
    A Reputation Score Driven E-Mail Mitigation System

    E-mail inspection and mitigation systems are necessary in today's world due to the frequent bombardment of adversarial attacks leveraging phishing techniques. The process and accuracy of identifying a phishing attack present significant challenges, because data encryption hinders the ability to conduct signature matching, context analysis of a message, and synchronization of alerts in distributed detection systems. The author recognizes a grand challenge: an increase in the number of data analysis systems corresponds to an overall increase in the delivery delay of an e-mail message. This work enhances PhishLimiter as a solution to combat phishing attacks, using machine learning techniques to analyze 27 e-mail features and Software-Defined Networking (SDN) to optimize network transactions. PhishLimiter uses a two-lane inspection approach of Store-and-Forward (SF) and Forward-and-Inspect (FI) to distinguish whether traffic is held for analysis or immediately forwarded to the destination. The results of the work demonstrated PhishLimiter to be a viable solution to combat phishing attacks while minimizing the delivery time of e-mail messages.

    Digital Twins for Moving Target Defense Validation in AC Microgrids

    Cyber-physical microgrids are vulnerable to Coordinated Stealth Attacks (CSAs) that can degrade their stability and operability by performing low-magnitude manipulations in a coordinated manner. This paper formulates the interactions between CSAs and microgrid defenders as a non-cooperative, zero-sum game. Additionally, it presents a hybrid Moving Target Defense (MTD) strategy for distributed microgrids that can dynamically alter local control gains to achieve resiliency against CSAs. The proposed strategy reduces the success probability of attack(s) by making system dynamics less predictable. The framework also identifies and removes malicious injections by modifying the secondary control weights assigned to them. The manipulated signals are reconstructed using an Artificial Neural Network (ANN)-based Digital Twin (DT) to preserve stability. To guarantee additional immunity against instability arising from gain alterations, MTD decisions are also validated (via utility and best-response computations) using the DT before actual implementation. The DT is also used to find the minimum perturbation that defenders must achieve to effectively invalidate an attacker's knowledge.
    Comment: IEEE Energy Conversion Congress and Expo (ECCE) 202

    A Framework for Categorizing Disruptive Cyber Activity and Assessing its Impact

    While significant media attention has been given to the volume and range of cyber attacks, the inability to measure and categorize disruptive events has complicated the efforts of policymakers to push comprehensive responses that address the full range of cyber activity. While organizations and public officials have spent significant time and resources attempting to grapple with the complex nature of these threats, a systematic and comprehensive approach to categorizing and measuring disruptive attacks remains elusive. This paper addresses this issue by differentiating between exploitive and disruptive cyber events, proposing a formal method to categorize five types of disruptive events, and measuring their impact along three dimensions of analysis. The scope, magnitude, and duration of disruptive cyber events are analyzed to locate each event on a Cyber Disruption Index (CDI), so that organizations and policymakers can estimate the aggregated effect of a malicious act aimed at impacting their operations. Using the five event classes and the CDI estimation method makes it easier for organizations and policymakers to disaggregate a complex topic, contextualize and process individual threats to their networks, target where increased investment can reduce the risk of specific disruptive cyber events, and distinguish events that represent a private-sector problem from those that merit more serious public-sector concern.

    Identification of misbehavior detection solutions and risk scenarios in advanced connected and automated driving scenarios

    The inclusion of 5G cellular communication systems in vehicles, combined with other connected-vehicle technology such as sensors and cameras, makes connected and advanced vehicles a promising application in Cooperative Intelligent Transport Systems. One of the most challenging tasks is to provide resilience against misbehaviour, i.e., against vehicles that intentionally disseminate false information to deceive receivers and induce them to manoeuvre incorrectly or even dangerously. This calls for misbehaviour detection mechanisms, whose purpose is to analyze information semantics to detect and filter attacks. As a result, data correctness and integrity are ensured. Misbehaviour and its detection are rather new concepts in the literature; there is a lack of methods that leverage the available information to prove its trustworthiness. This is mainly because misbehaviour techniques come in several flavours and have different, unpredictable purposes, so providing precise guidelines is rather ambitious. Moreover, datasets for testing detection schemes are rare to find and inconvenient to customize and adapt to specific needs. This work presents a misbehaviour detection scheme that exploits information shared between vehicles and received signal properties to investigate the behaviour of transmitters. Differently from most available solutions, it is based only on data from the vehicle's own on-board resources. The computational effort and resources required are minor concerns, and time efficiency is gained at the same time. The project also addresses three different types of attack to show that misbehaviour detection methods are more vulnerable to some attacker profiles than to others. Moreover, a rich dataset was set up to test the scheme. The dataset was created according to the latest standardised evaluation methodologies and provides a valuable starting point for further development and research.

    A Denial-of-Service Attack to GSM/UMTS Networks via Attach Procedure

    In this thesis I describe an attack on the security of a Public Land Mobile Network allowing an unauthenticated malicious mobile device to inject traffic into the mobile operator's infrastructure. I show that using a few hundred malicious devices, and without any SIM module, it is possible to inject into the mobile infrastructure high levels of signalling traffic targeted at the Home Location Register, thus causing significant service degradation up to a full-fledged Denial-of-Service attack.

    Reasoning about Cyber Threat Actors

    Reasoning about the activities of cyber threat actors is critical to defending against cyber attacks. However, this task is difficult for a variety of reasons. In simple terms, it is difficult to determine who the attacker is, what the attacker's desired goals are, and how they will carry out their attacks. These three questions essentially entail understanding the attacker's use of deception, the capabilities available, and the intent behind launching the attack. These three issues are highly inter-related. If an adversary can hide their intent, they can better deceive a defender. If an adversary's capabilities are not well understood, then determining what their goals are becomes difficult, as the defender is uncertain whether they have the necessary tools to accomplish them. However, the understanding of these aspects is also mutually supportive. If we have a clear picture of capabilities, intent can be better deciphered. If we understand intent and capabilities, a defender may be able to see through deception schemes. In this dissertation, I present three pieces of work to tackle these questions and obtain a better understanding of cyber threats. First, we introduce a new reasoning framework to address deception. We evaluate the framework by building a dataset from a DEFCON capture-the-flag exercise to identify the person or group responsible for a cyber attack. We demonstrate that the framework not only handles cases of deception but also provides transparent decision making in identifying the threat actor. The second task uses a cognitive learning model to determine the intent, i.e. the goals of the threat actor on the target system. The third task looks at understanding the capabilities of threat actors to target systems by identifying at-risk systems from hacker discussions on darkweb websites. To achieve this task we gather discussions from more than 300 darkweb websites relating to malicious hacking.
    Doctoral Dissertation, Computer Engineering, 201

    Deployment of Next Generation Intrusion Detection Systems against Internal Threats in a Medium-sized Enterprise

    In this increasingly digital age, companies struggle to understand the origin of cyberattacks. Malicious actions can come from both outside and inside the business, so it is necessary to adopt tools that can reduce cyber risk by identifying anomalies when the first symptoms appear. This thesis deals with the topic of internal attacks and explains how to use innovative Intrusion Detection Systems to protect the IT infrastructure of medium-sized enterprises. These types of technologies try to solve issues such as poor visibility of network traffic, long response times to security breaches, and the use of inefficient access control mechanisms. In this research, multiple types of internal threats, the different categories of Intrusion Detection Systems, and an in-depth analysis of the state-of-the-art IDSs developed during the last few years are detailed. After that, there is a brief explanation of the effectiveness of IDSs in both testing and production environments. All the reported phases took place within a company network, starting from the positioning of the IDS, moving on to its configuration, and ending with the production environment. There is an analysis of the company's expectations, together with an explanation of the characteristics of the different IDSs. This research shows data about potential attacks, mitigated and resolved threats, and network changes made thanks to the information gathered while using a cutting-edge IDS. Moreover, the characteristics that a medium-sized company must have in order to be adequately protected by a new-generation IDS have been generalized. In the same way, the functionalities that an IDS must possess in order to achieve the set objectives are reported. IDSs are highly adaptable to different environments, such as companies of different sectors and sizes, and can be tuned to achieve better results. The potential future developments that should be addressed to further improve IDS technologies are reported at the end of this document.

    Leveraging VR/AR/MR/XR Technologies to Improve Cybersecurity Education, Training, and Operations

    The United States faces persistent threats conducting malicious cyber campaigns that threaten critical infrastructure, companies and their intellectual property, and the privacy of its citizens. Additionally, there are millions of unfilled cybersecurity positions, and the cybersecurity skills gap continues to widen. Most companies believe that this problem has not improved, and nearly 44% believe it has gotten worse over the past 10 years. Threat actors continue to evolve their tactics, techniques, and procedures for conducting attacks on public and private targets. Educational institutions and companies must adopt emerging technologies to develop security professionals and to increase cybersecurity awareness holistically. Leveraging Virtual/Augmented/Mixed/Extended Reality technologies for education, training, and awareness can augment traditional learning methodologies and improve the nation's cybersecurity posture. This paper reviews previous research to identify how distance and remote education are conducted generally, and how Virtual/Augmented/Extended/Mixed Reality technologies are used to conduct cybersecurity awareness training, cybersecurity training, and operations. Finally, barriers to adopting these technologies are discussed. Understanding how these technologies can be developed and implemented provides one potential way of overcoming the cybersecurity workforce gap and increasing the competencies and capabilities of cybersecurity professionals.