Okutan, Ahmet, Cheng, Fu-Yuan, Su, Shao-Hsuan, Yang, Shanchieh Jay.
2019.
Dynamic Generation of Empirical Cyberattack Models with Engineered Alert Features. MILCOM 2019 - 2019 IEEE Military Communications Conference (MILCOM). :1–6.
Due to the increased diversity and complexity of cyberattacks, innovative and effective analytics are needed in order to identify critical cyber incidents on a corporate network even if no ground truth data is available. This paper develops an automated system which processes a set of intrusion alerts to create behavior aggregates and then classifies these aggregates into empirical attack models through a dynamic Bayesian approach with innovative feature engineering methods. Each attack model represents a unique collective attack behavior that helps to identify critical activities on the network. Using 2017 National Collegiate Penetration Testing Competition data, it is demonstrated that the developed system is capable of generating and refining unique attack models that make sense to humans, without a priori knowledge.
Marchand-Niño, William-Rogelio, Fonseca, Bruno Paolo Guzman.
2019.
Social Engineering for Diagnostic the Information Security Culture. 2019 IEEE 39th Central America and Panama Convention (CONCAPAN XXXIX). :1–6.
In the process of diagnosing the culture of information security in an organization, it is considered two methods, the first one is the application of an ISCA (Information Security Culture Assessment) survey questionnaire and the second one based on social engineering techniques such as phishing, answering the question, How can a diagnosis be made effectively of the level of information security culture within an organization? with the objective of determining which of the two methods is the most effective and realistic for the diagnosis of the information security culture. This helps to understand and have a real and complete perception of the behavior and reaction of the users against the attacks of threat actors who make use of persuasion and manipulation tactics in order to obtain confidential or sensitive information. A description of these two methods is applied to a case study (public university). As a result, it is obtained that it is not enough to perform a diagnosis based on questionnaires because they can be relatively subjective in the sense of the way in which users respond to questions or statements. Evidence of controlled social engineering attacks that demonstrate in more detail the real behavior of users should be considered. Based on this more complete knowledge, appropriate strategies can be formulated for the change or strengthening of the security culture that ultimately contributes to the purpose of protecting information assets.
Sieu, Brandon, Gavrilova, Marina.
2019.
Person Identification from Visual Aesthetics Using Gene Expression Programming. 2019 International Conference on Cyberworlds (CW). :279–286.
The last decade has witnessed an increase in online human interactions, covering all aspects of personal and professional activities. Identification of people based on their behavior rather than physical traits is a growing industry, spanning diverse spheres such as online education, e-commerce and cyber security. One prominent behavior is the expression of opinions, commonly as a reaction to images posted online. Visual aesthetic is a soft, behavioral biometric that refers to a person's sense of fondness to a certain image. Identifying individuals using their visual aesthetics as discriminatory features is an emerging domain of research. This paper introduces a new method for aesthetic feature dimensionality reduction using gene expression programming. The advantage of this method is that the resulting system is capable of using a tree-based genetic approach for feature recombination. Reducing feature dimensionality improves classifier accuracy, reduces computation runtime, and minimizes required storage. The results obtained on a dataset of 200 Flickr users evaluating 40000 images demonstrate a 94% accuracy of identity recognition based solely on users' aesthetic preferences. This outperforms the best-known method by 13.5%.
Flores, Pedro, Farid, Munsif, Samara, Khalid.
2019.
Assessing E-Security Behavior among Students in Higher Education. 2019 Sixth HCT Information Technology Trends (ITT). :253–258.
This study was conducted in order to assess the E-security behavior of students in a large higher educational institution in the United Arab Emirates (UAE). Specifically, it sought to determine the current state of students' E-security behavior in the aspects of malware, password usage, data handling, phishing, social engineering, and online scam. An E-Security Behavior Survey Instrument (EBSI) was used to determine the status of security behavior of the participants in doing their computing activities. To complement the survey tool, focus group discussions were conducted to elicit specific experiences and insights of the participants relative to E-security. The results of the study show that the overall E-security behavior among students in higher education in the United Arab Emirates (UAE) is moderately favorable. Specifically, the investigation reveals that the students favorably behave when it comes to phishing, social engineering, and online scam. However, they uncertainly behave on malware issues, password usage, and data handling.
Ferguson-Walter, Kimberly, Major, Maxine, Van Bruggen, Dirk, Fugate, Sunny, Gutzwiller, Robert.
2019.
The World (of CTF) is Not Enough Data: Lessons Learned from a Cyber Deception Experiment. 2019 IEEE 5th International Conference on Collaboration and Internet Computing (CIC). :346–353.
The human side of cyber is fundamentally important to understanding and improving cyber operations. With the exception of Capture the Flag (CTF) exercises, cyber testing and experimentation tends to ignore the human attacker. While traditional CTF events include a deeply rooted human component, they rarely aim to measure human performance, cognition, or psychology. We argue that CTF is not sufficient for measuring these aspects of the human; instead, we examine the value in performing red team behavioral and cognitive testing in a large-scale, controlled human-subject experiment. In this paper we describe the pros and cons of performing this type of experimentation and provide detailed exposition of the data collection and experimental controls used during a recent cyber deception experiment, the Tularosa Study. Finally, we will discuss lessons learned and how our experiences can inform best practices in future cyber operations studies of human behavior and cognition.
Jeong, Jongkil, Mihelcic, Joanne, Oliver, Gillian, Rudolph, Carsten.
2019.
Towards an Improved Understanding of Human Factors in Cybersecurity. 2019 IEEE 5th International Conference on Collaboration and Internet Computing (CIC). :338–345.
Cybersecurity cannot be addressed by technology alone; the most intractable aspects are in fact sociotechnical. As a result, the 'human factor' has been recognised as being the weakest and most obscure link in creating safe and secure digital environments. This study examines the subjective and often complex nature of human factors in the cybersecurity context through a systematic literature review of 27 articles which span across technical, behavior and social sciences perspectives. Results from our study suggest that there is still predominately a technical focus, which excludes the consideration of human factors in cybersecurity. Our literature review suggests that this is due to a lack of consolidation of the attributes pertaining to human factors; the application of theoretical frameworks; and a lack of in-depth qualitative studies. To ensure that these gaps are addressed, we propose that future studies take into consideration (a) consolidating the human factors; (b) examining cyber security from an interdisciplinary approach; (c) conducting additional qualitative research whilst investigating human factors in cybersecurity.
Sharafaldin, Iman, Ghorbani, Ali A.
2018.
EagleEye: A Novel Visual Anomaly Detection Method. 2018 16th Annual Conference on Privacy, Security and Trust (PST). :1–6.
We propose a novel visualization technique (Eagle-Eye) for intrusion detection, which visualizes a host as a community of system call traces in two-dimensional space. The goal of EagleEye is to visually cluster the system call traces. Although human eyes can easily perceive anomalies using EagleEye view, we propose two different methods called SAM and CPM that use the concept of data depth to help administrators distinguish between normal and abnormal behaviors. Our experimental results conducted on Australian Defence Force Academy Linux Dataset (ADFA-LD), which is a modern system calls dataset that includes new exploits and attacks on various programs, show EagleEye's efficiency in detecting diverse exploits and attacks.
Sánchez, Marco, Torres, Jenny, Zambrano, Patricio, Flores, Pamela.
2018.
FraudFind: Financial fraud detection by analyzing human behavior. 2018 IEEE 8th Annual Computing and Communication Workshop and Conference (CCWC). :281–286.
Financial fraud is commonly represented by the use of illegal practices where they can intervene from senior managers until payroll employees, becoming a crime punishable by law. There are many techniques developed to analyze, detect and prevent this behavior, being the most important the fraud triangle theory associated with the classic financial audit model. In order to perform this research, a survey of the related works in the existing literature was carried out, with the purpose of establishing our own framework. In this context, this paper presents FraudFind, a conceptual framework that allows to identify and outline a group of people inside a banking organization who commit fraud, supported by the fraud triangle theory. FraudFind works in the approach of continuous audit that will be in charge of collecting information of agents installed in user's equipment. It is based on semantic techniques applied through the collection of phrases typed by the users under study for later being transferred to a repository for later analysis. This proposal encourages to contribute with the field of cybersecurity, in the reduction of cases of financial fraud.
Faghihi, Farnood, Abadi, Mahdi, Tajoddin, Asghar.
2018.
SMSBotHunter: A Novel Anomaly Detection Technique to Detect SMS Botnets. 2018 15th International ISC (Iranian Society of Cryptology) Conference on Information Security and Cryptology (ISCISC). :1–6.
Over the past few years, botnets have emerged as one of the most serious cybersecurity threats faced by individuals and organizations. After infecting millions of servers and workstations worldwide, botmasters have started to develop botnets for mobile devices. Mobile botnets use different mediums to communicate with their botmasters. Although significant research has been done to detect mobile botnets that use the Internet as their command and control (C&C) channel, little research has investigated SMS botnets per se. In order to fill this gap, in this paper, we first divide SMS botnets based on their characteristics into three families, namely, info stealer, SMS stealer, and SMS spammer. Then, we propose SMSBotHunter, a novel anomaly detection technique that detects SMS botnets using textual and behavioral features and one-class classification. We experimentally evaluate the detection performance of SMSBotHunter by simulating the behavior of human users and SMS botnets. The experimental results demonstrate that most of the SMS messages sent or received by info stealer and SMS spammer botnets can be detected using textual features exclusively. It is also revealed that behavioral features are crucial for the detection of SMS stealer botnets and will improve the overall detection performance.
Asadi, Nima, Rege, Aunshul, Obradovic, Zoran.
2018.
Analysis of Adversarial Movement Through Characteristics of Graph Topological Ordering. 2018 International Conference On Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA). :1–6.
Capturing the patterns in adversarial movement can provide valuable information regarding how the adversaries progress through cyberattacks. This information can be further employed for making comparisons and interpretations of decision making of the adversaries. In this study, we propose a framework based on concepts of social networks to characterize and compare the patterns, variations and shifts in the movements made by an adversarial team during a real-time cybersecurity exercise. We also explore the possibility of movement association with the skill sets using topological sort networks. This research provides preliminary insight on adversarial movement complexity and linearity and decision-making as cyberattacks unfold.
Chung, Wingyan, Liu, Jinwei, Tang, Xinlin, Lai, Vincent S. K.
2018.
Extracting Textual Features of Financial Social Media to Detect Cognitive Hacking. 2018 IEEE International Conference on Intelligence and Security Informatics (ISI). :244–246.
Social media are increasingly reflecting and influencing the behavior of human and financial market. Cognitive hacking leverages the influence of social media to spread deceptive information with an intent to gain abnormal profits illegally or to cause losses. Measuring the information content in financial social media can be useful for identifying these attacks. In this paper, we developed an approach to identifying social media features that correlate with abnormal returns of the stocks of companies vulnerable to be targets of cognitive hacking. To test the approach, we collected price data and 865,289 social media messages on four technology companies from July 2017 to June 2018, and extracted features that contributed to abnormal stock movements. Preliminary results show that terms that are simple, motivate actions, incite emotion, and use exaggeration are ranked high in the features of messages associated with abnormal price movements. We also provide selected messages to illustrate the use of these features in potential cognitive hacking attacks.
Kautsarina, Anggorojati, Bayu.
2018.
A Conceptual Model for Promoting Positive Security Behavior in Internet of Things Era. 2018 Global Wireless Summit (GWS). :358–363.
As the Internet of Things (IoT) era rises, billions of additional connected devices in new locations and applications will create new challenges. Security and privacy are among the major challenges in IoT as any breaches and misuse in those aspects will have the adverse impact on users. Among many factors that determine the security of any system, human factor is the most important aspect to be considered; as it is renowned that human is the weakest link in the information security cycle. Experts express the need to increase cyber resilience culture and a focus on the human factors involved in cybersecurity to counter cyber risks. The aim of this study is to propose a conceptual model to improve cyber resilience in IoT users that is adapted from a model in public health sector. Cyber resilience is improved through promoting security behavior by gathering the existing knowledge and gain understanding about every contributing aspect. The proposed approach is expected to be used as foundation for government, especially in Indonesia, to derive strategies in improving cyber resilience of IoT users.
Foroughi, Farhad, Luksch, Peter.
2018.
Observation Measures to Profile User Security Behaviour. 2018 International Conference on Cyber Security and Protection of Digital Services (Cyber Security). :1–6.
Recognising user behaviour in real time is an important element of providing appropriate information and help to take suitable action or decision regarding cybersecurity threats. A user's security behaviour profile is a set of structured data and information to describe a user in an interactive environment between the user and computer. The first step for behaviour profiling is user behaviour model development including data collection. The data collection should be transparent as much as possible with minimum user interaction. Monitoring individual actions to obtain labelled training data is less costly and more effective in creating a behaviour profile. The most challenging issue in computer user security can be identifying suitable data. This research aims to determine required observation measures to capture user-system interactions to understand user's behaviour and create a user profile for cybersecurity purposes.
Alissa, Khalid Adnan, Alshehri, Hanan Abdullah, Dahdouh, Shahad Abdulaziz, Alsubaie, Basstaa Mohammad, Alghamdi, Afnan Mohammed, Alharby, Abdulrahman, Almubairik, Norah Ahmed.
2018.
An Instrument to Measure Human Behavior Toward Cyber Security Policies. 2018 21st Saudi Computer Society National Computer Conference (NCC). :1–6.
Human is the weakest link in information security. Even with strong cyber security policies an organization can still be hacked because of a human error. Even if people are aware of the policies and their importance they might not behave accordingly. This shows the importance of studying and measuring human behavior toward cyber security policies. This paper introduces a new instrument that can be used to measure human behavior toward cybersecurity policies through creative measures. The goal is to gather data about human behaviors toward cybersecurity policies in natural environment. This method of gathering information allows people to behave normally and not feel the need to answer perfectly. The paper illustrates all the previous work related to the subject, summarizing previous work in order to improve what has been previously done. The methodology seeks to measure behavior based on specific measures. These measures are the password, email, identity, sensitive data, and physical/resource security. Each measure has a number of policies used to measure behavior. These policies were selected among several policies based on literature from the same field and the opinion of experts in the field. These questions, which went through several rounds of checks, were used to build the proposed instrument. This instrument then shall be used by researchers to collect data and perform the required analysis. This paper discusses the behavior pattern in a detailed and concise manner. The paper demonstrates that it is possible to measure behavior if the right questions were asked in the right way.
Chowdhury, Noman H., Adam, Marc T. P., Skinner, Geoffrey.
2018.
The Impact of Time Pressure on Human Cybersecurity Behavior: An Integrative Framework. 2018 26th International Conference on Systems Engineering (ICSEng). :1–10.
Cybersecurity is a growing concern for private individuals and professional entities. Thereby, reports have shown that the majority of cybersecurity incidents occur because users fail to behave securely. Research on human cybersecurity (HCS) behavior suggests that time pressure is one of the important driving factors behind insecure HCS behavior. However, as our review reveals, studies on the role of time pressure in HCS are scant and there is no framework that can inform researchers and practitioners on this matter. In this paper, we present a conceptual framework consisting of contexts, psychological constructs, and boundary conditions pertaining to the role time pressure plays on HCS behavior. The framework is also validated and extended by findings from semi-structured interviews of different stakeholder groups comprising of cybersecurity experts, professionals, and general users. The framework will serve as a guideline for future studies exploring different aspects of time pressure in cybersecurity contexts and also to identify potential countermeasures for the detrimental impact of time pressure on HCS behavior.