Novel Alert Visualization: The Development of a Visual Analytics Prototype for Mitigation of Malicious Insider Cyber Threats

Clarke, Karla A.

01 January 2018

Cyber insider threat is one of the most difficult risks to mitigate in organizations. However, innovative validated visualizations for cyber analysts to better decipher and react to detected anomalies has not been reported in literature or in industry. Attacks caused by malicious insiders can cause millions of dollars in losses to an organization. Though there have been advances in Intrusion Detection Systems (IDSs) over the last three decades, traditional IDSs do not specialize in anomaly identification caused by insiders. There is also a profuse amount of data being presented to cyber analysts when deciphering big data and reacting to data breach incidents using complex information systems. Information visualization is pertinent to the identification and mitigation of malicious cyber insider threats. The main goal of this study was to develop and validate, using Subject Matter Experts (SME), an executive insider threat dashboard visualization prototype. Using the developed prototype, an experimental study was conducted, which aimed to assess the perceived effectiveness in enhancing the analysts’ interface when complex data correlations are presented to mitigate malicious insiders cyber threats. Dashboard-based visualization techniques could be used to give full visibility of network progress and problems in real-time, especially within complex and stressful environments. For instance, in an Emergency Room (ER), there are four main vital signs used for urgent patient triage. Cybersecurity vital signs can give cyber analysts clear focal points during high severity issues. Pilots must expeditiously reference the Heads Up Display (HUD), which presents only key indicators to make critical decisions during unwarranted deviations or an immediate threat. Current dashboard-based visualization techniques have yet to be fully validated within the field of cybersecurity. This study developed a visualization prototype based on SME input utilizing the Delphi method. SMEs validated the perceived effectiveness of several different types of the developed visualization dashboard. Quantitative analysis of SME’s perceived effectiveness via self-reported value and satisfaction data as well as qualitative analysis of feedback provided during the experiments using the prototype developed were performed. This study identified critical cyber visualization variables and identified visualization techniques. The identifications were then used to develop QUICK.v™ a prototype to be used when mitigating potentially malicious cyber insider threats. The perceived effectiveness of QUICK.v™ was then validated. Insights from this study can aid organizations in enhancing cybersecurity dashboard visualizations by depicting only critical cybersecurity vital signs.

Information technology cybersecurity

insider threat

Intrusion Detection

malicious insider

visualization

vital signs

Computer Sciences

Detecting Malicious Behavior in OpenWrt with QEMU Tracing

Porter, Jeremy

06 August 2019

No description available.

Computer Engineering

Computer Science

embedded devices

malware

rootkits

malicious router

QEMU

OpenWrt

HTTP request

Applying Push-Pull-Mooring model to investigate non-malicious workarounds behavior

Aljohani, Nawaf Rasheed

08 August 2023

More than half of the violations of information systems security policies are initiated by non-malicious activities of insiders. To investigate these non-malicious activities, we utilized the theory of workaround and argued that the application of neutralization techniques impacts the use of workarounds. We built our model using three theories: the theory of workaround, push-pull-mooring theory, and techniques of neutralization. We identified the elements of workarounds related to non-malicious violations and proposed a theoretical perspective using the push-pull-mooring theory to investigate non-malicious workarounds empirically. We propose that non-malicious activities of insiders can be seen as a switching behavior, with push factors such as system dissatisfaction and time pressure, and pull factors such as convenience and alternative attractiveness. The mooring factors in our model are techniques of neutralization, including denial of injury, denial of responsibility, and defense of necessity. We employed the scenario-based factorial survey method to mitigate the effect of social desirability bias. Our mixed model analysis indicates that time pressure, convenience, denial of injury, and defense of necessity significantly impact an individual's likelihood of engaging in non-malicious workarounds. Additionally, the relative weight analysis of our model shows that convenience and time pressure explain most of the variance in our model.

Insider

non-malicious

threat

workaround

push-pull-mooring

techniques of neutralization

factorial survey method

Evaluation of machine learning models for classifying malicious URLs

Abad, Shayan, Gholamy, Hassan

January 2023

Millions of new websites are created daily, making it challenging to determine which ones are safe. Cybersecurity involves protecting companies and users from cyberattacks. Cybercriminals exploit various methods, including phishing attacks, to trick users into revealing sensitive information. In Australia alone, there were over 74,000 reported phishing attacks in 2022, resulting in a financial loss of over $24 million. Artificial intelligence (AI) and machine learning are effective tools in various domains, such as cancer detection, financial fraud detection, and chatbot development. Machine learning models, such as Random Forest and Support Vector Machines, are commonly used for classification tasks. With the rise of cybercrime, it is crucial to use machine learning to identify both known and new malicious URLs. The purpose of the study is to compare different instance selection methods and machine learning models for classifying malicious URLs. In this study, a dataset containing approximately 650,000 URLs from Kaggle was used. The dataset consisted of four categories: phishing, defacement, malware, and benign URLs. Three datasets, each consisting of around 170,000 URLs, were generated using instance selection methods (DRLSH, BPLSH, and random selection) implemented in MATLAB. Machine learning models, including SVM, DT, KNNs, and RF, were employed. The study applied these instance selection methods to a dataset of malicious URLs, trained the machine learning models on the resulting datasets, and evaluated their performance using 16 features and one output feature. In the process of hyperparameter tuning, the training dataset was used to train four models with different hyperparameter settings. Bayesian optimization was employed to find the best hyperparameters for each model. The classification process was then conducted, and the results were compared. The study found that the random instance selection method outperformed the other two methods, BPLSH and DRLSH, in terms of both accuracy and elapsed time for data selection. The lower accuracies achieved by the DRLSH and BPLSH methods may be attributed to the imbalanced dataset, which led to poor sample selection.

Machine learning

Cyber security

Classification

Malicious URL

Instance selection

Computer Engineering

Datorteknik

Study of Information Behavior of Opportunistic Insiders with Malicious Intent

Sinha, Vikas

05 1900

Enterprises have focused on mechanisms to track insiders who may intentionally exceed and misuse their authorized access. However, there is an opportunity to understand why a trusted individual would want to exploit the trust and seek information with the intent of a malicious outcome. The detection of insider rogue or nefarious activities with information to which a user is already authorized is extremely difficult. Such insider threats require more deliberation than just considering it to be a problem that can be mitigated only by software or hardware enhancements. This research expects to help gain an early understanding of antecedents to such information behavior and provide an opportunity to develop approaches to address relevant character traits which could lead to a higher propensity of information misuse. This research proposes a theoretical framework and a conceptual research model to understand the antecedent factors to opportunistic information-seeking behavior of individuals. The study follows the three-essay format. Essay 1 explores the scholarly literature published about insider behavior to understand information behavior and proposes the theoretical framework for the study. PRISMA methodology was used for the thematic literature review. Essay 2 is a quantitative study of 424 university students surveyed using an online instrument for their responses to various scenarios in the context of academic dishonesty. Academic dishonesty is proposed as a proxy for information misuse. Essay 3 is a qualitative study engaging senior executives from various industries to understand their perspectives on the behavioral characteristics of individuals as they try to protect their corporate information from being misused and protect their reputation and liability from malicious use of their information.

Malicious Information Behavior

Opportunistic Information Behavior

Insider Threat

Information Security

Moral Resiliency

Social Resiliency

Zero-Trust

The Everyday Internet, a Minefield in Disguise : Characterization of different types of domains including malicious and popularity / Internet, ett minfält i förklädnad.

Petersson, Linn, Lindkvist, Rebecka

January 2022

Today, security has become a growing concern for all internet users, where technology is developing faster than its security is implemented, which leads to insecure domains. In this thesis, we look at the reality of today’s domains and research if some categories of domains are safer than others and the reason behind it. The total amount of researched domains was 8080 divided into four categories; popular, categories, continents, and malicious. The analysis was made by looking closer at default protocols, cipher suites, certificate authorities (CAs), certificate classifications, page loading times, and vulnerabilities. Our result indicated that TLS 1.2 and TLS 1.3 are the most commonly used protocol. The largest difference between the domains could be seen among the CAs, even though no definite reason for this could be found. The most popular cipher suite for popular, categories, and malicious belonged to TLS 1.3 meanwhile, continents had a cipher suite belonging to TLS 1.2. All four categories were vulnerable to at least five out of eight different types of attacks. The least commonly used certificate classification is EV certificates, while DV is the most commonly used. Through our data collection and analysis, we could conclude that all domains are not as safe as one might think, while the underlying security infrastructure of malicious domains might be better than anyone expects.

characterisation

malicious

domains

vulnerabilities

cipher suites

TLS

protocols

security

certificates

Computer and Information Sciences

Data- och informationsvetenskap

Algorithmic Mechanism Design for Data Replication Problems

Guo, Minzhe

13 September 2016

No description available.

Computer Science

algorithmic mechanism design

content delivery

data replica placement

malicious

peer-assisted

self-interested

Detekce škodlivých webových stránek pomocí strojového učení / Detection of Malicious Websites using Machine Learning

Šulák, Ladislav

January 2018

Táto práca sa zaoberá problematikou škodlivého kódu na webe so zameraním na analýzu a detekciu škodlivého JavaScriptu umiestneného na strane klienta s využitím strojového učenia. Navrhnutý prístup využíva známe i nové pozorovania s ohľadom na rozdiely medzi škodlivými a legitímnymi vzorkami. Tento prístup má potenciál detekovať nové exploity i zero-day útoky. Systém pre takúto detekciu bol implementovaný a využíva modely strojového učenia. Výkon modelov bol evaluovaný pomocou F1-skóre na základe niekoľkých experimentov. Použitie rozhodovacích stromov sa podľa experimentov ukázalo ako najefektívnejšia možnosť. Najefektívnejším modelom sa ukázal byť Adaboost klasifikátor s dosiahnutým F1-skóre až 99.16 %. Tento model pracoval s 200 inštanciami randomizovaného rozhodovacieho stromu založeného na algoritme Extra-Trees. Viacvrstvový perceptrón bol druhým najlepším modelom s dosiahnutým F1-skóre 97.94 %.

Network layer reliability and security in energy harvesting wireless sensor networks

Yang, Jing

08 December 2023

Wireless sensor networks (WSNs) have become pivotal in precision agriculture, environmental monitoring, and smart healthcare applications. However, the challenges of energy consumption and security, particularly concerning the reliance on large battery-operated nodes, pose significant hurdles for these networks. Energy-harvesting wireless sensor networks (EH-WSNs) emerged as a solution, enabling nodes to replenish energy from the environment remotely. Yet, the transition to EH-WSNs brought forth new obstacles in ensuring reliable and secure data transmission. In our initial study, we tackled the intermittent connectivity issue prevalent in EH-WSNs due to the dynamic behavior of energy harvesting nodes. Rapid shifts between ON and OFF states led to frequent changes in network topology, causing reduced link stability. To counter this, we introduced the hybrid routing method (HRM), amalgamating grid-based and opportunistic-based routing. HRM incorporated a packet fragmentation mechanism and cooperative localization for both static and mobile networks. Simulation results demonstrated HRM's superior performance, enhancing key metrics such as throughput, packet delivery ratio, and energy consumption in comparison to existing energy-aware adaptive opportunistic routing approaches. Our second research focused on countering emerging threats, particularly the malicious energy attack (MEA), which remotely powers specific nodes to manipulate routing paths. We developed intelligent energy attack methods utilizing Q-learning and Policy Gradient techniques. These methods enhanced attacking capabilities across diverse network settings without requiring internal network information. Simulation results showcased the efficacy of our intelligent methods in diverting traffic loads through compromised nodes, highlighting their superiority over traditional approaches. In our third study, we developed a deep learning-based two-stage framework to detect MEAs. Utilizing a stacked residual network (SR-Net) for global classification and a stacked LSTM network (SL-Net) to pinpoint specific compromised nodes, our approach demonstrated high detection accuracy. By deploying trained models as defenses, our method outperformed traditional threshold filtering techniques, emphasizing its accuracy in detecting MEAs and securing EH-WSNs. In summary, our research significantly advances the reliability and security of EH-WSN, particularly focusing on enhancing the network layer. These findings offer promising avenues for securing the future of wireless sensor technologies.

Hybrid Routing Method (HRM)

Intermittent Connectivity

Energy Harvesting

Malicious Energy Attack (MEA)

Reinforcement Learning (RL)

Malicious Energy Attack Detection

Deep Learning(DL)

Feature selection and clustering for malicious and benign software characterization

Chhabra, Dalbir Kaur R

13 August 2014

Malware or malicious code is design to gather sensitive information without knowledge or permission of the users or damage files in the computer system. As the use of computer systems and Internet is increasing, the threat of malware is also growing. Moreover, the increase in data is raising difficulties to identify if the executables are malicious or benign. Hence, we have devised a method that collects features from portable executable file format using static malware analysis technique. We have also optimized the important or useful features by either normalizing or giving weightage to the feature. Furthermore, we have compared accuracy of various unsupervised learning algorithms for clustering huge dataset of samples. So once the clusters are created we can use antivirus (AV) to identify one or two file and if they are detected by AV then all the files in cluster are malicious even if the files contain novel or unknown malware; otherwise all are benign.

Static malware analysis

Portable Executable

unsupervised learning algorithm

malicious or benign samples

feature selection

clustering

Information Security