21

GAINING MONITORING CAPABILITIES AND INSIGHTS INTO RESPONSES FROM PHISHING DATA

Raqab, Alah 09 July 2014 (has links)
No description available.
22

Detection of advanced persistent threat using machine-learning correlation analysis

Ghafir, Ibrahim, Hammoudeh, M., Prenosil, V., Han, L., Hegarty, R., Rabie, K., Aparicio-Navarro, F.J. 24 January 2020 (has links)
As one of the most serious types of cyber attack, Advanced Persistent Threats (APT) have caused major concerns on a global scale. APT refers to a persistent, multi-stage attack with the intention to compromise the system and gain information from the targeted system, which has the potential to cause significant damage and substantial financial loss. The accurate detection and prediction of APT is an ongoing challenge. This work proposes a novel machine learning-based system entitled MLAPT, which can accurately and rapidly detect and predict APT attacks in a systematic way. The MLAPT runs through three main phases: (1) Threat detection, in which eight methods have been developed to detect different techniques used during the various APT steps. The implementation and validation of these methods with real traffic is a significant contribution to the current body of research; (2) Alert correlation, in which a correlation framework is designed to link the outputs of the detection methods, aiming to identify alerts that could be related and belong to a single APT scenario; and (3) Attack prediction, in which a machine learning-based prediction module is proposed based on the correlation framework output, to be used by the network security team to determine the probability of the early alerts developing into a complete APT attack. MLAPT is experimentally evaluated and the presented system is able to predict APT in its early steps with a prediction accuracy of 84.8%.
23

BotDet: a system for real time Botnet command and control traffic detection

Ghafir, Ibrahim, Prenosil, V., Hammoudeh, M., Baker, T., Jabbar, S., Khalid, S., Jaf, S. 24 January 2020 (has links)
Over the past decade, the digitization of services transformed the healthcare sector, leading to a sharp rise in cybersecurity threats. Poor cybersecurity in the healthcare sector, coupled with the high value of patient records, attracted the attention of hackers. Sophisticated advanced persistent threats and malware have significantly contributed to increasing risks to the health sector. Many recent attacks are attributed to the spread of malicious software, e.g., ransomware or bot malware. Machines infected with bot malware can be used as tools for remote attack or even cryptomining. This paper presents a novel approach, called BotDet, for botnet Command and Control (C&C) traffic detection to defend against malware attacks in critical infrastructure systems. There are two stages in the development of the proposed system: 1) we have developed four detection modules to detect different possible techniques used in botnet C&C communications and 2) we have designed a correlation framework to reduce the rate of false alarms raised by individual detection modules. Evaluation results show that BotDet balances the true positive rate and the false positive rate with 82.3% and 13.6%, respectively. Furthermore, it proves BotDet's capability of real time detection.
24

Cyber Threat Intelligence from Honeypot Data using Elasticsearch

Al-Mohannadi, Hamad, Awan, Irfan U., Al Hamar, J., Cullen, Andrea J., Disso, Jules P., Armitage, Lorna 18 May 2018 (has links)
Cyber attacks are increasing in every aspect of daily life. There are a number of different technologies around to tackle cyber-attacks, such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), firewalls, switches, routers etc., which are active round the clock. These systems generate alerts and prevent cyber attacks. This is not a straightforward solution however, as IDSs generate a huge volume of alerts that may or may not be accurate: potentially resulting in a large number of false positives. In most cases therefore, these alerts are too many in number to handle. In addition, it is impossible to prevent cyber-attacks simply by using tools. Instead, it requires greater intelligence in order to fully understand an adversary's motive by analysing various types of Indicator of Compromise (IoC). Also, it is important for the IT employees to have enough knowledge to identify true positive attacks and act according to the incident response process. In this paper, we have proposed a new threat intelligence technique which is evaluated by analysing honeypot log data to identify behaviour of attackers to find attack patterns. To achieve this goal, we have deployed a honeypot on an AWS cloud to collect cyber incident log data. The log data is analysed by using Elasticsearch technology, namely an ELK (Elasticsearch, Logstash and Kibana) stack.
25

Malware Analysis using Profile Hidden Markov Models and Intrusion Detection in a Stream Learning Setting

Saradha, R January 2014 (has links) (PDF)
In the last decade, a lot of machine learning and data mining based approaches have been used in the areas of intrusion detection, malware detection and classification, and also traffic analysis. In the area of malware analysis, static binary analysis techniques have become increasingly difficult with the code obfuscation methods and code packing employed when writing the malware. Behavior-based analysis techniques are being used in large malware analysis systems for this reason. In prior art, a number of clustering and classification techniques have been used to classify malware into families and also to identify new malware families from the behavior reports. In this thesis, we have analysed in detail the use of Profile Hidden Markov models for the problem of malware classification and clustering. The advantage of building accurate models with limited examples is very helpful in early detection and modeling of malware families. The thesis also revisits the learning setting of an Intrusion Detection System that employs machine learning for identifying attacks and normal traffic. It substantiates the suitability of the incremental learning setting (or stream-based learning setting) for the problem of learning attack patterns in IDS, when large volumes of data arrive in a stream. Related to the above problem, an elaborate survey of the IDS that use data mining and machine learning was done. Experimental evaluation and comparison show that in terms of speed and accuracy, the stream-based algorithms perform very well as large volumes of data are presented for classification as attack or non-attack patterns. The possibilities for using stream algorithms in different problems in security are elucidated in the conclusion.
26

Web-based prototype for protecting controllers from existing cyber-attacks in an industrial control system / Web-based prototype for protecting control systems from common cyber attacks in an industrial control system

Sanyang, Pa January 2020 (has links)
An industrial control system, or ICS, is a critical part of the infrastructure in society. Examples of ICS are rail networks or energy plants like nuclear plants. SCADA is an ICS system following a hierarchical structure. Because a control system can be very large, monitoring it remotely through networks is an effective way to do so. But because of digitalization, ICS or SCADA systems are vulnerable to cyber attacks that can hijack or intercept network traffic or deny legitimate users services. SCADA protocols (e.g. Modbus, DNP3) that are prone to attacks due to not being secure protocols make a SCADA system even more vulnerable to attacks. The paper focuses on how to best protect the network traffic between an HMI as the client and a different controller as the server from attacks. The proposed solution, the prototype, is based on the reverse proxy server setup to protect controllers from the external network traffic. Only the reverse proxy server, or gateway server, can forward a client request to the intended controller. The gateway server, a web-based solution, will be the additional security layer that encrypts the payload in the application layer using TLS version 1.2 via the HTTPS protocol, thereby protecting against the usual security threats. The prototype went through penetration testing of MITM (based on ARP poisoning), SYN flooding and slow HTTP POST attacks. The result indicated that the prototype was vulnerable to SYN flooding and that the network traffic was intercepted by the MITM. But from the Confidentiality-Integrity-Availability (C.I.A) criteria, the prototype did uphold integrity and confidentiality due to the TLS security and successful mitigation of certain attacks. The results and suggestions on how to improve the gateway server security were discussed, including that the testing was not comprehensive but that the result is still valuable.
In conclusion, more testing in the future would most likely showcase different results, but that will only mean improving the security of the gateway server, the network that the client and gateway server run in, and the physical security of the location where the client and gateway server are located. / Industrial Control Systems (ICS) are a critical part of the infrastructure in society. Examples of ICS are rail networks or energy plants such as nuclear power plants. SCADA is an ICS system that follows a hierarchical structure. Since a control system can cover large areas, remote monitoring and remote control over networks is an effective way to do so. But because of digitalization, ICS or SCADA systems are vulnerable to cyber attacks that can hijack network traffic or deny legitimate users access to certain services. SCADA protocols (e.g. Modbus, DNP3) that are prone to attacks because they are not secure protocols make SCADA systems even more vulnerable to attacks. The thesis focuses mainly on how best to protect the network traffic between an HMI as the client and another controller as the server from attacks. The proposed solution, the prototype, is based on how a reverse proxy server is set up to protect controllers from the external network traffic. Only the reverse proxy server, or gateway server, can forward a request from a client to the intended controller. The gateway server, a web-based solution, will be the additional security layer that encrypts the payload in the application layer with TLS version 1.2 using the HTTPS protocol, thereby protecting against the most common security threats that seek to read and manipulate protected information. The prototype underwent penetration testing of MITM (based on ARP poisoning), SYN flooding and slow HTTP POST attacks. The result indicated that the prototype was vulnerable to SYN flooding and that the network traffic was intercepted through MITM.
But based on the C.I.A criteria (Confidentiality, Integrity and Availability), the prototype upheld integrity and confidentiality thanks to the security protocol TLSv1.2 and the successful mitigation of certain attacks. The results and suggestions on how to improve the prototype were discussed, including that the testing was not comprehensive but that the result is still valuable. In summary, more tests in the future would likely show a completely different result, but that would only mean improving the security of the gateway server, the network in which the client and gateway server run, and the physical security of the location where the client and gateway server are located.
27

The Rise of China's Hacking Culture: Defining Chinese Hackers

Howlett, William, IV 01 June 2016 (has links)
China has been home to some of the most prominent hackers and hacker groups of the global community throughout the last decade. In the last ten years, countless attacks globally have been linked to the People's Republic of China (PRC) or those operating within the PRC. This exploration attempts to investigate the story, ideology, institutions, actions, and motivations of the Chinese hackers collectively, as sub-groups, and as individuals. I will do this using sources ranging from basic news coverage, interviews with experts and industry veterans, secondary reportage, leaked documents from government and private sources, government white papers, legal codes, blogs and microblogs, a wide array of materials from the darker corners of the online world, and many other materials. The work will begin to sketch for the reader some of the general and specific aspects of the shadowy world of cybercrime and hacker culture in China in recent years. One of the most prevalent beliefs is that the Chinese government is in fact the one responsible, whether directly or by sponsorship, for cyber-attacks on foreign systems. My careful analysis has revealed this is not always the case, or at least more complex than simply labeling the group as a state actor. At the root of these attacks is a social movement of "hacktivists," a patriotic sub-culture of Chinese hackers. It is incorrect to allege that all attacks are performed by state-sponsored individuals or groups, because there are many individuals and groups that are motivated by other factors.
28

Impact of mobile botnet on long term evolution networks: a distributed denial of service attack perspective

Kitana, Asem 31 March 2021 (has links)
In recent years, the advent of Long Term Evolution (LTE) technology as a prominent component of 4G networks and future 5G networks has paved the way for fast and new mobile web access and application services. With these advantages come some security concerns in terms of attacks that can be launched on such networks. This thesis focuses on the impact of the mobile botnet on LTE networks by implementing a mobile botnet architecture that initiates a Distributed Denial of Service (DDoS) attack. First, in the quest of understanding the mobile botnet behavior, a correlation between the mobile botnet impact and different mobile device mobility models is established, leading to the study of the impact of random patterns versus uniform patterns of movement on the mobile botnet's behavior under a DDoS attack. Second, the impact of two base transceiver station selection mechanisms on a mobile botnet launching a DDoS attack on an LTE network is studied, the goal being to derive the effect on the attack severity of the mobile botnet. Third, an epidemic SMS-based cellular botnet that uses an epidemic command and control mechanism to initiate a short message service (SMS) phishing attack is proposed, and its threat impact is studied and simulated using three random graph models. The simulation results obtained reveal that (1) in terms of users' mobility patterns, the impact of the mobile botnet behavior under a DDoS attack on a victim web server is more pronounced when an asymmetric mobility model is considered compared to a symmetric mobility model; (2) in terms of base transceiver station selection mechanisms, the Distance-Based Model mechanism yields a higher threat impact on the victim server compared to the Signal Power Based Model mechanism; and (3) under the Erdős-Rényi topology, the proposed epidemic SMS-based cellular botnet is shown to be resistant and resilient to random and selective cellular device failures.
29

Honeypot study of threats targeting critical infrastructure / Honeypot study of cyber threats targeting critical infrastructure

Alberto Scola, Carlo January 2023 (has links)
Honeypots are systems with the intent of gathering information about potential threats and, at the same time, shifting part of the attention away from the real targets. In industrial control system environments, honeypots play a significant role and can lead to further threat study while distracting potential attackers away from critical physical systems. Low-interaction honeypots are emulated systems that try to recreate a real environment by simulating applications and protocols. These types of honeypots still need improvements to be efficient, and during this thesis work the focus has been on the Conpot open-source ICS honeypot. Due to their nature, low-interaction honeypots are less appealing to potential attackers than high-interaction honeypots, since they do not provide the same level of realism and can be more easily discovered. Earlier works showed ways to increase the ability to attract more visitors, and an improved setup of Conpot has been evaluated. Its results have been analyzed and compared with the default installation. Several advancements have been implemented as well as custom features and working functionalities, such as a customized industrial system design, improved logging, and a web API proxy. The goal of this work is to answer the investigated hypothesis, which consists in finding out if an improved version of the low-interaction honeypot can yield more significant results. By evaluating the network traffic received, the outcome has been insightful and showcased a distinct improvement over the original version of the honeypot. The ICS protocols displayed a more considerable number of interactions along with an increased amount of attacks. In conclusion, further development of the Conpot honeypot is desirable, which would largely improve its performance and practicality in real-world deployments. / Honeypots are systems intended to gather information about potential threats while at the same time diverting attention from the real targets.
In industrial control system environments, honeypots play an important role and can lead to further threat studies while distracting potential attackers from important physical systems. Low-interaction honeypots are emulated systems that try to recreate real environments by simulating applications and protocols. These types of honeypots still need improvements to be effective, and during this thesis work the focus has been on the Conpot open-source ICS honeypot. Because of design limitations, low-interaction honeypots are less appealing to potential attackers than high-interaction honeypots. Earlier works have shown ways to increase the ability to attract more visitors, and an improved installation of Conpot has been evaluated and its results analysed and compared with the default installation. Several advancements have been implemented as well as custom features and working functionalities, such as a customized industrial system design, improved logging and a web API proxy. The goal of this work is to answer the investigated hypothesis, which is to find out whether an improved version of the low-interaction honeypot can yield more significant results. By evaluating the received network traffic, the outcome has been insightful and showed a large improvement over the original version of the honeypot. The ICS protocols showed a greater number of interactions together with an increased number of attacks. In summary, further development of the Conpot honeypot is desirable, which would considerably improve its performance and practical use in the real world.
30

EVALUATING CRYSTAL FRAMEWORK IN PRACTICE

Mertala, Victor, Christopher, Nordin January 2024 (has links)
Cyber-physical systems (CPSs) are used in several industries, such as healthcare, automotive, manufacturing, and more. The fact that CPSs often contain components integrated via communication networks means that malicious actors can exploit vulnerabilities in these components through cyber attacks. CRYSTAL Framework has been shown in previous research to be able to detect cyber attacks on CPSs. However, this has only been proven in simulation. Our research builds upon this previous research as we aim to prove that CRYSTAL Framework is a viable method for monitoring real systems to detect abnormal behaviours. The Tiny Twin is an abstract behavioral model that defines the normal running behaviour of a system, which can then be used to compare against the current state of a monitored system to detect possible attacks and abnormal behaviours. We built a monitor that integrates such a Tiny Twin, working by passively listening on the input and output of components in a monitored system. We designed and implemented two different scenarios, a security alarm system and a temperature control system (TCS), to test the CRYSTAL Framework. In testing both implemented scenarios our monitor successfully detected all but one attack during runtime by comparing the system's current state with the expected state as defined in the Tiny Twin.
