7,749 research outputs found

    Reinforcement learning for efficient network penetration testing

    Penetration testing (also known as pentesting or PT) is a common practice for actively assessing the defenses of a computer network by planning and executing all possible attacks to discover and exploit existing vulnerabilities. Current penetration testing methods are increasingly becoming non-standard, composite and resource-consuming despite the use of evolving tools. In this paper, we propose and evaluate an AI-based pentesting system which makes use of machine learning techniques, namely reinforcement learning (RL), to learn and reproduce average and complex pentesting activities. The proposed system is named Intelligent Automated Penetration Testing System (IAPTS), consisting of a module that integrates with industrial PT frameworks to enable them to capture information, learn from experience, and reproduce tests in future similar testing cases. IAPTS aims to save human resources while producing much-enhanced results in terms of time consumption, reliability and frequency of testing. IAPTS takes the approach of modeling PT environments and tasks as a partially observed Markov decision process (POMDP) problem which is solved by a POMDP-solver. Although the scope of this paper is limited to network infrastructures PT planning and not the entire practice, the obtained results support the hypothesis that RL can enhance PT beyond the capabilities of any human PT expert in terms of time consumed, covered attacking vectors, accuracy and reliability of the outputs. In addition, this work tackles the complex problem of expertise capturing and re-use by allowing the IAPTS learning module to store and re-use PT policies in the same way that a human PT expert would learn but in a more efficient way.

    Electronic titling: Potential and risks

    Initiatives in electronic conveyancing and registration show the potential of new technologies to transform such systems, reducing costs and enhancing legal security. However, they also incur substantial risks of transferring costs and risks among registries, conveyancers and rightholders, instead of reducing them; entrenching the private interests of conveyancers, instead of increasing competition and disintermediating them; modifying the allocation of tasks in a way that leads in the long term to the debasement of registries of rights with indefeasible title into mere recordings of deeds; and empowering conveyancers instead of transactors and rightholders, which increases costs and reduces security. Fulfilling the promise of new technologies in both costs and security requires strengthening registries’ incentives and empowering rightholders in their interaction with registries. Keywords: Electronic Conveyancing, Electronic Registration, Lawyers, Notaries, Digital Signatures

    Link Before You Share: Managing Privacy Policies through Blockchain

    With the advent of numerous online content providers, utilities and applications, each with their own specific version of privacy policies and its associated overhead, it is becoming increasingly difficult for concerned users to manage and track the confidential information that they share with the providers. Users consent to providers to gather and share their Personally Identifiable Information (PII). We have developed a novel framework to automatically track details about how a user's PII data is stored, used and shared by the provider. We have integrated our Data Privacy ontology with the properties of blockchain, to develop an automated access control and audit mechanism that enforces users' data privacy policies when sharing their data across third parties. We have also validated this framework by implementing a working system, LinkShare. In this paper, we describe our framework in detail along with the LinkShare system. Our approach can be adopted by Big Data users to automatically apply their privacy policy on data operations and track the flow of that data across various stakeholders. Comment: 10 pages, 6 figures, Published in: 4th International Workshop on Privacy and Security of Big Data (PSBD 2017) in conjunction with 2017 IEEE International Conference on Big Data (IEEE BigData 2017) December 14, 2017, Boston, MA, US

    Carbon Trading with Blockchain

    Blockchain has the potential to accelerate the deployment of emissions trading systems (ETS) worldwide and improve upon the efficiency of existing systems. In this paper, we present a model for a permissioned blockchain implementation based on the successful European Union (EU) ETS and discuss its potential advantages over existing technology. We propose an ETS model that is both backwards compatible and future-proof, characterised by interconnectedness, transparency, tamper-resistance and high liquidity. Further, we identify key challenges to implementation of a blockchain ETS, as well as areas of future work required to enable a fully-decentralised blockchain ETS.

    Treatment of palm oil mill secondary effluent (POMSE) using ultrafiltration and nanofiltration membranes

    The Malaysian palm oil industry has grown rapidly over the last few decades, to become the world’s largest producer and exporter of palm oil. This success story, however, comes with a greater challenge and equally requires more sacrifices in order to maintain the tempo. In the year 2004, it was recorded that 26.7 million tons of solid biomass and approximately 30 million tons of palm oil mill effluent (POME) were generated from 381 palm oil mills in Malaysia [1]. Although different kinds of waste are generated in the palm oil mills, the perceived harmful waste among all the waste generated is the palm oil mill effluent (POME) due to its associated harm if discharged into the environment untreated [2]. POME is a colloidal suspension originating from a mixture of sterilizer condensate, separator sludge and hydro cyclone wastewater in a ratio of 9:15:1 respectively [3]. It is a brownish colored, thick liquid containing a high amount of oil, solids, and grease with high Chemical Oxygen Demand (COD) and Biological Oxygen Demand (BOD) values. Table 15.1 describes the characteristic of POME obtained from Malaysian Palm Oil Board.

    A Rule of Persons, Not Machines: The Limits of Legal Automation


    Trade compliance management: exploring the role of in-house trade compliance

    The study aims to explore the role of in-house trade compliance and how it operates in multinational companies. As such, the study's main research question is “What is the role of in-house trade compliance in multinational companies?”. Trade compliance oversees that business activities comply with regulatory requirements. In addition, trade compliance activities include optimization of supply chains. The in-house teams are involved in activities such as tariff classification, incoterms consultation, preferential treatment activities, license management, export controls, customs management, screening, and valuation. However, academic research on this topic remains relatively limited despite the acknowledged importance of trade compliance to efficient trading operations and global supply chains. Therefore, this study aims to address this research gap and provide insights into the role of in-house trade compliance. Based on the study results, in-house trade compliance is both operational and advisory, and companies often emphasize the role of automation and outsourcing in their trade compliance functions. Automation ensures that human error is limited and errors are noticed proactively. Outsourcing releases resources for more consulting work. However, compliance responsibility remains with the company, and the management level should be in-house. As such, it is common for in-house teams to perform audits and spot checks on reported documentation. A common approach to in-house trade compliance is to have a global team overseeing global guidelines and area-specific teams or managers to support and implement compliance in other departments. However, the approach to in-house trade compliance may vary across different companies and industries, and each company may have its unique perspective on trade compliance. Therefore, it is important for companies to carefully consider their specific trade compliance requirements and tailor their approach accordingly.

    Moving from a "human-as-problem" to a "human-as-solution" cybersecurity mindset

    Cybersecurity has gained prominence, with a number of widely publicised security incidents, hacking attacks and data breaches reaching the news over the last few years. The escalation in the numbers of cyber incidents shows no sign of abating, and it seems appropriate to take a look at the way cybersecurity is conceptualised and to consider whether there is a need for a mindset change. To consider this question, we applied a "problematization" approach to assess current conceptualisations of the cybersecurity problem by government, industry and hackers. Our analysis revealed that individual human actors, in a variety of roles, are generally considered to be "a problem". We also discovered that deployed solutions primarily focus on preventing adverse events by building resistance: i.e. implementing new security layers and policies that control humans and constrain their problematic behaviours. In essence, this treats all humans in the system as if they might well be malicious actors, and the solutions are designed to prevent their ill-advised behaviours. Given the continuing incidences of data breaches and successful hacks, it seems wise to rethink the status quo approach, which we refer to as "Cybersecurity, Currently". In particular, we suggest that there is a need to reconsider the core assumptions and characterisations of the well-intentioned human's role in the cybersecurity socio-technical system. Treating everyone as a problem does not seem to work, given the current cyber security landscape. Benefiting from research in other fields, we propose a new mindset, i.e. "Cybersecurity, Differently". This approach rests on recognition of the fact that the problem is actually the high complexity, interconnectedness and emergent qualities of socio-technical systems. The "differently" mindset acknowledges the well-intentioned human's ability to be an important contributor to organisational cybersecurity, as well as their potential to be "part of the solution" rather than "the problem". In essence, this new approach initially treats all humans in the system as if they are well-intentioned. The focus is on enhancing factors that contribute to positive outcomes and resilience. We conclude by proposing a set of key principles and, with the help of a prototypical fictional organisation, consider how this mindset could enhance and improve cybersecurity across the socio-technical system.

    Using the blockchain to enable transparent and auditable processing of personal data in cloud-based services: Lessons from the Privacy-Aware Cloud Ecosystems (PACE) project

    The architecture of cloud-based services is typically opaque and intricate. As a result, data subjects cannot exercise adequate control over their personal data, and overwhelmed data protection authorities must spend their limited resources in costly forensic efforts to ascertain instances of non-compliance. To address these data protection challenges, a group of computer scientists and socio-legal scholars joined forces in the Privacy-Aware Cloud Ecosystems (PACE) project to design a blockchain-based privacy-enhancing technology (PET). This article presents the fruits of this collaboration, highlighting the capabilities and limits of our PET, as well as the challenges we encountered during our interdisciplinary endeavour. In particular, we explore the barriers to interdisciplinary collaboration between law and computer science that we faced, and how these two fields’ different expectations as to what technology can do for data protection law compliance had an impact on the project's development and outcome. We also explore the overstated promises of techno-regulation, and the practical and legal challenges that militate against the implementation of our PET: most industry players have no incentive to deploy it, the transaction costs of running it make it prohibitively expensive, and there are significant clashes between the blockchain's decentralised architecture and GDPR's requirements that hinder its deployability. We share the insights and lessons we learned from our efforts to overcome these challenges, hoping to inform other interdisciplinary projects that are increasingly important to shape a data ecosystem that promotes the protection of our personal data.