Biblio

Cybersecurity plays a critical role in protecting sensitive information and the structural integrity of networked systems. As networked systems continue to expand in numbers as well as in complexity, so does the threat of malicious activity and the necessity for advanced cybersecurity solutions. Furthermore, both the quantity and quality of available data on malicious content as well as the fact that malicious activity continuously evolves makes automated protection systems for this type of environment particularly challenging. Not only is the data quality a concern, but the volume of the data can be quite small for some of the classes. This creates a class imbalance in the data used to train a classifier; however, many classifiers are not well equipped to deal with class imbalance. One such example is detecting malicious HMTL files from static features. Unfortunately, collecting malicious HMTL files is extremely difficult and can be quite noisy from HTML files being mislabeled. This paper evaluates a specific application that is afflicted by these modern cybersecurity challenges: detection of malicious HTML files. Previous work presented a general framework for malicious HTML file classification that we modify in this work to use a $\chi$2 feature selection technique and synthetic minority oversampling technique (SMOTE). We experiment with different classifiers (i.e., AdaBoost, Gentle-Boost, RobustBoost, RusBoost, and Random Forest) and a pure detection model (i.e., Isolation Forest). We benchmark the different classifiers using SMOTE on a real dataset that contains a limited number of malicious files (40) with respect to the normal files (7,263). It was found that the modified framework performed better than the previous framework's results. However, additional evidence was found to imply that algorithms which train on both the normal and malicious samples are likely overtraining to the malicious distribution. We demonstrate the likely overtraining by determining that a subset of the malicious files, while suspicious, did not come from a malicious source.

The Internet of Things (IoT) will connect not only computers and mobile devices, but it will also interconnect smart buildings, houses, and cities, as well as electrical grids, gas plants, and water networks, automobiles, airplanes, etc. IoT will lead to the development of a wide range of advanced information services that are pervasive, cost-effective, and can be accessed from anywhere and at any time. However, due to the exponential number of interconnected devices, cyber-security in the IoT is a major challenge. It heavily relies on the digital identity concept to build security mechanisms such as authentication and authorization. Current centralized identity management systems are built around third party identity providers, which raise privacy concerns and present a single point of failure. In addition, IoT unconventional characteristics such as scalability, heterogeneity and mobility require new identity management systems to operate in distributed and trustless environments, and uniquely identify a particular device based on its intrinsic digital properties and its relation to its human owner. In order to deal with these challenges, we present a Blockchain-based Identity Framework for IoT (BIFIT). We show how to apply our BIFIT to IoT smart homes to achieve identity self-management by end users. In the context of smart home, the framework autonomously extracts appliances signatures and creates blockchain-based identifies for their appliance owners. It also correlates appliances signatures (low level identities) and owners identifies in order to use them in authentication credentials and to make sure that any IoT entity is behaving normally.

The Internet of Things (IoT) connects not only computers and mobile devices, but it also interconnects smart buildings, homes, and cities, as well as electrical grids, gas, and water networks, automobiles, airplanes, etc. However, IoT applications introduce grand security challenges due to the increase in the attack surface. Current security approaches do not handle cybersecurity from a holistic point of view; hence a systematic cybersecurity mechanism needs to be adopted when designing IoTbased applications. In this work, we present a risk management framework to deploy secure IoT-based applications for Smart Infrastructures at the design time and the runtime. At the design time, we propose a risk management method that is appropriate for smart infrastructures. At the design time, our framework relies on the Anomaly Behavior Analysis (ABA) methodology enabled by the Autonomic Computing paradigm and an intrusion detection system to detect any threat that can compromise IoT infrastructures by. Our preliminary experimental results show that our framework can be used to detect threats and protect IoT premises and services.

Most of the social media platforms generate a massive amount of raw data that is slow-paced. On the other hand, Internet Relay Chat (IRC) protocol, which has been extensively used by hacker community to discuss and share their knowledge, facilitates fast-paced and real-time text communications. Previous studies of malicious IRC behavior analysis were mostly either offline or batch processing. This results in a long response time for data collection, pre-processing, and threat detection. However, since the threats can use the latest vulnerabilities to exploit systems (e.g. zero-day attack) and which can spread fast using IRC channels. Current IRC channel monitoring techniques cannot provide the required fast detection and alerting. In this paper, we present an alternative approach to overcome this limitation by providing real-time and autonomic threat detection in IRC channels. We demonstrate the capabilities of our approach using as an example the shadow brokers' leak exploit (the exploit leveraged by WannaCry ransomware attack) that was captured and detected by our framework.

To overcome the current cybersecurity challenges of protecting our cyberspace and applications, we present an innovative cloud-based architecture to offer resilient Dynamic Data Driven Application Systems (DDDAS) as a cloud service that we refer to as resilient DDDAS as a Service (rDaaS). This architecture integrates Service Oriented Architecture (SOA) and DDDAS paradigms to offer the next generation of resilient and agile DDDAS-based cyber applications, particularly convenient for critical applications such as Battle and Crisis Management applications. Using the cloud infrastructure to offer resilient DDDAS routines and applications, large scale DDDAS applications can be developed by users from anywhere and by using any device (mobile or stationary) with the Internet connectivity. The rDaaS provides transformative capabilities to achieve superior situation awareness (i.e., assessment, visualization, and understanding), mission planning and execution, and resilient operations.

As the use of wireless technologies increases significantly due to ease of deployment, cost-effectiveness and the increase in bandwidth, there is a critical need to make the wireless communications secure, and resilient to attacks or faults (malicious or natural). Wireless communications are inherently prone to cyberattacks due to the open access to the medium. While current wireless protocols have addressed the privacy issues, they have failed to provide effective solutions against denial of service attacks, session hijacking and jamming attacks. In this paper, we present a resilient wireless communication architecture based on Moving Target Defense, and Software Defined Radios (SDRs). The approach achieves its resilient operations by randomly changing the runtime characteristics of the wireless communications channels between different wireless nodes to make it extremely difficult to succeed in launching attacks. The runtime characteristics that can be changed include packet size, network address, modulation type, and the operating frequency of the channel. In addition, the lifespan for each configuration will be random. To reduce the overhead in switching between two consecutive configurations, we use two radio channels that are selected at random from a finite set of potential channels, one will be designated as an active channel while the second acts as a standby channel. This will harden the wireless communications attacks because the attackers have no clue on what channels are currently being used to exploit existing vulnerability and launch an attack. The experimental results and evaluation show that our approach can tolerate a wide range of attacks (Jamming, DOS and session attacks) against wireless networks.

The explosive growth of IT infrastructures, cloud systems, and Internet of Things (IoT) have resulted in complex systems that are extremely difficult to secure and protect against cyberattacks that are growing exponentially in the complexity and also in the number. Overcoming the cybersecurity challenges require cybersecurity environments supporting the development of innovative cybersecurity algorithms and evaluation of the experiments. In this paper, we present the design, analysis, and evaluation of the Cybersecurity Lab as a Service (CLaaS) which offers virtual cybersecurity experiments as a cloud service that can be accessed from anywhere and from any device (desktop, laptop, tablet, smart mobile device, etc.) with Internet connectivity. We exploit cloud computing systems and virtualization technologies to provide isolated and virtual cybersecurity experiments for vulnerability exploitation, launching cyberattacks, how cyber resources and services can be hardened, etc. We also present our performance evaluation and effectiveness of CLaaS experiments used by students.

The explosive growth of IT infrastructures, cloud systems, and Internet of Things (IoT) have resulted in complex systems that are extremely difficult to secure and protect against cyberattacks which are growing exponentially in complexity and in number. Overcoming the cybersecurity challenges is even more complicated due to the lack of training and widely available cybersecurity environments to experiment with and evaluate new cybersecurity methods. The goal of our research is to address these challenges by exploiting cloud services. In this paper, we present the design, analysis, and evaluation of a cloud service that we refer to as Cybersecurity Lab as a Service (CLaaS) which offers virtual cybersecurity experiments that can be accessed from anywhere and from any device (desktop, laptop, tablet, smart mobile device, etc.) with Internet connectivity. In CLaaS, we exploit cloud computing systems and virtualization technologies to provide virtual cybersecurity experiments and hands-on experiences on how vulnerabilities are exploited to launch cyberattacks, how they can be removed, and how cyber resources and services can be hardened or better protected. We also present our experimental results and evaluation of CLaaS virtual cybersecurity experiments that have been used by graduate students taking our cybersecurity class as well as by high school students participating in GenCyber camps.

Cloud Computing is emerging as a new paradigm that aims delivering computing as a utility. For the cloud computing paradigm to be fully adopted and effectively used, it is critical that the security mechanisms are robust and resilient to faults and attacks. Securing cloud systems is extremely complex due to the many interdependent tasks such as application layer firewalls, alert monitoring and analysis, source code analysis, and user identity management. It is strongly believed that we cannot build cloud services that are immune to attacks. Resiliency to attacks is becoming an important approach to address cyber-attacks and mitigate their impacts. Resiliency for mission critical systems is demanded higher. In this paper, we present a methodology to develop an Autonomic Resilient Cloud Management (ARCM) based on moving target defense, cloud service Behavior Obfuscation (BO), and autonomic computing. By continuously and randomly changing the cloud execution environments and platform types, it will be difficult especially for insider attackers to figure out the current execution environment and their existing vulnerabilities, thus allowing the system to evade attacks. We show how to apply the ARCM to one class of applications, Map/Reduce, and evaluate its performance and overhead.