management could help find the right skillset, provide resources, and offer active direction in order to avoid issues and maximize outcomes. Based on assessment relevance, a collaborative agreed-upon methodology for Red, Blue, and Purple teams was provided.

Computer System Security

Innovation and Technology Management

purple team

cybersecurity

red team

blue team

perception

methodology

assessment

The importance of risk awareness in cybersecurity among companies : A perspective on the role of top management

Stefanska, Beata, Al-Dawod, Fatimah Laura

January 2021

Background: Today´s world is characterized by a high level of digitalization that contributes to the development of new and effective technologies. However, this digital success requires knowledge and awareness about cybersecurity. Previous studies have shown that during 2020 the number of cyber-attacks among Swedish companies have increased. Due to digitalization, external parties find new methods to enter a company's systems and take advantage of its innovations and valuable information. That can affect the company's value negatively by ruining its reputation and making the stakeholders mistrust it. Purpose: The purpose of the study is to contribute to an increased understanding of strategic leadership´s influence on cyber risk awareness. Methodology: This study follows a qualitative research method. The data have been conducted through semi-structured interviews, based on 11 respondents consisting of experts whose professional background is anchored in cybersecurity. The research process follows an abductive approach. Conclusion: This study concludes that the current state of cyber risk awareness is not sufficient although it is increasing. Risk awareness is dependent on knowledge and organizational culture. This study concludes that the top management has a significant role in the influence of organizational culture and knowledge and thereby the risk awareness of a company, which in turn has an impact ontheir cybersecurity. It is the responsibility of the top management to delegate tasks that enhance riskawareness. Therefore, cyber risk awareness is to be treated as a top management issue. As a contribution, the study provides an insight on how humans, in this case, the top managementinfluences a company's cybersecurity through risk awareness.

Risk awareness

top management

the tone from the top

cybersecurity

knowledge

organizational culture

Business Administration

Företagsekonomi

Kriminologické aspekty kybernetické kriminality / Criminological aspects of cybercrime

Gemeri, Peter

January 2021

Criminological aspects of cybercrime Abstract (EN) This thesis is a study of specific aspects of cybercrime in regards to banking and non- banking financial institutions in Czech republic. By comparing results of third-party analytical resources and own findings obtained by strategically performed interviews with personnel in leading positions in cyber-security careers, the thesis describes causes and results of cyber-attacks and related preventive measures with emphasis on their respective place and priority in the cybersecurity policy of the organization. The main finding is that the biggest risk to the organization seems to be its own employees. That is why the entity cannot simply trust in the security of its perimeter by protecting only its border, but has to also consider its internal part. An equally important finding is the fact that mechanisms for the prevention of cybercrime take a large number of non-mutually exclusive forms, and in order to maintain the highest possible level of security, it is appropriate to layer these measures into complex units. Keywords Cybercrime, cybersecurity, criminology, financial organizations, cybercrime prevention

Context-Awareness for Adversarial and Defensive Machine Learning Methods in Cybersecurity

Quintal, Kyle

14 August 2020

Machine Learning has shown great promise when combined with large volumes of historical data and produces great results when combined with contextual properties. In the world of the Internet of Things, the extraction of information regarding context, or contextual information, is increasingly prominent with scientific advances. Combining such advancements with artificial intelligence is one of the themes in this thesis. Particularly, there are two major areas of interest: context-aware attacker modelling and context-aware defensive methods. Both areas use authentication methods to either infiltrate or protect digital systems. After a brief introduction in chapter 1, chapter 2 discusses the current extracted contextual information within cybersecurity studies, and how machine learning accomplishes a variety of cybersecurity goals. Chapter 3 introduces an attacker injection model, championing the adversarial methods. Then, chapter 4 extracts contextual data and provides an intelligent machine learning technique to mitigate anomalous behaviours. Chapter 5 explores the feasibility of adopting a similar defensive methodology in the cyber-physical domain, and future directions are presented in chapter 6. Particularly, we begin this thesis by explaining the need for further improvements in cybersecurity using contextual information and discuss its feasibility, now that ubiquitous sensors exist in our everyday lives. These sensors often show a high correlation with user identity in surprising combinations. Our first contribution lay within the domain of Mobile CrowdSensing (MCS). Despite its benefits, MCS requires proper security solutions to prevent various attacks, notably injection attacks. Our smart-injection model, SINAM, monitors data traffic in an online-learning manner, simulating an injection model with undetection rates of 99%. SINAM leverages contextual similarities within a given sensing campaign to mimic anomalous injections. On the flip-side, we investigate how contextual features can be utilized to improve authentication methods in an enterprise context. Also motivated by the emergence of omnipresent mobile devices, we expand the Spatio-temporal features of unfolding contexts by introducing three contextual metrics: document shareability, document valuation, and user cooperation. These metrics are vetted against modern machine learning techniques and achieved an average of 87% successful authentication attempts. Our third contribution aims to further improve such results but introducing a Smart Enterprise Access Control (SEAC) technique. Combining the new contextual metrics with SEAC achieved an authenticity precision of 99% and a recall of 97%. Finally, the last contribution is an introductory study on risk analysis and mitigation using context. Here, cyber-physical coupling metrics are created to extract a precise representation of unfolding contexts in the medical field. The presented consensus algorithm achieves initial system conveniences and security ratings of 88% and 97% with these news metrics. Even as a feasibility study, physical context extraction shows good promise in improving cybersecurity decisions. In short, machine learning is a powerful tool when coupled with contextual data and is applicable across many industries. Our contributions show how the engineering of contextual features, adversarial and defensive methods can produce applicable solutions in cybersecurity, despite minor shortcomings.

Continuous Authentication

Machine Learning

Cybersecurity

Artificial Intelligence

Online Learning

Feature Engineering

Context Awareness

Adversarial Methods

Zvýšení bezpečnosti nasazením SIEM systému v prostředí malého poskytovatele internetu / Security Enhancement Deploying SIEM in a Small ISP Environment

Bělousov, Petr

January 2019

Diplomová práce se zaměřuje na zvýšení bezpečnosti v prostředí malého poskytovatele internetu nasazením SIEM systému. Dostupné systémy jsou porovnány a zhodnoceny v souladu s požadavky zadávající firmy. Projekt nasazení systému SIEM je navržen, implementován a zhodnocen v souladu s unikátním prostředím firmy.

Bezpečnostní cvičení pro etický hacking / Security exercises for ethical hacking

Paučo, Daniel

January 2020

This master thesis deals with penetration testing and ethical hacking. Regarding to the layout of the thesis there was prepared appropiate enviroment to realize Red/Blue team exercise, where Red team is in a role of the attacker and Blue team is in a role of defender of the network infrastructure. Whole infrastructure is implemented in a cloud virtual enviroment of VMware vSphere. Second part of the thesis consists of preparation and creation of the exercise to test web application security. Third part of the thesis is dedicating to the automatization of redteaming. Main focus of this master thesis is to demonstrate different attack vectors how to attack the network infrastructure and web applications and use of the defense mechanisms to avoid this kinds of attacks.