Data Mining for Network Intrusion Detection : A comparison of data mining algorithms and an analysis of relevant features for detecting cyber-attacks

Data mining can be defined as the extraction of implicit, previously un-known, and potentially useful information from data. Numerous re-searchers have been developing security technology and exploring new methods to detect cyber-attacks with the DARPA 1998 dataset for Intrusion Detection and the modified versions of this dataset KDDCup99 and NSL-KDD, but until now no one have examined the performance of the Top 10 data mining algorithms selected by experts in data mining. The compared classification learning algorithms in this thesis are: C4.5, CART, k-NN and Naïve Bayes. The performance of these algorithms are compared with accuracy, error rate and average cost on modified versions of NSL-KDD train and test dataset where the instances are classified into normal and four cyber-attack categories: DoS, Probing, R2L and U2R. Additionally the most important features to detect cyber-attacks in all categories and in each category are evaluated with Weka’s Attribute Evaluator and ranked according to Information Gain. The results show that the classification algorithm with best performance on the dataset is the k-NN algorithm. The most important features to detect cyber-attacks are basic features such as the number of seconds of a network connection, the protocol used for the connection, the network service used, normal or error status of the connection and the number of data bytes sent. The most important features to detect DoS, Probing and R2L attacks are basic features and the least important features are content features. Unlike U2R attacks, where the content features are the most important features to detect attacks.

Passivity Framework for Modeling, Composing and Mitigating Cyber Attacks

Thesis (Ph.D.)--University of Washington, 2016-08

The war of attrition in cyber-space or "cyber-attacks", "cyber-war" and "cyber-terrorism"

Nos últimos anos tornou-se óbvio que o mundo virtual das bases de dados e do software – popularmente denominado como ciberespaço – tem um lado negro. Este lado negro tem várias dimensões, nomeadamente perda de produtividade, crime financeiro, furto de propriedade intelectual, de identidade, bullying e outros. Empresas, governos e outras entidades são cada vez mais alvo de ataques de terceiros com o fim de penetrarem as suas redes de dados e sistemas de informação. Estes vão desde os adolescentes a grupos organizados e extremamente competentes, sendo existem indicações de que alguns Estados têm vindo a desenvolver “cyber armies” com capacidades defensivas e ofensivas. Legisladores, políticos e diplomatas têm procurado estabelecer conceitos e definições, mas apesar da assinatura da Convenção do Conselho da Europa sobre Cibercrime em 2001 por vários Estados, não existiram novos desenvolvimentos desde então. Este artigo explora as várias dimensões deste domínio e enfatiza os desafios que se colocam a todos aqueles que são responsáveis pela proteção diária da informação das respetivas organizações contra ataques de origem e objetivos muitas vezes desconhecidos.

The regulation of cyber warfare under the jus ad bellum

This chapter evaluates the potential for legal regulation of the resort to cyber warfare between states under the ‘jus ad bellum’ (the law on the use of force). Debate in the literature has largely concerned whether cyber warfare falls within the scope of Article 2(4) UNC. The first part of this chapter sets out this debate. It then goes on to argue that the ‘Article 2(4) debate’ often misses the fact that an act of cyber warfare can be considered a breach of a different legal rule: the principle of non-intervention. The chapter further considers some of the issues in applying either the prohibition of the use of force or the principle of non-intervention to cyber warfare, and then concludes by arguing that the debate should be reoriented to focus on another existing international legal obligation: the duty to prevent cyber-attacks.

Military objectives in cyber warfare

This Chapter discusses the possible problems arising from the application of the principle of distinction under the law of armed conflict to cyber attacks. It first identifies when cyber attacks qualify as ‘attacks’ under the law of armed conflict and then examines the two elements of the definition of ‘military objective’ contained in Article 52(2) of the 1977 Protocol I additional to the 1949 Geneva Conventions on the Protection of Victims of War. The Chapter concludes that this definition is flexible enough to apply in the cyber context without significant problems and that none of the challenges that characterize cyber attacks hinders the application of the principle of distinction.

Cyber security in home and small office local area networks - Attack vectors and vulnerabilities

This thesis presents security issues and vulnerabilities in home and small office local area networks that can be used in cyber-attacks. There is previous research done on single vulnerabilities and attack vectors, but not many papers present full scale attack examples towards LAN. First this thesis categorizes different security threads and later in the paper methods to launch the attacks are shown by example. Offensive security and penetration testing is used as research methods in this thesis. As a result of this thesis an attack is conducted using vulnerabilities in WLAN, ARP protocol, browser as well as methods of social engineering. In the end reverse shell access is gained to the target machine. Ready-made tools are used in the attack and their inner workings are described. Prevention methods are presented towards the attacks in the end of the thesis.

Estudo de vulnerabilidades em aplicações web e o seu reflexo em domínios Portugueses

Muito se tem falado sobre revolução tecnológica e do aparecimento constante de novas aplicações Web, com novas funcionalidades que visam facilitar o trabalho dos utilizadores. Mas será que estas aplicações garantem que os dados transmitidos são tratados e enviados por canais seguros (protocolos)? Que garantias é que o utilizador tem que mesmo que a aplicação utilize um canal, que prevê a privacidade e integridade de dados, esta não apresente alguma vulnerabilidade pondo em causa a informação sensível do utilizador? Software que não foi devidamente testado, aliado à falta de sensibilização por parte dos responsáveis pelo desenvolvimento de software para questões de segurança, levam ao aumento de vulnerabilidades e assim exponenciam o número de potenciais vítimas. Isto aliado ao efeito de desinibição que o sentimento de invisibilidade pode provocar, conduz ao facilitismo e consequentemente ao aumento do número de vítimas alvos de ataques informáticos. O utilizador, por vezes, não sabe muito bem do que se deve proteger, pois a confiança que depõem no software não pressupõem que os seus dados estejam em risco. Neste contexto foram recolhidos dados históricos relativos a vulnerabilidades nos protocolos SSL/TLS, para perceber o impacto que as mesmas apresentam e avaliar o grau de risco. Para além disso, foram avaliados um número significativo de domínios portugueses para perceber se os mesmos têm uma vulnerabilidade específica do protocolo SSL/TLS.

Uusien uhkakuvien luominen: tapaus 'kiinalaiset kybersoturit' : lingvistinen uhka-analyysi kyberdiskurssista

Since his inauguration, President Barack Obama has emphasized the need for a new cybersecurity policy, pledging to make it a "national security priority". This is a significant change in security discourse after an eight-year war on terror – a term Obama announced to be no longer in use. After several white papers, reports and the release of the so-called 60-day Cybersecurity Review, Obama announced the creation of a "cyber czar" position and a new military cyber command to coordinate American cyber defence and warfare. China, as an alleged cyber rival, has played an important role in the discourse that introduced the need for the new office and the proposals for changes in legislation. Research conducted before this study suggest the dominance of state-centric enemy descriptions paused briefly after 9/11, but returned soon into threat discourse. The focus on China's cyber activities fits this trend. The aim of this study is to analyze the type of modern threat scenarios through a linguistic case study on the reporting on Chinese hackers. The methodology of this threat analysis is based on the systemic functional language theory, and realizes as an analysis of action and being descriptions (verbs) used by the American authorities. The main sources of data include the Cybersecurity Act 2009, Securing Cyberspace for the 44th Presidency, and 2008 Report to Congress of the U.S. - China Economic and Security Review Commission. Contrary to the prevailing and popularized terrorism discourse, the results show the comeback of Cold War rhetoric as well as the establishment of a state-centric threat perception in cyber discourse. Cyber adversaries are referred to with descriptions of capacity, technological superiority and untrustworthiness, whereas the ‘self’ is described as vulnerable and weak. The threat of cyber attacks is compared to physical attacks on critical military and civilian infrastructure. The authorities and the media form a cycle, in which both sides quote each other and foster each other’s distrust and rhetoric. The white papers present China's cyber army as an existential threat. This leads to cyber discourse turning into a school-book example of a securitization process. The need for security demands action descriptions, which makes new rules and regulations acceptable. Cyber discourse has motives and agendas that are separate from real security discourse: the arms race of the 21st century is about unmanned war.

Analysis of Automotive Cybersecurity - Attack surfaces and users’ privacy concerns

Modern automobiles are no longer just mechanical tools. The electronics and computing services they are shipping with are making them not less than a computer. They are massive kinetic devices with sophisticated computing power. Most of the modern vehicles are made with the added connectivity in mind which may be vulnerable to outside attack. Researchers have shown that it is possible to infiltrate into a vehicle’s internal system remotely and control the physical entities such as steering and brakes. It is quite possible to experience such attacks on a moving vehicle and unable to use the controls. These massive connected computers can be life threatening as they are related to everyday lifestyle. First part of this research studied the attack surfaces in the automotive cybersecurity domain. It also illustrated the attack methods and capabilities of the damages. Online survey has been deployed as data collection tool to learn about the consumers’ usage of such vulnerable automotive services. The second part of the research portrayed the consumers’ privacy in automotive world. It has been found that almost hundred percent of modern vehicles has the capabilities to send vehicle diagnostic data as well as user generated data to their manufacturers, and almost thirty five percent automotive companies are collecting them already. Internet privacy has been studies before in many related domain but no privacy scale were matched for automotive consumers. It created the research gap and motivation for this thesis. A study has been performed to use well established consumers privacy scale – IUIPC to match with the automotive consumers’ privacy situation. Hypotheses were developed based on the IUIPC model for internet consumers’ privacy and they were studied by the finding from the data collection methods. Based on the key findings of the research, all the hypotheses were accepted and hence it is found that automotive consumers’ privacy did follow the IUIPC model under certain conditions. It is also found that a majority of automotive consumers use the services and devices that are vulnerable and prone to cyber-attacks. It is also established that there is a market for automotive cybersecurity services and consumers are willing to pay certain fees to avail that.

Análisis de la influencia del fenómeno del ciberterrorismo en las dinámicas de seguridad de la Unión Europea

El fenómeno del ciberterrorismo se constituye como una nueva amenaza a la seguridad internacional, este fenómeno es el resultado de distintos procesos en el sistema internacional como el de la globalización. La definición del concepto se establece por la convergencia entre el ciberespacio y el terrorismo. El objetivo de esta investigación es explicar las distintas dimensiones del ciberterrorismo, métodos de ataque, acciones pasadas, propósito del fenómeno, situación actual y vulnerabilidades. El objeto de estudio de esta investigación es la Unión Europea como actor del sistema internacional que se ha visto afectado por este fenómeno. También se dará uso al aparato teórico de los complejos de seguridad desarrollado por Barry Buzan para evidenciar las nuevas amenazas del sistema internacional y analizar los procesos de securitización del fenómeno en el seno de la Unión Europea.

Incidencia de las agresiones a la seguridad cibernética en el desarrollo informático de las Fuerzas Armadas de Estados Unidos (2003-2013)

La presente investigación tiene como objetivo analizar la incidencia de las agresiones cibernéticas en el desarrollo informático de las Fuerzas Armadas de Estados Unidos. Los diferentes estudios que se han realizado sobre el ciberespacio se han enfocado en el papel del individuo como actor principal y se ha dejado de lado las repercusiones que éste ha tenido para el Estado, como un nuevo eje de amenazas. Teniendo en cuenta lo anterior, esta investigación demostrará a partir del concepto de securitización, que se busca priorizar la “ciberseguridad” dentro de la agenda del gobierno estadounidense. Al ser este un estudio que aborda experiencias concretas durante un periodo de tiempo de más de 10 años, el diseño metodológico de la investigación será longitudinal, ya que abarcará estudios, artículos, textos y resoluciones que se han realizado desde 2003 hasta la actualidad.

Plataformas de ejercicios de ciberseguridad

El objetivo principal de este proyecto es estudiar, desde un punto de vista práctico, las posibilidades que ofrece la plataforma de ejercicios de ciberseguridad propuesta por la Universidad de Rhode Island en Estado Unidos, denominada Open Cyber Challenge Platform (OCCP); para ello primero nos ubicaremos dentro del campo de la ciberseguridad, estudiando porqué este área está tomando tanta relevancia, observando datos de estudios reales realizados por instituciones de prestigio, al mismo tiempo estudiaremos la tendencia actual y futura de los ciberataques. Seguidamente, analizaremos el estado del arte de la enseñanza en ciberseguridad y como se está enfocando por parte de las universidades y empresas más importantes en el sector. En esta parte del sector se está imponiendo una novedosa forma para desarrollar el aprendizaje tanto práctico como teórico basada en simular situaciones reales mediante escenarios virtuales. Una vez vistas otras opciones, nos centraremos en OCCP, podremos estudiar el estado de desarrollo de esta plataforma, la situación actual y las principales características. Además detallaremos el primer escenario propuesto por ellos mismos, estudiando los principales componentes, la topología de la red virtual de la empresa virtualizada, los principales ficheros de configuración, e incluso la montaremos y ejecutaremos y podremos observar como el equipo rojo ataca el servidor web de la empresa que lo tiene que proteger el equipo azul y consigue que la web deje de funcionar. También incluiremos una guía de instalación del escenario para que el lector pueda probar con su propio ordenador las posibilidades de esta plataforma. VirtualBox es un programa gratuito de virtualización perteneciente a la empresa Oracle. Más adelante estudiaremos este programa centrándonos en el servicio web ofrecido por VirtualBox ya que es utilizado por la plataforma Open Cyber Challenge Platform como virtualizador o hipervisor. Podremos ver como suelen funcionar los servicios web de este tipo en general y después nos centraremos principalmente en el archivo descriptivo de las interfaces que ofrece esta plataforma. Finalmente, resumiremos los resultados y conclusiones proponiendo un trabajo futuro ya que como hemos dicho esta plataforma está en estado de desarrollo y seguramente al final de la lectura del proyecto incluso el lector se haya podido percatar del potencial tan elevado que tiene una plataforma de este estilo. ABSTRACT. The main objective of this project is to study, from a practical standpoint the possibilities offered by the cybersecurity exercises platform proposed by the University of Rhode Island in United States, called Cyber Challenge Open Platform (OCCP); therefore we will place first in the field of cybersecurity, studying why this area is taking so much relevance, watching real data studies by prestigious institutions and the current and future trend of cyber-attacks. Then, we will discuss the state of the art of teaching cybersecurity and how universities and major companies in the sector are focusing to reach the aims among students or workers. In this part of the sector it is increasing the popularity of a new way to develop both practical and theoretical learning based on simulating real situations through virtual scenarios. Once seen other options, we will focus on OCCP, we can study the state of development of this platform, the current situation and main characteristics. In addition we will detail the first proposed scenario by the very own university, studying the main components, the topology of the virtual network virtualized enterprise, the main configuration files, and even we would mount and execute it. We will see how the red team attacks the web server of the company and get it thrown out. At the same time the blue team will have to protect it. We will also include an installation guide of the scenario so that the reader can test in their own computer the possibilities of this tool. VirtualBox is a free virtualization program belonging to the Oracle enterprise. Later on we will study this program focusing on the web service provided by VirtualBox because it is used by the Open Cyber Challenge Platform like hypervisor. We will see how this kind of web services work and then we will focus mainly on the descriptive file of the interfaces provided by this tool. Finally we summarize the results and conclusions proposing a future work since as we have said this platform is in the development stage and certainly at the end of reading the project even the reader may have realized of such high potential as would have a tool of this kind.

Effective network security monitoring: from attribution to target-centric monitoring

Network security monitoring remains a challenge. As global networks scale up, in terms of traffic, volume and speed, effective attribution of cyber attacks is increasingly difficult. The problem is compounded by a combination of other factors, including the architecture of the Internet, multi-stage attacks and increasing volumes of nonproductive traffic. This paper proposes to shift the focus of security monitoring from the source to the target. Simply put, resources devoted to detection and attribution should be redeployed to efficiently monitor for targeting and prevention of attacks. The effort of detection should aim to determine whether a node is under attack, and if so, effectively prevent the attack. This paper contributes by systematically reviewing the structural, operational and legal reasons underlying this argument, and presents empirical evidence to support a shift away from attribution to favour of a target-centric monitoring approach. A carefully deployed set of experiments are presented and a detailed analysis of the results is achieved.

Analysis of Automotive Cybersecurity - Attack surfaces and users’ privacy concerns

Modern automobiles are no longer just mechanical tools. The electronics and computing services they are shipping with are making them not less than a computer. They are massive kinetic devices with sophisticated computing power. Most of the modern vehicles are made with the added connectivity in mind which may be vulnerable to outside attack. Researchers have shown that it is possible to infiltrate into a vehicle’s internal system remotely and control the physical entities such as steering and brakes. It is quite possible to experience such attacks on a moving vehicle and unable to use the controls. These massive connected computers can be life threatening as they are related to everyday lifestyle. First part of this research studied the attack surfaces in the automotive cybersecurity domain. It also illustrated the attack methods and capabilities of the damages. Online survey has been deployed as data collection tool to learn about the consumers’ usage of such vulnerable automotive services. The second part of the research portrayed the consumers’ privacy in automotive world. It has been found that almost hundred percent of modern vehicles has the capabilities to send vehicle diagnostic data as well as user generated data to their manufacturers, and almost thirty five percent automotive companies are collecting them already. Internet privacy has been studies before in many related domain but no privacy scale were matched for automotive consumers. It created the research gap and motivation for this thesis. A study has been performed to use well established consumers privacy scale – IUIPC to match with the automotive consumers’ privacy situation. Hypotheses were developed based on the IUIPC model for internet consumers’ privacy and they were studied by the finding from the data collection methods. Based on the key findings of the research, all the hypotheses were accepted and hence it is found that automotive consumers’ privacy did follow the IUIPC model under certain conditions. It is also found that a majority of automotive consumers use the services and devices that are vulnerable and prone to cyber-attacks. It is also established that there is a market for automotive cybersecurity services and consumers are willing to pay certain fees to avail that.

Enquadramento legal da Cibersegurança em Portugal e no Mundo

O cibercrime deixou há muito de ser uma palavra desconhecida para a generalidade da população mundial, sendo cada vez mais comum a execução dos mesmos por parte de indivíduos ou mesmo nações. Como tal, reveste-se de elevada importância a existência de uma resposta jurídica adequada às novas ameaças potenciadas pelo ciberespaço, a nível nacional e internacional. A evolução tecnológica levou à criação de novos elementos estratégicos, como os conceitos estratégicos de cibersegurança, e legislativos, com o objetivo de fazer face à especificidade da temática, tendo a União Europeia elaborado a Convenção de Budapeste sobre o Cibercrime de 23 de Novembro de 2001, e Portugal promulgado a Lei nº109/2009 de 15 de Setembro de 2009, a chamada Lei do Cibercrime. Apesar da existência da atual legislação, a ameaça pendente dos ciberataques tornou-se cada vez mais uma preocupação de todos os países, tendo em conta que um ataque no ciberespaço pode pôr em causa a sua segurança e soberania. Tendo estes factos em consideração, importa analisar qual o possível impacto dos ataques cibernéticos a nível nacional e das relações internacionais.