Generation of cyber attack data using generative techniques

Nidhi Nandkishor Sakhala (6636128)

15 May 2019

<div><div><div><p>The presence of attacks in day-to-day traffic flow in connected networks is considerably less compared to genuine traffic flow. Yet, the consequences of these attacks are disastrous. It is very important to identify if the network is being attacked and block these attempts to protect the network system. Failure to block these attacks can lead to loss of confidential information and reputation and can also lead to financial loss. One of the strategies to identify these attacks is to use machine learning algorithms that learn to identify attacks by looking at previous examples. But since the number of attacks is small, it is difficult to train these machine learning algorithms. This study aims to use generative techniques to create new attack samples that can be used to train the machine learning based intrusion detection systems to identify more attacks. Two metrics are used to verify that the training has improved and a binary classifier is used to perform a two-sample test for verifying the generated attacks.</p></div></div></div>

Computer System Security

Intrusion Detection System

Generative Adversarial Networks

WGAN

PERCEPTIONS OF PURPLE TEAMS AMONG CYBERSECURITY PROFESSIONALS

Siddharth Chowdhury (6613439)

15 May 2019

With constant technological advancements, the attacks against existing infrastructure is constantly increasing and causing more damage. The current Red and Blue team approach to cybersecurity assessments is used to test the effectiveness of security defenses and in identifying vulnerabilities before they are exploited. Due to a lack of collaboration and inherently contradicting natures of these teams, the credibility of audits is impacted. While this has led to the synergistic and collaborative Purple team, it is important to understand how cybersecurity professionals perceive this new concept and its function. Analyzing perceptions of self-reported cybersecurity professionals via an online survey showed most believed Purple teams were beneficial and should be created from and collaborate with Red and Blue teams. However, past Red team experience was negatively linked to perceived benefit. Those who had more years of experience or had been on Red teams were more likely to believe Purple teams may have ownership or learning issues. Furthermore, professionals identified active managerial involvement and project clarity as critical success factors for Purple teams. Alongside these, management could help find the right skillset, provide resources, and offer active direction in order to avoid issues and maximize outcomes. Based on assessment relevance, a collaborative agreed-upon methodology for Red, Blue, and Purple teams was provided.

Computer System Security

Innovation and Technology Management

purple team

cybersecurity

red team

blue team

perception

methodology

assessment

Nasazení DNSSEC na klientské straně / Client side DNSSEC deployment

Nekuža, Karel

January 2018

Diplomová práce se zabývá problémem přístupu koncového uživatele k odpovědím ověřeným pomocí protokolu DNSSEC. Práce posuzuje možnosti nasazení a nastavování resolveru za účelem zlepšení bezpečnosti pro koncové uživatele. V práci je navrhnuto řešení problému pro operační systém Fedora Workstation. Navrhnuté řešení je realizováno a porovnáno s již existujícím řesením.

Návrh zabezpečení průmyslového řídícího systému / Industrial control system security design

Strnad, Matěj

January 2019

The subject of the master's thesis is a design of security measures for securing of an industrial control system. It includes an analysis of characteristics of communication environment and specifics of industrial communication systems, a comparison of available technological means and a design of a solution according to investor's requirements.

Usage of Dynamic Analysis to Strengthen Control-Flow Analysis

Priyam Biswas (9761951)

14 December 2020

<div>System programming languages such as C and C++ are ubiquitously used for systems software such as browsers and servers due to their flexibility and high performance. However, this flexibility comes with a price of lack of memory and type safety.</div><div><br></div><div>Control-Flow Hijacking (CFH), by taking advantage of the inherent lack of memory and type safety, has become one of the most common attack vectors against C/C++ programs. In such attacks, an attacker attempts to divert the normal control flow of the program to an attacker-controlled location. The most prominent defense against these kind of attacks is Control-Flow Integrity (CFI), which restricts the attack surface by limiting the set of possible targets for each indirect control-flow transfer. However, current analyses for the CFI target sets are highly conservative. Due to the ambiguity and imprecision in the analyses, CFI restricts adversaries to an over-approximation of the possible targets of individual indirect call sites. State-of-the-art CFI approaches fail to protect against special attack classes such as over-writing variadic function arguments. Furthermore, mitigation of control-flow attacks is not explored to its full potential in the context of language boundaries in current literature. Hence, we need effective solution to improve the precision of the CFI approaches as well as strong protection mechanisms against commonly abused corner cases.</div><div><br></div><div>We leverage the effectiveness of dynamic analysis in deriving a new approach to efficiently mitigate control-flow hijacking attacks. We present Ancile, a novel mechanism to improve the precision of the CFI mechanism by debloating any extraneous targets from the indirect control-flow transfers. We replaced the traditional static analysis approach for target discovery with seed demonstrated fuzzing. We have evaluated the effectiveness of our proposed mechanism with standard SPEC CPU benchmarks and other popular C and C++ applications.</div><div><br></div><div>To ensure complete security of C and C++ programs, we need to shield commonly exploited corners of C/C++ such as variadic functions. We performed extensive case studies to show the prevalence of such functions and their exploits. We also developed a sanitizer, HexVASAN, to effectively type-check and prevent any attack via variadic functions. CFH attacks, by abusing the difference of managed languages and their underlying system languages, are very frequent in client and server side programs. In order to safe-guard the control-flows in language boundaries, we propose a new mechanism, FitJit, to enforce type integrity. Finally, to understand the effectiveness of the dynamic analysis, we present Artemis, a comprehensive study of binary analysis on real world applications.</div>

Computer System Security

Dynamic Analysis

CFI

control-flow integrity

control-flow hijacking

Static Analysis

Variadic function

ADVANCED LOW-COST ELECTRO-MAGNETIC AND MACHINE LEARNING SIDE-CHANNEL ATTACKS

Josef A Danial (9520181)

16 December 2020

Side-channel analysis (SCA) is a prominent tool to break mathematically secure cryptographic engines, especially on resource-constrained devices. SCA attacks utilize physical leakage vectors like the power consumption, electromagnetic (EM) radiation, timing, cache hits/misses, that reduce the complexity of determining a secret key drastically, going from 2¹²⁸ for brute force attacks to 2¹² for SCA in the case of AES-128. Additionally, EM SCA attacks can be performed non-invasively without any modifications to the target under attack, unlike power SCA. To develop defenses against EM SCA, designers must evaluate the cryptographic implementations against the most powerful side-channel attacks. In this work, systems and techniques that improve EM side-channel analysis have been explored, making it lower-cost and more accessible to the research community to develop better countermeasures against such attacks. The first chapter of this thesis presents SCNIFFER, a platform to perform efficient end-to-end EM SCA attacks. SCNIFFER introduces leakage localization – an often-overlooked step in EM attacks – into the loop of an attack. Following SCNIFFER, the second chapter presents a practical machine learning (ML) based EM SCA attack on AES-128. This attack addresses issues dealing with low signal-to-noise ratio (SNR) EM measurements, proposing training and pre-processing techniques to perform an efficient profiling attack. In the final chapter, methods for mapping from power to EM measurements, are analyzed, which can enable training a ML model with much lower number of encryption traces. Additionally, SCA evaluation of high-level synthesis (HLS) based cryptographic algorithms is performed, along with the study of futuristic neural encryption techniques.

Computer Engineering

Computer System Security

Hardware Security

Side-channel analysis

Side-channel attacks

Machine Learning

Privacy Preserving Systems With Crowd Blending

Mohsen Minaei (9525917)

16 December 2020

<p>Over the years, the Internet has become a platform where individuals share their thoughts and personal information. In some cases, these content contain some damaging or sensitive information, which a malicious data collector can leverage to exploit the individual. Nevertheless, what people consider to be sensitive is a relative matter: it not only varies from one person to another but also changes through time. Therefore, it is hard to identify what content is considered sensitive or damaging, from the viewpoint of a malicious entity that does not target specific individuals, rather scavenges the data-sharing platforms to identify sensitive information as a whole. However, the actions that users take to change their privacy preferences or hide their information assists these malicious entities in discovering the sensitive content. </p><p><br></p><p>This thesis offers Crowd Blending techniques to create privacy-preserving systems while maintaining platform utility. In particular, we focus on two privacy tasks for two different data-sharing platforms— i) concealing content deletion on social media platforms and ii) concealing censored information in cryptocurrency blockchains. For the concealment of the content deletion problem, first, we survey the users of social platforms to understand their deletion privacy expectations. Second, based on the users’ needs, we propose two new privacy-preserving deletion mechanisms for the next generation of social platforms. Finally, we compare the effectiveness and usefulness of the proposed mechanisms with the current deployed ones through a user study survey. For the second problem of concealing censored information in cryptocurrencies, we present a provably secure stenography scheme using cryptocurrencies. We show the possibility of hiding censored information among transactions of cryptocurrencies.</p>

Applied Computer Science

Computer System Security

Crowd Blending

Privacy

Deletion Privacy

Censorship

Social Media

On Cyber-Physical Forensics, Attacks, and Defenses

Rohit Bhatia (8083268)

06 December 2019

<div>Cyber-physical systems, through various sensors and actuators, are used to handle interactions of the cyber-world with the physical-world. Conventionally, the temporal component of the physical-world has been used only for estimating real-time deadlines and responsiveness of control-loop algorithms. However, there are various other applications where the relationship of the temporal component and the cyber-world are of interest. An example is the ability to reconstruct a sequence of past temporal activities from the current state of the cyber-world, which is of obvious interest to cyber-forensic investigators. Another example is the ability to control the temporal components in broadcast communication networks, which leads to new attack and defense capabilities. These relationships have not been explored traditionally.</div><div><br></div><div>To address this gap, this dissertation proposes three systems that cast light on the effect of temporal component of the physical-world on the cyber-world. First, we present Timeliner, a smartphone cyber-forensics technique that recovers past actions from a single static memory image. Following that, we present work on CAN (Controller Area Network), a broadcast communication network used in automotive applications. We show in DUET that the ability to control communication temporally allows two compromised ECUs, an attacker and an accomplice, to stealthily suppress and impersonate a victim ECU, even in the presence of a voltage-based intrusion detection system. In CANDID, we show that the ability to temporally control CAN communication opens up new defensive capabilities that make the CAN much more secure.</div><div><br></div><div>The evaluation results show that Timeliner is very accurate and can reveal past evidence (up to an hour) of user actions across various applications on Android devices. The results also show that DUET is highly effective at impersonating victim ECUs while evading both message-based and voltage-based intrusion detection systems, irrespective of the features and the training algorithms used. Finally, CANDID is able to provide new defensive capabilities to CAN environments with reasonable communication and computational overheads.</div><div><br></div>

Computer System Security

Cyber Physical System

Controller Area Network

Memory Forensics

Detection of IoT Botnets using Decision Trees

Meghana Raghavendra (10723905)

29 April 2021

<p>International Data Corporation^[3] (IDC) data estimates that 152,200 Internet of things (IoT) devices will be connected to the Internet every minute by the year 2025. This rapid expansion in the utilization of IoT devices in everyday life leads to an increase in the attack surface for cybercriminals. IoT devices are frequently compromised and used for the creation of botnets. However, it is difficult to apply the traditional methods to counteract IoT botnets and thus calls for finding effective and efficient methods to mitigate such threats. In this work, the network snapshots of IoT traffic infected with two botnets, i.e., Mirai and Bashlite, are studied. Specifically, the collected datasets include network traffic from 9 different IoT devices such as baby monitor, doorbells, thermostat, web cameras, and security cameras. Each dataset consists of 115 stream aggregation feature statistics like weight, mean, covariance, correlation coefficient, standard deviation, radius, and magnitude with a timeframe decay factor, along with a class label defining the traffic as benign or anomalous.</p><p>The goal of the research is to identify a proper machine learning method that can detect IoT botnet traffic accurately and in real-time on IoT edge devices with low computation power, in order to form the first line of defense in an IoT network. The initial step is to identify the most important features that distinguish between benign and anomalous traffic for IoT devices. Specifically, the Input Perturbation Ranking algorithm^[12] with XGBoost^[26]is applied to find the 9 most important features among the 115 features. These 9 features can be collected in real time and be applied as inputs to any detection method. Next, a supervised predictive machine learning method, i.e., Decision Trees, is proposed for faster and accurate detection of botnet traffic. The advantage of using decision trees over other machine learning methodologies, is that it achieves accurate results with low computation time and power. Unlike deep learning methodologies, decision trees can provide visual representation of the decision making and detection process. This can be easily translated into explicit security policies in the IoT environment. In the experiments conducted, it can be clearly seen that decision trees can detect anomalous traffic with an accuracy of 99.997% and takes 59 seconds for training and 0.068 seconds for prediction, which is much faster than the state-of-art deep-learning based detector, i.e., Kitsune^[4]. Moreover, our results show that decision trees have an extremely low false positive rate of 0.019%. Using the 9 most important features, decision trees can further reduce the processing time while maintaining the accuracy. Hence, decision trees with important features are able to accurately and efficiently detect IoT botnets in real time and on a low performance edge device such as Raspberry Pi^[9].</p>

Computer System Security

Internet of Things

Botnets

Decision Trees

Input Perturbation Ranking Algorithm

ASSESSING AND IMPROVING SECURITY AWARENESS AND CONCERNS IN TELEWORKING

Biliangyu Wu (10716789)

29 April 2021

<p>The unexpected and unprecedented global pandemic of COVID-19 has brought dramatic changes to the whole world. As a result of social distancing instituted to slow the pandemic, teleworking has become the new norm in many organizations. The prevalence of teleworking has brought not only benefits to organizations, but also security risks. Although teleworking has existed for decades and many security related issues have been studied by previous research, the researcher didn’t find any studies that have assessed organization employee’s security awareness and concerns in teleworking. Considering the vital importance of human security awareness in protecting information security, it is necessary to learn the security awareness situation in teleworking. Furthermore, employees with low security awareness should be trained to improve the awareness level. Therefore, this research intends to examine the current teleworking security awareness and concerns in organizations by conducting a survey of workers. Through the survey answers, the researcher found that the security awareness varies in groups of teleworkers who are at different ages, from different industries and different-sized organizations. Meanwhile, the researcher also found that COVID-19 pandemic does not have much impact on people’s security concern in teleworking scenarios. <br></p>

Computer System Security

Private Policing and Security Services

Teleworking

Security Awareness

Assessment

Security Concern