The cyber simulation terrain: Towards an open source cyber effects simulation ontology

Cyber resilience is characterised by an ability to understand and adapt to changing network conditions, including cyber attacks. Cyber resilience may be characterised by an effects-based approach to missions or processes. One of the fundamental preconditions underpinning cyber resilience is an accurate representation of current network and machine states and what missions they are supporting. This research outlines the need for an ontological network representation, drawing on existing literature and implementations in the domain. This work then introduces an open-source ontological representation for modelling cyber assets for the purposes of Computer Network Defence. This representation encompasses computers, network connectivity, users, software, vulnerabilities and exploits and aims for interoperability with related representations in common use. The utility of this work is highlighted against a functional use-case depicting a realistic operational network and mission. Finally, a future research direction is defined

Method and tool for generating table of relevance in literature review (MTTR)

Every day, researchers in computing and IT are challenged with several articles that they need to rate, classify and separate quickly and effectively to contextualize and further advance their research effectively. It is considered that literature review is the most important step of discovery. Notably, a literature review is a part that allows the researcher to adjust the perspectives and limitations of an area of study. However, there is a lack of effective methods and tools for this activity. Often, traditional knowledge management techniques result in the “Gordian Knot” slowing down the process of literature review considerably. In this article, we present a Method and Tool for Generating Table of Relevance in Literature Review (MTTR). The MTTR is an innovative organizing method supported by software tools that make the literature review activity more efficient, faster and cheaper. An interesting feature of MTTR is data visualization using the Heat Map technique, Word Cloud and statistical techniques in designating and comparing each scientific article with the other relevant articles. The productivity gains in MTTR occur due to the automation in structuring and sorting scientific articles. In addition to efficiency, the lowest cost has the potential to place the MTTR as a preferred tool for the researcher. The anecdotal evidence reported in this article suggests that it is possible to carry out a literature review in a much shorter time with MTTR than in the traditional manner

Guide to Developing Cybersecurity Programs for NSF Science and Engineering Projects, v1

This document is a product of the Center for Trustworthy Scientific Cyberinfrastructure (CTSC). CTSC is supported by the National Science Foundation under Grant Number OCI-1234408. Any opinions,findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation

Developing Network Situational Awareness through Visualization of Fused Intrusion Detection System Alerts

With networks increasing in physical size, bandwidth, traffic volume, and malicious activity, network analysts are experiencing greater difficulty in developing network situational awareness. Traditionally, network analysts have used Intrusion Detection Systems to gain awareness but this method is outdated when analysts are unable to process the alerts at the rate they are being generated. Analysts are unwittingly placing the computer assets they are charged to protect at risk when they are unable to detect these network attacks. This research effort examines the theory, application, and results of using visualizations of fused alert data to develop network situational awareness. The fused alerts offer analysts fewer false-positives, less redundancy and alert quantity due to the pre-processing. Visualization offers the analyst quicker visual processing and potential pattern recognition. This research utilized the Visual Information Management toolkit created by Stanfield Systems Inc. to generate meaningful visualizations of the fused alert data. The fused alert data was combined with other network data such as IP address information, network topology and network traffic in the form of tcpdump data. The process of building Situational Awareness is an active process between the toolkit and the analyst. The analyst loads the necessary data into the visualization(s), he or she configures the visualization properties and filters the visualization(s). Results from generating visualizations of the network attack scenarios were positive. The analyst gained more awareness through the process of defining visualization properties. The analyst was able to filter the network data sources effectively to focus on the important alerts. Ultimately, the analyst was able to follow the attacker through the entry point in the network to the victims. The analyst was able to determine that the victims were compromised by the attacker. The analyst wasn\u27t able to definitively label the attack specifically yet the analyst was able to follow the attack effectively leading to Situational Awareness

The Challenge of Resilience in a Globalised World

Resilience determines the capacity to successfully deal with difficult events and to adapt and overcome adversity. It creates stability in a changing world which in turn promotes job creation, economic growth and environmental sustainability. Resilience is a fundamental prerequisite for Europe as the largest integrated economic area in the world and has an important social dimension which requires the active cooperation of all stakeholders; citizens, the private sector, governments and NGOs included. This report discusses the concept of resilience from different perspectives and the role of science in the continuous process of building a resilient, stable, competitive and prosperous Europe.JRC.G-Institute for the Protection and Security of the Citizen (Ispra

Report of the 2014 NSF Cybersecurity Summit for Large Facilities and Cyberinfrastructure

This event was supported in part by the National Science Foundation under Grant Number 1234408. Any opinions, findings, and conclusions or recommendations expressed at the event or in this report are those of the authors and do not necessarily reflect the views of the National Science Foundation

Decision Support Elements and Enabling Techniques to Achieve a Cyber Defence Situational Awareness Capability

[ES] La presente tesis doctoral realiza un análisis en detalle de los elementos de decisión necesarios para mejorar la comprensión de la situación en ciberdefensa con especial énfasis en la percepción y comprensión del analista de un centro de operaciones de ciberseguridad (SOC). Se proponen dos arquitecturas diferentes basadas en el análisis forense de flujos de datos (NF3). La primera arquitectura emplea técnicas de Ensemble Machine Learning mientras que la segunda es una variante de Machine Learning de mayor complejidad algorítmica (lambda-NF3) que ofrece un marco de defensa de mayor robustez frente a ataques adversarios. Ambas propuestas buscan automatizar de forma efectiva la detección de malware y su posterior gestión de incidentes mostrando unos resultados satisfactorios en aproximar lo que se ha denominado un SOC de próxima generación y de computación cognitiva (NGC2SOC). La supervisión y monitorización de eventos para la protección de las redes informáticas de una organización debe ir acompañada de técnicas de visualización. En este caso, la tesis aborda la generación de representaciones tridimensionales basadas en métricas orientadas a la misión y procedimientos que usan un sistema experto basado en lógica difusa. Precisamente, el estado del arte muestra serias deficiencias a la hora de implementar soluciones de ciberdefensa que reflejen la relevancia de la misión, los recursos y cometidos de una organización para una decisión mejor informada. El trabajo de investigación proporciona finalmente dos áreas claves para mejorar la toma de decisiones en ciberdefensa: un marco sólido y completo de verificación y validación para evaluar parámetros de soluciones y la elaboración de un conjunto de datos sintéticos que referencian unívocamente las fases de un ciberataque con los estándares Cyber Kill Chain y MITRE ATT & CK.[CA] La present tesi doctoral realitza una anàlisi detalladament dels elements de decisió necessaris per a millorar la comprensió de la situació en ciberdefensa amb especial èmfasi en la percepció i comprensió de l'analista d'un centre d'operacions de ciberseguretat (SOC). Es proposen dues arquitectures diferents basades en l'anàlisi forense de fluxos de dades (NF3). La primera arquitectura empra tècniques de Ensemble Machine Learning mentre que la segona és una variant de Machine Learning de major complexitat algorítmica (lambda-NF3) que ofereix un marc de defensa de major robustesa enfront d'atacs adversaris. Totes dues propostes busquen automatitzar de manera efectiva la detecció de malware i la seua posterior gestió d'incidents mostrant uns resultats satisfactoris a aproximar el que s'ha denominat un SOC de pròxima generació i de computació cognitiva (NGC2SOC). La supervisió i monitoratge d'esdeveniments per a la protecció de les xarxes informàtiques d'una organització ha d'anar acompanyada de tècniques de visualització. En aquest cas, la tesi aborda la generació de representacions tridimensionals basades en mètriques orientades a la missió i procediments que usen un sistema expert basat en lògica difusa. Precisament, l'estat de l'art mostra serioses deficiències a l'hora d'implementar solucions de ciberdefensa que reflectisquen la rellevància de la missió, els recursos i comeses d'una organització per a una decisió més ben informada. El treball de recerca proporciona finalment dues àrees claus per a millorar la presa de decisions en ciberdefensa: un marc sòlid i complet de verificació i validació per a avaluar paràmetres de solucions i l'elaboració d'un conjunt de dades sintètiques que referencien unívocament les fases d'un ciberatac amb els estàndards Cyber Kill Chain i MITRE ATT & CK.[EN] This doctoral thesis performs a detailed analysis of the decision elements necessary to improve the cyber defence situation awareness with a special emphasis on the perception and understanding of the analyst of a cybersecurity operations center (SOC). Two different architectures based on the network flow forensics of data streams (NF3) are proposed. The first architecture uses Ensemble Machine Learning techniques while the second is a variant of Machine Learning with greater algorithmic complexity (lambda-NF3) that offers a more robust defense framework against adversarial attacks. Both proposals seek to effectively automate the detection of malware and its subsequent incident management, showing satisfactory results in approximating what has been called a next generation cognitive computing SOC (NGC2SOC). The supervision and monitoring of events for the protection of an organisation's computer networks must be accompanied by visualisation techniques. In this case, the thesis addresses the representation of three-dimensional pictures based on mission oriented metrics and procedures that use an expert system based on fuzzy logic. Precisely, the state-of-the-art evidences serious deficiencies when it comes to implementing cyber defence solutions that consider the relevance of the mission, resources and tasks of an organisation for a better-informed decision. The research work finally provides two key areas to improve decision-making in cyber defence: a solid and complete verification and validation framework to evaluate solution parameters and the development of a synthetic dataset that univocally references the phases of a cyber-attack with the Cyber Kill Chain and MITRE ATT & CK standards.Llopis Sánchez, S. (2023). Decision Support Elements and Enabling Techniques to Achieve a Cyber Defence Situational Awareness Capability [Tesis doctoral]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/19424

Towards a systematic security evaluation of the automotive Bluetooth interface

In-cabin connectivity and its enabling technologies have increased dramatically in recent years. Security was not considered an essential property, a mind-set that has shifted significantly due to the appearance of demonstrated vulnerabilities in these connected vehicles. Connectivity allows the possibility that an external attacker may compromise the security - and therefore the safety - of the vehicle. Many exploits have already been demonstrated in literature. One of the most pervasive connective technologies is Bluetooth, a short-range wireless communication technology. Security issues with this technology are well-documented, albeit in other domains. A threat intelligence study was carried out to substantiate this motivation and finds that while the general trend is towards increasing (relative) security in automotive Bluetooth implementations, there is still significant technological lag when compared to more traditional computing systems. The main contribution of this thesis is a framework for the systematic security evaluation of the automotive Bluetooth interface from a black-box perspective (as technical specifications were loose or absent). Tests were performed through both the vehicle’s native connection and through Bluetoothenabled aftermarket devices attached to the vehicle. This framework is supported through the use of attack trees and principles as outlined in the Penetration Testing Execution Standard. Furthermore, a proof-of-concept tool was developed to implement this framework in a semi-automated manner, to carry out testing on real-world vehicles. The tool also allows for severity classification of the results acquired, as outlined in the SAE J3061 Cybersecurity Guidebook for Cyber-Physical Vehicle Systems. Results of the severity classification are validated through domain expert review. Finally, how formal methods could be integrated into the framework and tool to improve confidence and rigour, and to demonstrate how future iterations of design could be improved is also explored. In conclusion, there is a need for systematic security testing, based on the findings of the threat intelligence study. The systematic evaluation and the developed tool successfully found weaknesses in both the automotive Bluetooth interface and in the vehicle itself through Bluetooth-enabled aftermarket devices. Furthermore, the results of applying this framework provide a focus for counter-measure development and could be used as evidence in a security assurance case. The systematic evaluation framework also allows for formal methods to be introduced for added rigour and confidence. Demonstrations of how this might be performed (with case studies) were presented. Future recommendations include using this framework with more test vehicles and expanding on the existing attack trees that form the heart of the evaluation. Further work on the tool chain would also be desirable. This would enable further accuracy of any testing or modelling required, and would also take automation of the entire process further