Biblio

Internet Protocol (IP) address holds a probative value to the identification process in digital forensics. The decimal digit is a unique identifier that is beneficial in many investigations (i.e., network, email, memory). IP addresses can reveal important information regarding the device that the user uses during Internet activity. One of the things that IP addresses can essentially help digital forensics investigators in is the identification of the user machine and tracing evidence based on network artifacts. Unfortunately, it appears that some of the well-known digital forensic tools only provide functions to recover IP addresses from a given forensic image. Thus, there is still a gap in answering if IP addresses found in a smartphone can help reveal the user’s location and be used to aid investigators in identifying IP addresses that complement the user’s physical location. Furthermore, the lack of utilizing IP mapping and visualizing techniques has resulted in the omission of such digital evidence. This research aims to emphasize the importance of geolocation data in digital forensic investigations, propose an IP visualization technique considering several sources of evidence, and enhance the investigation process’s speed when its pertained to IP addresses using spatial analysis. Moreover, this research proposes a proof-of-concept (POC) standalone tool that can match critical IP addresses with approximate geolocations to fill the gap in this area.

Many IoT devices are part of fixed critical infrastructure, where the mere act of moving an IoT device may constitute an attack. Moving pressure, chemical and radiation sensors in a factory can have devastating consequences. Relocating roadside speed sensors, or smart meters without knowledge of command and control center can similarly wreck havoc. Consequently, authenticating geolocation of IoT devices is an important problem. Unfortunately, an IoT device itself may be compromised by an adversary. Hence, location information from the IoT device cannot be trusted. Thus, we have to rely on infrastructure to obtain a proximal location. Infrastructure routers may similarly be compromised. Therefore, there must be a way to authenticate trusted routers remotely. Unfortunately, IP packets may be blocked, hijacked or forged by an adversary. Therefore IP packets are not trustworthy either. Thus, we resort to covert channels for authenticating Internet packet routers as an intermediate step towards proximal geolocation of IoT devices. Several techniques have been proposed in the literature to obtain the geolocation of an edge device, but it has been shown that a knowledgeable adversary can circumvent these techniques. In this paper, we survey the state-of-the-art geolocation techniques and corresponding adversarial countermeasures to evade geolocation to justify the use of covert channels on networks. We propose a technique for determining proximal geolocation using covert channel. Challenges and directions for future work are also explored.

This work proposes a novel approach to infer and characterize Internet-scale DNS amplification DDoS attacks by leveraging the darknet space. Complementary to the pioneer work on inferring Distributed Denial of Service (DDoS) using darknet, this work shows that we can extract DDoS activities without relying on backscattered analysis. The aim of this work is to extract cyber security intelligence related to DNS Amplification DDoS activities such as detection period, attack duration, intensity, packet size, rate and geo- location in addition to various network-layer and flow-based insights. To achieve this task, the proposed approach exploits certain DDoS parameters to detect the attacks. We empirically evaluate the proposed approach using 720 GB of real darknet data collected from a /13 address space during a recent three months period. Our analysis reveals that the approach was successful in inferring significant DNS amplification DDoS activities including the recent prominent attack that targeted one of the largest anti-spam organizations. Moreover, the analysis disclosed the mechanism of such DNS amplification DDoS attacks. Further, the results uncover high-speed and stealthy attempts that were never previously documented. The case study of the largest DDoS attack in history lead to a better understanding of the nature and scale of this threat and can generate inferences that could contribute in detecting, preventing, assessing, mitigating and even attributing of DNS amplification DDoS activities.
 

Recognizing activities in wide aerial/overhead imagery remains a challenging problem due in part to low-resolution video and cluttered scenes with a large number of moving objects. In the context of this research, we deal with two un-synchronized data sources collected in real-world operating scenarios: full-motion videos (FMV) and analyst call-outs (ACO) in the form of chat messages (voice-to-text) made by a human watching the streamed FMV from an aerial platform. We present a multi-source multi-modal activity/event recognition system for surveillance applications, consisting of: (1) detecting and tracking multiple dynamic targets from a moving platform, (2) representing FMV target tracks and chat messages as graphs of attributes, (3) associating FMV tracks and chat messages using a probabilistic graph-based matching approach, and (4) detecting spatial-temporal activity boundaries. We also present an activity pattern learning framework which uses the multi-source associated data as training to index a large archive of FMV videos. Finally, we describe a multi-intelligence user interface for querying an index of activities of interest (AOIs) by movement type and geo-location, and for playing-back a summary of associated text (ACO) and activity video segments of targets-of-interest (TOIs) (in both pixel and geo-coordinates). Such tools help the end-user to quickly search, browse, and prepare mission reports from multi-source data.

This work proposes a novel approach to infer and characterize Internet-scale DNS amplification DDoS attacks by leveraging the darknet space. Complementary to the pioneer work on inferring Distributed Denial of Service (DDoS) using darknet, this work shows that we can extract DDoS activities without relying on backscattered analysis. The aim of this work is to extract cyber security intelligence related to DNS Amplification DDoS activities such as detection period, attack duration, intensity, packet size, rate and geo- location in addition to various network-layer and flow-based insights. To achieve this task, the proposed approach exploits certain DDoS parameters to detect the attacks. We empirically evaluate the proposed approach using 720 GB of real darknet data collected from a /13 address space during a recent three months period. Our analysis reveals that the approach was successful in inferring significant DNS amplification DDoS activities including the recent prominent attack that targeted one of the largest anti-spam organizations. Moreover, the analysis disclosed the mechanism of such DNS amplification DDoS attacks. Further, the results uncover high-speed and stealthy attempts that were never previously documented. The case study of the largest DDoS attack in history lead to a better understanding of the nature and scale of this threat and can generate inferences that could contribute in detecting, preventing, assessing, mitigating and even attributing of DNS amplification DDoS activities.