Towards Adversarial Malware Detection: Lessons Learned from PDF-based Attacks

Malware still constitutes a major threat in the cybersecurity landscape, also due to the widespread use of infection vectors such as documents. These infection vectors hide embedded malicious code to the victim users, facilitating the use of social engineering techniques to infect their machines. Research showed that machine-learning algorithms provide effective detection mechanisms against such threats, but the existence of an arms race in adversarial settings has recently challenged such systems. In this work, we focus on malware embedded in PDF files as a representative case of such an arms race. We start by providing a comprehensive taxonomy of the different approaches used to generate PDF malware, and of the corresponding learning-based detection systems. We then categorize threats specifically targeted against learning-based PDF malware detectors, using a well-established framework in the field of adversarial machine learning. This framework allows us to categorize known vulnerabilities of learning-based PDF malware detectors and to identify novel attacks that may threaten such systems, along with the potential defense mechanisms that can mitigate the impact of such threats. We conclude the paper by discussing how such findings highlight promising research directions towards tackling the more general challenge of designing robust malware detectors in adversarial settings

Performing research: four contributions to HCI

This paper identifies a body of HCI research wherein the researchers take part in digitally mediated creative experiences alongside participants. We present our definition and rationale for "self-situated performance research" based on theories in both the HCI and performance literatures. We then analyse four case studies of this type of work, ranging from overtly "performative" staged events to locative audio and public making. We argue that by interrogating experience from within the context of self-situated performance, the 'performer/researcher' extends traditional practices in HCI in the following four ways: developing an intimate relationship between researchers and participants, providing new means of making sense of interactions, shaping participants' relationship to the research, and enabling researchers to refine their work as it is being conducted

Using Games as a Means for Collaboration

The availability of a good interface for online user collaboration has been a sore point for most collaboration applications to date. While MUD's, MOO's, IRC and other chat applications are well suited to impersonal communication, the meaning of a single message can often be misconstrued or misunderstood, and the effort often required to learn control of a new application while understanding navigation in a virtual world, can be difficult to overcome. The Nexus promises to aid in the intuitive act of communication, interaction and movement and in the process enhance the collaboration experience for the user, through the use of a game engine

Nightingallery: theatrical framing and orchestration in participatory performance

The Nightingallery project encouraged participants to converse, sing, and perform with a musically responsive animatronic bird, playfully interacting with the character while members of the public could look on and observe. We used Nightingallery to frame an HCI investigation into how people would engage with one another when confronted with unfamiliar technologies in conspicuously public, social spaces. Structuring performances as improvisational street theatre, we styled our method of exhibiting the bird character. We cast ourselves in supporting roles as carnival barkers and minders of the bird, presenting him as if he were a fantastical creature in a fairground sideshow display, allowing him the agency to shape and maintain dialogues with participants, and positioning him as the focal character upon which the encounter was centred. We explored how the anthropomorphic nature of the bird itself, along with the cultural connotations associated with the carnival/sideshow tradition helped signpost and entice participants through the trajectory of their encounters with the exhibit. Situating ourselves as secondary characters within the narrative defining the performance/use context, our methods of mediation, observation, and evaluation were integrated into the performance frame. In this paper, we explore recent HCI theories in mixed reality performance to reflect upon how genre-based cultural connotations can be used to frame trajectories of experience, and how manipulation of roles and agency in participatory performance can facilitate HCI investigation of social encounters with playful technologies. © 2014 Springer-Verlag London

The Terror Experts: Discourse, Discipline, and the Production of Terrorist Subjects at a University Research Center

This thesis examines the production and circulation of discourses related to (counter)terrorism at a university-affiliated terrorism and security studies research center in eastern Massachusetts. Drawing on participant observation, documentary analysis, and interviews with faculty and students at the research center, I suggest that expert discourses of (counter)terrorism at the center traffic in an archetypal construction of the terrorist that I call the “depoliticized radical.” This construction locates the root of terrorism in individual morality and psychology, tending to abstract the terrorist from the political conditions in which they enact violence. I further propose that the depoliticized radical functions as a boundary object in Star and Griesemer’s (1989) conception, serving the interests of both expert regimes that take the terrorist as a subject to be known and counterterror regimes that take the terrorist as a subject to be controlled and/or corrected. Through fine-grained case studies, I track the strategic deployment of the depoliticized radical by different actors at the center within distinctive professional contexts. My discussion of the practices by which actors at the center seek to consolidate their expertise within the contested fields of terrorism studies and security studies draws on and develops Gieryn’s (1983) concept of “boundary-work” as a rhetorical and theatrical strategy for demarcating legitimate from illegitimate knowledges. I conclude by contemplating the political stakes of terrorism expertise as a project of knowledge production that seeks to establish the terrorist as an archetypal subject to be both known and controlled

The Terror Experts: Discourse, Discipline, and the Production of Terrorist Subjects at a University Research Center

This thesis examines the production and circulation of discourses related to (counter)terrorism at a university-affiliated terrorism and security studies research center in eastern Massachusetts. Drawing on participant observation, documentary analysis, and interviews with faculty and students at the research center, I suggest that expert discourses of (counter)terrorism at the center traffic in an archetypal construction of the terrorist that I call the “depoliticized radical.” This construction locates the root of terrorism in individual morality and psychology, tending to abstract the terrorist from the political conditions in which they enact violence. I further propose that the depoliticized radical functions as a boundary object in Star and Griesemer’s (1989) conception, serving the interests of both expert regimes that take the terrorist as a subject to be known and counterterror regimes that take the terrorist as a subject to be controlled and/or corrected. Through fine-grained case studies, I track the strategic deployment of the depoliticized radical by different actors at the center within distinctive professional contexts. My discussion of the practices by which actors at the center seek to consolidate their expertise within the contested fields of terrorism studies and security studies draws on and develops Gieryn’s (1983) concept of “boundary-work” as a rhetorical and theatrical strategy for demarcating legitimate from illegitimate knowledges. I conclude by contemplating the political stakes of terrorism expertise as a project of knowledge production that seeks to establish the terrorist as an archetypal subject to be both known and controlled

A Relevance Model for Threat-Centric Ranking of Cybersecurity Vulnerabilities

The relentless and often haphazard process of tracking and remediating vulnerabilities is a top concern for cybersecurity professionals. The key challenge they face is trying to identify a remediation scheme specific to in-house, organizational objectives. Without a strategy, the result is a patchwork of fixes applied to a tide of vulnerabilities, any one of which could be the single point of failure in an otherwise formidable defense. This means one of the biggest challenges in vulnerability management relates to prioritization. Given that so few vulnerabilities are a focus of real-world attacks, a practical remediation strategy is to identify vulnerabilities likely to be exploited and focus efforts towards remediating those vulnerabilities first. The goal of this research is to demonstrate that aggregating and synthesizing readily accessible, public data sources to provide personalized, automated recommendations that an organization can use to prioritize its vulnerability management strategy will offer significant improvements over what is currently realized using the Common Vulnerability Scoring System (CVSS). We provide a framework for vulnerability management specifically focused on mitigating threats using adversary criteria derived from MITRE ATT&CK. We identify the data mining steps needed to acquire, standardize, and integrate publicly available cyber intelligence data sets into a robust knowledge graph from which stakeholders can infer business logic related to known threats. We tested our approach by identifying vulnerabilities in academic and common software associated with six universities and four government facilities. Ranking policy performance was measured using the Normalized Discounted Cumulative Gain (nDCG). Our results show an average 71.5% to 91.3% improvement towards the identification of vulnerabilities likely to be targeted and exploited by cyber threat actors. The ROI of patching using our policies resulted in a savings in the range of 23.3% to 25.5% in annualized unit costs. Our results demonstrate the efficiency of creating knowledge graphs to link large data sets to facilitate semantic queries and create data-driven, flexible ranking policies. Additionally, our framework uses only open standards, making implementation and improvement feasible for cyber practitioners and academia

Performing research: four contributions to HCI

This paper identifies a body of HCI research wherein the researchers take part in digitally mediated creative experiences alongside participants. We present our definition and rationale for "self-situated performance research" based on theories in both the HCI and performance literatures. We then analyse four case studies of this type of work, ranging from overtly "performative" staged events to locative audio and public making. We argue that by interrogating experience from within the context of self-situated performance, the 'performer/researcher' extends traditional practices in HCI in the following four ways: developing an intimate relationship between researchers and participants, providing new means of making sense of interactions, shaping participants' relationship to the research, and enabling researchers to refine their work as it is being conducted

Vulnerability modelling and mitigation strategies for hybrid networks

Hybrid networks nowadays consist of traditional IT components, Internet of Things (IoT) and industrial control systems (ICS) nodes with varying characteristics, making them genuinely heterogeneous in nature. Historically evolving from traditional internet-enabled IT servers, hybrid networks allow organisations to strengthen cybersecurity, increase flexibility, improve efficiency, enhance reliability, boost remote connectivity and easy management. Though hybrid networks offer significant benefits from business and operational perspectives, this integration has increased the complexity and security challenges to all connected nodes. The IT servers of these hybrid networks are high-budget devices with tremendous processing power and significant storage capacity. In contrast, IoT nodes are low-cost devices with limited processing power and capacity. In addition, the ICS nodes are programmed for dedicated functions with the least interference. The available cybersecurity solutions for hybrid networks are either for specific node types or address particular weaknesses. Due to these distinct characteristics, these solutions may place other nodes in vulnerable positions. This study addresses this gap by proposing a comprehensive vulnerability modelling and mitigation strategy. This proposed solution equally applies to each node type of hybrid network while considering their unique characteristics. For this purpose, the industry-wide adoption of the Common Vulnerability Scoring System (CVSS) has been extended to embed the distinct characteristics of each node type in a hybrid network. To embed IoT features, the ‘attack vectors’ and ‘attack complexity vectors’ are modified and another metric “human safety index”, is integrated in the ‘Base metric group’ of CVSS. In addition, the ICS related characteristics are included in the ‘Environmental metric group’ of CVSS. This metric group is further enhanced to reflect the node resilience capabilities when evaluating the vulnerability score. The resilience of a node is evaluated by analysing the complex relationship of numerous contributing cyber security factors and practices. The evolved CVSSR-IoT-ICS framework proposed in the thesis measures the given vulnerabilities by adopting the unique dynamics of each node. These vulnerability scores are then mapped in the attack tree to reveal the critical nodes and shortest path to the target node. The mitigating strategy framework suggests the most efficient mitigation strategy to counter vulnerabilities by examining the node’s functionality, its locality, centrality, criticality, cascading impacts, available resources, and performance thresholds. Various case studies were conducted to analyse and evaluate our proposed vulnerability modelling and mitigation strategies on realistic supply chain systems. These analyses and evaluations confirm that the proposed solutions are highly effective for modelling the vulnerabilities while the mitigation strategies reduce the risks in dynamic and resource-constrained environments. The unified vulnerability modelling of hybrid networks minimises ambiguities, reduces complexities and identifies hidden deficiencies. It also improves system reliability and performance of heterogeneous networks while at the same time gaining acceptance for a universal vulnerability modelling framework across the cyber industry. The contributions have been published in reputable journals and conferences.Doctor of Philosoph