PROACTIVE VULNERABILITY IDENTIFICATION AND DEFENSE CONSTRUCTION -- THE CASE FOR CAN

Khaled Serag Alsharif (8384187)

25 July 2023

<p>The progressive integration of microcontrollers into various domains has transformed traditional mechanical systems into modern cyber-physical systems. However, the beginning of this transformation predated the era of hyper-interconnectedness that characterizes our contemporary world. As such, the principles and visions guiding the design choices of this transformation had not accounted for many of today's security challenges. Many designers had envisioned their systems to operate in an air-gapped-like fashion where few security threats loom. However, with the hyper-connectivity of today's world, many CPS find themselves in uncharted territory for which they are unprepared.</p> <p><br></p> <p>An example of this evolution is the Controller Area Network (CAN). CAN emerged during the transformation of many mechanical systems into cyber-physical systems as a pivotal communication standard, reducing vehicle wiring and enabling efficient data exchange. CAN's features, including noise resistance, decentralization, error handling, and fault confinement mechanisms, made it a widely adopted communication medium not only in transportation but also in diverse applications such as factories, elevators, medical equipment, avionic systems, and naval applications.</p> <p><br></p> <p>The increasing connectivity of modern vehicles through CD players, USB sticks, Bluetooth, and WiFi access has exposed CAN systems to unprecedented security challenges and highlighted the need to bolster their security posture. This dissertation addresses the urgent need to enhance the security of modern cyber-physical systems in the face of emerging threats by proposing a proactive vulnerability identification and defense construction approach and applying it to CAN as a lucid case study. By adopting this proactive approach, vulnerabilities can be systematically identified, and robust defense mechanisms can be constructed to safeguard the resilience of CAN systems.</p> <p><br></p> <p>We focus on developing vulnerability scanning techniques and innovative defense system designs tailored for CAN systems. By systematically identifying vulnerabilities before they are discovered and exploited by external actors, we minimize the risks associated with cyber-attacks, ensuring the longevity and reliability of CAN systems. Furthermore, the defense mechanisms proposed in this research overcome the limitations of existing solutions, providing holistic protection against CAN threats while considering its performance requirements and operational conditions.</p> <p><br></p> <p>It is important to emphasize that while this dissertation focuses on CAN, the techniques and rationale used here could be replicated to secure other cyber-physical systems. Specifically, due to CAN's presence in many cyber-physical systems, it shares many performance and security challenges with those systems, which makes most of the techniques and approaches used here easily transferrable to them. By accentuating the importance of proactive security, this research endeavors to establish a foundational approach to cyber-physical systems security and resiliency. It recognizes the evolving nature of cyber-physical systems and the specific security challenges facing each system in today's hyper-connected world and hence focuses on a single case study. </p>

System and network security

CAN

Controller Area Network

Cyber Physical Systems (CPS)

Vulnerability Identification

Protocol Testing

Protocol Fuzzing

Intrusion Detection / Prevention Systems

Cyber Security

Building the Intelligent IoT-Edge: Balancing Security and Functionality using Deep Reinforcement Learning

Anand A Mudgerikar (11791094)

19 December 2021

<div>The exponential growth of Internet of Things (IoT) and cyber-physical systems is resulting in complex environments comprising of various devices interacting with each other and with users. In addition, the rapid advances in Artificial Intelligence are making those devices able to autonomously modify their behaviors through the use of techniques such as reinforcement learning (RL). There is thus the need for an intelligent monitoring system on the network edge with a global view of the environment to autonomously predict optimal device actions. However, it is clear however that ensuring safety and security in such environments is critical. To this effect, we develop a constrained RL framework for IoT environments that determines optimal devices actions with respect to user-defined goals or required functionalities using deep Q learning. We use anomaly based intrusion detection on the network edge to dynamically generate security and safety policies to constrain the RL agent in the framework. We analyze the balance required between ‘safety/security’ and ‘functionality’ in IoT environments by manipulating the exploration of safe and unsafe benefit state spaces in the RL framework. We instantiate the framework for testing on application layer control in smart home environments, and network layer control including network functionalities like rate control and routing, for SDN based environments.</div>

Theoretical Computer Science

Applied Computer Science

Internet of Things (IoT),

Deep Reinforcement Learning (DRL)

Network security

IOT SECURITY

Software Defined Networks

Longitudinal analysis of the certificate chains of big tech company domains / Longitudinell analys av certifikatkedjor till domäner tillhörande stora teknikföretag

Klasson, Sebastian, Lindström, Nina

January 2021

The internet is one of the most widely used mediums for communication in modern society and it has become an everyday necessity for many. It is therefore of utmost importance that it remains as secure as possible. SSL and TLS are the backbones of internet security and an integral part of these technologies are the certificates used. Certificate authorities (CAs) can issue certificates that validate that domains are who they claim to be. If a user trusts a CA they can in turn also trust domains that have been validated by them. CAs can in turn trust other CAs and this, in turn, creates a chain of trust called a certificate chain. In this thesis, the structure of these certificate chains is analysed and a longitudinal dataset is created. The analysis looks at how the certificate chains have changed over time and puts extra focus on the domains of big tech companies. The dataset created can also be used for further analysis in the future and will be a useful tool in the examination of historical certificate chains. Our findings show that the certificate chains of the domains studied do change over time; both their structure and the lengths of them vary noticeably. Most of the observed domains show a decrease in average chain length between the years of 2013 and 2020 and the structure of the chains vary significantly over the years.

certificate authorities

CA

certificate chains

certificates

certificate validation

HTTPS

network security

internet security

PKI

Project Sonar

SSL

TLS

X.509

Computer Sciences

Datavetenskap (datalogi)

Quantifying Trust and Reputation for Defense against Adversaries in Multi-Channel Dynamic Spectrum Access Networks

Bhattacharjee, Shameek

01 January 2015

Dynamic spectrum access enabled by cognitive radio networks are envisioned to drive the next generation wireless networks that can increase spectrum utility by opportunistically accessing unused spectrum. Due to the policy constraint that there could be no interference to the primary (licensed) users, secondary cognitive radios have to continuously sense for primary transmissions. Typically, sensing reports from multiple cognitive radios are fused as stand-alone observations are prone to errors due to wireless channel characteristics. Such dependence on cooperative spectrum sensing is vulnerable to attacks such as Secondary Spectrum Data Falsification (SSDF) attacks when multiple malicious or selfish radios falsify the spectrum reports. Hence, there is a need to quantify the trustworthiness of radios that share spectrum sensing reports and devise malicious node identification and robust fusion schemes that would lead to correct inference about spectrum usage. In this work, we propose an anomaly monitoring technique that can effectively capture anomalies in the spectrum sensing reports shared by individual cognitive radios during cooperative spectrum sensing in a multi-channel distributed network. Such anomalies are used as evidence to compute the trustworthiness of a radio by its neighbours. The proposed anomaly monitoring technique works for any density of malicious nodes and for any physical environment. We propose an optimistic trust heuristic for a system with a normal risk attitude and show that it can be approximated as a beta distribution. For a more conservative system, we propose a multinomial Dirichlet distribution based conservative trust framework, where Josang*s Belief model is used to resolve any uncertainty in information that might arise during anomaly monitoring. Using a machine learning approach, we identify malicious nodes with a high degree of certainty regardless of their aggressiveness and variations introduced by the pathloss environment. We also propose extensions to the anomaly monitoring technique that facilitate learning about strategies employed by malicious nodes and also utilize the misleading information they provide. We also devise strategies to defend against a collaborative SSDF attack that is launched by a coalition of selfish nodes. Since, defense against such collaborative attacks is difficult with popularly used voting based inference models or node centric isolation techniques, we propose a channel centric Bayesian inference approach that indicates how much the collective decision on a channels occupancy inference can be trusted. Based on the measured observations over time, we estimate the parameters of the hypothesis of anomalous and non-anomalous events using a multinomial Bayesian based inference. We quantitatively define the trustworthiness of a channel inference as the difference between the posterior beliefs associated with anomalous and non-anomalous events. The posterior beliefs are updated based on a weighted average of the prior information on the belief itself and the recently observed data. Subsequently, we propose robust fusion models which utilize the trusts of the nodes to improve the accuracy of the cooperative spectrum sensing decisions. In particular, we propose three fusion models: (i) optimistic trust based fusion, (ii) conservative trust based fusion, and (iii) inversion based fusion. The former two approaches exclude untrustworthy sensing reports for fusion, while the last approach utilizes misleading information. All schemes are analyzed under various attack strategies. We propose an asymmetric weighted moving average based trust management scheme that quickly identifies on-off SSDF attacks and prevents quick trust redemption when such nodes revert back to temporal honest behavior. We also provide insights on what attack strategies are more effective from the adversaries* perspective. Through extensive simulation experiments we show that the trust models are effective in identifying malicious nodes with a high degree of certainty under variety of network and radio conditions. We show high true negative detection rates even when multiple malicious nodes launch collaborative attacks which is an improvement over existing voting based exclusion and entropy divergence techniques. We also show that we are able to improve the accuracy of fusion decisions compared to other popular fusion techniques. Trust based fusion schemes show worst case decision error rates of 5% while inversion based fusion show 4% as opposed majority voting schemes that have 18% error rate. We also show that the proposed channel centric Bayesian inference based trust model is able to distinguish between attacked and non-attacked channels for both static and dynamic collaborative attacks. We are also able to show that attacked channels have significantly lower trust values than channels that are not– a metric that can be used by nodes to rank the quality of inference on channels.

Engineering

"(Un-)making" data to "make" security: A discursive and visual inquiry into the production, circulation and use of data across the pan-European information infrastructure

Ugolini, Vanessa

01 March 2023

To counter hybrid threats – for example, international terrorism, transnational organised crime and (cyber-)attacks – security and intelligence communities increasingly gather, process and exchange vast amounts of data on presumably suspect individuals. This trend has been enabled by recent developments in surveillance capacities related to Information and Communications Technologies (ICTs). As a result, cross-border data transfers have become not only an element of international trade but also an important component of law enforcement strategies. Nevertheless, the exchange of data for policing purposes is not always smooth. Rather, there are frictions that emerge therein as well as technical and legal issues relating to the combination of data from different information systems and under different formats. This study advances the concept of data lifecycle in relation to the practices, such as the collection, entry, processing, storing, and analysis that direct data in specific ways to create multiple “cycles” of uses. Through the analytical lens of the lifecycle I aim to examine specifically how data are repurposed, not only by digital technologies, but also by provisions regulating access, storage and use of information for criminal matters. The core task consists in identifying the socio-political, legal and technical conditions of possibility that allow for the exchange of data at the pan-European level. By bringing together multiple conceptual and methodological subfields, I shed light on the politicality of EU data infrastructures that appear physically very remote or less visible, yet in a way that people do not realise how mundane they have become. Investigating the data lifecycle as a network of practices generates findings that are useful for understanding how security is enacted through the collection and use of different forms of data and hence for interpreting the evolving landscape of data-driven security governance in the EU.

The Shifting Web of Trust : Exploring the Transformative Journey of Certificate Chains in Prominent Domains / Förtroendets Föränderliga Väv : Att Utforska den Transformativa Resan av Certifikatkedjor av Populära Domäner

Döberl, Marcus, Freiherr von Wangenheim, York

January 2023

The security and integrity of TLS certificates are essential for ensuring secure transmission over the internet and protecting millions of people from man-in-the-middle attacks. Certificate Authorities (CA) play a crucial role in issuing and managing thesecertificates. This bachelor thesis presents a longitudinal analysis of certificate chains forpopular domains, examining their evolution over time and across different categories. Using publicly available certificate data from sources such as crt.sh and censys.io, we createda longitudinal dataset of certificate chains for domains from the Top 1-M list of Tranco.We categorized the certificates based on their type, and the particular service categories.We analyzed a selected set of domains over time and identified the patterns and trendsthat emerged in their certificate chains. Our analysis revealed several noteworthy trends,including an increase in the use of new CAs and a shift of which types of certificates areused, we also found a trend in shorter certificate chains and fewer paths from domain toroot certificate. This implies a more streamlined and simplified certificate process overtime until today. Our findings have implications for the broader cybersecurity communityand demonstrate the importance of ongoing monitoring and analysis of certificate chainsfor popular domains.

Certificate Authority

CA

Let's Encrypt

Network modelling

analysis

and measurement; Network security

authentication

measurement

trust and privacy; Web technologies

Internet säkerhet

Certifikat

Cybersäkerhet

Nätverk

Internet

Computer and Information Sciences

Data- och informationsvetenskap

Using machine learning to visualize and analyze attack graphs

Cottineau, Antoine

January 2021

In recent years, the security of many corporate networks have been compromised by hackers who managed to obtain important information by leveraging the vulnerabilities of those networks. Such attacks can have a strong economic impact and affect the image of the entity whose network has been attacked. Various tools are used by network security analysts to study and improve the security of networks. Attack graphs are among these tools. Attack graphs are graphs that show all the possible chains of exploits an attacker could follow to access an important host on a network. While attack graphs are useful for network security, they may become hard to read because of their size when networks become larger. Previous work tried to deal with this issue by applying simplification algorithms on graphs. Experience shows that even if these algorithms can help improve the visualization of attack graphs, we believe that improvements can be made, especially by relying on Machin Learning (ML) algorithms. Thus, the goal of this thesis is to investigate how ML can help improve the visualization of attack graphs and the security analysis of networks based on their attack graph. To reach this goal, we focus on two main areas. First we used graph clustering which is the process of creating a partition of the nodes based on their position in the graph. This improves visualization by allowing network analysts to focus on a set of related nodes instead of visualizing the whole graph. We also design several metrics for security analysis based on attack graphs. We show that the ML algorithms in both areas. The ML clustering algorithms even produce better clusters than non-ML algorithms with respect to the coverage metric, at the cost of computation time. Moreover, the ML security evaluation algorithms show faster computation times on dense attack graphs than the non-ML baseline, while producing similar results. Finally, a user interface that permits the application of the methods presented   in the thesis is also developed, with the goal of making the use of such methods easier by network analysts. / Under de senaste åren har säkerheten för många företagsnätverk äventyrats av hackare som lyckats få fram viktig information genom att utnyttja sårbarheterna i dessa nätverk. Sådana attacker kan ha en stark ekonomisk inverkan och påverka bilden av den enhet vars nätverk har angripits. Olika verktyg användes av nätverkssäkerhetsanalytiker för att studera och förbättra säkerheten i nätverken. Attackgrafer ät bland dessa verktyg. Attackgrafer är diagram som visar alla möjliga kedjor av utnyttjande en angripare kan följa för att komma åt en viktig värd i ett nätverk. Även om attackgrafer är användbara för nätverkssäkerhet, kan de bli svåra att läsa på grund av deras storlek när nätverk blir större. Tidigare arbete försökte hantera detta problem genom att tillämpa förenklingsalgoritmer på grafer. Erfarenheten visar att även om dessa algoritmer kan hjälpa till att förbättra visualiseringen av attackgrafer tror vi att förbättringar kan göras, särskilt genom att förlita sig på Machine Learning  (ML) algoritmer. Således är målet med denna avhandling att undersöka hur ML kan hjälpa till att förbättra visualiseringen av attackgrafer och säkerhetsanalys av nätverk baserat på deras attackgraf. För att nå detta mål fokuserar vi på två huvudområden. Först använder vi grafklustering som är processen för att skapa en partition av noderna baserat på deras position i grafen. Detta förbättrar visualiseringen genom att låta nätverksanalytiker fokusera på en uppsättning relaterade noder istället för att visualisera hela grafen. Vi utformar också flera mätvärden för säkerhetsanalys baserat på attackgrafer. Vi visar att ML-algoritmerna är lika effektiva som icke-LM-algoritmer inom båda områdena. Klusteringsalgoritmerna ML producerar till och med bättre kluster än icke-ML-algoritmer med avseende på täckningsvärdet, till kostnaden för beräkningstid. Dessutom visar ML säkerhetsutvärderingsalgoritmerna snabbare beräkningstider på täta attackgrafer än icke-ML baslinjen, samtidigt som de ger liknande resultat. Slutligen utvecklas också ett användargränssnitt som tillåter tillämpning av metoderna som presenteras i avhandlingen, med målet att göra användningen av sådana metoder enklare för nätverksanalytiker.

Attack graph

Graph visualization

Graph clustering

Network security

Node embedding

Attackgraf

grafvisualisering

grafklustering

nätverkssäkerhet

inbäddning av noder

Computer and Information Sciences

Data- och informationsvetenskap

Improved performance high speed network intrusion detection systems (NIDS). A high speed NIDS architectures to address limitations of Packet Loss and Low Detection Rate by adoption of Dynamic Cluster Architecture and Traffic Anomaly Filtration (IADF).

Akhlaq, Monis

January 2011

Intrusion Detection Systems (IDS) are considered as a vital component in network security architecture. The system allows the administrator to detect unauthorized use of, or attack upon a computer, network or telecommunication infrastructure. There is no second thought on the necessity of these systems however; their performance remains a critical question. This research has focussed on designing a high performance Network Intrusion Detection Systems (NIDS) model. The work begins with the evaluation of Snort, an open source NIDS considered as a de-facto IDS standard. The motive behind the evaluation strategy is to analyze the performance of Snort and ascertain the causes of limited performance. Design and implementation of high performance techniques are considered as the final objective of this research. Snort has been evaluated on highly sophisticated test bench by employing evasive and avoidance strategies to simulate real-life normal and attack-like traffic. The test-methodology is based on the concept of stressing the system and degrading its performance in terms of its packet handling capacity. This has been achieved by normal traffic generation; fussing; traffic saturation; parallel dissimilar attacks; manipulation of background traffic, e.g. fragmentation, packet sequence disturbance and illegal packet insertion. The evaluation phase has lead us to two high performance designs, first distributed hardware architecture using cluster-based adoption and second cascaded phenomena of anomaly-based filtration and signature-based detection. The first high performance mechanism is based on Dynamic Cluster adoption using refined policy routing and Comparator Logic. The design is a two tier mechanism where front end of the cluster is the load-balancer which distributes traffic on pre-defined policy routing ensuring maximum utilization of cluster resources. The traffic load sharing mechanism reduces the packet drop by exchanging state information between load-balancer and cluster nodes and implementing switchovers between nodes in case the traffic exceeds pre-defined threshold limit. Finally, the recovery evaluation concept using Comparator Logic also enhance the overall efficiency by recovering lost data in switchovers, the retrieved data is than analyzed by the recovery NIDS to identify any leftover threats. Intelligent Anomaly Detection Filtration (IADF) using cascaded architecture of anomaly-based filtration and signature-based detection process is the second high performance design. The IADF design is used to preserve resources of NIDS by eliminating large portion of the traffic on well defined logics. In addition, the filtration concept augment the detection process by eliminating the part of malicious traffic which otherwise can go undetected by most of signature-based mechanisms. We have evaluated the mechanism to detect Denial of Service (DoS) and Probe attempts based by analyzing its performance on Defence Advanced Research Projects Agency (DARPA) dataset. The concept has also been supported by time-based normalized sampling mechanisms to incorporate normal traffic variations to reduce false alarms. Finally, we have observed that the IADF has augmented the overall detection process by reducing false alarms, increasing detection rate and incurring lesser data loss. / National University of Sciences & Technology (NUST), Pakistan

Intrusion Detection Systems (IDS)

Dynamic Cluster Architecture

Low detection rate

Packet loss

Network security

Telecommunication infrastructure

Network performance

Traffic Anomaly Filtration (IADF)

Denial of Service (DoS)

Increasing detection rate

TRACE DATA-DRIVEN DEFENSE AGAINST CYBER AND CYBER-PHYSICAL ATTACKS.pdf

Abdulellah Abdulaziz M Alsaheel (17040543)

11 October 2023

<p dir="ltr">In the contemporary digital era, Advanced Persistent Threat (APT) attacks are evolving, becoming increasingly sophisticated, and now perilously targeting critical cyber-physical systems, notably Industrial Control Systems (ICS). The intersection of digital and physical realms in these systems enables APT attacks on ICSs to potentially inflict physical damage, disrupt critical infrastructure, and jeopardize human safety, thereby posing severe consequences for our interconnected world. Provenance tracing techniques are essential for investigating these attacks, yet existing APT attack forensics approaches grapple with scalability and maintainability issues. These approaches often hinge on system- or application-level logging, incurring high space and run-time overheads and potentially encountering difficulties in accessing source code. Their dependency on heuristics and manual rules necessitates perpetual updates by domain-knowledge experts to counteract newly developed attacks. Additionally, while there have been efforts to verify the safety of Programming Logic Controller (PLC) code as adversaries increasingly target industrial environments, these works either exclusively consider PLC program code without connecting to the underlying physical process or only address time-related physical safety issues neglecting other vital physical features.</p><p dir="ltr">This dissertation introduces two novel frameworks, ATLAS and ARCHPLC, to address the aforementioned challenges, offering a synergistic approach to fortifying cybersecurity in the face of evolving APT and ICS threats. ATLAS, an effective and efficient multi-host attack investigation framework, constructs end-to-end APT attack stories from audit logs by combining causality analysis, Natural Language Processing (NLP), and machine learning. Identifying key attack patterns, ATLAS proficiently analyzes and pinpoints attack events, minimizing alert fatigue for cyber analysts. During evaluations involving ten real-world APT attacks executed in a realistic virtual environment, ATLAS demonstrated an ability to recover attack steps and construct attack stories with an average precision of 91.06%, a recall of 97.29%, and an F1-score of 93.76%, providing a robust framework for understanding and mitigating cyber threats.</p><p dir="ltr">Concurrently, ARCHPLC, an advanced approach for enhancing ICS security, combines static analysis of PLC code and data mining from ICS data traces to derive accurate invariants, providing a comprehensive understanding of ICS behavior. ARCHPLC employs physical causality graph analysis techniques to identify cause-effect relationships among plant components (e.g., sensors and actuators), enabling efficient and quantitative discovery of physical causality invariants. Supporting patching and run-time monitoring modes, ARCHPLC inserts derived invariants into PLC code using program synthesis in patching mode and inserts invariants into a dedicated monitoring program for continuous safety checks in run-time monitoring mode. ARCHPLC adeptly detects and mitigates run-time anomalies, providing exceptional protection against cyber-physical attacks with minimal overhead. In evaluations against 11 cyber-physical attacks on a Fischertechnik manufacturing plant and a chemical plant simulator, ARCHPLC protected the plants without any false positives or negatives, with an average run-time overhead of 14.31% in patching mode and 0.4% in run-time monitoring mode.</p><p dir="ltr">In summary, this dissertation provides invaluable solutions that equip cybersecurity professionals to enhance APT attack investigation, enabling them to identify and comprehend complex attacks with heightened accuracy. Moreover, these solutions significantly bolster the safety and security of ICS infrastructure, effectively protecting critical systems and strengthening defenses against cyber-physical attacks, thereby contributing substantially to the field of cybersecurity.</p>

Software and application security

System and network security

ICS Security

forensics investigation

attack detection

Securing resource constrained platforms with low-cost solutions.

Arslan Khan (17592498)

11 December 2023

<p dir="ltr">This thesis focuses on securing different attack surfaces of embedded systems while meeting the stringent requirements imposed by these systems. Due to the specialized architecture of embedded systems, the security measures should be customized to match the unique requirements of each specific domain. To this end, this thesis identified novel security architectures using techniques such as anomaly detection, program analysis, compartmentalization, etc. This thesis synergizes work at the intersection of programming languages, compilers, computer architecture, operating systems, and embedded systems. </p>

System and network security

Operating systems

embeded system

systems security

programming language correction

compartmentalization concept

Operating systems (Computers)

firmware security inspection techno...