Biblio

Underpinning the operation of Bitcoin is a peer-to-peer (P2P) network [1] that facilitates the execution of transactions by end users, as well as the transaction confirmation process known as bitcoin mining. The security of this P2P network is vital for the currency to function and subversion of the underlying network can lead to attacks on bitcoin users including theft of bitcoins, manipulation of the mining process and denial of service (DoS). As part of this paper the network protocol and bitcoin core software are analysed, with three bitcoin message exchanges (the connection handshake, GETHEADERS/HEADERS and MEMPOOL/INV) found to be potentially vulnerable to spoofing and use in distributed denial of service (DDoS) attacks. Possible solutions to the identified weaknesses and vulnerabilities are evaluated, such as the introduction of random nonces into network messages exchanges.

The normal operation of key measurement and control equipment in power grid (KMCEPG) is of great significance for safe and stable operation of power grid. Firstly, this paper gives a systematic overview of KMCEPG. Secondly, the cyber security risks of KMCEPG on the main station / sub-station side, channel side and terminal side are analyzed and the related vulnerabilities are discovered. Thirdly, according to the risk analysis results, the attack process construction technology of KMCEPG is proposed, which provides the test process and attack ideas for the subsequent KMCEPG-related attack penetration. Fourthly, the simulation penetration test environment is built, and a series of attack tests are carried out on the terminal key control equipment by using the attack flow construction technology proposed in this paper. The correctness of the risk analysis and the effectiveness of the attack process construction technology are verified. Finally, the attack test results are analyzed, and the attack test cases of terminal critical control devices are constructed, which provide the basis for the subsequent attack test. The attack flow construction technology and attack test cases proposed in this paper improve the network security defense capability of key equipment of power grid, ensure the safe and stable operation of power grid, and have strong engineering application value.

Cyber defense can no longer be limited to intrusion detection methods. These systems require malicious activity to enter an internal network before an attack can be detected. Having advanced, predictive knowledge of future attacks allow a potential victim to heighten security and possibly prevent any malicious traffic from breaching the network. This paper investigates the use of Auto-Regressive Integrated Moving Average (ARIMA) models and Bayesian Networks (BN) to predict future cyber attack occurrences and intensities against two target entities. In addition to incident count forecasting, categorical and binary occurrence metrics are proposed to better represent volume forecasts to a victim. Different measurement periods are used in time series construction to better model the temporal patterns unique to each attack type and target configuration, seeing over 86% improvement over baseline forecasts. Using ground truth aggregated over different measurement periods as signals, a BN is trained and tested for each attack type and the obtained results provided further evidence to support the findings from ARIMA. This work highlights the complexity of cyber attack occurrences; each subset has unique characteristics and is influenced by a number of potential external factors.

The rapid rise of cyber-crime activities and the growing number of devices threatened by them place software security issues in the spotlight. As around 90% of all attacks exploit known types of security issues, finding vulnerable components and applying existing mitigation techniques is a viable practical approach for fighting against cyber-crime. In this paper, we investigate how the state-of-the-art machine learning techniques, including a popular deep learning algorithm, perform in predicting functions with possible security vulnerabilities in JavaScript programs. We applied 8 machine learning algorithms to build prediction models using a new dataset constructed for this research from the vulnerability information in public databases of the Node Security Project and the Snyk platform, and code fixing patches from GitHub. We used static source code metrics as predictors and an extensive grid-search algorithm to find the best performing models. We also examined the effect of various re-sampling strategies to handle the imbalanced nature of the dataset. The best performing algorithm was KNN, which created a model for the prediction of vulnerable functions with an F-measure of 0.76 (0.91 precision and 0.66 recall). Moreover, deep learning, tree and forest based classifiers, and SVM were competitive with F-measures over 0.70. Although the F-measures did not vary significantly with the re-sampling strategies, the distribution of precision and recall did change. No re-sampling seemed to produce models preferring high precision, while re-sampling strategies balanced the IR measures.

The Java platform and its third-party libraries provide useful features to facilitate secure coding. However, misusing them can cost developers time and effort, as well as introduce security vulnerabilities in software. We conducted an empirical study on StackOverflow posts, aiming to understand developers' concerns on Java secure coding, their programming obstacles, and insecure coding practices. We observed a wide adoption of the authentication and authorization features provided by Spring Security - a third-party framework designed to secure enterprise applications. We found that programming challenges are usually related to APIs or libraries, including the complicated cross-language data handling of cryptography APIs, and the complex Java-based or XML-based approaches to configure Spring Security. In addition, we reported multiple security vulnerabilities in the suggested code of accepted answers on the StackOverflow forum. The vulnerabilities included disabling the default protection against Cross-Site Request Forgery (CSRF) attacks, breaking SSL/TLS security through bypassing certificate validation, and using insecure cryptographic hash functions. Our findings reveal the insufficiency of secure coding assistance and documentation, as well as the huge gap between security theory and coding practices.

The Internet of Things (IoT) is changing the way we interact with everyday objects. "Smart" devices will reduce energy use, keep our homes safe, and improve our health. However, as recent attacks have shown, these devices also create tremendous security vulnerabilities in our computing networks. Securing all of these devices is a daunting task. In this paper, we argue that IoT device communications should be default-off and desired network communications must be explicitly enabled. Unlike traditional networked applications or devices like a web browser or PC, IoT applications and devices serve narrowly defined purposes and do not require access to all services in the network. Our proposal, Bark, a policy language and runtime for specifying and enforcing minimal access permissions in IoT networks, exploits this fact. Bark phrases access control policies in terms of natural questions (who, what, where, when, and how) and transforms them into transparently enforceable rules for IoT application protocols. Bark can express detailed rules such as "Let the lights see the luminosity of the bedroom sensor at any time" and "Let a device at my front door, if I approve it, unlock my smart lock for 30 seconds" in a way that is presentable and explainable to users. We implement Bark for Wi-Fi/IP and Bluetooth Low Energy (BLE) networks and evaluate its efficacy on several example applications and attacks.

Many governments organizations in Libya have started transferring traditional government services to e-government. These e-services will benefit a wide range of public. However, deployment of e-government bring many new security issues. Attackers would take advantages of vulnerabilities in these e-services and would conduct cyber attacks that would result in data loss, services interruptions, privacy loss, financial loss, and other significant loss. The number of vulnerabilities in e-services have increase due to the complexity of the e-services system, a lack of secure programming practices, miss-configuration of systems and web applications vulnerabilities, or not staying up-to-date with security patches. Unfortunately, there is a lack of study being done to assess the current security level of Libyan government websites. Therefore, this study aims to assess the current security of 16 Libyan government websites using penetration testing framework. In this assessment, no exploits were committed or tried on the websites. In penetration testing framework (pen test), there are four main phases: Reconnaissance, Scanning, Enumeration, Vulnerability Assessment and, SSL encryption evaluation. The aim of a security assessment is to discover vulnerabilities that could be exploited by attackers. We also conducted a Content Analysis phase for all websites. In this phase, we searched for security and privacy policies implementation information on the government websites. The aim is to determine whether the websites are aware of current accepted standard for security and privacy. From our security assessment results of 16 Libyan government websites, we compared the websites based on the number of vulnerabilities found and the level of security policies. We only found 9 websites with high and medium vulnerabilities. Many of these vulnerabilities are due to outdated software and systems, miss-configuration of systems and not applying the latest security patches. These vulnerabilities could be used by cyber hackers to attack the systems and caused damages to the systems. Also, we found 5 websites didn't implement any SSL encryption for data transactions. Lastly, only 2 websites have published security and privacy policies on their websites. This seems to indicate that these websites were not concerned with current standard in security and privacy. Finally, we classify the 16 websites into 4 safety categories: highly unsafe, unsafe, somewhat unsafe and safe. We found only 1 website with a highly unsafe ranking. Based on our finding, we concluded that the security level of the Libyan government websites are adequate, but can be further improved. However, immediate actions need to be taken to mitigate possible cyber attacks by fixing the vulnerabilities and implementing SSL encryption. Also, the websites need to publish their security and privacy policy so the users could trust their websites.

In this cyber era, the cyber threats have reached a new level of menace and maturity. One of the major threat in this cyber world nowadays is ransomware attack which had affected millions of computers. Ransomware locks the valuable data with often unbreakable encryption codes making it inaccessible for both organization and consumers, thus demanding heavy ransom to decrypt the data. In this paper, advanced and improved version of the Petya ransomware has been introduced which has a reduced anti-virus detection of 33% which actually was 71% with the original version. System behavior is also monitored during the attack and analysis of this behavior is performed and described. Along with the behavioral analysis two mitigation strategies have also been proposed to defend the systems from the ransomware attack. This multi-layered approach for the security of the system will minimize the rate of infection as cybercriminals continue to refine their tactics, making it difficult for the organization's complacent development.

Cyber criminals have been extensively using malicious Ransomware software for years. Ransomware is a subset of malware in which the data on a victim's computer is locked, typically by encryption, and payment is demanded before the ransomed data is decrypted and access returned to the victim. The motives for such attacks are not only limited to economical scumming. Illegal attacks on official databases may also target people with political or social power. Although billions of dollars have been spent for preventing or at least reducing the tremendous amount of losses, these malicious Ransomware attacks have been expanding and growing. Therefore, it is critical to perform technical analysis of such malicious codes and, if possible, determine the source of such attacks. It might be almost impossible to recover the affected files due to the strong encryption imposed on such files, however the determination of the source of Ransomware attacks have been becoming significantly important for criminal justice. Unfortunately, there are only a few technical analysis of real life attacks in the literature. In this work, a real life Ransomware attack on an official institute is investigated and fully analyzed. The analysis have been performed by both static and dynamic methods. The results show that the source of the Ransomware attack has been shown to be traceable from the server's whois information.

We consider a moving-target defense of a proxied multiserver tenant of the cloud where the proxies dynamically change to defeat reconnaissance activity by a botnet planning a DDoS attack targeting the tenant. Unlike the system of [4] where all proxies change simultaneously at a fixed rate, we consider a more “responsive” system where the proxies may change more rapidly and selectively based on the current session request intensity, which is expected to be abnormally large during active reconnaissance. In this paper, we study a tractable “adversarial” coupon-collector model wherein proxies change after a random period of time from the latest request, i.e., asynchronously. In addition to determining the stationary mean number of proxies discovered by the attacker, we study the age of a proxy (coupon type) when it has been identified (requested) by the botnet. This gives us the rate at which proxies change (cost to the defender) when the nominal client request load is relatively negligible.

The pervasive use of databases for the storage of critical and sensitive information in many organizations has led to an increase in the rate at which databases are exploited in computer crimes. While there are several techniques and tools available for database forensic analysis, such tools usually assume an apriori database preparation, such as relying on tamper-detection software to already be in place and the use of detailed logging. Further, such tools are built-in and thus can be compromised or corrupted along with the database itself. In practice, investigators need forensic and security audit tools that work on poorlyconfigured systems and make no assumptions about the extent of damage or malicious hacking in a database.In this paper, we present our database forensics methods, which are capable of examining database content from a storage (disk or RAM) image without using any log or file system metadata. We describe how these methods can be used to detect security breaches in an untrusted environment where the security threat arose from a privileged user (or someone who has obtained such privileges). Finally, we argue that a comprehensive and independent audit framework is necessary in order to detect and counteract threats in an environment where the security breach originates from an administrator (either at database or operating system level).

Malicious software or malware is one of the most significant dangers facing the Internet today. In the fight against malware, users depend on anti-malware and anti-virus products to proactively detect threats before damage is done. Those products rely on static signatures obtained through malware analysis. Unfortunately, malware authors are always one step ahead in avoiding detection. This research deals with dynamic malware analysis, which emphasizes on: how the malware will behave after execution, what changes to the operating system, registry and network communication take place. Dynamic analysis opens up the doors for automatic generation of anomaly and active signatures based on the new malware's behavior. The research includes a design of honeypot to capture new malware and a complete dynamic analysis laboratory setting. We propose a standard analysis methodology by preparing the analysis tools, then running the malicious samples in a controlled environment to investigate their behavior. We analyze 173 recent Phishing emails and 45 SPIM messages in search for potentially new malwares, we present two malware samples and their comprehensive dynamic analysis.

Cybercrime has been regarded understandably as a consequent compromise that follows the advent and perceived success of the computer and internet technologies. Equally effecting the privacy, trust, finance and welfare of the wealthy and low-income individuals and organizations, this menace has shown no indication of slowing down. Reports across the world have consistently shown exponential increase in the numbers and costs of cyber-incidents, and more worriedly low conviction rates of cybercriminals, over the years. Stakeholders increasingly explore ways to keep up with containing cyber-incidents by devising tools and techniques to increase the overall efficiency of investigations, but the gap keeps getting wider. However, criminal profiling - an investigative technique that has been proven to provide accurate and valuable directions to traditional crime investigations - has not seen a widespread application, including a formal methodology, to cybercrime investigations due to difficulties in its seamless transference. This paper, in a bid to address this problem, seeks to preliminarily identify the exact benefits criminal profiling has brought to successful traditional crime investigations and the benefits it can translate to cybercrime investigations, identify the challenges posed by the cyber-scene to its implementation in cybercrime investigations, and proffer a practicable solution.

T138 combat cyber crimes, electronic evidence have played an increasing role, but in judicial practice the electronic evidence were not highly applied because of the natural contradiction between the epistemic uncertainty of electronic evidence and the principle of discretionary evidence of judge in the court. in this paper, we put forward a layer-built method to analyze the relevancy of electronic evidence, and discussed their analytical process combined with the case study. The initial practice shows the model is feasible and has a consulting value in analyzing the relevancy of electronic evidence.

Phishing has increased tremendously over last few years and it has become a serious threat to global security and economy. Existing literature dealing with the problem of phishing is scarce. Phishing is a deception technique that uses a combination of technology and social engineering to acquire sensitive information such as online banking passwords, credit card or bank account details [2]. Phishing can be done through emails and websites to collect confidential information. Phishers design fraudulent websites which look similar to the legitimate websites and lure the user to visit the malicious website. Therefore, the users must be aware of malicious websites to protect their sensitive data [1]. But it is very difficult to distinguish between legitimate and fake website especially for nontechnical users [4]. Moreover, phishing sites are growing rapidly. The aim of this paper is to demonstrate phishing detection using fuzzy logic and interpreting results using different defuzzification methods.

Nowadays, most of the world's population has become much dependent on computers for banking, healthcare, shopping, and telecommunication. Security has now become a basic norm for computers and its resources since it has become inherently insecure. Security issues like Denial of Service attacks, TCP SYN Flooding attacks, Packet Dropping attacks and Distributed Denial of Service attacks are some of the methods by which unauthorized users make the resource unavailable to authorized users. There are several security mechanisms like Intrusion Detection System, Anomaly detection and Trust model by which we can be able to identify and counter the abuse of computer resources by unauthorized users. This paper presents a survey of several security mechanisms which have been implemented using Fuzzy logic. Fuzzy logic is one of the rapidly developing technologies, which is used in a sophisticated control system. Fuzzy logic deals with the degree of truth rather than the Boolean logic, which carries the values of either true or false. So instead of providing only two values, we will be able to define intermediate values.

Cisco Adaptive Security Appliance (ASA) 5500 Series Firewall is amongst the most popular and technically advanced for securing organisational networks and systems. One of its most valuable features is its threat detection function which is available on every version of the firewall running a software version of 8.0(2) or higher. Threat detection operates at layers 3 and 4 to determine a baseline for network traffic, analysing packet drop statistics and generating threat reports based on traffic patterns. Despite producing a large volume of statistical information relating to several security events, further effort is required to mine and visually report more significant information and conclude the security status of the network. There are several commercial off-the-shelf tools available to undertake this task, however, they are expensive and may require a cloud subscription. Furthermore, if the information transmitted over the network is sensitive or requires confidentiality, the involvement of a third party or a third-party tool may place organisational security at risk. Therefore, this paper presents a fuzzy logic aided intelligent threat detection solution, which is a cost-free, intuitive and comprehensible solution, enhancing and simplifying the threat detection process for all. In particular, it employs a fuzzy reasoning system based on the threat detection statistics, and presents results/threats through a developed dashboard user interface, for ease of understanding for administrators and users. The paper further demonstrates the successful utilisation of a fuzzy reasoning system for selected and prioritised security events in basic threat detection, although it can be extended to encompass more complex situations, such as complete basic threat detection, advanced threat detection, scanning threat detection, and customised feature based threat detection.

Given the high frequency of information security incidents, feeling that we may soon become innocent victims of these events may be justified. Perpetrators of information security offenses take advantage of several methods to leave no evidence of their crimes, and this pattern of hiding tracks has caused difficulties for investigators searching for digital evidence. Use of the onion router (Tor) is a common way for criminals to conceal their identities and tracks. This paper aims to explain the composition and operation of onion routing; we conduct a forensic experiment to detect the use of the Tor browser and compare several browser modes, including incognito and normal. Through the experimental method described in this paper, investigators can learn to identify perpetrators of Internet crimes, which will be helpful in future endeavors in digital forensics.

The paper presents a new technique for the botnets' detection in the corporate area networks. It is based on the usage of the algorithms of the artificial immune systems. Proposed approach is able to distinguish benign network traffic from malicious one using the clonal selection algorithm taking into account the features of the botnet's presence in the network. An approach present the main improvements of the BotGRABBER system. It is able to detect the IRC, HTTP, DNS and P2P botnets.

Botnet is one of the major threats on the Internet for committing cybercrimes, such as DDoS attacks, stealing sensitive information, spreading spams, etc. It is a challenging issue to detect modern botnets that are continuously improving for evading detection. In this paper, we propose a machine learning based botnet detection system that is shown to be effective in identifying P2P botnets. Our approach extracts convolutional version of effective flow-based features, and trains a classification model by using a feed-forward artificial neural network. The experimental results show that the accuracy of detection using the convolutional features is better than the ones using the traditional features. It can achieve 94.7% of detection accuracy and 2.2% of false positive rate on the known P2P botnet datasets. Furthermore, our system provides an additional confidence testing for enhancing performance of botnet detection. It further classifies the network traffic of insufficient confidence in the neural network. The experiment shows that this stage can increase the detection accuracy up to 98.6% and decrease the false positive rate up to 0.5%.

CAPTCHAs have become an ubiquitous defense used to protect open web resources from being exploited at scale. Traditionally, attackers have developed automatic programs known as CAPTCHA solvers to bypass the mechanism. With the presence of cheap labor in developing countries, hackers now have options to use human solvers. In this research, we develop a game theoretical framework to model the interactions between the defender and the attacker regarding the design and countermeasure of CAPTCHA system. With the result of equilibrium analysis, both parties can determine the optimal allocation of software-based or human-based CAPTCHA solvers. Counterintuitively, instead of the traditional wisdom of making CAPTCHA harder and harder, it may be of best interest of the defender to make CAPTCHA easier. We further suggest a welfare-improving CAPTCHA business model by involving decentralized cryptocurrency computation.

As modern societies become more dependent on IT services, the potential impact both of adversarial cyberattacks and non-adversarial service management mistakes grows. This calls for better cyber situational awareness-decision-makers need to know what is going on. The main focus of this paper is to examine the information elements that need to be collected and included in a common operational picture in order for stakeholders to acquire cyber situational awareness. This problem is addressed through a survey conducted among the participants of a national information assurance exercise conducted in Sweden. Most participants were government officials and employees of commercial companies that operate critical infrastructure. The results give insight into information elements that are perceived as useful, that can be contributed to and required from other organizations, which roles and stakeholders would benefit from certain information, and how the organizations work with creating cyber common operational pictures today. Among findings, it is noteworthy that adversarial behavior is not perceived as interesting, and that the respondents in general focus solely on their own organization.

The following topics are dealt with: security of data; risk management; decision making; computer crime; invasive software; critical infrastructures; data privacy; insurance; Internet of Things; learning (artificial intelligence).

Machine-to-Machine (M2M) networks being connected to the internet at large, inherit all the cyber-vulnerabilities of the standard Information Technology (IT) systems. Since perfect cyber-security and robustness is an idealistic construct, it is worthwhile to design intrusion detection schemes to quickly detect and mitigate the harmful consequences of cyber-attacks. Volumetric anomaly detection have been popularized due to their low-complexity, but they cannot detect low-volume sophisticated attacks and also suffer from high false-alarm rate. To overcome these limitations, feature-based detection schemes have been studied for IT networks. However these schemes cannot be easily adapted to M2M systems due to the fundamental architectural and functional differences between the M2M and IT systems. In this paper, we propose novel feature-based detection schemes for a general M2M uplink to detect Distributed Denial-of-Service (DDoS) attacks, emergency scenarios and terminal device failures. The detection for DDoS attack and emergency scenarios involves building up a database of legitimate M2M connections during a training phase and then flagging the new M2M connections as anomalies during the evaluation phase. To distinguish between DDoS attack and emergency scenarios that yield similar signatures for anomaly detection schemes, we propose a modified Canberra distance metric. It basically measures the similarity or differences in the characteristics of inter-arrival time epochs for any two anomalous streams. We detect device failures by inspecting for the decrease in active M2M connections over a reasonably large time interval. Lastly using Monte-Carlo simulations, we show that the proposed anomaly detection schemes have high detection performance and low-false alarm rate.

While advances in cyber-security defensive mechanisms have substantially prevented malware from penetrating into organizational Information Systems (IS) networks, organizational users have found themselves vulnerable to threats emanating from Advanced Persistent Threat (APT) vectors, mostly in the form of spear phishing. In this respect, the question of how an organizational user can differentiate between a genuine communication and a similar looking fraudulent communication in an email/APT threat vector remains a dilemma. Therefore, identifying and evaluating the APT vector attributes and assigning relative weights to them can assist the user to make a correct decision when confronted with a scenario that may be genuine or a malicious APT vector. In this respect, we propose an APT Decision Matrix model which can be used as a lens to build multiple APT threat vector scenarios to identify threat attributes and their weights, which can lead to systems compromise.