    Comprehensive Security Framework for Global Threats Analysis

    Cybercriminal activities are changing and becoming more and more professional. With the growth of financial flows through the Internet and the Information System (IS), new kinds of threat arise, involving complex scenarios spread across multiple IS components. IS information modeling and behavioral analysis are becoming new solutions to normalize IS information and counter these new threats. This paper presents a framework which details the principal and necessary steps for monitoring an IS. We present the architecture of the framework, i.e. an ontology of activities carried out within an IS to model security information and user behavioral analysis. The results of the experiments performed on real data show that the modeling is effective in reducing the number of events by 91%. User behavioral analysis on uniformly modeled data is also effective, detecting more than 80% of the legitimate actions of attack scenarios.

    Modeling systemic risks in financial markets

    We survey systemic risks to financial markets and present a high-level description of an algorithm that measures systemic risk in terms of coupled networks.
    Comment: 9 pages, discussion paper.

    Stealthy Deception Attacks Against SCADA Systems

    SCADA protocols for Industrial Control Systems (ICS) are vulnerable to network attacks such as session hijacking. Hence, research focuses on network anomaly detection based on meta-data (message sizes, timing, command sequence), or on the state values of the physical process. In this work we present a class of semantic network-based attacks against SCADA systems that are undetectable by the above-mentioned anomaly detection. After hijacking the communication channels between the Human Machine Interface (HMI) and Programmable Logic Controllers (PLCs), our attacks cause the HMI to present a fake view of the industrial process, deceiving the human operator into taking manual actions. Our most advanced attack also manipulates the messages generated by the operator's actions, reversing their semantic meaning while causing the HMI to present a view that is consistent with the attempted human actions. The attacks are totally stealthy because the message sizes and timing, the command sequences, and the data values of the ICS's state all remain legitimate. We implemented and tested several attack scenarios in the test lab of our local electric company, against a real HMI and real PLCs, separated by a commercial-grade firewall. We developed a real-time security assessment tool that can simultaneously manipulate the communication to multiple PLCs and cause the HMI to display a coherent system-wide fake view. Our tool is configured with message-manipulating rules written in an ICS Attack Markup Language (IAML) we designed, which may be of independent interest. Our semantic attacks all successfully fooled the operator and brought the system to states of blackout and possible equipment damage.

    Optimal Secure Multi-Layer IoT Network Design

    With the remarkable growth of the Internet and communication technologies over the past few decades, the Internet of Things (IoT) is enabling the ubiquitous connectivity of heterogeneous physical devices with software, sensors, and actuators. IoT networks are naturally two-layer, with the cloud and cellular networks coexisting with the underlaid device-to-device (D2D) communications. The connectivity of IoT devices plays an important role in information dissemination for mission-critical and civilian applications. However, IoT communication networks are vulnerable to cyber attacks, including denial-of-service (DoS) and jamming attacks, resulting in link removals in the IoT network. In this work, we develop a heterogeneous IoT network design framework in which a network designer can add links to provide additional communication paths between two nodes, or secure links against attacks by investing resources. By anticipating strategic cyber attacks, we characterize the optimal design of a secure IoT network by first providing a lower bound on the number of links a secure network requires for a given budget of protected links, and then developing a method to construct networks that satisfy the heterogeneous network design specifications. Therefore, each layer of the designed heterogeneous IoT network is resistant to a predefined level of malicious attacks with minimum resources. Finally, we provide case studies on the Internet of Battlefield Things (IoBT) to corroborate and illustrate our results.
    Comment: 12 pages, to appear in IEEE Transactions on Control of Network Systems.

    The Spatial Ecology of War and Peace

    Human flourishing is often severely limited by persistent violence. Quantitative conflict research has found common temporal and other statistical patterns in warfare, but very little is understood about its general spatial patterns. While the importance of topology in geostrategy has long been recognised, the role of spatial patterns of cities in determining a region's vulnerability to conflict has gone unexplored. Here, we show that global patterns in war and peace are closely related to the relative position of cities in a global interaction network. We find that regions with betweenness centrality above a certain threshold are often engulfed in entrenched conflict, while a high degree correlates with peace. In fact, betweenness accounts for over 80% of the variance in the number of attacks. This metric is also a good predictor of the distance to a conflict zone and can estimate the risk of conflict. We conjecture that high betweenness identifies areas with fuzzy cultural boundaries, whereas high-degree cities are in cores where peace is more easily maintained. This is supported by a simple agent-based model in which cities influence their neighbours, which exhibits the same threshold behaviour with betweenness as seen in conflict data. These findings not only shed new light on the causes of violence, but could be used to estimate the risk associated with actions such as the merging of cities, construction of transportation infrastructure, or interventions in trade or migration patterns.
    Comment: current preprint version (v3) June 2017 (v1 Apr 2016). Supplementary Information available on request.

    Attack Vulnerability of Public Transport Networks

    The behavior of complex networks under attack depends strongly on the specific attack scenario. Of special interest are scale-free networks, which are usually seen as robust under random failure or attack but appear to be especially vulnerable to targeted attacks. In a recent study of the public transport networks of 14 major cities of the world we have shown that these networks may exhibit scale-free behaviour [Physica A 380, 585 (2007)]. Our further analysis, the subject of this report, focuses on the effects that defunct or removed nodes have on the properties of public transport networks. By simulating different attack strategies we elaborate vulnerability criteria that allow us to find minimal strategies with high impact on these systems.
    Comment: 10 pages, 6 figures.

    Automatic Construction of Statechart-Based Anomaly Detection Models for Multi-Threaded Industrial Control Systems

    Industrial Control System (ICS) traffic between the Human Machine Interface (HMI) and the Programmable Logic Controller (PLC) is known to be highly periodic. However, it is sometimes multiplexed, due to asynchronous scheduling. Modeling the network traffic patterns of multiplexed ICS streams using Deterministic Finite Automata (DFA) for anomaly detection typically produces a very large DFA and a high false-alarm rate. We introduce a new modeling approach that addresses this gap. Our Statechart DFA modeling includes multiple DFAs, one per cyclic pattern, together with a DFA-selector that de-multiplexes the incoming traffic into sub-channels and sends them to their respective DFAs. We demonstrate how to automatically construct the Statechart from a captured traffic stream. Our unsupervised learning algorithm builds a Discrete-Time Markov Chain (DTMC) from the stream. Next, it splits the symbols into sets, one per multiplexed cycle, based on symbol frequencies and node degrees in the DTMC graph. Then it creates a sub-graph for each cycle and extracts Euler cycles for each sub-graph. The final Statechart consists of one DFA per Euler cycle. The algorithms allow for non-unique symbols that appear in more than one cycle, and also for symbols that appear more than once in a cycle. We evaluated our solution on traces from a production ICS using the Siemens S7-0x72 protocol. We also stress-tested our algorithms on a collection of synthetically generated traces that simulated multiplexed ICS traces with varying levels of symbol uniqueness and time overlap. The algorithms were able to split the symbols into sets with 99.6% accuracy. The resulting Statechart modeled the traces with a low median false-alarm rate of 0.483%. In all but the most extreme scenarios the Statechart model drastically reduced both the false-alarm rate and the learned model size compared to a naive single-DFA model.

    A Framework for Developing and Integrating Effective Routing Strategies Within the Emergency Management Decision-Support System, Research Report 11-12

    This report describes the modeling, calibration, and validation of a VISSIM traffic-flow simulation of the San José, California, downtown network and examines various evacuation scenarios and first-responder routings to assess strategies that would be effective in the event of a no-notice disaster. The modeled network required a large amount of data on network geometry, signal timings, signal coordination schemes, and turning-movement volumes. Turning-movement counts at intersections were used to validate the network with the empirical formula-based measure known as the GEH statistic. Once the base network was tested and validated, various scenarios were modeled to estimate evacuation and emergency vehicle arrival times. Based on these scenarios, a variety of emergency plans for San José’s downtown traffic circulation were tested and validated. The model could be used to evaluate scenarios in other communities by entering their community-specific data.

    CAIR: Using Formal Languages to Study Routing, Leaking, and Interception in BGP

    The Internet routing protocol BGP expresses topological reachability and policy-based decisions simultaneously in path vectors. A complete view of Internet backbone routing is given by the collection of all valid routes, which is infeasible to obtain due to the information hiding of BGP, the lack of omnipresent collection points, and data complexity. Commonly, graph-based data models are used to represent the Internet topology from a given set of BGP routing tables, but they fall short of explaining policy contexts. As a consequence, routing anomalies such as route leaks and interception attacks cannot be explained with graphs. In this paper, we use formal languages to represent the global routing system in a rigorous model. Our CAIR framework translates BGP announcements into a finite route language that allows for the incremental construction of minimal route automata. CAIR preserves route diversity, is highly efficient, and is well suited to monitoring BGP path changes in real time. We formally derive implementable search patterns for route leaks and interception attacks. In contrast to the state of the art, we can detect these incidents. In practical experiments, we analyze public BGP data over the last seven years.

    Intrusion Detection Mechanism Using Fuzzy Rule Interpolation

    Fuzzy Rule Interpolation (FRI) methods can deliver deducible (interpolated) conclusions even when some situations are not explicitly defined in a fuzzy rule-based knowledge representation. This property can be beneficial in partially heuristically solved applications, where the efficiency of expert knowledge representation is combined with the precision of machine learning methods. The goal of this paper is to introduce the benefits of FRI in the Intrusion Detection System (IDS) application area, in the design and implementation of a detection mechanism for Distributed Denial of Service (DDoS) attacks. In the example of the paper, an open source DDoS dataset and the General Public License (GNU) FRI Toolbox were applied as the test-bed environment. The performance of the FRI-IDS example application is compared to other common classification algorithms used for detecting DDoS attacks on the same open source test-bed environment. According to the results, the overall detection rate of the FRI-IDS is on par with other methods. On the example dataset it outperforms the detection rate of the support vector machine algorithm, whereas other algorithms (neural network, random forest and decision tree) recorded a slightly higher detection rate. Consequently, the FRI inference system could be a suitable approach to implement as a detection mechanism for an IDS; it effectively decreases the false positive rate. Moreover, because of its fuzzy rule-based knowledge representation, it can easily incorporate expert knowledge, and is also suitable for predicting the degree of threat possibility.