345 research outputs found

    A Characterization of Cybersecurity Posture from Network Telescope Data

    Full text link
    Data-driven understanding of cybersecurity posture is an important problem that has not been adequately explored. In this paper, we analyze real data collected by CAIDA's network telescope during the month of March 2013. We propose to formalize the concept of cybersecurity posture from the perspective of three kinds of time series: the number of victims (i.e., telescope IP addresses that are attacked), the number of attackers observed by the telescope, and the number of attacks observed by the telescope. Characterizing cybersecurity posture therefore becomes a matter of investigating the phenomena and statistical properties exhibited by these time series and explaining their cybersecurity meaning. For example, we propose the concept of sweep-time, and show that sweep-time should be modeled by a stochastic process rather than a random variable. We report that the number of attackers (and attacks) from a certain country dominates the total number of attackers (and attacks) observed by the telescope. We also show that substantially smaller network telescopes might not be as useful as a large telescope
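    The three posture time series named in the abstract, the per-country share of attackers, and the effect of telescope size can all be computed from raw flow records. The following is an added example, not code from the paper or from CAIDA: the telescope prefix, the flow records and the prefix-to-country table are constructed for illustration, one flow record is counted as one attack, and sweep-time is not implemented because the paper's definition is not reproduced on this page.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed telescope prefix for this example (not the CAIDA telescope's real range).
TELESCOPE = "10.0.0.0/16"

# Constructed flow records (UTC timestamp, source address, destination address).
# They are invented for illustration and are not CAIDA data.
RECORDS = [
    ("2013-03-01T00:05:00", "198.51.100.7", "10.0.1.5"),
    ("2013-03-01T00:07:00", "198.51.100.7", "10.0.200.9"),
    ("2013-03-01T00:20:00", "198.51.100.8", "10.0.1.5"),
    ("2013-03-01T00:45:00", "203.0.113.4", "10.0.3.1"),
    ("2013-03-01T01:10:00", "198.51.100.7", "10.0.77.2"),
    ("2013-03-01T01:12:00", "198.51.100.9", "10.0.77.2"),
    ("2013-03-01T01:30:00", "192.0.2.10", "10.0.1.6"),
    ("2013-03-01T01:50:00", "203.0.113.4", "10.0.1.5"),
    ("2013-03-01T02:00:00", "198.51.100.8", "10.0.210.3"),
    ("2013-03-01T02:15:00", "198.51.100.7", "172.16.0.1"),  # not a telescope address: ignored
]

# Constructed prefix-to-country table standing in for a geolocation database.
COUNTRY_OF_PREFIX = {
    ipaddress.ip_network("198.51.100.0/24"): "AA",
    ipaddress.ip_network("203.0.113.0/24"): "BB",
    ipaddress.ip_network("192.0.2.0/24"): "CC",
}


def telescope_hits(records, prefix=TELESCOPE):
    """Parse the records and keep those whose destination lies inside the telescope."""
    net = ipaddress.ip_network(str(prefix))
    hits = []
    for ts, src, dst in records:
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip in net:
            hits.append((datetime.fromisoformat(ts), ipaddress.ip_address(src), dst_ip))
    return hits


def posture_series(records, prefix=TELESCOPE):
    """Hourly time series of the three posture quantities.

    victims   = distinct telescope addresses that were hit in the hour
    attackers = distinct source addresses seen in the hour
    attacks   = number of flow records in the hour (one record = one attack here)
    """
    hours = defaultdict(lambda: {"victims": set(), "attackers": set(), "attacks": 0})
    for ts, src, dst in telescope_hits(records, prefix):
        bucket = hours[ts.strftime("%Y-%m-%dT%H:00")]
        bucket["victims"].add(dst)
        bucket["attackers"].add(src)
        bucket["attacks"] += 1
    return {
        hour: {"victims": len(b["victims"]), "attackers": len(b["attackers"]), "attacks": b["attacks"]}
        for hour, b in sorted(hours.items())
    }


def country_of(ip):
    """Look the source up in the constructed geolocation table."""
    for net, country in COUNTRY_OF_PREFIX.items():
        if ip in net:
            return country
    return "??"


def share_by_country(records, prefix=TELESCOPE):
    """Fraction of distinct attackers and of attacks attributed to each country,
    the quantity behind the abstract's 'one country dominates' observation."""
    attackers = defaultdict(set)
    attacks = defaultdict(int)
    for _, src, _ in telescope_hits(records, prefix):
        country = country_of(src)
        attackers[country].add(src)
        attacks[country] += 1
    total_attackers = sum(len(s) for s in attackers.values())
    total_attacks = sum(attacks.values())
    return {
        country: {"attackers": len(attackers[country]) / total_attackers,
                  "attacks": attacks[country] / total_attacks}
        for country in attackers
    }


def attackers_seen(records, prefix):
    """Distinct sources a telescope covering only `prefix` would observe.

    Calling this with a /24 slice of the /16 shows how much a smaller
    telescope misses, which is the abstract's point about telescope size.
    """
    return len({src for _, src, _ in telescope_hits(records, prefix)})


if __name__ == "__main__":
    for hour, counts in posture_series(RECORDS).items():
        print(hour, counts)
    print(share_by_country(RECORDS))
    for prefix in (TELESCOPE, "10.0.1.0/24", "10.0.77.0/24"):
        print(prefix, "attackers seen:", attackers_seen(RECORDS, prefix))
```

    On the constructed records the full /16 sees five distinct attackers while a single /24 slice sees at most four, and three of the five sources fall in one country; real telescope data is orders of magnitude larger, but the bucketing and attribution logic is the same.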

    ENSURING SPECIFICATION COMPLIANCE, ROBUSTNESS, AND SECURITY OF WIRELESS NETWORK PROTOCOLS

    Get PDF
    Several newly emerged wireless technologies (e.g., Internet-of-Things, Bluetooth, NFC), extensively backed by the tech industry, are being widely adopted and have resulted in a proliferation of diverse smart appliances and gadgets (e.g., smart thermostats, wearables, smartphones), which in turn have shaped our modern digital life. These technologies include several communication protocols that usually have stringent requirements stated in their specifications. Failing to comply with such requirements can result in incorrect behavior, interoperability issues, or even security vulnerabilities. Moreover, if a protocol implementation is not robust against malicious attacks mounted by compromised nodes in an adversarial environment, exploiting subtle vulnerabilities in the implementation, its practical utility is limited: such attacks can impair the performance of the protocol and even have detrimental effects on the availability of the network. Even having a compliant and robust implementation alone may not suffice in many cases, because these technologies often expose new attack surfaces as well as new propagation vectors, which can be exploited by unprecedented malware and can quickly lead to an epidemic

    Shadow Honeypots

    Get PDF
    We present Shadow Honeypots, a novel hybrid architecture that combines the best features of honeypots and anomaly detection. At a high level, we use a variety of anomaly detectors to monitor all traffic to a protected network or service. Traffic that is considered anomalous is processed by a "shadow honeypot" to determine the accuracy of the anomaly prediction. The shadow is an instance of the protected software that shares all internal state with a regular ("production") instance of the application, and is instrumented to detect potential attacks. Attacks against the shadow are caught, and any incurred state changes are discarded. Legitimate traffic that was misclassified will be validated by the shadow and will be handled correctly by the system transparently to the end user. The outcome of processing a request by the shadow is used to filter future attack instances and could be used to update the anomaly detector. Our architecture allows system designers to fine-tune systems for performance, since false positives will be filtered by the shadow. We demonstrate the feasibility of our approach in a proof-of-concept implementation of the Shadow Honeypot architecture for the Apache web server and the Mozilla Firefox browser. We show that despite a considerable overhead in the instrumentation of the shadow honeypot (up to 20% for Apache), the overall impact on the system is diminished by the ability to minimize the rate of false-positives
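    The control flow described in the abstract (anomaly detector in front, a shadow instance that shares state with production, rollback of attack side effects, transparent handling of false positives, and a filter for repeat attacks) can be shown end to end on a toy service. The following is an added example and is not the paper's Apache or Firefox implementation: the key-value service, the length-based detector, the field-size bound that the shadow's "instrumentation" checks, and all names and thresholds are assumptions made for illustration.

```python
import copy
import hashlib

FIELD_SIZE = 32        # assumed size of the application's fixed value field, in bytes
ANOMALY_LENGTH = 24    # assumed detector heuristic: longer requests are 'anomalous'


class AttackDetected(Exception):
    """Raised by the shadow's instrumentation when a request violates a bound."""


def new_state():
    """Application state shared by reference between production and shadow instances."""
    return {"kv": {}, "requests": 0}


class KeyValueApp:
    """A tiny protected service: 'SET <key> <value>' and 'GET <key>'.

    The shadow is the same code run with instrumented=True; the production
    instance carries no checks, standing in for an uninstrumented binary.
    """

    def __init__(self, state, instrumented=False):
        self.state = state
        self.instrumented = instrumented

    def handle(self, request):
        self.state["requests"] += 1            # a side effect the rollback must undo
        parts = request.split(" ", 2)
        if parts[0] == "GET" and len(parts) == 2:
            return self.state["kv"].get(parts[1], "")
        if parts[0] == "SET" and len(parts) == 3:
            value = parts[2]
            if self.instrumented and len(value.encode()) > FIELD_SIZE:
                # the bounds check only the shadow performs, playing the role
                # of the memory-safety instrumentation described in the paper
                raise AttackDetected(f"{len(value.encode())}-byte value exceeds {FIELD_SIZE}-byte field")
            self.state["kv"][parts[1]] = value  # production stores it unchecked
            return "OK"
        return "ERR"


class AnomalyDetector:
    """Stand-in for the paper's anomaly detectors: a length and printability
    heuristic, plus the feedback channel through which shadow verdicts refine it."""

    def __init__(self):
        self.validated = set()      # fingerprints the shadow has confirmed benign

    @staticmethod
    def fingerprint(request):
        return hashlib.sha256(request.encode()).hexdigest()

    def is_anomalous(self, request):
        if self.fingerprint(request) in self.validated:
            return False
        return len(request) > ANOMALY_LENGTH or not request.isprintable()

    def learn_benign(self, request):
        self.validated.add(self.fingerprint(request))


class ShadowHoneypot:
    """Routes anomalous traffic through an instrumented shadow that shares state
    with production, rolls back attacks, and filters repeats of confirmed attacks."""

    def __init__(self):
        self.state = new_state()
        self.production = KeyValueApp(self.state)
        self.shadow = KeyValueApp(self.state, instrumented=True)
        self.detector = AnomalyDetector()
        self.attack_filter = set()
        self.log = []

    def handle(self, request):
        fp = AnomalyDetector.fingerprint(request)
        if fp in self.attack_filter:                       # known attack: never reaches the app
            self.log.append(("filtered", request))
            return "BLOCKED"
        if not self.detector.is_anomalous(request):        # fast path: production only
            return self.production.handle(request)
        snapshot = copy.deepcopy(self.state)
        try:
            response = self.shadow.handle(request)
        except AttackDetected as exc:
            self.state.clear()
            self.state.update(snapshot)                    # discard the attack's state changes
            self.attack_filter.add(fp)
            self.log.append(("attack", request, str(exc)))
            return "BLOCKED"
        # false positive: the shadow validated it, the client sees the normal reply
        self.detector.learn_benign(request)
        self.log.append(("false_positive", request))
        return response


if __name__ == "__main__":
    hp = ShadowHoneypot()
    for req in ("SET user alice", "SET note " + "a" * 30, "SET note " + "B" * 64, "GET note"):
        print(repr(req[:20]), "->", hp.handle(req))
    print(hp.log)
```

    The deep copy before each shadow run is the toy equivalent of the paper's shared-state snapshot; the request counter makes the rollback observable, since an attack that raised inside the shadow leaves the counter where it was.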

    Master of Science

    Get PDF
    The current study assessed the Superhero Social Skills program as an evidence-based practice for teaching social skills to elementary children with Autism Spectrum Disorder (ASD) in a clinical out-patient setting. The program consists of many research-validated components, including peer mediation, video modeling, and social stories. There were 4 participants with ASD and 4 "peer buddies," all between the ages of 5 and 10. Intervention sessions took place at an outpatient clinical setting over 8 weeks. One lesson was taught per week and incorporated components from the program's typical two-lesson-per-week format. After each session, analog free play observations were conducted and coded by the researcher and another graduate student to achieve interrater reliability. Parents reported the number of spontaneous uses of skills at home to measure generalization. Effect size and percentage of nonoverlapping data points were calculated to determine changes in social engagement and generalization. There were also pre- and post-measures of social behaviors completed by parents and consumer satisfaction measures completed after the intervention by parents and children. The results of this study indicate increased levels of social initiations, social responses, and social engagement during free play observations. For most participants, there was also an increase in generalized use of the skills. Parents and children reported high levels of satisfaction with the program. Overall, results suggest that the "Superhero Social Skills" program is effective for children with ASD

    Creation of Leadership via the Theory of Synergistically Formulated Leadership

    Get PDF

    Search for Subsolar Mass Ultracompact Binaries in Advanced LIGO’s Second Observing Run

    Get PDF
    We present a search for subsolar mass ultracompact objects in data obtained during Advanced LIGO's second observing run. In contrast to a previous search of Advanced LIGO data from the first observing run, this search includes the effects of component spin on the gravitational waveform. We identify no viable gravitational-wave candidates consistent with subsolar mass ultracompact binaries with at least one component between 0.2 M⊙ and 1.0 M⊙. We use the null result to constrain the binary merger rate of (0.2 M⊙, 0.2 M⊙) binaries to be less than 3.7×10⁵ Gpc⁻³ yr⁻¹ and the binary merger rate of (1.0 M⊙, 1.0 M⊙) binaries to be less than 5.2×10³ Gpc⁻³ yr⁻¹. Subsolar mass ultracompact objects are not expected to form via known stellar evolution channels, though it has been suggested that primordial density fluctuations or particle dark matter with cooling mechanisms and/or nuclear interactions could form black holes with subsolar masses. Assuming a particular primordial black hole (PBH) formation model, we constrain a population of merging 0.2 M⊙ black holes to account for less than 16% of the dark matter density and a population of merging 1.0 M⊙ black holes to account for less than 2% of the dark matter density. We discuss how constraints on the merger rate and dark matter fraction may be extended to arbitrary black hole population models that predict subsolar mass binaries

    DETECTION AND INFERENCE IN GRAVITATIONAL WAVE ASTRONOMY

    Get PDF
    We explore the detection and astrophysical modeling of gravitational waves detected by the Advanced Laser Interferometer Gravitational wave Observatory (LIGO) and Virgo. We discuss the techniques used in the PyCBC search pipeline to discover the first gravitational wave detection GW150914, and estimate the statistical significance of GW150914 and the marginal trigger LVT151012. During Advanced LIGO's first observing run there were no detections of mergers from binary neutron star and neutron star-black hole binaries. We use Bayesian inference to place upper limits on the rate of coalescence of these binaries. We use developments made in the PyCBC search pipeline during Advanced LIGO and Virgo's second observing run to re-analyze Advanced LIGO's first observing run and re-estimate the statistical significance of LVT151012. We present sufficient evidence to claim LVT151012 as a gravitational wave event. In Advanced LIGO and Virgo's second observing run a gravitational wave due to the merger of two neutron stars, known as GW170817, was discovered. We develop tools for Bayesian hypothesis testing so that we can investigate the interior dynamics of neutron stars using the GW170817 signal. Finally, we use Bayesian parameter estimation from PyCBC with tools of Bayesian hypothesis testing to investigate the presence of nonlinear tidal dynamics from a pressure-gravity mode instability in GW170817. We find that significant waveform degeneracies allow the effect of nonlinear tides to be compatible with the data at the level of nonsignificance (Bayes factor of unity). We also investigate further constraints on these nonlinear tides

    Characterizing the IRC-based Botnet Phenomenon

    Full text link
    Botnets, networks of compromised machines that can be remotely controlled by an attacker, are one of the most common attack platforms nowadays. They can, for example, be used to launch distributed denial-of-service (DDoS) attacks, steal sensitive information, or send spam emails. A long-term measurement study of botnet activities is useful as a basis for further research on global botnet mitigation and disruption techniques. We have built a distributed and fully automated botnet measurement system which allows us to collect data on the botnet activity we observe in China. Based on the analysis of tracking records of 3,290 IRC-based botnets during a period of almost twelve months, this paper presents several novel results on botnet activities which can only be measured via long-term measurements. These include, amongst others, botnet lifetime, botnet discovery trends and distributions, command and control channel distributions, botnet size and end-host distributions. Furthermore, our measurements confirm and extend several previous results from this area. Our results show that the botnet problem is of global scale, with a scattered distribution of the control infrastructure and also a scattered distribution of the victims. Furthermore, the control infrastructure itself is rather flexible, with an average lifetime of a Command & Control server of about 54 days. These results can also support research in the area of botnet detection, mitigation, and disruption: only by understanding the problem in detail can we develop efficient countermeasures

    Graph-theoretic Approach To Modeling Propagation And Control Of Network Worms

    Get PDF
    In today's network-dependent society, cyber attacks with network worms have become the predominant threat to confidentiality, integrity, and availability of network computing resources. Despite ongoing research efforts, there is still no comprehensive network-security solution aimed at controlling large-scale worm propagation. The aim of this work is fivefold: (1) developing an accurate combinatorial model of worm propagation that can facilitate the analysis of worm control strategies, (2) building an accurate epidemiological model for the propagation of a worm employing local strategies, (3) devising a distributed architecture and algorithms for detection of worm scanning activities, (4) designing effective control strategies against the worm, and (5) simulating the developed models and strategies on large, scale-free graphs representing real-world communication networks. The proposed pair-approximation model uses information about the network structure: order, size, degree distribution, and transitivity. The empirical study of propagation on large scale-free graphs is in agreement with the theoretical analysis of the proposed pair-approximation model. We then describe a natural generalization of the classical cops-and-robbers game, a combinatorial model of worm propagation and control. With the help of this game on graphs, we show that the problem of containing the worm is NP-hard. Six novel near-optimal control strategies are devised: a combination of static and dynamic immunization, reactive dynamic and invariant dynamic immunization, soft quarantining, predictive traffic-blocking, and contact-tracing. The analysis of predictive dynamic traffic-blocking, employing only local information, shows that the worm can be contained so that 40% of the network nodes are not affected.
    Finally, we develop the Detection via Distributed Blackholes architecture and algorithm, which reflect the propagation strategy used by the worm and the salient properties of the network. Our distributed detection algorithm can detect the worm scanning activity when only 1.5% of the network has been affected by the propagation. The proposed models and algorithms are analyzed with an individual-based simulation of worm propagation on realistic scale-free topologies
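    An individual-based simulation on a scale-free graph, of the kind the abstract uses to evaluate its strategies, is small enough to show in full. The following is an added example and not the thesis's code: it does not implement the pair-approximation model, the cops-and-robbers game or the six named strategies. It simulates a locally scanning worm on a preferential-attachment graph and compares an uncontrolled outbreak with two ideas from the abstract in simplified form, static immunization of the highest-degree nodes and detection by "blackhole" addresses that no host uses, so that any probe reaching one is scanning activity. The graph generator, scan model, node counts and thresholds are assumptions; the 1.5% and 40% figures quoted in the abstract are the thesis's results and are not reproduced here.

```python
import random


def scale_free_graph(n, m, seed=0):
    """Preferential-attachment graph, returned as {node: set(neighbours)}.

    Each new node links to m distinct existing nodes chosen with probability
    proportional to degree, giving the heavy-tailed degree distribution of the
    scale-free topologies the thesis simulates on. Assumed stand-in generator.
    """
    rng = random.Random(seed)
    adj = {v: set() for v in range(n)}
    for i in range(m + 1):                      # seed clique of m + 1 nodes
        for j in range(i + 1, m + 1):
            adj[i].add(j)
            adj[j].add(i)
    urn = [v for v in range(m + 1) for _ in range(m)]   # degree-weighted urn
    for new in range(m + 1, n):
        targets = set()
        while len(targets) < m:
            targets.add(rng.choice(urn))
        for t in targets:
            adj[new].add(t)
            adj[t].add(new)
            urn.append(t)
        urn.extend([new] * m)
    return adj


def top_degree(adj, k):
    """The k highest-degree nodes: where static immunization or sensors do most good."""
    return frozenset(sorted(adj, key=lambda v: len(adj[v]), reverse=True)[:k])


def simulate(adj, seed_node, immune=frozenset(), blackholes=frozenset(),
             scans_per_round=3, max_rounds=5000, seed=1):
    """Locally scanning worm: each infected host probes scans_per_round random
    neighbour addresses per round. `immune` hosts were patched in advance and
    never get infected; `blackholes` are addresses with no host behind them, so
    any probe that reaches one can only come from a scanner, and the first such
    probe counts as detection. Returns the infected set, the detection round
    (None if no sensor was ever hit) and the fraction of hosts infected then.
    """
    rng = random.Random(seed)
    hosts = [v for v in adj if v not in blackholes]
    infected = {seed_node} - immune - blackholes
    detected_round = None
    fraction_at_detection = None
    rounds = 0
    for rounds in range(1, max_rounds + 1):
        newly = set()
        for src in list(infected):
            neighbours = tuple(adj[src])
            for _ in range(scans_per_round):
                dst = rng.choice(neighbours)
                if dst in blackholes:
                    if detected_round is None:
                        detected_round = rounds
                        fraction_at_detection = len(infected) / len(hosts)
                elif dst not in infected and dst not in immune:
                    newly.add(dst)
        infected |= newly
        # stop when no infected host still has a susceptible neighbour and
        # either detection has fired or no infected host is next to a sensor
        frontier = any(v not in infected and v not in immune and v not in blackholes
                       for src in infected for v in adj[src])
        sensor_adjacent = any(v in blackholes for src in infected for v in adj[src])
        if not frontier and (detected_round is not None or not sensor_adjacent):
            break
    return {"infected": infected, "rounds": rounds,
            "detected_round": detected_round,
            "fraction_at_detection": fraction_at_detection}


def experiment(n=300, m=2):
    """Compare an uncontrolled outbreak with hub immunization and with hub sensors."""
    adj = scale_free_graph(n, m)
    seed_node = n - 1                         # the last-added, low-degree node
    baseline = simulate(adj, seed_node)
    immunised = simulate(adj, seed_node, immune=top_degree(adj, n // 10))
    watched = simulate(adj, seed_node, blackholes=top_degree(adj, 3))
    return {
        "baseline_infected": len(baseline["infected"]),
        "hub_immunised_infected": len(immunised["infected"]),
        "detection_round": watched["detected_round"],
        "fraction_at_detection": watched["fraction_at_detection"],
    }


if __name__ == "__main__":
    for key, value in experiment().items():
        print(f"{key}: {value}")
```

    Because the graph is connected and no control is applied, the baseline run ends with every node infected; immunizing the top tenth of nodes by degree caps the outbreak at the remaining nine tenths at most, and placing sensors on the three largest hubs fires as soon as any infected neighbour of a hub probes it, which on a scale-free topology happens well before the outbreak saturates.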

    A critical review of intrusion detection systems in the internet of things : techniques, deployment strategy, validation strategy, attacks, public datasets and challenges

    Get PDF
    The Internet of Things (IoT) has been rapidly evolving towards making a greater impact on everyday life and on large industrial systems. Unfortunately, this has attracted the attention of cybercriminals, who have made IoT a target of malicious activities, opening the door to attacks on the end nodes. To this end, numerous IoT intrusion detection systems (IDS) have been proposed in the literature to tackle attacks on the IoT ecosystem; they can be broadly classified by detection technique, validation strategy, and deployment strategy. This survey paper presents a comprehensive review of contemporary IoT IDS and an overview of the techniques, deployment strategies, validation strategies and datasets that are commonly applied in building an IDS. We also review how existing IoT IDS detect intrusive attacks and secure communications on the IoT. It also presents a classification of IoT attacks and discusses future research challenges in countering such attacks to make IoT more secure. This survey helps IoT security researchers by uniting, contrasting, and compiling scattered research efforts. Consequently, we provide a unique IoT IDS taxonomy, which sheds light on IoT IDS techniques, their advantages and disadvantages, IoT attacks that exploit IoT communication systems, and the corresponding advanced IDS and detection capabilities for detecting IoT attacks. © 2021, The Author(s)