
    Assessment of cyber threats discovered by OSINT

    Master's thesis, Information Security, Universidade de Lisboa, Faculdade de Ciências, 2022.
    Despite the high maturity levels of CTI (Cyber Threat Intelligence) tools, techniques, procedures and frameworks, there are still gaps that must be considered and addressed. More than 50% of the world's population is now online and growing, as the COVID-19 pandemic is pushing the large-scale adoption of technology in the most diverse areas. This context, combined with emerging technologies (e.g. cloud computing, IoT, 5G), is enabling, allowing and amplifying more complex and faster cyber-attacks. "Security-by-design" is not yet the main principle, as products need to be deployed quickly into the market, delivering vulnerable targets into the Internet ecosystem. It is estimated that cybercrime inflicted damages of 6 billion USD in 2021, growing 15% per year, positioning it as the world's third-largest economy and reaching 10.5 billion USD in 2025 [1]. Cyberattacks on critical infrastructures were considered the fifth top risk in 2020, as structural industries and sectors are juicy targets. On the other hand, the likelihood of detection and prosecution is estimated to be 0.05% in the USA [2]. To fight this threat and reduce the risk, it is essential that CTI parties join forces to improve coordination and cooperation, to reduce the time between the generation of CTI and its dissemination, and to achieve a balance between timely dissemination of CTI and high-quality CTI. The quality of CTI is a huge barrier: most platforms ingest data from paid feeds and OSINT sources, gathering, filtering, analyzing and aggregating it, usually with little or no data-quality assessment. This increases the pressure on cyber-security analysts, who deal with a large number of generated alerts. IoCs (Indicators of Compromise) must go through an assessment process and be scored, so that CTI consumers can decide and tailor their measures accordingly. According to the ENISA 2020 CTI survey [3], only 4% of CTI users are able to implement processes to measure CTI efficiency. This dissertation presents an overview of the existing CTI methodologies and technologies, proposing one solution to be adopted and integrated into CTI tools to assess, qualify, score and advise cyber-security analysts.

    Development of Internet Connection Management Software for SOHO

    To access the Internet, a computer must be connected to the Internet through an Internet Service Provider and use an Internet IP address. The number of Internet IP addresses currently available (IPv4) is very limited, so their use is restricted and regulated through a fairly expensive leasing system. The cheapest and most commonly used Internet connection alternative is dial-up, in which the client computer automatically uses a dynamic IP address leased for as long as we are connected. If several computers on a Local Area Network want to use the Internet simultaneously, must a dial-up connection be made for each computer? No: there are two Internet-sharing alternatives, namely masquerading and proxy. Several software packages currently provide Internet-sharing solutions with masquerading or proxy based on the Windows operating system. The problem is that such software is unreliable (slow and frequently hangs) and insecure because of the many security holes in the Windows operating system, such as denial-of-service and Trojans. Uncontrolled Internet use in a company can have a counterproductive effect on employees, so effective, efficient and easy-to-use Internet access management is required. This paper develops an Internet-sharing and Internet connection management solution that is reliable, secure, flexible and easy to use. Internet sharing uses the masquerading facility available in the Linux 2.2 kernel, which has proven reliable and secure. The connection management and configuration system is designed to be Web-based so that it is easy to use by the network administrator and employees. This system is also suitable for deployment in Internet cafés.

    A survey of VoIP intrusions and intrusion detection systems

    ABSTRACT This paper presents a survey of the security problems in VoIP networks, with an emphasis on both intrusions and intrusion detection methods. It examines the intrusion issues in different components of VoIP systems, points to the strengths and shortcomings in the existing intrusion detection methods and intrusion detection systems, and suggests possible future research directions.

    Security-Driven Software Evolution Using A Model Driven Approach

    A high security level must be guaranteed in applications in order to mitigate risks during the deployment of information systems in open network environments. However, a significant number of legacy systems remain in use, which poses security risks to the enterprise's assets due to the poor technologies used and the lack of security concerns when they were designed. Software reengineering is a way to improve their security levels in a systematic way. Model-driven engineering is an approach in which a model, as defined by its type, directs the execution of the process. The aim of this research is to explore how a model-driven approach can facilitate software reengineering driven by security demands. The research in this thesis involves the following three phases. Firstly, legacy system understanding is performed using reverse engineering techniques. The task of this phase is to reverse engineer the legacy system into UML models, partition the legacy system into subsystems with the help of a model slicing technique, and detect existing security mechanisms to determine whether or not the security provided in the legacy system satisfies the user's security objectives. Secondly, security requirements are elicited using a risk analysis method. This is the process of analysing key aspects of the legacy systems in terms of security. A new risk assessment method, taking asset, threat and vulnerability into consideration, is proposed and used to elicit the security requirements; it generates detailed security requirements in a specific format to direct the subsequent security enhancement. Finally, security enhancement of the system is performed using the proposed ontology-based security pattern approach. In this stage, security patterns derived from security expertise and fulfilling the elicited security requirements are selected and integrated into the legacy system models with the help of the proposed security ontology. The proposed approach is evaluated on the selected case study. Based on the analysis, conclusions are drawn and future research is discussed at the end of this thesis. The results show that this thesis contributes an effective, reusable and suitable evolution approach for software security.

    Connectionless Communication of IoT Devices over LTE Mobile Networks

    Goal: This work proposes and analyzes a new technique for providing a small slotted ALOHA-like communication channel embedded in each LTE eNB, providing unrestricted means of communication for IoT devices. It studies the M2M (machine-to-machine) communication system and introduces a new M2M data transmission technique over LTE wireless access without expensive signaling exchange in the mobile core. In the course of the work, a new connectionless communication protocol for IoT devices over LTE mobile networks was presented, which does not require control-plane signaling at the EPC. The proposed model was simulated.

    Semantic Description of IoT Security for Smart Grid

    Master's thesis, Information and Communication Technology, IKT590, University of Agder, 2017.
    This research work proposed, developed and evaluated an IoT security ontology for the smart home energy management system (SHEMS) in smart grids. The ontology description includes infrastructure, attacks, vulnerabilities and countermeasures for the main components of SHEMS, such as the Smart Meter, Smart Appliance, Home Gateway and Billing data. The ontology extends the SAREF energy management ontology with security features. We have two main reasons for selecting the SAREF ontology as the basis of our work. First, SAREF is standardized by ETSI. Second, it is specifically designed for energy management and efficiency. We checked the correctness of our ontology by running SWRL rules and SPARQL queries. Our test results showed that our ontology is useful for analysing and inferring IoT security for the smart home and can be extended to more complex reasoning about IoT security features. Keywords: IoT, Security, Smart Grid, Smart Home, Ontology, Energy Management.

    A Cloud-based Intrusion Detection and Prevention System for Mobile Voting in South Africa

    Published thesis.
    Information and Communication Technology (ICT) has given rise to new technologies and solutions that were not possible a few years ago. One of these new technologies is electronic voting, also known as e-voting, which is the use of computerised equipment to cast a vote. One of the subsets of e-voting is mobile voting (m-voting). M-voting is the use of mobile phones to cast a vote outside the restricted electoral boundaries. Mobile phones are pervasive; they offer connectivity anywhere, at any time. However, using a fast-growing medium such as the mobile phone to cast a vote poses various new security threats and challenges. Mobile phones use software designs equivalent to those of personal computers, which makes them vulnerable or exposed to parallel security challenges such as viruses, Trojans and worms. In the past, security solutions for mobile phones encountered several restrictions in practice. Several methods were used; however, these methods were developed to allow lightweight intrusion detection software to operate directly on the mobile phone. Nevertheless, such security solutions are bound to fail at securing a device from intrusions, as they are constrained by the restricted memory, storage, computational resources and battery power of mobile phones. This study compared and evaluated two intrusion detection systems (IDSs), namely Snort and Suricata, in order to propose a cloud-based intrusion detection and prevention system (CIDPS) for m-voting in South Africa. It employed simulation as the primary research strategy to evaluate the IDSs. A quantitative research method was used to collect and analyse data. The researcher established that, although Snort has been the preferred intrusion detection and prevention system (IDPS) in the past, Suricata presented more effective and accurate results, close to what the researcher anticipated. The results also revealed that, though Suricata proved effective enough to protect m-voting while saving the computational resources of mobile phones, more work needs to be done to alleviate the false-negative alerts caused by the anomaly detection method. This study adopted Suricata as a suitable cloud-based analysis engine to protect a mobile voting application like XaP.

    DoSSEC: a proposal for the detection and mitigation of SYN Flood attacks in SDN networks

    Software-defined networks (SDN) represent a new network architecture that provides central control over the network. It is characterized by the separation between the data plane and the control plane, which defines a programmable environment. In the control plane, the controller allows the execution of services that define control policies and distributes them to the data plane through a standard protocol, such as OpenFlow. Despite the numerous benefits provided by this architecture, security in SDN networks is still an important concern. In particular, denial-of-service (DoS) attacks challenge SDN architectures in several ways, due to the vulnerabilities that exist between the planes. This work proposes a security solution called DoSSEC, composed of two modules (detection and mitigation) that act directly on the data plane. The first module outputs the changes in traffic volume that indicate a possible attack in progress, using the statistics generated by the programmable switches. The second module aims to prioritize flows that have already been validated, through a reputation-based method that uses queues at the switches to denote the level of trust of the flows, preserving and prioritizing a benign set of traffic. The experimental results obtained show that DoSSEC reduces the response time by an average of 30% compared to another state-of-the-art solution. In addition, DoSSEC improves the rate of successful TCP connections and reduces flow congestion, reducing the impacts caused by the DoS (SYN Flood) attack.
    CAPES

    Detection and mitigation of anomalies in a network firewall

    ABSTRACT: To achieve resilience in telecommunications networks, it is necessary to propose methodologies that pursue this objective at each stage and device of the network, providing the ability to keep operating at acceptable service levels when unfortunate events occur that compromise its correct functioning. The network firewall is one of the most important devices in the security and protection scheme of a network; it is conceived as the system's first line of defense, playing a crucial role in protecting the network from incoming traffic flows. The firewall is therefore the target of malicious attacks that seek to overwhelm its traffic-filtering capacity; if this service were taken out of operation, the network would be at the mercy of further attacks with potentially devastating consequences. Consequently, methodologies are needed that provide the ability to withstand such events while maintaining minimum levels of operation, that is, resilience. This work proposes a two-stage methodology. The first stage is the early detection of anomalies in the utilization levels of the firewall's computational resources, possibly caused by DoS attacks that target the last rules of the firewall's security mechanism in order to saturate its computational resources until the service collapses. This detection is performed by monitoring CPU utilization in real time; if a defined threshold is exceeded, an alarm is raised reporting the occurrence of the event. To define the threshold, a theoretical model was derived to study system performance in different scenarios, making it possible to classify resource utilization as normal or atypical behavior. The second stage consists of mitigating or remediating the anomalies. A scheduling algorithm was developed for the order in which the firewall's rules are queried. The problem was formulated as a binary integer program over a bipartite graph between the set of rules and an entity defined within this project called the service states. This is a special case of the Maximum Weight Matching problem; given its computational complexity, an algorithm is proposed to obtain an approximate solution by adapting Greedy Maximal Match Scheduling. The results obtained show that, under the influence of a DoS attack, possible anomalies in CPU utilization are mitigated, quickly returning to normal behavior values and guaranteeing the operability of the system even in the presence of unfortunate events.