4 results for Cybersecurity

in Deakin Research Online - Australia


Abstract:

Ubiquitous computing is an exciting paradigm shift where technology becomes virtually invisible in our lives. In the increasingly interconnected world, threats to our daily lives can come from unexpected sources and universal directions. Criminals and terrorists have recognized the value of leveraging the ubiquitous computing environments to facilitate the commission of crimes. The cyber criminals typically launch different forms of large-scale and coordinated attacks, causing huge financial loss and potential life hazard. In this talk, we report two innovative approaches to defend against large-scale and coordinated attacks in the ubiquitous environments: 1) Inferring the cyber crime's intent through network traffic classification to enable the early warning of potential attacks, and 2) Profiling the large-scale and coordinated cyber attacks through both microscopic and macroscopic modeling to provide better control of such attacks. These approaches are effective in finding weak symptoms caused by the attacks and thus can successfully defend against the large-scale and coordinated attacks at their early stages.

Abstract:

Phishing attacks continue unabated to plague Internet users and trick them into providing personal and confidential information to phishers. In this paper, an approach for email-borne phishing detection based on profiling and clustering techniques is proposed. We formulate the profiling problem as a clustering problem using various features present in the phishing emails as feature vectors and generate profiles based on clustering predictions. These predictions are further utilized to generate complete profiles of the emails. We carried out extensive experimental analysis of the proposed approach in order to evaluate its effectiveness with respect to various factors such as sensitivity to the type of data, number of data sizes and cluster sizes. We compared the performance of the proposed approach against the Modified Global Kmeans (MGKmeans) approach. The results show that the proposed approach is efficient as compared to the baseline approach. © 2014 Elsevier Ltd. All rights reserved.

Abstract:

Many aspects of our modern society now have either a direct or implicit dependence upon information technology. As such, a compromise of the availability or integrity in relation to these systems (which may encompass such diverse domains as banking, government, health care, and law enforcement) could have dramatic consequences from a societal perspective. These key systems are often referred to as critical infrastructure. Critical infrastructure can consist of corporate information systems or systems that control key industrial processes; these specific systems are referred to as ICS (Industry Control Systems) systems. ICS systems have devolved since the 1960s from standalone systems to networked architectures that communicate across large distances, utilise wireless networks and can be controlled via the Internet. ICS systems form part of many countries’ key critical infrastructure, including Australia. They are used to remotely monitor and control the delivery of essential services and products, such as electricity, gas, water, waste treatment and transport systems. The need for security measures within these systems was not anticipated in the early development stages, as they were designed to be closed systems and not open systems accessible via the Internet. We are also seeing these ICS and their supporting systems being integrated into organisational corporate systems.

Abstract:

DDoS attack source traceback is an open and challenging problem. Deterministic packet marking (DPM) is a simple and effective traceback mechanism, but the current DPM based traceback schemes are not practical due to their scalability constraint. We noticed a factor that only a limited number of computers and routers are involved in an attack session. Therefore, we only need to mark these involved nodes for traceback purposes, rather than marking every node of the Internet as the existing schemes do. Based on this finding, we propose a novel marking on demand (MOD) traceback scheme based on the DPM mechanism. In order to trace back to the involved attack sources, what we need to do is to mark these involved ingress routers using the traditional DPM strategy. Similar to existing schemes, we require participating routers to install a traffic monitor. When a monitor notices a surge of suspicious network flows, it will request a unique mark from a globally shared MOD server, and mark the suspicious flows with the unique marks. At the same time, the MOD server records the information of the marks and their related requesting IP addresses. Once a DDoS attack is confirmed, the victim can obtain the attack sources by requesting the MOD server with the marks extracted from attack packets. Moreover, we use the marking space in a round-robin style, which essentially addresses the scalability problem of the existing DPM based traceback schemes. We establish a mathematical model for the proposed traceback scheme, and thoroughly analyze the system. Theoretical analysis and extensive real-world data experiments demonstrate that the proposed traceback method is feasible and effective.