
Filters: Keyword is Cyber defence
2021-12-20
Meier, Roland, Lavrenovs, Arturs, Heinäaro, Kimmo, Gambazzi, Luca, Lenders, Vincent.  2021.  Towards an AI-powered Player in Cyber Defence Exercises. 2021 13th International Conference on Cyber Conflict (CyCon). :309–326.
Cyber attacks are becoming increasingly frequent, sophisticated, and stealthy. This makes it harder for cyber defence teams to keep up, forcing them to automate their defence capabilities in order to improve their reactivity and efficiency. Therefore, we propose a fully automated cyber defence framework that no longer needs support from humans to detect and mitigate attacks within a complex infrastructure. We design our framework based on a real-world case - Locked Shields - the world's largest cyber defence exercise. In this exercise, teams have to defend their networked infrastructure against attacks, while maintaining operational services for their users. Our framework architecture connects various cyber sensors with network, device, application, and user actuators through an artificial intelligence (AI)-powered automated team in order to dynamically secure the cyber environment. To the best of our knowledge, our framework is the first attempt towards a fully automated cyber defence team that aims at protecting complex environments from sophisticated attacks.
2020-06-01
Baruwal Chhetri, Mohan, Uzunov, Anton, Vo, Bao, Nepal, Surya, Kowalczyk, Ryszard.  2019.  Self-Improving Autonomic Systems for Antifragile Cyber Defence: Challenges and Opportunities. 2019 IEEE International Conference on Autonomic Computing (ICAC). :18–23.

Antifragile systems enhance their capabilities and become stronger when exposed to adverse conditions, stresses or attacks, making antifragility a desirable property for cyber defence systems that operate in contested military environments. Self-improvement in autonomic systems refers to the improvement of their self-* capabilities, so that they are able to (a) better handle previously known (anticipated) situations, and (b) deal with previously unknown (unanticipated) situations. In this position paper, we present a vision of using self-improvement through learning to achieve antifragility in autonomic cyber defence systems. We first enumerate some of the major challenges associated with realizing distributed self-improvement. We then propose a reference model for middleware frameworks for self-improving autonomic systems and a set of desirable features of such frameworks.

2019-12-18
Dogrul, Murat, Aslan, Adil, Celik, Eyyup.  2011.  Developing an international cooperation on cyber defense and deterrence against Cyber terrorism. 2011 3rd International Conference on Cyber Conflict. :1–15.
Information Technology (IT) security is a growing concern for governments around the world. Cyber terrorism poses a direct threat to the security of the nations' critical infrastructures and ITs as a low-cost asymmetric warfare element. Most of these nations are aware of the vulnerability of the information technologies and the significance of protecting critical infrastructures. To counteract the threat of potentially disastrous cyber attacks, nations' policy makers are increasingly pondering on the use of deterrence strategies to supplement cyber defense. Nations create their own national policies and strategies which cover cyber security countermeasures including cyber defense and deterrence against cyber threats. But it is rather hard to cope with the threat by means of merely 'national' cyber defense policies and strategies, since cyberspace spans worldwide and an attack's origin can even be overseas. The term "cyber terrorism" is another source of controversy. An agreement on a common definition of cyber terrorism among the nations is needed. However, the international community has not been able to succeed in developing a commonly accepted comprehensive definition of "terrorism" itself. This paper evaluates the importance of building international cooperation on cyber defense and deterrence against cyber terrorism. It aims to improve and further existing contents and definitions of cyber terrorism; it discusses the attractiveness of cyber attacks for terrorists and past experiences on cyber terrorism. It emphasizes establishing international legal measures and cooperation between nations against cyber terrorism in order to maintain international stability and prosperity. In accordance with NATO's new strategic concept, it focuses on developing the member nations' ability to prevent, detect, defend against and recover from cyber attacks to enhance and coordinate national cyber defense capabilities. It provides necessary steps that have to be taken globally in order to counter cyber terrorism.
2018-02-02
Rogers, R., Apeh, E., Richardson, C. J..  2016.  Resilience of the Internet of Things (IoT) from an Information Assurance (IA) perspective. 2016 10th International Conference on Software, Knowledge, Information Management Applications (SKIMA). :110–115.

Internet infrastructure developments and the rise of the IoT Socio-Technical Systems (STS) have frequently generated more insecure protocols to facilitate the rapid intercommunication between the plethora of IoT devices. Whereas current development of the IoT has been mainly focused on enabling and effectively meeting the functionality requirements of digital-enabled enterprises, we have seen scant regard for their IA architecture, marginalizing system resilience with blatant afterthoughts to cyber defence. Whilst interconnected IoT devices do facilitate and expand information sharing, they further increase risk exposure and potential loss of trust in their Socio-Technical Systems. A change in the IoT paradigm is needed to enable a security-first mind-set if the trusted sharing of information built upon dependable resilient growth of IoT is to be established and maintained. We argue that Information Assurance is paramount to the success of IoT, specifically its resilience and dependability to continue its safe support for our digital economy.

2018-01-23
Erola, A., Agrafiotis, I., Happa, J., Goldsmith, M., Creese, S., Legg, P. A..  2017.  RicherPicture: Semi-automated cyber defence using context-aware data analytics. 2017 International Conference On Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA). :1–8.

In a continually evolving cyber-threat landscape, the detection and prevention of cyber attacks has become a complex task. Technological developments have led organisations to digitise the majority of their operations. This practice, however, has its perils, since cyberspace offers a new attack surface. Institutions which are tasked to protect organisations from these threats utilise mainly network data, and their incident response strategy remains oblivious to the needs of the organisation when it comes to protecting operational aspects. This paper presents a system able to combine threat intelligence data, attack-trend data and organisational data (along with other data sources available) in order to achieve automated network-defence actions. Our approach combines machine learning, visual analytics and information from business processes to guide the decision-making process in a Security Operation Centre environment. We test our system on two synthetic scenarios and show that correlating network data with non-network data for automated network defences is possible and worth investigating further.

2017-09-15
Ahmad, Muhammad Aminu, Woodhead, Steve, Gan, Diane.  2016.  A Safeguard Against Fast Self-propagating Malware. Proceedings of the 6th International Conference on Communication and Network Security. :65–69.

This paper presents a detection and containment mechanism for fast self-propagating network worm malware. The detection part of the mechanism uses two categories of network host activities to identify worm behaviour in a network. Upon an identified worm activity in a network, a data-link containment system is used to isolate the internal source of infection, and a network level containment system is used to block inbound worm datagrams. The mechanism has been demonstrated using a software prototype. A number of worm experiments have been conducted to evaluate the prototype. The empirical results show the effectiveness of the developed mechanism in containing fast network worm malware at an early stage with almost no false positives.