The entangled cyberspace: an integrated approach for predicting cyber-attacks
This thesis was submitted for the award of Doctor of Philosophy and was awarded by Brunel University London.
Significant studies in cyber defence analysis have predominantly revolved around a single, linear analysis of information from a single source of evidence (the network). These studies were limited in their ability to understand the dynamics of entanglements related to cyber-incidents. This research integrates evidence beyond the network in an attempt to understand and predict phases of the kill-chain across the information space.
This research provides a multi-dimensional, phased analysis of the traditional kill-chain model using structural vector autoregressive models. In the 'Entangled Cyberspace Framework', each phase of the kill-chain corresponds to a single dimension of the information space, based on time observations of certain events. Events are represented as time signals, where each phase is characterised by multiple time signals representing multiple events in that phase. The multiple time signals are analysed using structural models for multiple time series analysis (Vector Auto-Regressive models). At each phase of the kill-chain, we perform a lagged co-integration analysis of events across the information space. This kind of analysis detects hidden entanglements that characterise events in the kill-chain beyond the network. The prediction accuracy and error measured at each stage of the experiment represent the usefulness of the selected events in characterising the defined stage of the kill-chain.
The entangled cyberspace, in theory, is the fusion of three conceptual foundations: a) A multi-dimensional characterisation of cyberspace, b) A sequential phased model for perpetrating cyber-attacks and c) A structural model for integrating and simultaneously analysing multiple sources of evidence. It starts with the characterisation of the information space into different dimensions of interest. The framework goes further to identify evidence sources across these characterised dimensions and integrates them in the analytical context under consideration (e.g. Malware Injection).
The concrete findings show that our approach and analytical methodology are capable of detecting entanglements when applied to a set of entangled activities across the information space. The findings also show that activities beyond the network have significant effects on the nature of the unfolding cyber-attack vector. The predictive features of events across the kill-chain are presented in this research as opinion and emotion drivers on the social dimension, packet data details on the network, and social and cultural events on the economic layer. Finally, the co-integration detected between events across and within dimensions of the information space demonstrates the existence of both inter-dimensional and intra-dimensional entanglements that affect the nature of events unfolding during the kill-chain (from the adversary's point of view).
The novelty of this research rests in the ability to hop across the information space to detect evidential clues of activities related to cyber-incidents. This research also expands the standard multi-dimensional information space to include SPEC factors as indicators of cyber-incidents. It improves the current information security management model, specifically in the monitoring, analysis and detection phases, and provides a methodology that accommodates a robust evidence base for understanding the attack surface. Practically, this research provides a basis for creating applications and tools for protecting critical national infrastructure by integrating data from social platforms, real-world political, cultural and economic events and the cyber-physical
Identifying human trafficking indicators in the UK online sex market
This study identifies the presence of human trafficking indicators in a UK-based sample of sex workers who advertise their services online. To this end, we developed crawling and scraping software that enabled the collection of information from 17,362 advertisements for female sex workers posted on the largest dedicated platform for sex work services in the UK. We then established a set of 10 indicators of human trafficking and a transparent and replicable methodology through which to detect their presence in our sample. Most of the advertisements (58.3%) contained only one indicator, while 3,694 of the advertisements (21.3%) presented 2 indicators of human trafficking. Only 1.7% of the advertisements reported three or more indicators, while there were no advertisements that featured more than four. 3,255 advertisements (19.0%) did not contain any indicators of human trafficking. Based on this analysis, we propose that this approach constitutes an effective screening process for quickly identifying suspicious cases, which can then be examined by more comprehensive and accurate tools to identify if human trafficking is occurring. We conclude by calling for more empirical research into human trafficking indicators.
Digital fingerprinting for identifying malicious collusive groups on Twitter
Propagation of malicious code on online social networks (OSN) is often a coordinated effort by collusive groups of malicious actors hiding behind multiple online identities (or digital personas). Increased interaction in OSN has made them reliable for the efficient orchestration of cyber-attacks such as phishing clickbait and drive-by downloads. URL shortening enables obfuscation of links to malicious websites, and massive interaction with such embedded malicious links in OSN guarantees maximum reach. These malicious links lure users to malicious endpoints where attackers can exploit system vulnerabilities. Identifying the organised groups colluding to spread malware is non-trivial owing to the fluidity and anonymity of criminal digital personas on OSN. This paper proposes a methodology for identifying such organised groups of criminal actors working together to spread malicious links on OSN. Our approach focuses on understanding malicious users as 'digital criminal personas' and the characteristics of their online existence. We first identify those users engaged in propagating malicious links on OSN platforms, and then develop a methodology to create a digital fingerprint for each malicious OSN account/digital persona. We create similarity clusters of malicious actors based on these unique digital fingerprints to establish 'collusive' behaviour. We evaluate the ability of a cluster-based approach to OSN digital fingerprinting to identify collusive behaviour in OSN by estimating within-cluster similarity measures and testing it on a ground-truth dataset of five known colluding groups on Twitter. Our results show that our digital fingerprints can identify 90% of cyber-personas engaged in collusive behaviour and 75% of collusion in a given sample set.
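The abstract above describes the pipeline only at a high level (fingerprint each persona, cluster by similarity, score within-cluster similarity against ground truth). The following is an added example that is not the paper's code: it builds a fingerprint from three behavioural feature sets per persona (shortened links pushed, hashtags ridden, posting hours), scores pairs with mean Jaccard similarity, merges personas above a threshold with single-linkage clustering, and then reports within-cluster similarity and recall against a known colluding group. The personas, links, hashtags, threshold and ground-truth groups are all constructed assumptions; the paper's actual fingerprint features are not given on this page.

```python
"""Digital-fingerprint clustering of malicious OSN personas (added example).

Every persona, link, hashtag and ground-truth group below is constructed
sample data; the feature choice is an assumption, not the paper's method.
"""
from itertools import combinations

FEATURES = ("urls", "tags", "hours")

# Constructed sample: behaviour observed for six hypothetical personas.
ACCOUNTS = {
    "persona_a": {"urls": {"bit.ly/x1", "bit.ly/x2", "t.co/q9"},
                  "tags": {"#Oscars", "#Win"}, "hours": {1, 2, 3}},
    "persona_b": {"urls": {"bit.ly/x1", "bit.ly/x2"},
                  "tags": {"#Oscars", "#Win"}, "hours": {1, 2, 4}},
    "persona_c": {"urls": {"bit.ly/x2", "t.co/q9"},
                  "tags": {"#Oscars"}, "hours": {2, 3}},
    "persona_d": {"urls": {"tinyurl.com/zz"},
                  "tags": {"#WorldCup"}, "hours": {14, 15}},
    "persona_e": {"urls": {"tinyurl.com/zz", "tinyurl.com/zy"},
                  "tags": {"#WorldCup", "#Goal"}, "hours": {14, 16}},
    "persona_f": {"urls": {"goo.gl/solo"},
                  "tags": {"#News"}, "hours": {9}},
}

# Constructed ground truth: two known colluding groups. persona_f shares no
# observable behaviour with its group, so the fingerprint will miss it.
TRUTH = [{"persona_a", "persona_b", "persona_c"},
         {"persona_d", "persona_e", "persona_f"}]


def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def fingerprint_similarity(f1, f2):
    """Mean Jaccard similarity over the feature sets of two fingerprints."""
    return sum(jaccard(f1[k], f2[k]) for k in FEATURES) / len(FEATURES)


def cluster_accounts(accounts, threshold):
    """Single-linkage clustering: union-find over pairs scoring >= threshold.

    Returns a list of clusters (sets of persona names), sorted by member name.
    """
    parent = {name: name for name in accounts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(accounts, 2):
        if fingerprint_similarity(accounts[a], accounts[b]) >= threshold:
            parent[find(a)] = find(b)
    clusters = {}
    for name in accounts:
        clusters.setdefault(find(name), set()).add(name)
    return sorted(clusters.values(), key=lambda c: sorted(c))


def within_cluster_similarity(cluster, accounts):
    """Mean pairwise similarity inside a cluster; None for a singleton."""
    pairs = list(combinations(sorted(cluster), 2))
    if not pairs:
        return None
    return sum(fingerprint_similarity(accounts[a], accounts[b])
               for a, b in pairs) / len(pairs)


def collusion_recall(clusters, truth_groups):
    """Share of known colluding personas that land in a cluster together
    with at least one of their true group-mates."""
    cluster_of = {name: c for c in clusters for name in c}
    hits = total = 0
    for group in truth_groups:
        for name in group:
            total += 1
            if cluster_of.get(name, set()) & (group - {name}):
                hits += 1
    return hits / total if total else 0.0


if __name__ == "__main__":
    found = cluster_accounts(ACCOUNTS, threshold=0.4)
    for c in found:
        print(sorted(c), within_cluster_similarity(c, ACCOUNTS))
    print("recall vs ground truth:", collusion_recall(found, TRUTH))
```

With the constructed data and a 0.4 threshold, persona_a/b/c and persona_d/e form two clusters while persona_f stays alone, so recall against the two ground-truth groups is 5/6. The threshold is the practitioner's knob: single linkage will chain clusters together through one intermediate persona (persona_b and persona_c are joined only via persona_a), so a real deployment should also inspect within-cluster similarity before treating a cluster as a colluding group.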
Disrupting drive-by download networks on Twitter.
This paper tests disruption strategies in Twitter networks containing malicious URLs used in drive-by download attacks. Cybercriminals use popular events that attract a large number of Twitter users to infect and propagate malware by using trending hashtags and creating misleading tweets to lure users to malicious webpages. Due to Twitter's 280 character restriction and automatic shortening of URLs, it is particularly susceptible to the propagation of malware involved in drive-by download attacks. Considering the number of online users and the network formed by retweeting a tweet, a cybercriminal can infect millions of users in a short period. Policymakers and researchers have struggled to develop an efficient network disruption strategy to stop malware propagation effectively. We define an efficient strategy as one that considers network topology and dependency on network resilience, where resilience is the ability of the network to continue to disseminate information even when users are removed from it. One of the challenges faced while curbing malware propagation on online social platforms is understanding the cybercriminal network spreading the malware. Combining computational modelling and social network analysis, we identify the most effective strategy for disrupting networks of malicious URLs. Our results emphasise the importance of specific network disruption parameters such as network and emotion features, which have proven to be more effective in disrupting malicious networks compared to random strategies. In conclusion, disruption strategies force cybercriminal networks to become more vulnerable by strategically removing malicious users, which causes successful network disruption to become a long-term effort.
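The abstract above defines resilience as the network's ability to keep disseminating information after users are removed, and compares targeted strategies (network and emotion features) against random removal. The following is an added example, not the paper's model: it builds a small retweet graph from constructed edges, measures resilience as the share of the original accounts that remain inside the largest connected component (the audience the malicious link can still reach), and removes accounts by random choice, by highest degree, or by a constructed per-account emotion score. The edges, emotion scores and the largest-component measure are assumptions; the paper's actual graphs, feature definitions and resilience metric are not given on this page.

```python
"""Disruption strategies on a retweet network spreading a malicious URL
(added example). Edges and emotion scores are constructed sample data;
the resilience metric is a standard largest-component measure chosen here,
not necessarily the one used in the paper.
"""
import random

# Constructed retweet graph: the original poster ("seed") reaches two hub
# accounts, each of which is retweeted by four followers. Edges are
# treated as undirected propagation links.
EDGES = [
    ("seed", "hub1"), ("seed", "hub2"),
    ("hub1", "a1"), ("hub1", "a2"), ("hub1", "a3"), ("hub1", "a4"),
    ("hub2", "b1"), ("hub2", "b2"), ("hub2", "b3"), ("hub2", "b4"),
    ("a1", "a2"),
]

# Constructed emotion score per account (e.g. intensity of emotive lures
# in its tweets). The hubs post the most emotive content in this sample.
EMOTION = {
    "seed": 0.60, "hub1": 0.92, "hub2": 0.88, "a1": 0.75, "a2": 0.30,
    "a3": 0.25, "a4": 0.20, "b1": 0.35, "b2": 0.30, "b3": 0.20, "b4": 0.15,
}


def build_graph(edges):
    """Adjacency sets for an undirected graph."""
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def largest_component(adj, removed):
    """Size of the largest connected component after removing `removed`."""
    seen = set(removed)
    best = 0
    for start in adj:
        if start in seen:
            continue
        stack, size = [start], 0
        seen.add(start)
        while stack:
            node = stack.pop()
            size += 1
            for nxt in adj[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        best = max(best, size)
    return best


def resilience(adj, removed):
    """Share of the ORIGINAL accounts still reachable as one component."""
    return largest_component(adj, removed) / len(adj)


def degree_strategy(adj, k):
    """Network feature: remove the k highest-degree accounts (ties by name)."""
    return sorted(adj, key=lambda n: (-len(adj[n]), n))[:k]


def emotion_strategy(scores, k):
    """Emotion feature: remove the k accounts with the highest emotion score."""
    return sorted(scores, key=lambda n: (-scores[n], n))[:k]


def random_strategy(adj, k, seed):
    """Baseline: remove k accounts chosen uniformly at random."""
    return random.Random(seed).sample(sorted(adj), k)


def removal_curve(adj, order):
    """Resilience after removing 0, 1, 2, ... accounts in the given order."""
    removed, curve = set(), [resilience(adj, set())]
    for node in order:
        removed.add(node)
        curve.append(resilience(adj, removed))
    return curve


def compare_strategies(adj, scores, k, seeds=range(20)):
    """Mean resilience left by each strategy after k removals."""
    rand = [resilience(adj, set(random_strategy(adj, k, s))) for s in seeds]
    return {
        "random": sum(rand) / len(rand),
        "degree": resilience(adj, set(degree_strategy(adj, k))),
        "emotion": resilience(adj, set(emotion_strategy(scores, k))),
    }


GRAPH = build_graph(EDGES)

if __name__ == "__main__":
    print("degree order:", degree_strategy(GRAPH, 3))
    print("curve:", [round(x, 3) for x in removal_curve(GRAPH, degree_strategy(GRAPH, 3))])
    print(compare_strategies(GRAPH, EMOTION, k=2))
```

On the constructed graph, removing the two hubs (which both the degree and the emotion ranking pick first) leaves the malicious link able to reach only 2 of the 11 accounts as a connected group, whereas no random pair can do better than that and most do considerably worse. The removal curve is the quantity to watch in practice: it shows how many removals a strategy needs before resilience collapses, and why a network that regrows hubs turns disruption into the long-term effort the abstract describes.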