508 research outputs found

    Topology-Aware Vulnerability Mitigation Worms

    In very dynamic Information and Communication Technology (ICT) infrastructures, with rapidly growing applications, malicious intrusions have become very sophisticated, effective, and fast. Industries have suffered billions of US dollars in losses due to malicious worm outbreaks alone. Several calls have been issued by governments and industries to the research community to propose innovative solutions that would help prevent malicious breaches, especially with enterprise networks becoming more complex, large, and volatile. In this thesis we approach self-replicating, self-propagating, and self-contained network programs (i.e. worms) as vulnerability mitigation mechanisms to eliminate threats to networks. These programs provide distinctive features, including: short-distance communication with network nodes, intermittent network node vulnerability probing, and network topology discovery. Such features become necessary, especially for networks with frequent node association and disassociation, dynamically connected links, and where hosts concurrently run multiple operating systems. We propose -- to the best of our knowledge -- the first computer worm that utilizes the second layer of the OSI model (Data Link Layer) as its main propagation medium. We name our defensive worm Seawave, a controlled interactive, self-replicating, self-propagating, and self-contained vulnerability mitigation mechanism. We develop, experiment with, and evaluate Seawave under different simulation environments that mimic to a large extent enterprise networks. We also propose a threat analysis model to help identify weaknesses, strengths, and threats within and towards our vulnerability mitigation mechanism, followed by a mathematical propagation model to observe Seawave's performance under large scale enterprise networks.
We also make a preliminary proposal of another vulnerability mitigation worm that utilizes the Link Layer Discovery Protocol (LLDP) for its propagation, along with an evaluation of its performance. In addition, we describe a preliminary taxonomy that rediscovers the relationship between different types of self-replicating programs (i.e. viruses, worms, and botnets) and redefines these programs based on their properties. The taxonomy provides a classification that can be easily applied within the industry and the research community and paves the way for a promising research direction that would consider the defensive side of self-replicating programs.

    A Multi Agent System for Flow-Based Intrusion Detection

    The detection and elimination of threats to cyber security is essential for system functionality, protection of valuable information, and preventing costly destruction of assets. This thesis presents a Mobile Multi-Agent Flow-Based IDS called MFIREv3 that provides network anomaly detection of intrusions and automated defense. This version of the MFIRE system includes the development and testing of a Multi-Objective Evolutionary Algorithm (MOEA) for feature selection that provides agents with the optimal set of features for classifying the state of the network. Feature selection provides separable data points for the selected attacks: Worm, Distributed Denial of Service, Man-in-the-Middle, Scan, and Trojan. This investigation develops three techniques of self-organization for multiple distributed agents in an intrusion detection system: Reputation, Stochastic, and Maximum Cover. These three movement models are tested for effectiveness in locating good agent vantage points within the network to classify the state of the network. MFIREv3 also introduces the design of defensive measures to limit the effects of network attacks. Defensive measures included in this research are rate-limiting and elimination of infected nodes. The results of this research provide an optimistic outlook for flow-based multi-agent systems for cyber security. The impact of this research illustrates how feature selection in cooperation with movement models for multi-agent systems provides excellent attack detection and classification.

    Moving target defense for securing smart grid communications: Architectural design, implementation and evaluation

    Supervisory Control And Data Acquisition (SCADA) communications are often subjected to various kinds of sophisticated cyber-attacks which can have a serious impact on critical infrastructure such as the power grid. Most of the time, the success of the attack is based on the static characteristics of the system, thereby enabling an easier profiling of the target system(s) by the adversary and consequently exploiting their limited resources. In this thesis, a novel approach to mitigate such static vulnerabilities is proposed by implementing a Moving Target Defense (MTD) strategy in a power grid SCADA environment, which leverages the existing communication network with an end-to-end IP Hopping technique among the trusted peer devices. This offers a proactive L3 layer network defense, minimizing IP-specific threats and thwarting worm propagation, APTs, etc., which utilize the cyber kill chain for attacking the system through the SCADA network. The main contribution of this thesis is to show how MTD concepts provide proactive defense against targeted cyber-attacks, and a dynamic attack surface to adversaries without compromising the availability of a SCADA system. Specifically, the thesis presents a brief overview of the different types of MTD designs, the proposed MTD architecture and its implementation with an IP hopping technique over a Control Center–Substation network link along with a 3-way handshake protocol for synchronization on Iowa State’s Power Cyber testbed. The thesis further investigates the delay and throughput characteristics of the entire system with and without the MTD to choose the best hopping rate for the given link. It also includes additional contributions for making the testbed scenarios closer to real-world scenarios with a multi-hop, multi-path WAN. Using that and studying a specific attack model, the thesis analyses the best ranges of IP addresses for different hopping rates and different numbers of interfaces.
Finally, the thesis describes two case studies to explore and identify potential weaknesses of the proposed mechanism, and also experimentally validate the proposed mitigation alterations to resolve the discovered vulnerabilities. As part of future work, we plan to extend this work by optimizing the MTD algorithm to be more resilient by incorporating other techniques like network port mutation to further increase the attack complexity and cost.

    Ensemble classification and signal image processing for genus Gyrodactylus (Monogenea)

    This thesis presents an investigation into Gyrodactylus species recognition, making use of machine learning classification and feature selection techniques, and explores image feature extraction to demonstrate proof of concept for an envisaged rapid, consistent and secure initial identification of pathogens by field workers and non-expert users. The design of the proposed cognitively inspired framework is able to provide confident discrimination recognition from its non-pathogenic congeners, which is sought in order to assist diagnostics during periods of a suspected outbreak. Accurate identification of pathogens is a key to their control in an aquaculture context and the monogenean worm genus Gyrodactylus provides an ideal test-bed for the selected techniques. In the proposed algorithm, the concept of classification using a single model is extended to include more than one model. In classifying multiple species of Gyrodactylus, experiments using 557 specimens of nine different species, two classifiers and three feature sets were performed. To combine these models, an ensemble based majority voting approach has been adopted. Experimental results with a database of Gyrodactylus species show the superior performance of the ensemble system. Comparison with single classification approaches indicates that the proposed framework produces a marked improvement in classification performance. The second contribution of this thesis is the exploration of image processing techniques. Active Shape Model (ASM) and Complex Network methods are applied to images of the attachment hooks of several species of Gyrodactylus to classify each species according to their true species type. ASM is used to provide landmark points to segment the contour of the image, while the Complex Network model is used to extract the information from the contour of an image. 
The current system aims to confidently classify species, which is a notifiable pathogen of Atlantic salmon, to their true class with a high degree of accuracy. Finally, some concluding remarks are made along with proposals for future work.

    Preparation of diblock copolymer nano-objects via polymerization-induced self-assembly in non-polar media

    This thesis focuses on the synthesis, characterization and potential use of sterically-stabilized diblock copolymer nanoparticles prepared in non-polar solvents via polymerization-induced self-assembly (PISA). This involved chain extension of an oil-soluble poly(n-alkyl methacrylate) precursor via reversible addition-fragmentation chain transfer (RAFT) dispersion polymerization of a carefully selected methacrylic monomer. The growing second block becomes insoluble at a critical degree of polymerization (DP), which leads to in situ self-assembly to form spherical, worm-like or vesicular nanoparticles. Firstly, a poly(stearyl methacrylate)-poly(2-hydroxypropyl methacrylate) [PSMA-PHPMA] formulation was examined using mineral oil as the solvent. 1H NMR kinetic studies conducted during the synthesis of PSMA9-PHPMA150 vesicles confirmed that the polar nature of the HPMA monomer leads to a relatively fast polymerization (94% conversion within 40 min) compared to the corresponding poly(stearyl methacrylate)-poly(benzyl methacrylate) PSMA9-PBzMA150 vesicles, for which only 37% BzMA conversion was achieved within the same timescale. PSMA9-PHPMA70 worms underwent degelation on heating, with transmission electron microscopy (TEM) analysis indicating an unexpected partial worm-to-vesicle transition. Replacing HPMA with 2,2,2-trifluoroethyl methacrylate (TFEMA) enabled ~240 nm diameter PSMA9-PTFEMA300 vesicles to be obtained at 25% w/w solids in n-dodecane as a highly transparent dispersion (97% transmittance at 600 nm). This was attributed to the relatively low refractive index of PTFEMA, which matches that of the n-alkane at 25 °C. By varying the type of n-alkane, highly transparent vesicles could also be obtained at either 50 or 90 °C. Examining the synthesis of highly transparent PSMA16-PTFEMA86 spheres via in situ visible spectroscopy in n-hexadecane at 90 °C indicated the premature loss of dithiobenzoate end-groups under such conditions.
A more industrially-relevant PISA formulation utilized a poly(lauryl methacrylate) PLMA precursor for the RAFT dispersion polymerization of methyl methacrylate (MMA) in mineral oil at 90 °C. However, only spheres and short worm-like particles could be accessed when using this commodity monomer: targeting higher PMMA DPs unexpectedly produced colloidally unstable spherical aggregates. This morphological constraint was attributed to the high glass transition temperature (Tg) of the PMMA core-forming block and could not be overcome by conducting the synthesis above the Tg of PMMA (115 °C). According to TEM and dynamic light scattering (DLS) analysis, PLMA22-PMMA69 short worms underwent a partially reversible worm-to-sphere transition on heating. Either long worms or vesicles could be accessed by statistically copolymerizing just 10 mol% lauryl methacrylate (LMA) with MMA at 115 °C. This LMA comonomer enhances solvent plasticization of the core-forming copolymer chains. Moreover, differential scanning calorimetry (DSC) studies indicate a significant reduction in the effective Tg to well below the synthesis temperature. The resulting worms and vesicles exhibited thermoreversible worm-to-sphere and vesicle-to-worm transitions on heating. Epoxy-functional spheres were prepared in mineral oil by using glycidyl methacrylate (GlyMA) to grow the core-forming block from a PLMA precursor. Alternatively, a P(LMA-stat-GlyMA) precursor prepared via statistical copolymerization of LMA with GlyMA was used for the RAFT dispersion polymerization of either MMA or BzMA. The potential post-polymerization modification of such spheres was assessed using benzylamine, water or 50% v/v aqueous acetic acid using 1H NMR or Fourier transform infrared (FT-IR) spectroscopy.
The surface adsorption of such epoxy-functional spheres onto stainless steel from n-dodecane was compared to non-functional PLMA-PMMA or PLMA-PBzMA spheres using quartz crystal microbalance with dissipation (QCM-D) at 20 °C. Placing epoxy groups within the steric stabilizer chains enhances the extent of adsorption significantly. For example, the adsorbed mass (Γ) obtained for ~50 nm P(LMA50-stat-GlyMA9)-PBzMA245 nanoparticles is more than five-fold higher than that achieved when using the corresponding non-functional PLMA63-PBzMA245 nanoparticles (Γ = 31.3 vs. 6.4 mg m⁻²). SEM analysis confirmed a comparable enhancement in surface coverage for the epoxy-functional spheres. Furthermore, QCM-D studies performed at 40 °C led to a higher adsorbed mass for the former type of nanoparticles, which suggests that the epoxy groups react with the hydroxyl groups present at the surface of the stainless steel to form covalent bonds. Mini-traction machine (MTM) tribological experiments confirmed that stronger nanoparticle adsorption led to a significantly lower frictional coefficient.