172,649 research outputs found

    Adaptive Traffic Fingerprinting for Darknet Threat Intelligence

    Darknet technology such as Tor has been used by various threat actors for organising illegal activities and data exfiltration. As such, there is a case for organisations to block such traffic, or to try and identify when it is used and for what purposes. However, anonymity in cyberspace has always been a domain of conflicting interests. While it gives enough power to nefarious actors to masquerade their illegal activities, it is also the cornerstone to facilitate freedom of speech and privacy. We present a proof of concept for a novel algorithm that could form the fundamental pillar of a darknet-capable Cyber Threat Intelligence platform. The solution can reduce anonymity of users of Tor, and considers the existing visibility of network traffic before optionally initiating targeted or widespread BGP interception. In combination with server HTTP response manipulation, the algorithm attempts to reduce the candidate data set to eliminate client-side traffic that is most unlikely to be responsible for server-side connections of interest. Our test results show that MITM manipulated server responses lead to expected changes received by the Tor client. Using simulation data generated by shadow, we show that the detection scheme is effective with a false positive rate of 0.001, while sensitivity detecting non-targets was 0.016±0.127. Our algorithm could assist collaborating organisations willing to share their threat intelligence or cooperate during investigations. Comment: 26 page

    Who let the trolls out? Towards understanding state-sponsored trolls

    Recent evidence has emerged linking coordinated campaigns by state-sponsored actors to manipulate public opinion on the Web. Campaigns revolving around major political events are enacted via mission-focused "trolls." While trolls are involved in spreading disinformation on social media, there is little understanding of how they operate, what type of content they disseminate, how their strategies evolve over time, and how they influence the Web's information ecosystem. In this paper, we begin to address this gap by analyzing 10M posts by 5.5K Twitter and Reddit users identified as Russian and Iranian state-sponsored trolls. We compare the behavior of each group of state-sponsored trolls with a focus on how their strategies change over time, the different campaigns they embark on, and differences between the trolls operated by Russia and Iran. Among other things, we find: 1) that Russian trolls were pro-Trump while Iranian trolls were anti-Trump; 2) evidence that campaigns undertaken by such actors are influenced by real-world events; and 3) that the behavior of such actors is not consistent over time, hence detection is not straightforward. Using Hawkes Processes, we quantify the influence these accounts have on pushing URLs on four platforms: Twitter, Reddit, 4chan's Politically Incorrect board (/pol/), and Gab. In general, Russian trolls were more influential and efficient in pushing URLs to all the other platforms with the exception of /pol/ where Iranians were more influential. Finally, we release our source code to ensure the reproducibility of our results and to encourage other researchers to work on understanding other emerging kinds of state-sponsored troll accounts on Twitter. https://arxiv.org/pdf/1811.03130.pdf Accepted manuscrip

    Proactive cloud management for highly heterogeneous multi-cloud infrastructures

    Various literature studies demonstrated that the cloud computing paradigm can help to improve availability and performance of applications subject to the problem of software anomalies. Indeed, the cloud resource provisioning model enables users to rapidly access new processing resources, even distributed over different geographical regions, that can be promptly used in the case of, e.g., crashes or hangs of running machines, as well as to balance the load in the case of overloaded machines. Nevertheless, managing a complex geographically-distributed cloud deployment could be a complex and time-consuming task. Autonomic Cloud Manager (ACM) Framework is an autonomic framework for supporting proactive management of applications deployed over multiple cloud regions. It uses machine learning models to predict failures of virtual machines and to proactively redirect the load to healthy machines/cloud regions. In this paper, we study different policies to perform efficient proactive load balancing across cloud regions in order to mitigate the effect of software anomalies. These policies use predictions about the mean time to failure of virtual machines. We consider the case of heterogeneous cloud regions, i.e., regions with different amounts of resources, and we provide an experimental assessment of these policies in the context of ACM Framework

    Proactive services ecosystem framework

    Dissertation presented to obtain the degree of Doctor in Electrical and Computer Engineering, specialization on Collaborative Enterprise Networks. Collaborative-Networks (CN) have experienced a fast evolution in the last two decades. The collaboration among independent entities or professionals supported by Information and Communication Technology (ICT) has attracted the research community to establish the conceptual basis for this scientific discipline. Service Orientation has been one of the key selected paradigms for that conceptual basis. Nevertheless, the service concept itself does not have a common understanding in the Business and ICT worlds. In the former, client satisfaction, resources management and business process models are some example concerns, whilst the latter deals with interoperability, remote function calling or communication protocols. If for example an enterprise provides some service, it may hire specialists to wrap such service into web-services, expecting to reach worldwide potential new clients. In fact, nowadays Web Services and Service Oriented Architectures (SOA) are the technological elements most commonly used. However, these are passive elements in the sense they do not perform any action towards pursuing business interests, which constitute a limiting factor from a business perspective. Another approach for the above mentioned enterprise is to follow the Multi-Agent Systems (MAS) approach, as the pro-activity is a keyword in such contexts. Nevertheless, as MAS approaches are not so commonly used and not so robust yet, the worldwide potential set of new clients is reduced; which also constitutes an inhibitor factor from the business perspective.
This dissertation proposes a Pro-Active Services Ecosystem Framework, gathering inspiration from both the SOA and MAS research areas, trying to bridge the business and ICT worlds through the base concepts for the creation of a Services’ Ecosystem where business services are represented in a pro-active manner towards pursuing business interests, like finding collaboration opportunities or improving the chances each CN member has to see its services selected among competitors, for example. This work also includes a prototype system applied / validated in the area of a Professional Virtual Community of Senior Professionals