Towards a Virtual Machine Introspection Based Multi-Service, Multi-Architecture, High-Interaction Honeypot for IOT Devices
Internet of Things (IoT) devices are quickly growing in adoption. The use cases for IoT devices run the gamut from household applications (such as toasters, lighting, and thermostats) to medical, battlefield, or Industrial Control System (ICS) applications that are used in life-or-death situations. A disturbing trend for IoT devices is that they are not developed with security in mind. This lack of security has led to the creation of massive botnets that are used for nefarious acts. To address these issues, it is important to have a good understanding of the threat landscape that IoT devices face. A commonly used security control to monitor and gain insight into threats is a honeypot. This research explores the creation of a VMI-based high-interaction honeypot for IoT devices that is capable of monitoring multiple services simultaneously.
Security in Process: Detecting Attacks in Industrial Process Data
Due to the fourth industrial revolution, industrial applications make use of the progress in communication and embedded devices. This allows industrial users to increase efficiency and manageability while reducing cost and effort. Furthermore, the fourth industrial revolution, creating the so-called Industry 4.0, opens a variety of novel use and business cases in the industrial environment. However, this progress comes at the cost of an enlarged attack surface for industrial companies. Operational networks that had previously been physically separated from public networks are now connected in order to make use of new communication capabilities. This motivates the need for industrial intrusion detection solutions that are compatible with the long-term operation of machines in industry as well as with heterogeneous and fast-changing networks. In this work, process data is analysed. The data is created and monitored on real-world hardware. After a set-up phase, attacks are introduced into the systems that influence the process behaviour. A time series-based anomaly detection approach, Matrix Profiles, is adapted to the specific needs and applied to intrusion detection. The results indicate that these methods are applicable to detecting attacks in the process behaviour. Furthermore, they are easily integrated into existing process environments. Additionally, two one-class classifiers, One-Class Support Vector Machines and Isolation Forest, are applied to the data without a notion of timing. While Matrix Profiles perform well in terms of creating and visualising results, the one-class classifiers perform poorly.
A Flexible Laboratory Environment Supporting Honeypot Deployment for Teaching Real-World Cybersecurity Skills
In the practical study of cybersecurity, students benefit greatly from having full control of physical equipment and services. However, this presents far too great a security risk to be permitted on university campus networks. This paper describes an approach, used successfully at Northumbria University, in which students have control of an off-campus network laboratory with a dedicated connection to the Internet. The laboratory is flexible enough to allow the teaching of general-purpose networking and operating systems courses, while also supporting the teaching of cybersecurity through the safe integration of honeypot devices. In addition, the paper gives an analysis of honeypot architectures and presents two in detail. One of these offers students the opportunity to study cybersecurity attacks and defences at very low cost. It has been developed as a stand-alone device that can also be integrated safely into the laboratory environment for the study of more complex scenarios. The main contributions of this paper are the design and implementation of: an off-campus, physical network laboratory; a small, low-cost, configurable platform for use as a “lightweight” honeypot; and a laboratory-based, multi-user honeypot for large-scale, concurrent cybersecurity experiments. The paper outlines how the laboratory environment has been successfully deployed within a university setting to support the teaching and learning of cybersecurity. It highlights the types of experiments and projects that have been supported and can be supported in the future.
Distributed Analysis of SSH Brute Force and Dictionary Based Attacks
When designing and implementing a new system, one of the most common misuse cases a system administrator or security architect anticipates is that their system will be attacked with brute-force and dictionary-based methods. These attack vectors are commonplace and, as such, common defenses have been designed to help mitigate a successful attack. However, the common defenses employed are anticipated and circumvented by even the most novice of attackers. In order to better understand the nature and evolution of brute-force and dictionary attacks, research needs to evaluate the progression of the attack vectors as well as new variables to identify the risk to systems. The research that follows is designed to look at brute-force and dictionary-based attacks from a geographical standpoint. Specifically, the data gathered will be analyzed to define attack anomalies based on date, time, location, operating system, and attacking clients in order to ascertain whether such variables are viable attack indication markers for defense purposes.
Computer Criminal Profiling applied to Digital Investigations
This PhD thesis aims to contribute to the Cyber Security body of knowledge and its Computer Forensic field, still in its infancy compared with other forensic sciences.
With the advancements of computer technology and the proliferation of cyber crime, offenders making use of computers range from state-sponsored cyber squads to organized crime rings; from cyber paedophiles to crypto miners abusing third-party computer resources. Cyber crime is not only impacting the global economy in billions of dollars annually; it is also a life-threatening risk as society is increasingly dependent on critical systems like those in air traffic control, hospitals or connected cars. Achieving cyber attribution is a step towards identifying, deterring and prosecuting offenders in cyberspace, a domain among the top priorities of the UK National Security Strategy. However, the rapid evolution of cyber crime may be an unprecedented challenge in the history of forensic science. Attempts to keep up with this pace often result in computer forensic practices limited to technical outcomes, like user accounts or IP addresses used by the offenders. These limitations are intensified when the current cyber security skill shortage contrasts with the vastness of digital crime scenes presented by cloud providers and extensive storage capacities, or with the wide range of available anonymizing mechanisms. Quite often, offenders remain unidentified, unpunished and unstoppable.
As these anonymising mechanisms conceal offenders from a technological perspective, it was considered that they would not offer the same level of concealment from a behavioural standpoint. Therefore, in addition to the analysis of the state of the art of cyber crimes and anonymising mechanisms, the literature on traditional crimes and criminal psychology was reviewed, in an attempt to learn what traits of human behaviour could be revealed by the evidence at a crime scene and how to recognize them. It was identified that the subdiscipline of criminology called criminal profiling helps provide these answers. Observing its success rate and benefits as a support tool in traditional investigations, it was hypothesized that a similar outcome could be achieved while investigating cyber crimes, provided that a framework could enable digital investigators to apply criminal profiling concepts in digital investigations.
Before developing the framework, the scope of this thesis was delimited to a subset of cyber crimes, consisting exclusively of computer intrusion cases. Also, among potential criminal profiling benefits, the reduction of the suspect pool, case linkage and optimization of investigative efforts were included in the scope. An SSH honeypot experiment based on Cowrie was designed and deployed in a public cloud infrastructure. In its first phase, a single honeypot instance was launched, protected by username and password and accepting connection attempts from any Internet address. Users that were able to guess a valid pair of credentials, after a random number of attempts providing strong passwords, were presented with a simple file system, in which all their interactions within the system were recorded and all downloaded attack tools were isolated and securely stored for later analysis. In the second phase of the experiment, the honeypot infrastructure was expanded to a honeynet with 18 (eighteen) nodes, running in a total of 6 (six) geographic regions and making possible the analysis of additional variables like the location of the “victim” system, the perceived influence of directory/file structure/contents and the level of resistance to password attacks.
After a period of approximately 18 (eighteen) months, more than 7 million connection attempts and 12 million authentication attempts were received by the honeynet, of which more than 85,000 were able to successfully log into one of the honeynet servers. Offenders were able to interact with the simulated operating systems and their files, enabling this research to identify behavioural patterns that proved to be useful not only to group offenders, but also to enrich individual offender profiles. Among these behavioural patterns, the choice of which commands and which parameters to run, whether the attack relied on automated versus manual means, the pairs of usernames and passwords that were provided to try to break the honeypot authentication, the response once a command was not successful, the intent in using specific attack tools and the motivation behind it, any level of caution displayed and, finally, preferences for naming tools, temporary files or customized ports were some of the most relevant attributes. Based on the collected data set, such attributes successfully make it possible to narrow down the pools of suspects, to link different honeypot break-ins to the same offender and to optimize investigative efforts by enabling the researcher to focus the analysis on a reduced area while searching for evidence.
In times when the cyber security skills shortage is a concerning challenge and where profiling can play a critical role, it is believed that such a structured framework for criminal profiling within cyber investigations can help to make the investigation of cyber crimes quicker, cheaper and more effective.