10 research outputs found

    Design requirements for generating deceptive content to protect document repositories

    For nearly 30 years, fake digital documents have been used to identify external intruders and malicious insider threats. Unfortunately, while fake files hold potential to assist in data theft detection, there is little evidence of their application outside of niche organisations and academic institutions. The barrier to wider adoption appears to be the difficulty of constructing deceptive content. The current generation of solutions principally: (1) use unrealistic random data; (2) output heavily formatted or specialised content that is difficult to apply to other environments; (3) require users to build the content manually, which is not scalable; or (4) employ an existing production file, which creates a protection paradox. This paper introduces a set of requirements for generating automated fake file content: (1) enticing, (2) realistic, (3) minimise disruption, (4) adaptive, (5) scalable protective coverage, (6) minimise sensitive artefacts and copyright infringement, and (7) contain no distinguishable characteristics. These requirements have been drawn from literature on natural science, magical performances, human deceit, military operations, intrusion detection and previous fake file solutions. They guide the design of an automated fake file content construction system, providing an opportunity for the next generation of solutions to find greater commercial application and widespread adoption.

    Towards a set of metrics to guide the generation of fake computer file systems

    Fake file systems are used in the field of cyber deception to bait intruders and fool forensic investigators. File system researchers also frequently generate their own synthetic document repositories, because of the data privacy and copyright concerns associated with experimenting on real-world corpora. For both fields, realism is critical. Unfortunately, after creating a set of files and folders, there are no current testing standards that can be applied to validate their authenticity or, conversely, to reliably automate their detection. This paper reviews the previous 30 years of file system surveys on real-world corpora to identify a set of discrete measures for generating synthetic file systems. Statistical distributions such as size, age and lifetime of files, common file types, compression and duplication ratios, and directory distribution and depth (and its relationship with the number of files and sub-directories) were identified and their respective merits discussed. Additionally, this paper highlights notable absences in these surveys that could be beneficial, such as analysing text content distribution en masse, file naming habits, and comparing file access times against traditional working hours.

    Behaviour based ransomware detection

    Ransomware is an ever-increasing threat in the world of cyber security, targeting vulnerable users and companies; what is lacking is an easier way to group these threats and devise practical, easy solutions that everyday users can utilise. In this paper we look at the different characteristics of ransomware and present preventative techniques to tackle ransomware attacks. More specifically, our techniques are based on ransomware behaviour rather than the signature-based detection used by most anti-malware software. We further discuss the implementation of these techniques and their effectiveness. We have tested the techniques on four prominent ransomware strains: WannaCry, TeslaCrypt, Cerber and Petya. In this paper we discuss how our techniques dealt with these strains and the performance impact of the techniques.

    EclipseIoT: A secure and adaptive hub for the Internet of Things

    With the proliferation in the quantity and types of devices that may be included in an Internet of Things (IoT) ecosystem, particularly in the context of a smart home, it is essential to provide mechanisms to deal with the heterogeneity such devices encompass. Variations can occur in data formats, frequency of operation, or the type of communication protocols supported. The ability to support integration between sensors using a "hub" has become central to addressing many of these issues. Such a hub can act as an aggregator for various sensors and also limit an attacker's visibility into locally provisioned sensing capability. This paper introduces EclipseIoT, an adaptive hub that uses dynamically loadable add-on modules to communicate with diverse IoT devices, provides policy-based access control, limits exposure of local IoT devices through cloaking, and offers a canary-function-based capability to monitor attack behaviours. Its architecture and implementation are discussed, along with its use within a smart home testbed consisting of commercially available devices such as the Philips Hue Bridge, Samsung SmartThings Hub, TP-Link Smart Plug, and TP-Link Smart Camera. The effectiveness of EclipseIoT is further evaluated by simulating various attacks, such as Address Resolution Protocol (ARP) spoofing, Media Access Control (MAC) address spoofing, Man-In-The-Middle (MITM), port scanning, capturing handshakes, sniffing, and Denial of Service (DoS). It is demonstrated that direct attacks upon EclipseIoT components are mitigated by the security techniques being used.

    Modeling Deception for Cyber Security

    In the era of software-intensive, smart and connected systems, the growing power and sophistication of cyber attacks poses increasing challenges to software security. The reactive posture of traditional security mechanisms, such as anti-virus and intrusion detection systems, has not been sufficient to combat the wide range of advanced persistent threats that currently jeopardise system operation. To mitigate these threats, more active defensive approaches are necessary. Such approaches rely on the concept of actively hindering and deceiving attackers. Deceptive techniques provide additional defence by thwarting attackers' advances through the manipulation of their perceptions. Manipulation is achieved through the use of deceitful responses, feints, misdirection, and other falsehoods in a system. Of course, such deception mechanisms may produce side effects that must be handled. Current methods for planning deception chiefly attempt to bridge military deception to cyber deception, providing only high-level instructions that largely ignore deception as part of the software security development life cycle. Consequently, little practical guidance is provided on how to engineer deception-based techniques for defence. This PhD thesis contributes a systematic approach to specifying and designing cyber deception requirements, tactics, and strategies. The approach consists of (i) multi-paradigm modelling for representing deception requirements, tactics, and strategies, (ii) a reference architecture to support the integration of deception strategies into system operation, and (iii) a method to guide engineers in deception modelling. A tool prototype, a case study, and an experimental evaluation show encouraging results for the application of the approach in practice. Finally, a conceptual coverage mapping was developed to assess the expressivity of the deception modelling language created.

    Viera y Clavijo: Historiador ilustrado del Atlántico

    We analyse the historiographical production of Viera y Clavijo, a Canarian figure of the Enlightenment whose work stood out within Spain as a whole. We have carried out a hermeneutic study of this work, together with the incorporation of information held in Canarian archives. We believe there is a need to deepen the study of his philosophy of history. Viera y Clavijo's historiographical work was the first overview of the history of the Canary Islands in accordance with Enlightenment ideas, especially influenced by French historians; without being the most avant-garde in Europe, it was a huge step forward in Canarian thought of the second half of the eighteenth century. While stressing the Atlantic character of the Canaries, it also highlights the characteristics conferred by insularity. Geography was an aspect that Viera considered to hinder the spread of religious and Enlightenment ideas: the separation of the islands, with their rugged terrain, made certain places inaccessible. Canarian identity is indebted to the work of Viera y Clavijo, many of its myths and imaginary tear

    Monitorización, detección y bloqueo de procesos de cifrado malicioso

    Final Degree Project in Computer Engineering, Facultat de Matemàtiques, Universitat de Barcelona, Year: 2017, Supervisor: Francesc Dantí Espinasa
    This project aims to provide a solution to ransomware, the malware problem affecting the largest number of users in 2016. Ransomware is a kind of malware characterised by demanding a ransom payment after infecting a device. Early variants simply blocked the device with a full-screen message until payment was received, but after a while they started using file encryption. Once the files have been encrypted, it is virtually impossible to decipher them without the decryption key, which leaves paying the ransom as the only way to recover the lost files. During our investigation of ransomware, we found that the vast majority of samples used fixed extensions and patterns to rename encrypted files. This feature can be used to identify the encryption process in its initial state and kill it. RaMON is a reactive tool that requires no installation and is designed to consume very few resources. These characteristics make it possible to run alongside an antivirus as a light and transparent application. RaMON has been designed to fight a very specific type of malware; for this reason, it should be viewed as an additional security layer and in no way as a replacement for an antivirus. RaMON has a blacklist of extensions we consider IOCs (Indicators of Compromise). When one of these extensions is detected, a malicious encryption process is taking place. From there, the tool works through the following steps:
    - Monitoring the file system to detect creation/rename of new executable files (.exe).
    - Monitoring creation/rename of files with dangerous extensions.
    - Matching the "Last created EXEs" list against the current process list, in order to find the encryption process.
    - Once found, sending a kill signal to it, its child processes and threads.
    - In parallel, disabling network interfaces to avoid spread of the infection.
    - Sending a shutdown, informing the user about the infection. This is done to avoid further modification of the system, in case of an eventual forensic analysis.
    As a last line of defence, the tool only acts if the ransomware has bypassed all other security layers (UAC, execution prevention, antivirus, firewall, etc.). We should note that the computer world in general, and malware in particular, evolves at high speed, and what is effective today will probably not be tomorrow. The same sources of information serve black-hat and white-hat hackers alike, fuelling the fast evolution of the security world. Most of the time we think about improving security applications, but sometimes we forget to work hard on user education, which is always the weakest link in the infection chain.

    Detecting and defending against cyber attacks in a smart home Internet of Things ecosystem

    The proliferation of Internet of Things (IoT) devices is demonstrated by their prominence in our daily lives. Although such devices simplify and automate everyday tasks, they also introduce serious security flaws. Current security measures are insufficient, making IoT one of the weakest links for breaking into a secure infrastructure, which can have serious consequences. This thesis is therefore motivated by the need to develop and further enhance novel mechanisms tailored towards strengthening the overall security infrastructure of IoT ecosystems. To estimate the degree to which a hub can improve the overall security of the ecosystem, this thesis presents the design and prototype implementation of a novel secure IoT hub, consisting of various built-in security mechanisms that satisfy key security properties (e.g. authentication, confidentiality, access control) applicable to a range of devices. The effectiveness of the hub was evaluated within a smart home IoT network against which popular cyber attacks were deployed. To further enhance the security of the IoT environment, initial experiments towards the development of a three-layered Intrusion Detection System (IDS) are presented. The IDS aims to: 1) classify IoT devices, 2) identify malicious or benign network packets, and 3) identify the type of attack that has occurred. To support the classification experiments, real network data was collected from a smart home testbed, where a range of cyber attacks from four main attack types were targeted at the devices. Lastly, the robustness of the IDS was further evaluated against Adversarial Machine Learning (AML) attacks. Such attacks target models by generating adversarial samples that exploit the weaknesses of the pre-trained model, consequently bypassing the detector. This thesis presents a first approach towards automatically generating adversarial malicious DoS IoT network packets. The analysis further explores how adversarial training can enhance the robustness of the IDS.

    Movement patterns, behaviors, and whistle sounds of dolphin groups off Kaikoura, New Zealand

    Includes bibliographical references (leaves 80-91). Issued also on microfiche from Lange Micrographics.
    The dusky dolphin (Lagenorhynchus obscurus) is a small delphinid that occurs in temperate waters near Southern Hemisphere land masses. Off Kaikoura, New Zealand, duskies are targeted for interactions by tourist vessels, swimmers and recreational vessels. To determine whether human activity influenced dolphin behaviour, I conducted shore- and vessel-based studies to examine movement patterns and acoustic behaviour of duskies during three field seasons. Small groups of 25 or fewer dolphins were tracked from shore with a theodolite. Three variables (mean leg speed, linearity, and reorientation rate) were examined to determine the possible influence of year, season, presence of a calf, time of day, group size, or presence of vessels within 100m, 101-300m and 301-1,000m. Mean leg speeds did not differ significantly by year, season, presence of a calf, or time of day. For group size comparisons, a post-hoc linear regression found a significant relationship between mean leg speed and group size (p=0.0472). Mean speeds for groups containing 6-10, 11-15, and 16-20 animals increased as group size increased. Mean leg speeds did not differ by presence of a vessel within 100m, 101-300m, or 300-1,000m. For shore-based studies, mean leg speed may not be the most appropriate parameter for determining the effects of human activity. Linearity, a measure of how straight a course was travelled, increased when boats were within 100-300m. Higher values were recorded during boat and post-boat conditions than during no-boat conditions, indicating that dolphin groups travelled in a more direct fashion at these times. A post-hoc analysis revealed a significant difference between the no-boat and a combined boat/post-boat condition (p=0.0419). Reorientation rates were higher when boats were within 101-300m, indicating that dolphins changed course more often when boats were present. Whistles were recorded when duskies were associated with common dolphins (Delphinus delphis), with swimmers, or when duskies were alone. Over 97% of analysed whistles were recorded when duskies were found in inter-species groups. Whistles may be an indication of excitement levels within the group. More work is necessary to determine whether whistles can be used as a reliable indicator of disturbance.