-
Cyber-Security Challenges in Aviation Industry: A Review of Current and Future Trends
Authors:
Elochukwu Ukwandu,
Mohamed Amine Ben Farah,
Hanan Hindy,
Miroslav Bures,
Robert Atkinson,
Christos Tachtatzis,
Xavier Bellekens
Abstract:
The integration of Information and Communication Technology (ICT) tools into mechanical devices found in aviation industry has raised security concerns. The more integrated the system, the more vulnerable due to the inherent vulnerabilities found in ICT tools and software that drives the system. The security concerns have become more heightened as the concept of electronic-enabled aircraft and sma…
▽ More
The integration of Information and Communication Technology (ICT) tools into mechanical devices found in aviation industry has raised security concerns. The more integrated the system, the more vulnerable due to the inherent vulnerabilities found in ICT tools and software that drives the system. The security concerns have become more heightened as the concept of electronic-enabled aircraft and smart airports get refined and implemented underway. In line with the above, this paper undertakes a review of cyber-security incidence in the aviation sector over the last 20 years. The essence is to understand the common threat actors, their motivations, the type of attacks, aviation infrastructure that is commonly attacked and then match these so as to provide insight on the current state of the cyber-security in the aviation sector. The review showed that the industry's threats come mainly from Advance Persistent Threat (APT) groups that work in collaboration with some state actors to steal intellectual property and intelligence, in order to advance their domestic aerospace capabilities as well as possibly monitor, infiltrate and subvert other nations' capabilities. The segment of the aviation industry commonly attacked is the Information Technology infrastructure, and the prominent type of attacks is malicious hacking activities that aim at gaining unauthorised access using known malicious password cracking techniques such as Brute force attacks, Dictionary attacks and so on. The review further analysed the different attack surfaces that exist in aviation industry, threat dynamics, and use these dynamics to predict future trends of cyberattacks in the industry. The aim is to provide information for the cybersecurity professionals and aviation stakeholders for proactive actions in protecting these critical infrastructures against cyberincidence for an optimal customer service oriented industry.
△ Less
Submitted 10 July, 2021;
originally announced July 2021.
-
Securing the Electric Vehicle Charging Infrastructure
Authors:
Roberto Metere,
Myriam Neaimeh,
Charles Morisset,
Carsten Maple,
Xavier Bellekens,
Ricardo M. Czekster
Abstract:
Electric Vehicles (EVs) can help alleviate our reliance on fossil fuels for transport and electricity systems. However, charging millions of EV batteries requires management to prevent overloading the electricity grid and minimise costly upgrades that are ultimately paid for by consumers.
Managed chargers, such as Vehicle-to-Grid (V2G) chargers, allow control over the time, speed and direction o…
▽ More
Electric Vehicles (EVs) can help alleviate our reliance on fossil fuels for transport and electricity systems. However, charging millions of EV batteries requires management to prevent overloading the electricity grid and minimise costly upgrades that are ultimately paid for by consumers.
Managed chargers, such as Vehicle-to-Grid (V2G) chargers, allow control over the time, speed and direction of charging. Such control assists in balancing electricity supply and demand across a green electricity system and could reduce costs for consumers.
Smart and V2G chargers connect EVs to the power grid using a charging device which includes a data connection to exchange information and control commands between various entities in the EV ecosystem. This introduces data privacy concerns and is a potential target for cyber-security attacks. Therefore, the implementation of a secure system is crucial to permit both consumers and electricity system operators to trust smart charging and V2G.
In principle, we already have the technology needed for a connected EV charging infrastructure to be securely enabled, borrowing best practices from the Internet and industrial control systems. We must properly adapt the security technology to take into account the challenges peculiar to the EV charging infrastructure. Challenges go beyond technical considerations and other issues arise such as balancing trade-offs between security and other desirable qualities such as interoperability, scalability, crypto-agility, affordability and energy efficiency.
This document reviews security and privacy topics relevant to the EV charging ecosystem with a focus on smart charging and V2G.
△ Less
Submitted 6 July, 2022; v1 submitted 6 May, 2021;
originally announced May 2021.
-
Utilising Flow Aggregation to Classify Benign Imitating Attacks
Authors:
Hanan Hindy,
Robert Atkinson,
Christos Tachtatzis,
Ethan Bayne,
Miroslav Bures,
Xavier Bellekens
Abstract:
Cyber-attacks continue to grow, both in terms of volume and sophistication. This is aided by an increase in available computational power, expanding attack surfaces, and advancements in the human understanding of how to make attacks undetectable. Unsurprisingly, machine learning is utilised to defend against these attacks. In many applications, the choice of features is more important than the cho…
▽ More
Cyber-attacks continue to grow, both in terms of volume and sophistication. This is aided by an increase in available computational power, expanding attack surfaces, and advancements in the human understanding of how to make attacks undetectable. Unsurprisingly, machine learning is utilised to defend against these attacks. In many applications, the choice of features is more important than the choice of model. A range of studies have, with varying degrees of success, attempted to discriminate between benign traffic and well-known cyber-attacks. The features used in these studies are broadly similar and have demonstrated their effectiveness in situations where cyber-attacks do not imitate benign behaviour. To overcome this barrier, in this manuscript, we introduce new features based on a higher level of abstraction of network traffic. Specifically, we perform flow aggregation by grou** flows with similarities. This additional level of feature abstraction benefits from cumulative information, thus qualifying the models to classify cyber-attacks that mimic benign traffic. The performance of the new features is evaluated using the benchmark CICIDS2017 dataset, and the results demonstrate their validity and effectiveness. This novel proposal will improve the detection accuracy of cyber-attacks and also build towards a new direction of feature extraction for complex ones.
△ Less
Submitted 6 March, 2021;
originally announced March 2021.
-
PatrIoT: IoT Automated Interoperability and Integration Testing Framework
Authors:
Miroslav Bures,
Bestoun S. Ahmed,
Vaclav Rechtberger,
Matej Klima,
Michal Trnka,
Miroslav Jaros,
Xavier Bellekens,
Dani Almog,
Pavel Herout
Abstract:
With the rapid growth of the contemporary Internet of Things (IoT) market, the established systems raise a number of concerns regarding the reliability and the potential presence of critical integration defects. In this paper, we present a PatrIoT framework that aims to provide flexible support to construct an effective IoT system testbed to implement automated interoperability and integration tes…
▽ More
With the rapid growth of the contemporary Internet of Things (IoT) market, the established systems raise a number of concerns regarding the reliability and the potential presence of critical integration defects. In this paper, we present a PatrIoT framework that aims to provide flexible support to construct an effective IoT system testbed to implement automated interoperability and integration testing. The framework allows scaling from a pure physical testbed to a simulated environment using a number of predefined modules and elements to simulate an IoT device or part of the tested infrastructure. PatrIoT also contains a set of reference example testbeds and several sets of example automated tests for a smart street use case.
△ Less
Submitted 27 January, 2021;
originally announced January 2021.
-
Review of Specific Features and Challenges in the Current Internet of Things Systems Impacting their Security and Reliability
Authors:
Miroslav Bures,
Matej Klima,
Vaclav Rechtberger,
Bestoun S. Ahmed,
Hanan Hindy,
Xavier Bellekens
Abstract:
The current development of the Internet of Things (IoT) technology poses significant challenges to researchers and industry practitioners. Among these challenges, security and reliability particularly deserve attention. In this paper, we provide a consolidated analysis of the root causes of these challenges, their relations, and their possible impacts on IoT systems' general quality characteristic…
▽ More
The current development of the Internet of Things (IoT) technology poses significant challenges to researchers and industry practitioners. Among these challenges, security and reliability particularly deserve attention. In this paper, we provide a consolidated analysis of the root causes of these challenges, their relations, and their possible impacts on IoT systems' general quality characteristics. Further understanding of these challenges is useful for IoT quality engineers when defining testing strategies for their systems and researchers to consider when discussing possible research directions. In this study, twenty specific features of current IoT systems are discussed, divided into five main categories: (1) Economic, managerial and organisational aspects, (2) Infrastructural challenges, (3) Security and privacy challenges, (4) Complexity challenges and (5) Interoperability problems.
△ Less
Submitted 5 January, 2021;
originally announced January 2021.
-
Quality and Reliability Metrics for IoT Systems: A Consolidated View
Authors:
Matej Klima,
Vaclav Rechtberger,
Miroslav Bures,
Xavier Bellekens,
Hanan Hindy,
Bestoun S. Ahmed
Abstract:
Quality and reliability metrics play an important role in the evaluation of the state of a system during the development and testing phases, and serve as tools to optimize the testing process or to define the exit or acceptance criteria of the system. This study provides a consolidated view on the available quality and reliability metrics applicable to Internet of Things (IoT) systems, as no compr…
▽ More
Quality and reliability metrics play an important role in the evaluation of the state of a system during the development and testing phases, and serve as tools to optimize the testing process or to define the exit or acceptance criteria of the system. This study provides a consolidated view on the available quality and reliability metrics applicable to Internet of Things (IoT) systems, as no comprehensive study has provided such a view specific to these systems. The quality and reliability metrics categorized and discussed in this paper are divided into three categories: metrics assessing the quality of an IoT system or service, metrics for assessing the effectiveness of the testing process, and metrics that can be universally applied in both cases. In the discussion, recommendations of proper usage of discussed metrics in a testing process are then given.
△ Less
Submitted 21 November, 2020;
originally announced November 2020.
-
A Review of Cyber-Ranges and Test-Beds: Current and Future Trends
Authors:
Elochukwu Ukwandu,
Mohamed Amine Ben Farah,
Hanan Hindy,
David Brosset,
Dimitris Kavallieros,
Robert Atkinson,
Christos Tachtatzis,
Miroslav Bures,
Ivan Andonovic,
Xavier Bellekens
Abstract:
Cyber situational awareness has been proven to be of value in forming a comprehensive understanding of threats and vulnerabilities within organisations, as the degree of exposure is governed by the prevailing levels of cyber-hygiene and established processes. A more accurate assessment of the security provision informs on the most vulnerable environments that necessitate more diligent management.…
▽ More
Cyber situational awareness has been proven to be of value in forming a comprehensive understanding of threats and vulnerabilities within organisations, as the degree of exposure is governed by the prevailing levels of cyber-hygiene and established processes. A more accurate assessment of the security provision informs on the most vulnerable environments that necessitate more diligent management. The rapid proliferation in the automation of cyber-attacks is reducing the gap between information and operational technologies and the need to review the current levels of robustness against new sophisticated cyber-attacks, trends, technologies and mitigation countermeasures has become pressing. A deeper characterisation is also the basis with which to predict future vulnerabilities in turn guiding the most appropriate deployment technologies. Thus, refreshing established practices and the scope of the training to support the decision making of users and operators. The foundation of the training provision is the use of Cyber-Ranges (CRs) and Test-Beds (TBs), platforms/tools that help inculcate a deeper understanding of the evolution of an attack and the methodology to deploy the most impactful countermeasures to arrest breaches. In this paper, an evaluation of documented CR and TB platforms is evaluated. CRs and TBs are segmented by type, technology, threat scenarios, applications and the scope of attainable training. To enrich the analysis of documented CR and TB research and cap the study, a taxonomy is developed to provide a broader comprehension of the future of CRs and TBs. The taxonomy elaborates on the CRs/TBs different dimensions, as well as, highlighting a diminishing differentiation between application areas.
△ Less
Submitted 14 October, 2020;
originally announced October 2020.
-
Interoperability and Integration Testing Methods for IoT Systems: a Systematic Map** Study
Authors:
Miroslav Bures,
Matej Klima,
Vaclav Rechtberger,
Xavier Bellekens,
Christos Tachtatzis,
Robert Atkinson,
Bestoun S. Ahmed
Abstract:
The recent active development of Internet of Things (IoT) solutions in various domains has led to an increased demand for security, safety, and reliability of these systems. Security and data privacy are currently the most frequently discussed topics; however, other reliability aspects also need to be focused on to maintain the smooth and safe operation of IoT systems. Until now, there has been no…
▽ More
The recent active development of Internet of Things (IoT) solutions in various domains has led to an increased demand for security, safety, and reliability of these systems. Security and data privacy are currently the most frequently discussed topics; however, other reliability aspects also need to be focused on to maintain the smooth and safe operation of IoT systems. Until now, there has been no systematic map** study dedicated to the topic of interoperability and integration testing of IoT systems specifically; therefore, we present such an overview in this study. We analyze 803 papers from four major primary databases and perform detailed assessment and quality check to find 115 relevant papers. In addition, recently published testing techniques and approaches are analyzed and classified; the challenges and limitations in the field is also identified and discussed. Research trends related to publication time, active researchers, and publication media are presented in this study. The results suggest that studies mainly focus only on general testing methods, which can be applied to integration and interoperability testing of IoT systems; thus, there are research opportunities to develop additional testing methods focused specifically on IoT systems, so that they are more effective in the IoT context.
△ Less
Submitted 22 July, 2020;
originally announced July 2020.
-
Utilising Deep Learning Techniques for Effective Zero-Day Attack Detection
Authors:
Hanan Hindy,
Robert Atkinson,
Christos Tachtatzis,
Jean-Noël Colin,
Ethan Bayne,
Xavier Bellekens
Abstract:
Machine Learning (ML) and Deep Learning (DL) have been used for building Intrusion Detection Systems (IDS). The increase in both the number and sheer variety of new cyber-attacks poses a tremendous challenge for IDS solutions that rely on a database of historical attack signatures. Therefore, the industrial pull for robust IDSs that are capable of flagging zero-day attacks is growing. Current outl…
▽ More
Machine Learning (ML) and Deep Learning (DL) have been used for building Intrusion Detection Systems (IDS). The increase in both the number and sheer variety of new cyber-attacks poses a tremendous challenge for IDS solutions that rely on a database of historical attack signatures. Therefore, the industrial pull for robust IDSs that are capable of flagging zero-day attacks is growing. Current outlier-based zero-day detection research suffers from high false-negative rates, thus limiting their practical use and performance. This paper proposes an autoencoder implementation for detecting zero-day attacks. The aim is to build an IDS model with high recall while kee** the miss rate (false-negatives) to an acceptable minimum. Two well-known IDS datasets are used for evaluation-CICIDS2017 and NSL-KDD. In order to demonstrate the efficacy of our model, we compare its results against a One-Class Support Vector Machine (SVM). The manuscript highlights the performance of a One-Class SVM when zero-day attacks are distinctive from normal behaviour. The proposed model benefits greatly from autoencoders encoding-decoding capabilities. The results show that autoencoders are well-suited at detecting complex zero-day attacks. The results demonstrate a zero-day detection accuracy of [89-99%] for the NSL-KDD dataset and [75-98%] for the CICIDS2017 dataset. Finally, the paper outlines the observed trade-off between recall and fallout.
△ Less
Submitted 16 November, 2020; v1 submitted 27 June, 2020;
originally announced June 2020.
-
Leveraging Siamese Networks for One-Shot Intrusion Detection Model
Authors:
Hanan Hindy,
Christos Tachtatzis,
Robert Atkinson,
David Brosset,
Miroslav Bures,
Ivan Andonovic,
Craig Michie,
Xavier Bellekens
Abstract:
The use of supervised Machine Learning (ML) to enhance Intrusion Detection Systems has been the subject of significant research. Supervised ML is based upon learning by example, demanding significant volumes of representative instances for effective training and the need to re-train the model for every unseen cyber-attack class. However, retraining the models in-situ renders the network susceptibl…
▽ More
The use of supervised Machine Learning (ML) to enhance Intrusion Detection Systems has been the subject of significant research. Supervised ML is based upon learning by example, demanding significant volumes of representative instances for effective training and the need to re-train the model for every unseen cyber-attack class. However, retraining the models in-situ renders the network susceptible to attacks owing to the time-window required to acquire a sufficient volume of data. Although anomaly detection systems provide a coarse-grained defence against unseen attacks, these approaches are significantly less accurate and suffer from high false-positive rates. Here, a complementary approach referred to as 'One-Shot Learning', whereby a limited number of examples of a new attack-class is used to identify a new attack-class (out of many) is detailed. The model grants a new cyber-attack classification without retraining. A Siamese Network is trained to differentiate between classes based on pairs similarities, rather than features, allowing to identify new and previously unseen attacks. The performance of a pre-trained model to classify attack-classes based only on one example is evaluated using three datasets. Results confirm the adaptability of the model in classifying unseen attacks and the trade-off between performance and the need for distinctive class representation.
△ Less
Submitted 5 November, 2022; v1 submitted 27 June, 2020;
originally announced June 2020.
-
Machine Learning Based IoT Intrusion Detection System: An MQTT Case Study (MQTT-IoT-IDS2020 Dataset)
Authors:
Hanan Hindy,
Ethan Bayne,
Miroslav Bures,
Robert Atkinson,
Christos Tachtatzis,
Xavier Bellekens
Abstract:
The Internet of Things (IoT) is one of the main research fields in the Cybersecurity domain. This is due to (a) the increased dependency on automated device, and (b) the inadequacy of general purpose Intrusion Detection Systems (IDS) to be deployed for special purpose networks usage. Numerous lightweight protocols are being proposed for IoT devices communication usage. One of the distinguishable I…
▽ More
The Internet of Things (IoT) is one of the main research fields in the Cybersecurity domain. This is due to (a) the increased dependency on automated device, and (b) the inadequacy of general purpose Intrusion Detection Systems (IDS) to be deployed for special purpose networks usage. Numerous lightweight protocols are being proposed for IoT devices communication usage. One of the distinguishable IoT machine-to-machine communication protocols is Message Queuing Telemetry Transport (MQTT) protocol. However, as per the authors best knowledge, there are no available IDS datasets that include MQTT benign or attack instances and thus, no IDS experimental results available. In this paper, the effectiveness of six Machine Learning (ML) techniques to detect MQTT-based attacks is evaluated. Three abstraction levels of features are assessed, namely, packet-based, unidirectional flow, and bidirectional flow features. An MQTT simulated dataset is generated and used for the training and evaluation processes. The dataset is released with an open access licence to help the research community further analyse the accompanied challenges. The experimental results demonstrated the adequacy of the proposed ML models to suit MQTT-based networks IDS requirements. Moreover, the results emphasise on the importance of using flow-based features to discriminate MQTT-based attacks from benign traffic, while packet-based features are sufficient for traditional networking attacks.
△ Less
Submitted 16 November, 2020; v1 submitted 27 June, 2020;
originally announced June 2020.
-
Cyber Security in the Age of COVID-19: A Timeline and Analysis of Cyber-Crime and Cyber-Attacks during the Pandemic
Authors:
Har**der Singh Lallie,
Lynsay A. Shepherd,
Jason R. C. Nurse,
Arnau Erola,
Gregory Epiphaniou,
Carsten Maple,
Xavier Bellekens
Abstract:
The COVID-19 pandemic was a remarkable unprecedented event which altered the lives of billions of citizens globally resulting in what became commonly referred to as the new-normal in terms of societal norms and the way we live and work. Aside from the extraordinary impact on society and business as a whole, the pandemic generated a set of unique cyber-crime related circumstances which also affecte…
▽ More
The COVID-19 pandemic was a remarkable unprecedented event which altered the lives of billions of citizens globally resulting in what became commonly referred to as the new-normal in terms of societal norms and the way we live and work. Aside from the extraordinary impact on society and business as a whole, the pandemic generated a set of unique cyber-crime related circumstances which also affected society and business. The increased anxiety caused by the pandemic heightened the likelihood of cyber-attacks succeeding corresponding with an increase in the number and range of cyber-attacks.
This paper analyses the COVID-19 pandemic from a cyber-crime perspective and highlights the range of cyber-attacks experienced globally during the pandemic. Cyber-attacks are analysed and considered within the context of key global events to reveal the modus-operandi of cyber-attack campaigns. The analysis shows how following what appeared to be large gaps between the initial outbreak of the pandemic in China and the first COVID-19 related cyber-attack, attacks steadily became much more prevalent to the point that on some days, 3 or 4 unique cyber-attacks were being reported. The analysis proceeds to utilise the UK as a case study to demonstrate how cyber-criminals leveraged key events and governmental announcements to carefully craft and design cyber-crime campaigns.
△ Less
Submitted 21 June, 2020;
originally announced June 2020.
-
A Security Perspective on Unikernels
Authors:
Joshua Talbot,
Przemek Pikula,
Craig Sweetmore,
Samuel Rowe,
Hanan Hindy,
Christos Tachtatzis,
Robert Atkinson,
Xavier Bellekens
Abstract:
Cloud-based infrastructures have grown in popularity over the last decade leveraging virtualisation, server, storage, compute power and network components to develop flexible applications. The requirements for instantaneous deployment and reduced costs have led the shift from virtual machine deployment to containerisation, increasing the overall flexibility of applications and increasing performan…
▽ More
Cloud-based infrastructures have grown in popularity over the last decade leveraging virtualisation, server, storage, compute power and network components to develop flexible applications. The requirements for instantaneous deployment and reduced costs have led the shift from virtual machine deployment to containerisation, increasing the overall flexibility of applications and increasing performances. However, containers require a fully fleshed operating system to execute, increasing the attack surface of an application. Unikernels, on the other hand, provide a lightweight memory footprint, ease of application packaging and reduced start-up times. Moreover, Unikernels reduce the attack surface due to the self-contained environment only enabling low-level features. In this work, we provide an exhaustive description of the unikernel ecosystem; we demonstrate unikernel vulnerabilities and further discuss the security implications of Unikernel-enabled environments through different use-cases.
△ Less
Submitted 14 November, 2019;
originally announced November 2019.
-
Cyber-Security Internals of a Skoda Octavia vRS: A Hands on Approach
Authors:
Colin Urquhart,
Xavier Bellekens,
Christos Tachtatzis,
Robert Atkinson,
Hanan Hindy,
Amar Seeam
Abstract:
The convergence of information technology and vehicular technologies are a growing paradigm, allowing information to be sent by and to vehicles. This information can further be processed by the Electronic Control Unit (ECU) and the Controller Area Network (CAN) for in-vehicle communications or through a mobile phone or server for out-vehicle communication. Information sent by or to the vehicle can…
▽ More
The convergence of information technology and vehicular technologies are a growing paradigm, allowing information to be sent by and to vehicles. This information can further be processed by the Electronic Control Unit (ECU) and the Controller Area Network (CAN) for in-vehicle communications or through a mobile phone or server for out-vehicle communication. Information sent by or to the vehicle can be life-critical (e.g. breaking, acceleration, cruise control, emergency communication, etc. . . ). As vehicular technology advances, in-vehicle networks are connected to external networks through 3 and 4G mobile networks, enabling manufacturer and customer monitoring of different aspects of the car. While these services provide valuable information, they also increase the attack surface of the vehicle, and can enable long and short range attacks. In this manuscript, we evaluate the security of the 2017 Skoda Octavia vRS 4x4. Both physical and remote attacks are considered, the key fob rolling code is successfully compromised, privacy attacks are demonstrated through the infotainment system, the Volkswagen Transport Protocol 2.0 is reverse engineered. Additionally, in-car attacks are highlighted and described, providing an overlook of potentially deadly threats by modifying ECU parameters and components enabling digital forensics investigation are identified.
△ Less
Submitted 21 October, 2019;
originally announced October 2019.
-
Improving SIEM for Critical SCADA Water Infrastructures Using Machine Learning
Authors:
Hanan Hindy,
David Brosset,
Ethan Bayne,
Amar Seeam,
Xavier Bellekens
Abstract:
Network Control Systems (NAC) have been used in many industrial processes. They aim to reduce the human factor burden and efficiently handle the complex process and communication of those systems. Supervisory control and data acquisition (SCADA) systems are used in industrial, infrastructure and facility processes (e.g. manufacturing, fabrication, oil and water pipelines, building ventilation, etc…
▽ More
Network Control Systems (NAC) have been used in many industrial processes. They aim to reduce the human factor burden and efficiently handle the complex process and communication of those systems. Supervisory control and data acquisition (SCADA) systems are used in industrial, infrastructure and facility processes (e.g. manufacturing, fabrication, oil and water pipelines, building ventilation, etc.) Like other Internet of Things (IoT) implementations, SCADA systems are vulnerable to cyber-attacks, therefore, a robust anomaly detection is a major requirement. However, having an accurate anomaly detection system is not an easy task, due to the difficulty to differentiate between cyber-attacks and system internal failures (e.g. hardware failures). In this paper, we present a model that detects anomaly events in a water system controlled by SCADA. Six Machine Learning techniques have been used in building and evaluating the model. The model classifies different anomaly events including hardware failures (e.g. sensor failures), sabotage and cyber-attacks (e.g. DoS and Spoofing). Unlike other detection systems, our proposed work focuses on notifying the operator when an anomaly occurs with a probability of the event occurring. This additional information helps in accelerating the mitigation process. The model is trained and tested using a real-world dataset.
△ Less
Submitted 6 March, 2019;
originally announced April 2019.
-
From Cyber-Security Deception To Manipulation and Gratification Through Gamification
Authors:
Xavier Bellekens,
Gayan Jayasekara,
Hanan Hindy,
Miroslav Bures,
David Brosset,
Christos Tachtatzis,
Robert Atkinson
Abstract:
With the ever growing networking capabilities and services offered to users, attack surfaces have been increasing exponentially, additionally, the intricacy of network architectures has increased the complexity of cyber-defenses, to this end, the use of deception has recently been trending both in academia and industry. Deception enables to create proactive defense systems, luring attackers in ord…
▽ More
With the ever growing networking capabilities and services offered to users, attack surfaces have been increasing exponentially, additionally, the intricacy of network architectures has increased the complexity of cyber-defenses, to this end, the use of deception has recently been trending both in academia and industry. Deception enables to create proactive defense systems, luring attackers in order to better defend the systems at hand. Current applications of deception, only rely on static, or low interactive environments. In this paper we present a platform that combines human-computer-interaction, analytics, gamification and deception to lure malicious users into selected traps while piquing their interests. Furthermore we analyse the interactive deceptive aspects of the platform through the addition of a narrative, further engaging malicious users into following a predefined path and deflecting attacks from key network systems.
△ Less
Submitted 21 March, 2019;
originally announced March 2019.
-
A Comprehensive View on Quality Characteristics of the IoT Solutions
Authors:
Miroslav Bures,
Xavier Bellekens,
Karel Frajtak,
Bestoun S. Ahmed
Abstract:
Categorization of quality characteristics helps in a more effective structuring of the testing process and in the determination of properties, which can be verified in the system under test. In the emerging area of Internet of Things (IoT) systems, several individual attempts have been made to summarize these aspects, but the previous work is rather heterogenic and focuses on specific subareas. He…
▽ More
Categorization of quality characteristics helps in a more effective structuring of the testing process and in the determination of properties, which can be verified in the system under test. In the emerging area of Internet of Things (IoT) systems, several individual attempts have been made to summarize these aspects, but the previous work is rather heterogenic and focuses on specific subareas. Hence, we consolidated the quality characteristics into one unified view, which specifically emphasizes the aspects of security, privacy, reliability and usability, as these aspects are of often quoted as major challenges in the quality of contemporary IoT systems. The consolidated view also covers other areas of system quality, which are relevant for IoT system testing and quality assurance. In the paper, we also discuss relevant synonyms of particular quality characteristics as presented in the literature or being used in the current industry praxis. The consolidated view uses two levels of characteristics to maintain a suitable level of granularity and specificity in the discussed quality characteristics.
△ Less
Submitted 23 December, 2018;
originally announced December 2018.
-
Mayall: A Framework for Desktop JavaScript Auditing and Post-Exploitation Analysis
Authors:
Adam Rapley,
Xavier Bellekens,
Lynsay A. Shepherd,
Colin McLean
Abstract:
Writing desktop applications in JavaScript offers developers the opportunity to write cross-platform applications with cutting edge capabilities. However in doing so, they are potentially submitting their code to a number of unsanctioned modifications from malicious actors. Electron is one such JavaScript application framework which facilitates this multi-platform out-the-box paradigm and is based…
▽ More
Writing desktop applications in JavaScript offers developers the opportunity to write cross-platform applications with cutting edge capabilities. However in doing so, they are potentially submitting their code to a number of unsanctioned modifications from malicious actors. Electron is one such JavaScript application framework which facilitates this multi-platform out-the-box paradigm and is based upon the Node.js JavaScript runtime --- an increasingly popular server-side technology. In bringing this technology to the client-side environment, previously unrealized risks are exposed to users due to the powerful system programming interface that Node.js exposes. In a concerted effort to highlight previously unexposed risks in these rapidly expanding frameworks, this paper presents the Mayall Framework, an extensible toolkit aimed at JavaScript security auditing and post-exploitation analysis. The paper also exposes fifteen highly popular Electron applications and demonstrates that two thirds of applications were found to be using known vulnerable elements with high CVSS scores. Moreover, this paper discloses a wide-reaching and overlooked vulnerability within the Electron Framework which is a direct byproduct of ship** the runtime unaltered with each application, allowing malicious actors to modify source code and inject covert malware inside verified and signed applications without restriction. Finally, a number of injection vectors are explored and appropriate remediations are proposed.
△ Less
Submitted 15 November, 2018; v1 submitted 14 November, 2018;
originally announced November 2018.
-
A Taxonomy of Network Threats and the Effect of Current Datasets on Intrusion Detection Systems
Authors:
Hanan Hindy,
David Brosset,
Ethan Bayne,
Amar Seeam,
Christos Tachtatzis,
Robert Atkinson,
Xavier Bellekens
Abstract:
As the world moves towards being increasingly dependent on computers and automation, building secure applications, systems and networks are some of the main challenges faced in the current decade. The number of threats that individuals and businesses face is rising exponentially due to the increasing complexity of networks and services of modern networks. To alleviate the impact of these threats,…
▽ More
As the world moves towards being increasingly dependent on computers and automation, building secure applications, systems and networks are some of the main challenges faced in the current decade. The number of threats that individuals and businesses face is rising exponentially due to the increasing complexity of networks and services of modern networks. To alleviate the impact of these threats, researchers have proposed numerous solutions for anomaly detection; however, current tools often fail to adapt to ever-changing architectures, associated threats and zero-day attacks. This manuscript aims to pinpoint research gaps and shortcomings of current datasets, their impact on building Network Intrusion Detection Systems (NIDS) and the growing number of sophisticated threats. To this end, this manuscript provides researchers with two key pieces of information; a survey of prominent datasets, analyzing their use and impact on the development of the past decade's Intrusion Detection Systems (IDS) and a taxonomy of network threats and associated tools to carry out these attacks. The manuscript highlights that current IDS research covers only 33.3% of our threat taxonomy. Current datasets demonstrate a clear lack of real-network threats, attack representation and include a large number of deprecated threats, which together limit the detection accuracy of current machine learning IDS approaches. The unique combination of the taxonomy and the analysis of the datasets provided in this manuscript aims to improve the creation of datasets and the collection of real-world data. As a result, this will improve the efficiency of the next generation IDS and reflect network threats more accurately within new datasets.
△ Less
Submitted 5 June, 2020; v1 submitted 9 June, 2018;
originally announced June 2018.
-
A Taxonomy of Malicious Traffic for Intrusion Detection Systems
Authors:
Hanan Hindy,
Elike Hodo,
Ethan Bayne,
Amar Seeam,
Robert Atkinson,
Xavier Bellekens
Abstract:
With the increasing number of network threats it is essential to have a knowledge of existing and new network threats in order to design better intrusion detection systems. In this paper we propose a taxonomy for classifying network attacks in a consistent way, allowing security researchers to focus their efforts on creating accurate intrusion detection systems and targeted datasets.
With the increasing number of network threats it is essential to have a knowledge of existing and new network threats in order to design better intrusion detection systems. In this paper we propose a taxonomy for classifying network attacks in a consistent way, allowing security researchers to focus their efforts on creating accurate intrusion detection systems and targeted datasets.
△ Less
Submitted 9 June, 2018;
originally announced June 2018.
-
Deep Learning Based Cryptographic Primitive Classification
Authors:
Gregory D. Hill,
Xavier J. A. Bellekens
Abstract:
Cryptovirological augmentations present an immediate, incomparable threat. Over the last decade, the substantial proliferation of crypto-ransomware has had widespread consequences for consumers and organisations alike. Established preventive measures perform well, however, the problem has not ceased. Reverse engineering potentially malicious software is a cumbersome task due to platform eccentrici…
▽ More
Cryptovirological augmentations present an immediate, incomparable threat. Over the last decade, the substantial proliferation of crypto-ransomware has had widespread consequences for consumers and organisations alike. Established preventive measures perform well, however, the problem has not ceased. Reverse engineering potentially malicious software is a cumbersome task due to platform eccentricities and obfuscated transmutation mechanisms, hence requiring smarter, more efficient detection strategies. The following manuscript presents a novel approach for the classification of cryptographic primitives in compiled binary executables using deep learning. The model blueprint, a DCNN, is fittingly configured to learn from variable-length control flow diagnostics output from a dynamic trace. To rival the size and variability of contemporary data compendiums, hence feeding the model cognition, a methodology for the procedural generation of synthetic cryptographic binaries is defined, utilising core primitives from OpenSSL with multivariate obfuscation, to draw a vastly scalable distribution. The library, CryptoKnight, rendered an algorithmic pool of AES, RC4, Blowfish, MD5 and RSA to synthesis combinable variants which are automatically fed in its core model. Converging at 91% accuracy, CryptoKnight is successfully able to classify the sample algorithms with minimal loss.
△ Less
Submitted 25 September, 2017;
originally announced September 2017.
-
Machine Learning Approach for Detection of nonTor Traffic
Authors:
Elike Hodo,
Xavier Bellekens,
Ephraim Iorkyase,
Andrew Hamilton,
Christos Tachtatzis,
Robert Atkinson
Abstract:
Intrusion detection has attracted a considerable interest from researchers and industries. After many years of research the community still faces the problem of building reliable and efficient intrusion detection systems (IDS) capable of handling large quantities of data with changing patterns in real time situations. The Tor network is popular in providing privacy and security to end user by anon…
▽ More
Intrusion detection has attracted a considerable interest from researchers and industries. After many years of research the community still faces the problem of building reliable and efficient intrusion detection systems (IDS) capable of handling large quantities of data with changing patterns in real time situations. The Tor network is popular in providing privacy and security to end user by anonymising the identity of internet users connecting through a series of tunnels and nodes. This work focuses on the classification of Tor traffic and nonTor traffic to expose the activities within Tor traffic that minimizes the protection of users. A study to compare the reliability and efficiency of Artificial Neural Network and Support vector machine in detecting nonTor traffic in UNB-CIC Tor Network Traffic dataset is presented in this paper. The results are analysed based on the overall accuracy, detection rate and false positive rate of the two algorithms. Experimental results show that both algorithms could detect nonTor traffic in the dataset. A hybrid Artificial neural network proved a better classifier than SVM in detecting nonTor traffic in UNB-CIC Tor Network Traffic dataset.
△ Less
Submitted 29 August, 2017;
originally announced August 2017.
-
Threat analysis of IoT networks Using Artificial Neural Network Intrusion Detection System
Authors:
Elike Hodo,
Xavier Bellekens,
Andrew Hamilton,
Pierre-louis Dubouilh,
Ephraim Iorkyase,
Christos Tachtatzis,
Robert Atkinson
Abstract:
The Internet of things (IoT) is still in its infancy and has attracted much interest in many industrial sectors including medical fields, logistics tracking, smart cities and automobiles. However as a paradigm, it is susceptible to a range of significant intrusion threats. This paper presents a threat analysis of the IoT and uses an Artificial Neural Network (ANN) to combat these threats. A multi-…
▽ More
The Internet of things (IoT) is still in its infancy and has attracted much interest in many industrial sectors including medical fields, logistics tracking, smart cities and automobiles. However as a paradigm, it is susceptible to a range of significant intrusion threats. This paper presents a threat analysis of the IoT and uses an Artificial Neural Network (ANN) to combat these threats. A multi-level perceptron, a type of supervised ANN, is trained using internet packet traces, then is assessed on its ability to thwart Distributed Denial of Service (DDoS/DoS) attacks. This paper focuses on the classification of normal and threat patterns on an IoT Network. The ANN procedure is validated against a simulated IoT network. The experimental results demonstrate 99.4% accuracy and can successfully detect various DDoS/DoS attacks.
△ Less
Submitted 7 April, 2017;
originally announced April 2017.
-
GLoP: Enabling Massively Parallel Incident Response Through GPU Log Processing
Authors:
Xavier Bellekens,
Christos Tachtatzis,
Robert Atkinson,
Craig Renfrew,
Tony Kirkham
Abstract:
Large industrial systems that combine services and applications, have become targets for cyber criminals and are challenging from the security, monitoring and auditing perspectives. Security log analysis is a key step for uncovering anomalies, detecting intrusion, and enabling incident response. The constant increase of link speeds, threats and users, produce large volumes of log data and become i…
▽ More
Large industrial systems that combine services and applications, have become targets for cyber criminals and are challenging from the security, monitoring and auditing perspectives. Security log analysis is a key step for uncovering anomalies, detecting intrusion, and enabling incident response. The constant increase of link speeds, threats and users, produce large volumes of log data and become increasingly difficult to analyse on a Central Processing Unit (CPU). This paper presents a massively parallel Graphics Processing Unit (GPU) LOg Processing (GLoP) library and can also be used for Deep Packet Inspection (DPI), using a prefix matching technique, harvesting the full power of off-the-shelf technologies. GLoP implements two different algorithm using different GPU memory and is compared against CPU counterpart implementations. The library can be used for processing nodes with single or multiple GPUs as well as GPU cloud farms. The results show throughput of 20Gbps and demonstrate that modern GPUs can be utilised to increase the operational speed of large scale log processing scenarios, saving precious time before and after an intrusion has occurred.
△ Less
Submitted 7 April, 2017;
originally announced April 2017.
-
A Highly-Efficient Memory-Compression Scheme for GPU-Accelerated Intrusion Detection Systems
Authors:
Xavier Bellekens,
Christos Tachtatzis,
Robert Atkinson,
Craig Renfrew,
Tony Kirkham
Abstract:
Pattern Matching is a computationally intensive task used in many research fields and real world applications. Due to the ever-growing volume of data to be processed, and increasing link speeds, the number of patterns to be matched has risen significantly. In this paper we explore the parallel capabilities of modern General Purpose Graphics Processing Units (GPGPU) applications for high speed patt…
▽ More
Pattern Matching is a computationally intensive task used in many research fields and real world applications. Due to the ever-growing volume of data to be processed, and increasing link speeds, the number of patterns to be matched has risen significantly. In this paper we explore the parallel capabilities of modern General Purpose Graphics Processing Units (GPGPU) applications for high speed pattern matching. A highly compressed failure-less Aho-Corasick algorithm is presented for Intrusion Detection Systems on off-the-shelf hardware. This approach maximises the bandwidth for data transfers between the host and the Graphics Processing Unit (GPU). Experiments are performed on multiple alphabet sizes, demonstrating the capabilities of the library to be used in different research fields, while sustaining an adequate throughput for intrusion detection systems or DNA sequencing. The work also explores the performance impact of adequate prefix matching for alphabet sizes and varying pattern numbers achieving speeds up to 8Gbps and low memory consumption for intrusion detection systems.
△ Less
Submitted 7 April, 2017;
originally announced April 2017.
-
Trie Compression for GPU Accelerated Multi-Pattern Matching
Authors:
Xavier Bellekens,
Amar Seeam,
Christos Tachtatzis,
Robert Atkinson
Abstract:
Graphics Processing Units allow for running massively parallel applications offloading the CPU from computationally intensive resources, however GPUs have a limited amount of memory. In this paper a trie compression algorithm for massively parallel pattern matching is presented demonstrating 85% less space requirements than the original highly efficient parallel failure-less aho-corasick, whilst d…
▽ More
Graphics Processing Units allow for running massively parallel applications offloading the CPU from computationally intensive resources, however GPUs have a limited amount of memory. In this paper a trie compression algorithm for massively parallel pattern matching is presented demonstrating 85% less space requirements than the original highly efficient parallel failure-less aho-corasick, whilst demonstrating over 22 Gbps throughput. The algorithm presented takes advantage of compressed row storage matrices as well as shared and texture memory on the GPU.
△ Less
Submitted 13 February, 2017;
originally announced February 2017.
-
Shallow and Deep Networks Intrusion Detection System: A Taxonomy and Survey
Authors:
Elike Hodo,
Xavier Bellekens,
Andrew Hamilton,
Christos Tachtatzis,
Robert Atkinson
Abstract:
Intrusion detection has attracted a considerable interest from researchers and industries. The community, after many years of research, still faces the problem of building reliable and efficient IDS that are capable of handling large quantities of data, with changing patterns in real time situations. The work presented in this manuscript classifies intrusion detection systems (IDS). Moreover, a ta…
▽ More
Intrusion detection has attracted a considerable interest from researchers and industries. The community, after many years of research, still faces the problem of building reliable and efficient IDS that are capable of handling large quantities of data, with changing patterns in real time situations. The work presented in this manuscript classifies intrusion detection systems (IDS). Moreover, a taxonomy and survey of shallow and deep networks intrusion detection systems is presented based on previous and current works. This taxonomy and survey reviews machine learning techniques and their performance in detecting anomalies. Feature selection which influences the effectiveness of machine learning (ML) IDS is discussed to explain the role of feature selection in the classification and training phase of ML IDS. Finally, a discussion of the false and true positive alarm rates is presented to help researchers model reliable and efficient machine learning based intrusion detection systems.
△ Less
Submitted 9 January, 2017;
originally announced January 2017.