Towards private and robust machine learning for information security

Many problems in information security are pattern recognition problems. For example, determining if a digital communication can be trusted amounts to certifying that the communication does not carry malicious or secret content, which can be distilled into the problem of recognising the difference between benign and malicious content. At a high level, machine learning is the study of how patterns are formed within data, and how learning these patterns generalises beyond the potentially limited data pool at a practitioner’s disposal, and so has become a powerful tool in information security. In this work, we study the benefits machine learning can bring to two problems in information security. Firstly, we show that machine learning can be used to detect which websites are visited by an internet user over an encrypted connection. By analysing timing and packet size information of encrypted network traffic, we train a machine learning model that predicts the target website given a stream of encrypted network traffic, even if browsing is performed over an anonymous communication network. Secondly, in addition to studying how machine learning can be used to design attacks, we study how it can be used to solve the problem of hiding information within a cover medium, such as an image or an audio recording, which is commonly referred to as steganography. How well an algorithm can hide information within a cover medium amounts to how well the algorithm models and exploits areas of redundancy. This can again be reduced to a pattern recognition problem, and so we apply machine learning to design a steganographic algorithm that efficiently hides a secret message with an image. Following this, we proceed with discussions surrounding why machine learning is not a panacea for information security, and can be an attack vector in and of itself. We show that machine learning can leak private and sensitive information about the data it used to learn, and how malicious actors can exploit vulnerabilities in these learning algorithms to compel them to exhibit adversarial behaviours. Finally, we examine the problem of the disconnect between image recognition systems learned by humans and by machine learning models. While human classification of an image is relatively robust to noise, machine learning models do not possess this property. We show how an attacker can cause targeted misclassifications against an entire data distribution by exploiting this property, and go onto introduce a mitigation that ameliorates this undesirable trait of machine learning

A Novel User Oriented Network Forensic Analysis Tool

In the event of a cybercrime, it is necessary to examine the suspect’s digital device(s) in a forensic fashion so that the culprit can be presented in court along with the extracted evidence(s). But, factors such as existence and availability of anti-forensic tools/techniques and increasing replacement of hard disk drives with solid state disks have the ability to eradicate critical evidences and/or ruin their integrity. Therefore, having an alternative source of evidence with a lesser chance of being tampered with can be beneficial for the investigation. The organisational network traffic can fit into this role as it is an independent source of evidence and will contain a copy of all online user activities. Limitations of prevailing network traffic analysis techniques – packet based and flow based – are reflected as certain challenges in the investigation. The enormous volume and increasing encrypted nature of traffic, the dynamic nature of IP addresses of users’ devices, and the difficulty in extracting meaningful information from raw traffic are among those challenges. Furthermore, current network forensic tools, unlike the sophisticated computer forensic tools, are limited in their capability to exhibit functionalities such as collaborative working, visualisation, reporting and extracting meaningful user-level information. These factors increase the complexity of the analysis, and the time and effort required from the investigator. The research goal was set to design a system that can assist in the investigation by minimising the effects of the aforementioned challenges, thereby reducing the cognitive load on the investigator, which, the researcher thinks, can take the investigator one step closer to the culprit. The novelty of this system comes from a newly proposed interaction based analysis approach, which will extract online user activities from raw network metadata. Practicality of the novel interaction-based approach was tested by designing an experimental methodology, which involved an initial phase of the researcher looking to identify unique signatures for activities performed on popular Internet applications (BBC, Dropbox, Facebook, Hotmail, Google Docs, Google Search, Skype, Twitter, Wikipedia, and YouTube) from the researcher’s own network metadata. With signatures obtained, the project moved towards the second phase of the experiment in which a much larger dataset (network traffic collected from 27 users for over 2 months) was analysed. Results showed that it is possible to extract unique signature of online user activities from raw network metadata. However, due to the complexities of the applications, signatures were not found for some activities. The interaction-based approach was able to reduce the data volume by eliminating the noise (machine to machine communication packets) and to find a way around the encryption issue by using only the network metadata. A set of system requirements were generated, based on which a web based, client-server architecture for the proposed system (i.e. the User-Oriented Network Forensic Analysis Tool) was designed. The system functions in a case management premise while minimising the challenges that were identified earlier. The system architecture led to the development of a functional prototype. An evaluation of the system by academic experts from the field acted as a feedback mechanism. While the evaluators were satisfied with the system’s capability to assist in the investigation and meet the requirements, drawbacks such as inability to analyse real-time traffic and meeting the HCI standards were pointed out. The future work of the project will involve automated signature extraction, real-time processing and facilitation of integrated visualisation

Tight Arms Race: Overview of Current Malware Threats and Trends in Their Detection

Cyber attacks are currently blooming, as the attackers reap significant profits from them and face a limited risk when compared to committing the "classical" crimes. One of the major components that leads to the successful compromising of the targeted system is malicious software. It allows using the victim's machine for various nefarious purposes, e.g., making it a part of the botnet, mining cryptocurrencies, or holding hostage the data stored there. At present, the complexity, proliferation, and variety of malware pose a real challenge for the existing countermeasures and require their constant improvements. That is why, in this paper we first perform a detailed meta-review of the existing surveys related to malware and its detection techniques, showing an arms race between these two sides of a barricade. On this basis, we review the evolution of modern threats in the communication networks, with a particular focus on the techniques employing information hiding. Next, we present the bird's eye view portraying the main development trends in detection methods with a special emphasis on the machine learning techniques. The survey is concluded with the description of potential future research directions in the field of malware detection

An authentication scheme to defend against UDP DrDoS attacks in 5G networks

5th generation wireless systems are coming. While we are excited about the delay-free high speeds 5G will bring, security problems are becoming more and more serious. Increasingly rampant Distributed Denial of service (DDoS) attacks, particularly Distributed Reflection Denial of Service (DrDoS) attacks with User Datagram Protocols (UDPs) have developed into a global problem. This article presents a design, implementation, analysis, and experimental evaluation of an authentication scheme, a defense against UDP DrDoS attacks, by which attackers cleverly use rebound server farms to bounce a flood of packets to a target host. We call our solution IEWA because it combines the concepts of increasing expenses and weak authentication. In this paper, we apply IEWA to Network Time Protocol (NTP). First, we simulate and compare the original and improved protocols. Next, we verify the effectiveness of our proposed scheme. We show that our improved scheme is safer than the original scheme. Finally, we compare our solution with existing state-of-the-art schemes, using indicators such as communication overhead, server storage costs, client storage costs, computation costs of server and computation costs of client. We find that our scheme improves system stability and security, reduces communication overhead, server storage cost and computational costs. Our solution not only improves the NTP protocol to mitigate DrDoS attacks, but also strengthens other UDP protocols that are vulnerable to DrDoS attacks. Therefore, our solution can be used as a solution to UDP DrDoS attacks in 5G Network

Data-driven framework and experimental validation for security monitoring of networked systems

Cyber attacks have become more prevalent in the last few years, and several attacks have made headlines worldwide. It has become a lucrative business for cybercriminals who are motivated by financial gains. Other motives include political, social and espionage. Organisations are spending a vast amount of money from their IT budget to secure their critical assets from such attacks, but attackers still find ways to compromise these assets. According to a recent data breach report from IBM, the cost of a data breach is estimated to be around $4.24 million, and on average, it takes 287 days to detect and contain such breaches. Cyber attacks are continuing to increase, and no organisation is immune to such attacks, as demonstrated recently by the cyber attack on FireEye, a leading global cybersecurity firm. This thesis aims to develop a data-driven framework for the security monitoring of networked systems. In this framework, models for detecting cyberattack stages, predicting cyber attacks using time series forecasting and the IoC model were developed to detect attacks that the security monitoring tools may have missed. In the cyberattack stage detection, the Cyber Kill Chain was leveraged and then mapped the detection modules to the various stages of the APT lifecycle. In the cyber prediction model, time series based feature forecasting was utilised to predict attacks to help system administrators take preventative measures. The Indicator of Compromise (IoC) model used host-based features to help detect IoCs more accurately. The main framework utilises network, host and IoC features. In these three models, the prediction accuracy of 91.1% and 98.8% was achieved for the APT and IoC models, while the time series forecasting model produced a reasonable low mean absolute error (MAE) and root mean square error (RMSE) score. The author also contributed to another paper on effective feature selection methods using deep feature abstraction in the form of unsupervised auto-encoders to extract more features. Wrapper-based feature selection techniques were then utilised using Support Vector Machine (SVM), Naive Bayes and Decision tree to select the highest-ranking features. Artificial Neural Networks (ANN) classifier was then used to distinguish impersonation from normal traffic. The contribution of the author to this paper was on the feature selection methods. This model achieved an overall accuracy of 99.5%. It is anticipated that these models will allow decision-makers and systems administrators to take proactive approaches to secure their systems and reduce data breaches