39 research outputs found

    A Hardware-Assisted Insider Threat Detection and Prevention Framework

    Today, the USB protocol is among the most widely used protocols. However, the mass-proliferation of USB has led to a threat vector wherein USB devices are assumed innocent, leaving computers open to an attack. Malicious USB devices can disguise themselves as benign devices to insert malicious commands to connected end devices. A rogue device appears benign to the average OS, requiring advanced detection schemes to identify malicious devices. However, using system-level hooks, advanced threats may subvert OS-reliant detection schemes. This thesis showcases USB-Watch, a hardware-based USB threat detection framework. The hardware can collect live USB traffic before the data can be altered in a corrupted OS. Behavioral analysis of USB devices allows for a generalizable anomaly detection classifier in hardware that can detect abnormal behavior from USB devices. The framework tested achieves an ROC AUC of 0.99 against a testbed of live USB devices

    Duck Hunt: Memory Forensics of USB Attack Platforms

    To explore the memory forensic artifacts generated by USB-based attack platforms, we analyzed two of the most popular commercially available devices, Hak5's USB Rubber Ducky and Bash Bunny. We present two open source Volatility plugins, usbhunt and dhcphunt, which extract artifacts generated by these USB attacks from Windows 10 system memory images. Such artifacts include driver-related diagnostic events, unique device identifiers, and DHCP client logs. Our tools are capable of extracting metadata-rich Windows diagnostic events generated by any USB device. The device identifiers presented in this work may also be used to definitively detect device usage. Likewise, the DHCP logs we carve from memory may be useful in the forensic analysis of other network-connected peripherals. We also quantify how long these artifacts remain recoverable in memory. Our experiments demonstrated that some Indicators of Compromise (IOCs) remain in memory for at least 24 h

    Towards Engineering Reliable Keystroke Biometrics Systems

    In this thesis, we argue that most of the work in the literature on behavioural-based biometric systems using AI and machine learning is immature and unreliable. Our analysis and experimental results show that designing reliable behavioural-based biometric systems requires a systematic and complicated process. We first discuss the limitation in existing work and the use of conventional machine learning methods. We use the biometric zoos theory to demonstrate the challenge of designing reliable behavioural-based biometric systems. Then, we outline the common problems in engineering reliable biometric systems. In particular, we focus on the need for novelty detection machine learning models and adaptive machine learning algorithms. We provide a systematic approach to design and build reliable behavioural-based biometric systems. In our study, we apply the proposed approach to keystroke dynamics. Keystroke dynamics is a behavioural-based biometric that identifies individuals by measuring their unique typing behaviours on physical or soft keyboards. Our study shows that it is possible to design reliable behavioral-based biometrics and address the gaps in the literature

    A Survey on Security for Mobile Devices

    Nowadays, mobile devices are an important part of our everyday lives since they enable us to access a large variety of ubiquitous services. In recent years, the availability of these ubiquitous and mobile services has significantly increased due to the different form of connectivity provided by mobile devices, such as GSM, GPRS, Bluetooth and Wi-Fi. In the same trend, the number and typologies of vulnerabilities exploiting these services and communication channels have increased as well. Therefore, smartphones may now represent an ideal target for malware writers. As the number of vulnerabilities and, hence, of attacks increase, there has been a corresponding rise of security solutions proposed by researchers. Due to the fact that this research field is immature and still unexplored in depth, with this paper we aim to provide a structured and comprehensive overview of the research on security solutions for mobile devices. This paper surveys the state of the art on threats, vulnerabilities and security solutions over the period 2004-2011. We focus on high-level attacks, such as those to user applications, through SMS/MMS, denial-of-service, overcharging and privacy. We group existing approaches aimed at protecting mobile devices against these classes of attacks into different categories, based upon the detection principles, architectures, collected data and operating systems, especially focusing on IDS-based models and tools. With this categorization we aim to provide an easy and concise view of the underlying model adopted by each approach

    Hardware and User Profiling for Multi-factor Authentication

    Most software applications rely on the use of user-name and passwords to authenticate end users. This form of authentication, although used ubiquitously, is widely considered unreliable due to the users' inability to keep them secret; passwords being prone to dictionary or rainbow-table attacks; as well as the ease with which social engineering techniques can obtain passwords. This can be mitigated by combining a variety of different authentication mechanisms, for example biometric authentication such as fingerprint recognition or physical tokens such as smart cards. The resulting multifactor authentication is typically stronger than any of the techniques used individually. However, it may still be expensive or prohibited to implement and more difficult to deploy due to additional accessories cost, e.g., fingerprint reader. Multi-modal biometric systems are those which utilise or are capable of utilising, more than one physiological or behavioural characteristic for enrolment, verification, or identification. So, in this research we present a multi-factor authentication scheme that is based on the user's own hardware environment, e.g. laptop with fingerprint reader, thus avoiding the need of deploying tokens and readily available biometrics, e.g., user keystrokes. The aim is to improve the reliability of the authentication using a multi-factor approach without incurring additional cost or making the deployment of the solution overly complex. The presented approach in this research uses unique sequential hardware information available from the user's environment to profile user behaviour. This approach improves upon password mechanisms by introducing a novel Hardware Authentication and User Profiling (HAUP) in the form of Multi-Factor Authentication (MFA) that can be easily integrated into the traditional authentication methods.
    In addition, this approach observes the advantage of the correlation between user behaviour and hardware environment as an implicit verification identity procedure to discriminate username and password usage, in particular hardware environment by specific pattern. So, the proposed approach uses hardware information to profile the user's environment when user-name and password are typed as part of the log-in process. These Hardware Manufacture Serial Part Numbers (HMSPNs) profiles are then correlated with the user's behaviour, e.g., key-stroke behaviour that allows the system to profile user's behaviour dependent on their environment. As a result of this approach, the access control system can determine a particular level of trust for each user and base access control decisions on it in order to reduce potential identity fraud

    Behavioural biometric identification based on human computer interaction

    As we become increasingly dependent on information systems, personal identification and profiling systems have received an increasing interest, either for reasons of personalisation or security. Biometric profiling is one means of identification which can be achieved by analysing something the user is or does (e.g., a fingerprint, signature, face, voice). This Ph.D. research focuses on behavioural biometrics, a subset of biometrics that is concerned with the patterns of conscious or unconscious behaviour of a person, involving their style, preference, skills, knowledge, motor-skills in any domain. In this work I explore the creation of user profiles to be applied in dynamic user identification based on the biometric patterns observed during normal Human-Computer Interaction (HCI) by continuously logging and tracking the corresponding computer events. Unlike most of the biometrics systems that need special hardware devices (e.g. fingerprint reader), HCI-based identification systems can be implemented using regular input devices (mouse or keyboard) and they do not require the user to perform specific tasks to train the system. Specifically, three components are studied in-depth: mouse dynamics, keystrokes dynamics and GUI based user behaviour. In this work I will describe my research on HCI-based behavioural biometrics, discuss the features and models I proposed for each component along with the result of experiments. In addition, I will describe the methodology and datasets I gathered using my LoggerMan application that has been developed specifically to passively gather behavioural biometric data for evaluation. Results show that normal Human-Computer Interaction reveals behavioural information with discriminative power sufficient to be used for user modelling for identification purposes

    Privacy-aware Security Applications in the Era of Internet of Things

    In this dissertation, we introduce several novel privacy-aware security applications. We split these contributions into three main categories: First, to strengthen the current authentication mechanisms, we designed two novel privacy-aware alternative complementary authentication mechanisms, Continuous Authentication (CA) and Multi-factor Authentication (MFA). Our first system is Wearable-assisted Continuous Authentication (WACA), where we used the sensor data collected from a wrist-worn device to authenticate users continuously. Then, we improved WACA by integrating a noise-tolerant template matching technique called NTT-Sec to make it privacy-aware as the collected data can be sensitive. We also designed a novel, lightweight, Privacy-aware Continuous Authentication (PACA) protocol. PACA is easily applicable to other biometric authentication mechanisms when feature vectors are represented as fixed-length real-valued vectors. In addition to CA, we also introduced a privacy-aware multi-factor authentication method, called PINTA. In PINTA, we used fuzzy hashing and homomorphic encryption mechanisms to protect the users' sensitive profiles while providing privacy-preserving authentication. For the second privacy-aware contribution, we designed a multi-stage privacy attack to smart home users using the wireless network traffic generated during the communication of the devices. The attack works even on the encrypted data as it is only using the metadata of the network traffic. Moreover, we also designed a novel solution based on the generation of spoofed traffic. Finally, we introduced two privacy-aware secure data exchange mechanisms, which allow sharing the data between multiple parties (e.g., companies, hospitals) while preserving the privacy of the individual in the dataset. These mechanisms were realized with the combination of Secure Multiparty Computation (SMC) and Differential Privacy (DP) techniques.
In addition, we designed a policy language, called Curie Policy Language (CPL), to handle the conflicting relationships among parties. The novel methods, attacks, and countermeasures in this dissertation were verified with theoretical analysis and extensive experiments with real devices and users. We believe that the research in this dissertation has far-reaching implications on privacy-aware alternative complementary authentication methods, smart home user privacy research, as well as the privacy-aware and secure data exchange methods

    Utilizing Linguistic Context To Improve Individual and Cohort Identification in Typed Text

    The process of producing written text is complex and constrained by pressures that range from physical to psychological. In a series of three sets of experiments, this thesis demonstrates the effects of linguistic context on the timing patterns of the production of keystrokes. We elucidate the effect of linguistic context at three different levels of granularity: The first set of experiments illustrates how the nontraditional syntax of a single linguistic construct, the multi-word expression, can create significant changes in keystroke production patterns. This set of experiments is followed by a set of experiments that test the hypothesis on the entire linguistic output of an individual. By taking into account linguistic context, we are able to create more informative feature-sets, and utilize these to improve the accuracy of keystroke dynamic-based user authentication. Finally, we extend our findings to entire populations, or demographic cohorts. We show that typing patterns can be used to predict a group's gender, native language and dominant hand. In addition, keystroke patterns can shed light on the cognitive complexity of a task that a typist is engaged in. The findings of these experiments have far-reaching implications for linguists, cognitive scientists, computer security researchers and social scientists

    Continuous Authentication of Users to Robotic Technologies Using Behavioural Biometrics

    Collaborative robots and current human–robot interaction systems, such as exoskeletons and teleoperation, are key technologies with profiles that make them likely security targets. Without sufficient protection, these robotics technologies might become dangerous tools that are capable of causing damage to their environments, increasing defects in work pieces and harming human co-workers. As robotics is a critical component of the current automation drive in many advanced economies, there may be serious economic effects if robot security is not appropriately handled. The development of suitable security for robots, particularly in industrial contexts, is critical. Collaborative robots, exoskeletons and teleoperation are all examples of robotics technologies that might need close collaboration with humans, and these interactions must be appropriately protected. There is a need to guard against both external hackers (as with many industrial systems) and insider malfeasance. Only authorised users should be able to access robots, and they should use only those services and capabilities they are qualified to access (e.g. those for which they are appropriately cleared and trained). Authentication is therefore a crucial enabling mechanism. Robot interaction will largely be ongoing, so continuous rather than one-time authentication is required. In robot contexts, continuous biometrics can be used to provide effective and practical authentication of individuals to robots. In particular, the working behaviour of human co-workers as they interact with robots can be used as a means of biometric authentication. This thesis demonstrates how continuous biometric authentication can be used in three different environments: a direct physical manipulation application, a sensor glove application and a remote access application. 
We show how information acquired from the collaborative robot's internal sensors, wearable sensors (similar to those found in an exoskeleton), and teleoperated robot control and programming can be harnessed to provide appropriate authentication. Thus, all authentication uses data that are collected or generated as part of the co-worker simply going about their work. No additional action is needed. For manufacturing environments, this lack of intrusiveness is an important feature. The results presented in this thesis show that our approaches can discriminate appropriately between users. We believe that our machine learning-based approaches can provide reasonable and practical solutions for continually authenticating users to robots in many environments, particularly in manufacturing contexts