Abstracts of the Papers Presented at the International on ... · Continuity Model Xiaomi An,...

Abstracts of the Papers Presented at the

11th International Conference on Cyber Warfare and Security

ICCWS 2016

Hosted by Boston University Boston USA

17‐18th March 2016

Copyright The Authors, 2016. All Rights Reserved. No reproduction, copy or transmission may be made without written permission from the individual authors.

Review Process Papers submitted to this conference have been double‐blind peer reviewed before final acceptance to the conference. Initially, abstracts were reviewed for relevance and accessibility and successful authors were invited to submit full papers. Many thanks to the reviewers who helped ensure the quality of all the submissions.

This Booklet of abstracts and other conference materials is provided to conference participants for use at the conference.

Conference Proceedings The Conference Proceedings for this year and previous years can be purchased from http://academic‐bookshop.com Print version ISSN: 2048‐9870 Print version ISBN: 978‐1‐910810‐82‐8 E‐Book ISSN: 2048‐9889 E‐Book ISBN: 978‐1‐910810‐83‐5

Published by Academic Conferences and Publishing International Limited Reading, UK. +44‐118‐972‐4148. www.academic‐conferences.org

i

Contents

Paper Title Author(s) Guide Page

Page No

Preface viii iv

Committee ix v

Biographies xiii vii

Keynote Presentation Outlines 1

Control Systems Networks...What's in Your Building?

Daryl Haegley 3

Is Security Achievable? A Practical Perspective

Neal Ziring 3

Research Papers 5

Framing Media Coverage of the 2014 Sony Pictures Entertainment Hack: A Topic Modelling Approach

Eric Afful‐Dadzie, Stephen Nabareseh, Zuzana Komínk‐ováOplatková and Petr Klímek

7 1

Black Hole and Mobile Ad Hoc Network (MANET): A Simple Logi‐cal Solution

Abdullah Aljumah and Tariq Ahamad

7 9

Data Integration in the Development of Smart Cities in China: Towards a Digital Continuity Model

Xiaomi An, Shuyang Sun, Wenlin Bai and Hepu Deng

8 13

Attacker Skill, Defender Strategies and the Effectiveness of Migration‐Based Moving Target Defense in Cyber Systems

Noam Ben‐Asher, James Morris‐King, Brian Thomp‐son and William Glodek

9 21

War in 1s and 0s: Framing the Lexicon for the Digital age

Kevin Black and Michael David

10 31

ii


Page No

Analysis of Public Discourse About the Donbas Conflict in Russian Social Media

Radomir Bolgov, Olga Filatova and Andrey Tarnavsky

11 37

Pro‐Active Data Breach Detection: Examining Accuracy and Applicability on Personal Information Detected

Johnny Botha, Mariki Eloff and Ignus Swart

12 47

ExOShim: Preventing Memory Disclosure Using Execute‐Only Kernel Code

Scott Brookes, Robert Denz, Martin Osterloh and Stephen Taylor

13 56

Automating Cyber Offensive Operations for Cyber Challenges

Ivan Burke and Renier. van Heerden

14 66

On Dynamic Cyber Defense and its Improvement

Jim Chen and Gilliam Duvall 14 75

Information Security and Practice: The User’s Perspective

Nathan Clarke, Fudong Li, Steven Furnell, Ingo Stengel and Giorgio Ganis

15 82

Industrial Espionage ‐ Corporate Data Continues to Leak

Moses Dlamini, Jan Eloff, Maria Eloff

16 91

Supply Chain Decision Analytics: Application and Case Study for Critical Infrastructure Security

Nathan Edwards, Gio Kao, Jason Hamlet, John Bailon and Shane Liptak

17 99

Cyber Security in the Smart City of Dubai

Marios Panagiotis Efthymiopoulos

18 108

An Ontology for Digital Security and Digital Forensics Investigative Techniques

Dagney Ellison and Hein Venter

18 120

Combinatorial Optimization of Operational (Cyber) Attacks Against Large‐Scale Critical Infrastructures: The Vertex Cover Approach

Eric Filiol and Cécilia Gallais 19 129

iii


Page No

Wireless Intrusion Detection of Covert Channel Attacks in ITU‐T G.9959‐Based Networks

Jonathan Fuller, Benjamin Ramsey, John Pecarina and Mason Rice

20 139

Assessing the Feasibility of Conducting the Digital Forensic Process in Real Time

Tim Grant, Erwin van Eijk and HS Venter

21 147

Cyberwarfare: From the Trenches to the Clouds

Virginia Greiman 21 157

Z‐Wave Network Reconnaissance and Transceiver Fingerprinting Using Software‐Defined Radios

Joseph Hall, Benjamin Ramsey, Mason Rice and Timothy Lacey

22 164

A Framework for Categorizing Disruptive Cyber Activity and Assessing its Impact

Charles Harry 23 173

Cyberspace: The new Battlefield John Hurley and Lanier Wat‐kins

24 181

Quantifying Decision Making in the Critical Infrastructure

John Hurley and Lanier Wat‐kins

25 190

Building Blocks for National Cyberpower

JC Jansen van Vuuren, Graeme Plint, Louise Leenen, Jannie Zaaiman, Armstrong Kadyamatimba and J Phahlahmohlaka

26 197

Hofstede’s Cultural Markers in Successful Victim Cyber Exploitations

Andre Karamanian, Char Sample and Marc Kolenko

27 206

A Review and a Classification of Mobile Cloud Computing Security Issues

Mohamad Ibrahim Al Ladan 28 215

Theoretical Examination of the Cyber Warfare Environment

Martti Lehto 28 224

iv


Page No

Using Values‐Based Cultural Data to Shape Information Operations Strategies

Christine MacNulty and Julie Ryan

29 232

The Cyber‐Security State of our Nation: A Critique of South Africa’s Stance on Cyber‐Security in Respect of the Protection of Critical Information Infrastructure

Feroze Mohideen 30 236

Development of a Semantic‐Enabled Cybersecurity Threat Intelligence Sharing Model

Jabu Mtsweni, , Nobubele Angel Shozi, Kgwadi Matenche, Muyowa Mutemwa, Njabulo Mkhonto and Joey Jansen van Vuuren

31 245

Factors in Building a Transparent, Usable and Comprehensive User Privacy Policy System

Sarath Kumar Nagaraj and Adam Bryant

32 254

The Military Cyber‐Maturity Model: Preparing Modern Cyber‐Enabled Military Forces for Future Conflicts

David Ormrod and Benjamin Turnbull

32 262

Georgia‐Russia Military Conflict: The Experience of Multilevel Psychological Warfare

Evgeny Pashentsev 34 270

Cyberwarfare as a new Challenge for Latin America

Olga Polunina 35 277

SEBS‐Secure Emoticons Based Steganography

Khan Farhan Rafat and Junaid Hussain

36 281

How Secure is our Information Infrastructure?

Julie Ryan and Daniel Ryan 37 289

Big Data Privacy and Security: A Systematic Analysis of Current and Future Challenges

Nobubele Angel Shozi and Jabu Mtsweni

37 297

v


Page No

Pushing the Boundaries of Digital Diplomacy: The International Experience and the Russian Practice

Ivan Surma 38 305

An Assessment Model to Improve National Cyber Security Governance

Unal Tatar, Bilge Karabacakand Adrian Gheorghe

39 313

Enhancing Cybersecurity by Defeating the Attack Lifecycle

Lanier Watkins and John Hurley

40 321

Categorizing Code Complexities in Support of Analysis

Yan Wu and Frederick Tim Boland

41 329

Detecting a Weakened Encryption Algorithm in Microcontrollers Using Correlation‐Based Anomaly Detection

Justin Wylie, Samuel Stone and Barry Mullins

42 336

Real Time Early Warning DDoS Attack Detection

Konstantinos Xylogian‐nopoulos, Panagiotis Karampelas and Reda Alhajj

43 345

PHD Research Papers 45 353

What’s in Your Honeypot? Adam Brown and Todd An‐del

47 355

Feasibility of Applying Moving Target Defensive Techniques in a SCADA System

Cordell Davidson and Todd Andel

48 363

3D Visualization Applied to PRBGs and Cryptography

Michel Dubois and Eric Filiol 49 371

Securing Critical Infrastructure by Moving Target Defense

Vahid Heydari and Seong‐Moo Yoo

49 382

Cyber‐Warfare and Cyber‐Terrorism: Step to Learning to Knowing the Difference

Elizaveta Huttenlocher 50 391

vi


Page No

Requirements for Achieving Digital Forensic Readiness in the Clous Using an Agent‐Based Solution

Victor Rigworo Kebande 51 399

Proposed High‐Level Solutions to Counter Online Examination Fraud Using Digital Forensic Readiness Techniques

Ivans Kigwana and Hein Venter

51 407

The Role of Cultural Intelligence in Cyber Warfare

Elizabeth Viggiano 52 415

Masters Research Papers 55 423

Threats of Cyber Security and Challenges for Pakistan

Jawad Awan and Shahzad Memon

57 425

Comparison of Static Analysis Tools for Java Using the Juliet Test Suite

Thomas Charest, Nick Rodgers and Yan Wu

57 431

The Smartphone Evidence Awareness Framework for the Users

Innocentin Dlamini 58 439

Barriers to Extending Malware Detection Research

Sarath Kumar Nagaraj and Adam Bryant

59 450

Z‐Ranger: An Improved Tool Set for ZigBee Warwalking

Andrew Seitz and Benjamin Ramsey

60 456

Truncated Differential Attack on Block Cipher PRINCE

Satoshi Setoguchi, Yasutaka Igarashi, Toshinobu Kaneko, Kenichi Arai and Seiji Fuku‐shima

61 466

Comparison of Radio Frequency Based Techniques for Device Discrimination and Operation Identification

Barron Stone and Samuel Stone

62 475

vii

Non Academic Paper 63 485

How a Nuanced Approach to Organizational Loss may Lead to Improved Policies, Better Applied Technologies, and Greater Outcomes

Amie Taal, Jenny Le, Alex Ponce de Leon, Karin Jenson and James Sherer

65 487

Work In Progress Paper 67 495

A Process‐Oriented Intrusion Detection Method for Industrial Control Systems

Edward Colbert, Daniel Sul‐livan, , Steve Hutchinson, Kenneth Renard and Sidney Smith

69 497

Abstracts Only 71

The Limitations of Hard Disk Firewalls

John McCarthy and Adam Jeffreys

73

Abductions as PSYOP Strategy: Hamas as a Case in Point

Ron Schleifer 74

Cyber Maneuver Warfare and Active Cyber Defense

Jeffrey Simpson 74

Citation pages 77

Google Scholar The Importance of Paper citations and Google Scholar

79

Jotter Page Blank Paper for notes

viii

Preface

The 11thInternational Conference on Cyber Warfare and Security (ICCWS 2016) is being held at Boston University, Boston, USA on the 17‐18th March 2016. The Conference Chair is Dr Tanya Zlateva and the Programme Chair is Professor Vir‐ginia Greiman, both from Boston University.

ICCWS is a recognised Cyber Security event on the International research confer‐ences calendar and provides a valuable platform for individuals to present their research findings, display their work in progress and discuss conceptual and em‐pirical advances in the area of Cyber Warfare and Cyber Security. It provides an important opportunity for researchers and managers to come together with peers to share their experiences of using the varied and expanding range of Cyberwar and Cyber Security research available to them.

The keynote speakers for the conference are Daryl Haegley from the Department of Defense (DoD), who will address the topic Control Systems Networks...What's in Your Building? and Neal Ziring from the National Security Agency who will be providing some insight to the issue of Is Security Achievable? A Practical Perspec‐tive.

ICCWS received 125 abstract submissions this year. After the double blind, peer review process there are 43 Academic Research Papers 8 PhD papers Research papers, 7 Masters and 1 work‐in‐progress papers published in these Conference Proceedings. These papers represent work from around the world, including: Aus‐tralia, Canada, China, Czech Republic, District of Columbia, Finland, France, Israel, Japan, Lebanon, Netherlands, Pakistan, Russian Federation, Saudi Arabia, South Africa, Turkey, United Arab Emirates, UK, USA.

We wish you a most interesting conference.

Dr Tanya Zlateva Conference Chair

And

Professor Virginia Greiman Programme Chair

ix

Conference Committee Conference Executives Tanya Zlateva, Boston University, Massachusetts, USA Virginia A. Greiman, Boston University, Massachusetts, USA Mini track chairs Prof. Julie Ryan, D.Sc , George Washington University, Washington, DC, USA Dr. J. S. Hurley, National Defense University i College, Washington, DC, USA Dr. Nasser Abouzakhar, University of Hertfordshire, UK Ms. Larisa Breton, MPS, FullCircle Communications, USA Prof. Evgeny Pashentsev, Diplomatic Academy of the Ministry of Foreign Affairs of the Russian Federation, Russia Dr Greg Simons, Swedish National Defence University and Uppsala University Sweden Conference Committee Dr. Kareem Kamal A.Ghany, Faculty of Computers & Information, Egypt; Abukari Abdul Hanan, University For Development Studies, Ghana; Prof. Azween Abdullah, Malaysian University if Science and Technology, Malaysia; Dr. Nasser Abouzakhar, University of Hertfordshire, UK; Dr. Bulent Acma, Anadolu University, Eskisehir, Turkey; Dr. William Acosta, University of Toledo, USA; Gail‐joon Ahn, University of North Carolina at Charlotte, USA; Dr. Todd Andel, University of South Alabama, USA; Dr. Leigh Armistead, Edith Cowan University, Australia; Johnnes Arreymbi, University of East London, UK; Dr. Hayretdin Bahsi, Tallinn University of Technol‐ogy, Estonia; Prof. Richard Baskerville, Georgia State University, USA; Dr Zakariya Belkhamza, Universiti Malaysia Sabah, Malaysia; Dr. Noam Ben‐Asher, IBM/US Army Research Lab, USA; Prof. Alexander Bligh, Ariel University Center, Ariel, Is‐rael; Dr. Svet Braynov, University of Illinois, Springfield, USA; Ms Larisa Breton, FullCircle Communications, LLC, USA; Dr. Raymond Buettner, Naval Postgraduate School, USA; Ivan Burke, CSIR, Pretoria, South Africa; Dr. Jonathan Butts, AFIT, USA; Ass. Prof. Marco Carvalho, Florida Institute of Technology, USA; Dr. Joobin Choobineh, Texas A&M University, USA; Mr Ben‐Douglas Christie, HMRC, UK; Prof. Sam Chung, University of Washington, Tacoma, USA; Dr. Nathan Clarke, Uni‐versity of Plymouth, UK; Dr. Ronen Cohen, Ariel University Centre, Israel; Mr Edwin Covert, Booz Allen Hamilton, USA; Earl Crane, George Washington Univer‐sity, USA; Dr. Michael Dahan, Sapir College, Israel; Geoffrey Darnton, Require‐ments Analytics, UK; Dr. Dipankar Dasgupta, University of Memphis, USA; Evan Dembskey, UNISA, South Africa; Dorothy Denning, Naval Post Graduate School, USA; Jayanthila Devi, Anna University, India; Dr. Glenn Dietrich, University of Texas, Antonio, USA; Prokopios Drogkaris, University of the Aegean, Greece; Prof.

x

Mariki Eloff, University of South Africa, South Africa; Barbara Endicott‐Popovsky, University of Washington, Seattle, USA; Prof. Dr. Alptekin Erkollar, ETCOP, Austria; Dr. Cris Ewell, Seattle Children's, USA; Dr. Christophe Feltus, Luxembourg Institute of Science and Technology (LIST), Luxembourg; Ms. Alyssa Feola, United States Air Force, USA; Larry Fleurantin, Larry R. Fleurantin & Associates, P.A., USA; Dr. Ahmad Ghafarian, University of North Georgia,; Prof. Klaus‐Gerd Giesen, Univer‐sité d'Auvergne, France; Dr. Samiksha Godara, Shamsher Bahadur Saxena College Of Law, India; Prof. Dr. Tim Grant, Retired But Active Researcher, The Nether‐lands; Mr Murray Greg, Department of Navy , USA; Virginia Greiman, Boston Uni‐versity, USA; Dr. Michael Grimaila, Air Force Institute of Technology, USA; Daniel Grosu, Wayne State University, Detroit, USA, USA; Dr. Per Gustavsson, Combitech / Swedish Defence University / George Mason Univeristy, Sweden; Dr. Alasadi Hamid, Basra University, Iraq; Dr. Drew Hamilton, Mississippi State University, USA; Joel Harding, IO Institute, Association of Old Crows, USA; Dr. Douglas Hart, Regis University, USA; Dr. Dwight Haworth, University of Nebraska at Omaha, USA; Mr Vahid Heydari, University of Alabama in Huntsville, USA; Dr Ulrike Hugl, Accounting, Auditing & Taxation, Austria; Dr. John Hurley, National Defense Uni‐versity, USA; Prof. Bill Hutchinson, Edith Cowan University, Australia; Dr. Berg Hyacinthe, State University of Haiti, Haiti; Dr. Cynthia Irvine, Naval Post Graduate School, USA; Prof. Barry Irwin, Rhodes University, South Africa; Dr. Md Ruhul Is‐lam, Sikkim Manipal Institute of Technology, India; Ramkumar Jaganathan, VLB Janakiammal College of Arts and Science (affiliated to Bharathiar University), In‐dia; Russell James, Metropolitan Airports Commission, USA; Joey Jansen van Vuuren, CSIR, South Africa; Dr. Chen Jim, U.S. National Defense University, USA; James Joshi, University of Pittsburgh, USA; Prof. Leonard Kabeya Mukeba Yaka‐sham, ESURS/ISTA‐KIN & ASEAD, Democratic Republic of Congo; Dr Bilge Karaba‐cak, Freelance, USA; Dr. Anthony Keane, Institute of Technology Blanchardstown, Ireland; Ayesha Khurram, National University of Sciences &Technology, Pakistan; Michael Kraft, CSC, USA; Prashant Krishnamurthy, University of Pittsburgh, USA; Mrs Marina Krotofil, Hamburg University of Technology, Germany; Prof. Hennie Kruger, North‐West University, South Africa; Dr. Dan Kuehl, National Defense Uni‐versity, USA; Peter Kunz, Diamler, Germany; Takakazu Kurokawa, The National Defense Academy, Japan; Dr. Tuija Kuusisto, National Defence University, Finland; Rauno Kuusisto, Finnish Defence Force, Finland; Arun Lakhotia, University of Lou‐isiana Lafayertte, USA; Michael Lavine, John Hopkins University's Information Se‐curity Institute, USA; Louise Leenen, CSIR, Pretoria, South Africa; Tara Leweling, Naval Postgraduate School, Pacific Grove, USA; Dr. Andrew Liaropoulos, University of Piraeus, Greece; Dan Likarish, Regis University, Denver,, USA; Dr. Sam Liles, Purdue University, West Lafayette, USA; Mr Trupil Limbasiya, ITM Universe, India; Cherie Long, Georgia Gwinnett College. Lawrenceville, GA, USA; Juan Lopez Jr., Air Force Institute of Technology, USA; Dr. Bin Lu, West Chester University of PA,

xi

USA; Volodymyr Lysenko, University of Washington, USA; Fredrick Magaya, Kam‐pala Capital City Authority, Uganda; Dr. Bill Mahoney, University of Nebraska, Omaha, USA; Dr. John McCarthy, Cranfield University, UK; Dr. Todd McDonald, Air Force Institute of Technology, USA; Dr. Jeffrey McDonald, University of South Ala‐bama, USA; Dr. Robert Mills, Air Force Institute of Technology, USA; Dr. Nighat Mir, Effat University, Saudi Arabia; Dr. Apurva Mohan, Honeywell ACS Labs, USA; Ass. Prof. Dr. Salwani Mohd Daud, Universiti Teknologi Malaysia, Malaysia; Evan‐gelos Moustakos, Middlesex University, UK; Wilmuth Mueller, Fraunhofer Insti‐tute of Optronics, System Technologies and Image Exploitation ‐ IOSB, Germany; Dr. Srinivas Mukkamala, New Mexico Tech, Socorro, USA; Dr. Barry Mullins, Air Force Institute of Technology, USA; Dr. Lilian Nassif, Public Ministry of Minas Gerais, Brazil; Muhammad Naveed, University of Engineering and Technology, Peshawar, Pakistan; Dr. Funminiyi Olajide, Covenant University, Nigeria; Mr Arif Mohamed Ismail Oliullah, Jefferies International Lts, UK; Prof. Abdelnaser Omran, School of Economics, Finance and Banking, Universiti Utara Malaysia, Malaysia; Prof. Dr. Frank Ortmeier, Otto‐von‐Guericke Universität, Magdeburg, Germany; Rain Ottis , Cooperative Cyber Defence Centre of Excellence, Estonia; Prof. Evgeny Pashentsev, Diplomatic Academy of the Ministry of Foreign Affairs of the Russian Federation, Russia; Dr. Gilbert Peterson, , USA; Pete Peterson, Ministry of Foreign Affairs of the Russian Federation, USA; Andy Pettigrew, George Washington Uni‐versity, USA; Dr. Jackie Phahlamohlaka, Council for Scientific and Industrial Re‐search, Petoria, South Africa; Ms Heloise Pieterse, CSIR, South Africa; Engur Pisirici, Govermental ‐ Independent, Turkey; Dr. Ajeet Poonia, GOVT. College of Engineering & Technonogy, INDIA; Dr Bernardi Pranggono, Sheffield Hallam Uni‐versity, UK; Ms Trishana Ramluckan, Private, South Africa; Dr. Benjamin Ramsey, Air Force Institute of Technology, USA; Prof. Aunshul rege, Temple University, USA; Dr. Ken Revett, British University, Egypt; Lieutenant Colonel Ernest Robinson, U.S. Marine Corps / Air War College, USA; Dr. Neil Rowe, US Naval Postgraduate School, Monterey, USA; Daniel Ryan, National Defence University, Washington DC, USA; Julie Ryan, George Washington University, USA; Prof. Lili Saghafi, Cana‐dian International College, Montreal, Canada; Ramanamurthy Saripalli, Pragati Engineering College, India; Dr. Mark Scanlon, University College Dublin, Ireland; Corey Schou, Idaho State University, USA; Dr. Yilun Shang, Singapore University of Technology and Design, Singapore; Dr. Dan Shoemaker, Singapore University of Technology and Design, Singapore; Prof. Ma Shuangge, Yale University, USA; Mr. Paul Simon, Air Force Institute of Technology, USA; Dr. Elena Sitnikova, University of South Australia, Australia; Prof. Aelita Skarzauskiene, Mykolas Romeris Univer‐sity, Lithuania; Ass. Prof. Dr. Risby Sohaimi, National Defence University of Malay‐sia, Malaysia; William Sousan, University Nebraska, Omaha, USA; Dr. Joseph Spring, University of Hertfordshire, UK; Dr. William Spring, University of Hertford‐shire, UK; Prof. Michael Stiber, University of Washington Bothell, USA; Dr. Kevin

xii

Streff, Dakota State University, USA; Dennis Strouble, Air Force Institute of Tech‐nology, USA; Dr. ARWIN SUMARI, Indonesian Defense University, Indonesia; Dr. Ignus Swart, CSIR, South Africa; Mr. Unal Tatar, Turkish Cyber Security Associa‐tion, Turkey; Peter Thermos, Columbia Univeristy/Palindrome Technologies, USA; Dr. Bhavani Thuraisingham, University of Texas at Dallas, USA; Dr. Socaciu Tiberiu, University of Suceava, Romania; Mr. Patrick Tobin, University College Dublin, Ire‐land; Eric Trias, Air Force Institute of Technology, USA; Dr. Chia‐Wen Tsai, Ming Chuan University, Taiwan; Dr. Doug Twitchell, Illinois State University, USA; Dr. Shambhu Upadhyaya, University at Buffalo, USA; Renier van Heerden, CSIR, Preto‐ria, South Africa; Brett van Niekerk, University of KwaZulu‐Natal, South Africa; Prof. Hendrik Venter, University of Pretoria, South Africa; Stylianos Vidalis, New‐port Business School, Newport, UK; Prof. Kumar Vijaya, High Court of Andhra Pradesh, India; Dr. Natarajan Vijayarangan, Tata Consultancy Services Ltd, India; Sune Von Solms, Council for Scientific and Industrial Research, South Africa; Fahad Waseem, University of Northumbria, UK; Prof. Murdoch Watney, University of Johannesburg, South Africa; Prof. Dr. Bruce Watson, Stellenbosch University, South Africa; Dr. Kenneth Webb, Edith Cowan University, Australia; Mohamed Reda Yaich, École Nationale Supérieure des Mines, France; Enes Yurtoglu, Turkish Air War College, Turkey; Dr. Jannie Zaaiman, University of Venda, South Africa; Dr. Zehai Zhou, University of Houston‐Downtown, USA; Tanya Zlateva, Boston Uni‐versity, USA;

xiii

Biographies Conference Chair

Dr Tanya Zlateva earned her doctorate in information tech‐nology from the Dresden Institute of Technology, and has been a member of the faculty of Boston University since 1990. While her research interests have encompassed com‐putational modeling of visual perception, parallel and dis‐tributed processing, and pattern recognition, for the past ten years Dean Zlateva has focused on information security as

well as educational technologies. She is a founding director of the Boston Univer‐sity Center for Reliable Information Systems & Cyber Security (RISCS), which was instrumental in the University’s designation as a National Center for Excellence in Information Assurance Research and Education. The Dean will continue as co‐director of RISCS.

Programme Chair

Professor Virginia Greiman has published and lectured ex‐tensively on cyber law and cyber trafficking, international law and development, project management and finance, and international business transactions. She is an internationally recognized expert on mega‐project management and infra‐structure development, privatization and project finance, innovation megaprojects, and cyber‐law and security. She

served as deputy chief legal counsel and risk manager on Boston’s $15 billion dol‐lar “Big Dig” project, and has held several high‐level appointments for the United States government, including in Washington, D.C., and international legal counsel to the U.S. Department of State and the U.S. Agency for International Develop‐ment on privatization projects in Eastern and Central Europe, Africa and Asia. She serves as an advisor to some of the world’s largest megaprojects in the United States, Europe and Asia. Professor Greiman also holds part‐time teaching and academic appointments at both Boston University and Harvard University Law Schools.

xiv

Masterclass Facilitator

Dr Edwin “Leigh” Armistead is the Director of Business De‐velopment for Goldbelt Hawk LLC, the Programme Chair for the International Conference of Information Warfare and an Adjunct Lecturer for Edith Cowen University in Perth, Aus‐tralia. He has written nine books, 18 journal articles, pre‐sented 17 academic papers and served as a Chairman for 16 professional and academic conferences. Formerly a Master

Faculty at the Joint Forces Staff College, Leigh received his PhD from Edith CowanUniversity with an emphasis on Information Operations. He also serves as a Co‐Editor for the Journal of International Warfare, and the Editorial Review Board for European Conference on Information Warfare.

Keynote Speakers

Daryl Haegley has 25+ years of military and federal civilian experience, currently overseeing the cybersecurity and in‐formation risk management effort to modernize and inte‐grate real property, geospatial, and energy systems for the Department of Defense (DoD). He leads DoD policy devel‐opment and Technical Working Groups to standardize DoD’s Cybersecurity control baseline and overlay specifics for In‐

dustrial Control Systems (ICS) / Platform Information Technology (I‐PIT) systems, such as electronic (smart) meters and other embedded electronic control sys‐tems. Additionally leads the development of the Cybersecurity of Facility Control Systems Unified Facilities Guide (UFC) and the Enterprise Energy Information Management (EEIM) Capability initiative to standardized DoD processes and inte‐grate systems needed to systematically track, analyze, and report facility energy and related costs. He maintains four certifications, three Masters’ degrees, two college tuitions & one patent.

Neal Ziring is a technical director in the Information Assur‐ance Directorate (IAD) at NSA.

xv

Mini‐Track Chairs

Dr Nasser S. Abouzakhar is a senior lecturer at the University of Hertfordshire, UK. Currently, his research area is mainly focused on critical infrastructure security, cloud security and applying machine learning solutions to various Internet and Web security and forensics related problems. He received PhD in Computer Sci Engg in 2004 from the University of Sheffield, UK. Nasser worked as a lecturer at the University

of Hull, UK in 2004‐06 and a research associate at the University ofSheffield in 2006‐08. He is a technical studio guest to various BBC World Service Programmes such as Arabic 4Tech show, News‐hour programme and Breakfast radio pro‐gramme. Nasser is a BCS chartered IT professional (CITP), CEng and CSci and is a BCS assessor for the accreditation of Higher Education Institutions (HEIs) in the UK. His research papers were published in various international journals and con‐ferences.

Larisa Breton is an expert in strategic communication pro‐gram design, qualitative analysis, and audit/assessment, who participates at the national level on communication and cybersecurity/policy issues. As an academic‐practitioner, she has designed and presented MISO curriculum to the John F Kennedy School for Special Operations at Fort Bragg, and cybersecurity curriculum for the Daniel Morgan Academy in

Washington DC, and designed and taught counterterrorism and cybersecurity courses at the University of the District of Columbia. Her work, “Virtual NonState Actors as Clausewitzian Centers of Gravity”, is published in Leading Issues in In‐formation Warfare and Security Research, volume 2. Larisa is at work on her first book, “Cybersecurity for the Rest of Us: Planning for cybersecurity in a world run by digital natives,” the first of a series on inclusive security.

Dr. John S. Hurley is currently a Professor, Cyberspace Strat‐egies at the National Defense University (NDU) iCollege, Washington, DC. In addition, he serves as the Head of the Critical Infrastructure Protection Laboratory at NDU. He was selected as a 2015 MIT Seminar XXI Fellow. He has extensive experience and expertise in HPC/HTC and information re‐sources and information technology management over en‐

terprises. Previously, he worked as the Senior Manager, Distributed Computing in the Networked Systems Division, The Boeing Company, Bellevue, WA.

xvi

Prof Evgeny N. Pashentsev is a leading researcher at the Dip‐lomatic Academy of the Ministry of Foreign Affairs of the Rus‐sian Federation, a professor at Lomonosov Moscow State University. Director of the International Centre for Social and Political Studies and Consulting. A member of the advisory board at Comunicar Journal (Spain). Presentation of papers at more than 100 international conferences and seminars for the

last 15 years ( Moscow, Saint Petersburg, Birmingham, Sofia, Varna, Macao, Hel‐sinki, Stockholm, Uppsala, Madrid, Milan, Rome, Lueven, Prague, Braga, Vienna, Valencia, Istanbul, Leeds, Cracow, Cluj‐Napoka, Caracas etc.). Author/co‐author of 32 books on military regimes, political transformations under crisis conditions, communication management, and strategic communication published in Russian,

English, Italian, Serbian and Spanish.

Dr. Julie Ryan has been working in the field of information security for over 30 years. Starting out as an intelligence of‐ficer in the US Air Force, she has tackled problems in the mili‐tary, in government, in industry, and in academia. Currently, she is Associate Professor at the George Washington Univer‐sity where she teaches and directs research in information security, cyberwarfare, systems dynamics, and analytics. Her

degrees include B.S. from the U.S. Air Force Academy, MLS from Eastern Michigan University, and D.Sc. from George Washington University.

Dr Greg Simons is a senior researcher at the Swedish Defence University and Uppsala University. He is also a lecturer at Turiba University (Riga, Latvia) and an associated researcher at the Swedish Institute of International Affairs. He is an author or editor (including co‐editor) of nine books, more than 10 chapters in edited books, and approximately 50 articles and book reviews since the successful defence of my doctoral dis‐

sertation. His research focuses on political marketing, soft power, public diploma‐cy, and the role of politics and communication in armed conflicts.

xvii

Contributing Authors

Eric Afful‐Dadzie is a PhD Candidate at Tomas Bata University in Zlin, Czech Re‐public. He holds an MSc. in Systems Engineering and Informatics from Czech Uni‐versity of Life Sciences – Prague. He has published a number of articles in peer reviewed impacted journals such as Quality and Quantity, Kybernestes, Applied artificial intelligence among others.

Abdullah Aljumah, got his PhD from the University of Whales and is working as associate professor in the department of Computer Engineering, Prince Sattam Bin Abdulaziz University, Saudi Arabia.

Xiaomi An is a professor at School of Information Resources Management, Ren‐min University of China (RUC). She is leader of Information Resources Manage‐ment Team at Key Laboratory of Data Engineering and Knowledge Engineering (DEKE), Ministry of Education (MOE) at RUC.

Radomir Bolgov is a Senior Lecturer at the School of International Relations, St. Petersbur State University. He achieved a PhD in Political Science in 2011. He teaches the courses “Information Security”, “Information Society and Interna‐tional Relations”. His current studies focus on the Information Society policies and Information/Cyber‐Security in post‐Soviet countries.

Johnny Botha is a Software developer & researcher at the Council for Scientific and Industrial Research(CSIR). Studying my masters (MTech) degree in Informa‐tion Technology, at University of South Africa(UNISA). Topic: "Personal Identifi‐able Information Disclosure Since the Protection of Personal Information Act Adoption in South Africa"Obtained NDip and BTech degree in Computer Systems Engineering at the Tswane University of Technology(TUT).

Scott Brookes graduated from Dartmouth College in 2014 with a double major in Engineering Sciences and Computer Science. He is currently pursuing his Ph.D. under advisor Dr. Stephen Taylor at the Thayer School of Engineering at Dart‐mouth. His studies focus on kernel and hypervisor security.

Adam Brown is a Ph.D. student at the University of South Alabama’s School of Computing. He received his J.D. and M.B.A. from Florida State University in 2012. He received his B.S. in Mathematics and Statistics from the University of South Alabama in 2007. His research interests include cyber law, computer security, and attribution techniques.

xviii

Adam Bryant is an Assistant Professor of Computer Science and Engineering at Wright State University. He earned a BS in Social Psychology from Park University, an MS in Information Resource Management and Computer Science from the Air Force Institute of Technology (AFIT), and a PhD in Computer Science from AFIT in 2012.

Ivan Burke is a Msc student in the department of Computer Science at the Uni‐versity of Pretoria, South Africa. He also works full time at the Council of Scientific and Industrial Research South Africa in the department of Defense Peace Safety and Security, where he works within the Command, Control and Information War‐fare research group.

Thomas Charest currently a second year student for the M.S. in Computer Science at Bowling Green State University. He previously graduated from Hobart and Wil‐liam Smith Colleges with a B.A. in Computer science, and in Music. His main inter‐ests include mathematics, complexity theory, software development, software assurance, and playing the classical guitar.

Jim Chen is Professor of Systems Management / Cybersecurity in the iCollege at the U.S. National Defense University (NDU). His expertise is in cybersecurity tech‐nology and cybersecurity strategy. He is a recognized cybersecurity expert.

Nathan Clarke is a Professor of Cyber Security and Digital Forensics at Plymouth University. His research interests reside in the area of information security, bio‐metrics, forensics and intrusion detection and has over 130 outputs consisting of journal papers, conference papers, books, edited books, book chapters and pat‐ents.

Edward Colbert is a Research Fellow at ICF International. He manages cyber‐security research and a hardware testbed for Industrial Control Systems for the Army Research Laboratory (ARL). Dr. Colbert holds Bachelor and Master of Sci‐ence degrees from the University of Illinois, and Master of Science and PhD de‐grees from the University of Maryland.

Cordell Davidson earned a BSBA in Accounting from the University of Southern Mississippi and a MSCIS in Computer Science from the University of South Ala‐bama where he is presently pursuing a PhD in Computing. His research interest is software security and moving target defense.

Innocentia Zama Dlamini studied both her undergraduate and honours in Com‐puter Science, from University of Zululand, South Africa. She is currently finalising

xix

her MSc in Digital Forensics with the University of Pretoria; and also work for CSIR‐DPSS (Cyber Defence Research Group) as Cybersecurity Specialist and Re‐searcher, since 2008 to date.

Michel Dubois is national CISO of the French military medical service. Computer engineer and holding a Master in information system security, Michel has prac‐ticed CISO functions within the DoD for more than twenty years. Moreover, he is PhD student in cryptography at the Polytechnic School, teacher and researcher in the Operational Cryptology and Virology Laboratory in Laval.

Nathan Edwards is Senior Member of Technical Staff at Sandia National Laborato‐ries with expertise in embedded system design, failure analysis, and information security. His research efforts have focused on the security of critical embedded systems, including supply chain and lifecycle design assurance. He has a M.Sc. in Electrical and Computer Engineering.

Marios‐Panagiotis Efthymiopoulos is Assistant Professor of International Security and Strategy, American University in the Emirates in Dubai. He is also the Program Coordinator of the MA program in Strategic and Security Studies. He is the CEO of Strategy International Think tank. And is an advisor to the Presidency of Cyprus through the Geostrategic Council of Cyprus. His last appointed position was at Columbia University’s Harriman Institute.

Dagney Ellison is South African but was raised in London, England. She has stud‐ied both in the UK and in Pretoria, South Africa. Dagney completed her under‐graduate degree in Computer Science at the University of Aberdeen in 2013 and is currently working on her Masters in digital forensics at the University of Pretoria.

Jan Eloff is appointed as a full professor in Computer Science at the University of Pretoria, South Africa. His main research interests are Cybersecurity and Data Science.

Jonathan Fuller is a Telecommunications Systems Engineer in the US Army Pursu‐ing a Master's of Science in Computer Science at the Air Force Institute of Tech‐nology. Interests include computer and network security with emphasis in vulner‐ability analysis and exploitation of wireless sensor networks.

Tim Grant is retired but an active researcher (Professor emeritus, Netherlands Defence Academy). Tim has a BSc in Aeronautical Engineering (Bristol University), a Masters‐level Defence Fellowship (Brunel University), and a PhD in Artificial In‐telligence (Maastricht University). Tim's research focuses on the operations‐

xx

technology interplay in network‐enabled Command & Control systems and in of‐fensive cyber operations.

Joseph Hall is a graduate student in the Department of Electrical and Computer Engineering at the Air Force Institute of Technology. His research focuses on the security of low‐rate wireless personal area networks.

Charles Harry is vice president for cyber and analytic solutions at Blackpoint Technologies, LLC, and a Research Scholar at the Center for International and Se‐curity Studies at Maryland. Dr. Harry holds degrees in Economics and History from the University of Colorado. He was awarded a PhD in Policy Studies from the Uni‐versity of Maryland.

Vahid Heydari received the BS and MS degrees in computer engineering. He is a PhD student in electrical and computer engineering and a MS student in cybersecurity at the University of Alabama in Huntsville. His research interests include wireless network security and moving target defense. He is a student member of ACM, IEEE Communication Society. Elizaveta Huttenlocher received her bachelor’s degree in international relations, concentrating in conflict and security at the George Washington University in 2012 and received a master’s degree in diplomacy and international relations in 2015. She currently works to improve cyber and nuclear security policy for NGO, private and government partners.

Joey Jansen van Vuuren is the research group leader of the Cyber Defence Group at the CSIR. She gives the strategic direction for the research group and is mainly involved in research for the SANDF and Government sectors on cybersecurity, government policy and implementation of cybersecurity frameworks and pro‐grams required to ensure national cybersecurity for South Africa.. She has pub‐lished over 30 peer‐reviewed conferences, journal papers and book chapters on both in local and international forums and has been in academia and research for more than 30 years. She was also a keynote at an international conference and wrote an academic text book. Andre Karamanian, CCIE Emeritus, is currently an advanced threat consultant at Cisco. He has worked in the field of security for 17 years. He is the author of "PKI Uncovered: Certificate‐Based Security Solutions for Next‐Generation Networks." Along with many industry certifications, He regularly speaks at conferences, pub‐lishes, and has multiple patents. His current research is a collaboration which ex‐amines the influence of culture on cyber behaviors, with Dr. Char Sample. His goals include developing a generalized framework applying human behavioral

xxi

analysis against cyber behavior in a quantitative, operational model. He and his wife Kathleen and daughter live in Durham NC.

Victor Kebande is a PhD researcher at the University of Pretoria in the field of Cloud Forensic Readiness at the department of computer science, University of Pretoria. He is a member of institute of information technology professionals of South Africa (IIPTSA) and an active member of Information and Computer Security Architectures(ICSA) research group. His research interest are in cloud forensics and internet security Ivans Kigwana has BSc Information‐Technology from Uganda Christian University. He obtained his BScHons Computer‐Science from North‐West University. Cur‐rently he’s working towards MSc in Computer‐Science at University of Pretoria. He is a member of the Information and Computer‐Security Architecture Research Group at the same university, IEEE graduate‐student member. His research inter‐ests include Digital‐Forensics, System and Network‐Security.

Martti Lehto, Adjunct professor, PhD (Military Sciences), Col (G.S.) (ret.) has over 30 years of experience as developer and leader of C4ISR Systems in Finnish De‐fence Forces. He is now a Cyber security researcher and teacher in the University of Jyväskylä. He has over 70 publications, research reports and articles on areas of C4ISR systems, cyber security and defence, information warfare and defence pol‐icy.

Feroze Mohideen is a full‐time employee of KPMG South Africa in the department of Technology Advisory and works as a Senior Analyst in the Information Protec‐tion and Business Resilience service line. He has an Honours degree in Computer Science and has passed the Certified Information Systems Auditor, COBIT Founda‐tion and Certified Vulnerability Assessor exams.

Jabu Mtsweni is currently a Research Group Leader at the Council for Industrial and Scientific Research (CSIR) in the Cyber Defence Research Group in Pretoria, South Africa. He is also an academic associate at the University of South Africa (UNISA), supervising Masters and PhD students. His research interests are: Re‐verse Engineering, Cyber Threat Intelligence, Crowdsourcing and web services.

Sarath Kumar Nagaraj is a graduate student in the department of Computer Sci‐ence and Engineering at Wright State University. His current academic interests include human computer interaction, malware detection, user privacy, and user experience design. Prior to beginning the graduate program, Sarath worked as a systems engineer at Tata Consultancy Services Ltd.

xxii

David Ormrod is an Australian Army officer and Ph.D. Candidate studying at the Australian Defence Force Academy in Canberra, ACT. He is the Chief of Army Foundation Scholar for 2015.

Nick Rodgers earned his Bachelor’s of Science in Information Systems from Brig‐ham Young University in 2009 and is pursuing a Master's of Science in Computer science from Bowling Green State University. Research interests include computer security, code readability, natural language processing, and digital video technol‐ogy.

Muzaffer Satiroglu is a captain in the Army and is currently working in the IT de‐partment and has done for about 5 years. He has been in Fort Gordon, Augusta, GA for 8 mounts for the Information System Management course.

Andrew Seitz is currently pursuing his Master’s degree in Cyber Operations at the Air Force Institute of Technology (AFIT). His research interests include wireless sensors, cyber security, and network penetration testing.

Satoshi Setoguchi received the B.E. degree in electrical and electronics engineer‐ing from Kagoshima University, Japan, in 2014. He is currently pursuing the M.E. degree in electrical and electronics engineering at Kagoshima University. His re‐search is involved with the cryptanalysis of symmetric‐key cryptography.

Jeff Simpson has 30 years of development and management experience across the government, commercial and academic spaces and is currently the Lead Ar‐chitect for the DI2E Framework PMO with focus on Service Discovery and In‐teroperability. Jeff deployed to Afghanistan as a consultant for Intelligence and Operations from HQ ISAF in Kabul to RC‐South in Kandahar

Barron Stone earned his bachelor of science in electrical engineering from Rice University. After college, he became a product marketing engineer for FPGA‐based modular instruments at National Instruments. Today, Barron is serving as a US Air Force officer and is attending the Air Force Institute of Technology to earn a master’s degree in electrical engineering. Shuyang Sun is a PhD candidate of the School of Information Resources Manage‐ment at Renmin University of China, specialization at information resources man‐agement.

Amie Taal is a remarkably talented and highly driven professional offering over 30 years of experience working with computers and over twenty‐four years' experi‐

xxiii

ence as a digital forensic investigator and IT Security, eDiscovery and Data Analyt‐ics Specialist dealing with civil and criminal matter within the public and private sector including the Big 4 and other accounting firms.

Ünal Tatar holds a BSc degree in Computer Engineering and an MS degree in Cryptography. He is currently pursuing a PhD in Engineering Management and Systems Engineering. He is the former coordinator of the National Computer Emergency Response Team of Turkey (TR‐CERT). His main topics of interest are cybersecurity policy, cybersecurity incident management and risk management.

Hein Venter is one of the founding members and current head of the Information and Computer Security Architectures (ICSA) Research Group in the University’s Department of Computer Science. He is also the chair of the Information Security for South Africa (ISSA) national conference and the South African Institute of Computer Science. His research interests are in computer and Internet security, which include network security, Intrusion detection and information

Elizabeth Viggiano is a doctoral candidate at George Washington University’s De‐partment of Engineering Management and Systems Engineering researching the intersection of cultural intelligence and information security. She has a BS and MEng in Operations Research from Cornell University and 10 years experience in information security with the Department of Defense.

Lanier Watkins is currently a Senior Professional Staff II member of the Asymmet‐ric Operations Sector of the Johns Hopkins University Applied Physics Laboratory (JHU/APL) and Associate Research Scientist at the JHU Information Security Insti‐tute. Prior to joining APL, Lanier served as a senior engineer and product manager at the Ford Motor Company and AT&T.

Yan Wu is working as an assistant professor at Computer Science Department of Bowling Green State University, and she previously was a guest researcher in SAMATE team at NIST. She received her Ph.D. degree in Information Technology in 2011 from the University of Nebraska at Omaha. Her research interests are software engineering and software assurance. Justin Wylie received a Bachelor of Science degree in Electrical Engineering from The Citadel in Charleston, South Carolina. Since graduation in 2010, he has served in the United States Air Force as a developmental engineer, and is currently pur‐suing a Master of Science degree in Electrical Engineering at the Air Force Insti‐tute of Technology.

xxiv

Konstantinos Xylogiannopoulos is a PhD Candidate in Computer Science at Uni‐versity of Calgary, with studies in Mathematics, IT and Finance. His research fo‐cuses on Big Data Mining and Pattern Detection, with the use of innovative data structures and algorithms. Research has been applied on many diverse fields like Mathematics, Bioinformatics, Finance, Frequent Itemsets Detection etc.

1

Keynote

Presentation Outlines

3

Control Systems Networks...What's in Your Building? Daryl Haegley Control Systems Cybersecurity, USA Mr Haegley will discuss control systems cyber security vulnerabilities, current and forthcoming government guidance, protection strategies and opportunities for academia focus in control systems environments. Examples of where control sys‐tems are prevalent: weapons systems, training simulators, diagnostic test and maintenance equipment, calibration equipment, research and development, medical devices and health information technologies, vehicles, buildings and their associated control systems (building automation systems or building management systems, energy management system, fire and life safety, physical security, eleva‐tors, etc.), utility distribution systems (such as electric, water, waste water, natu‐ral gas and steam), industrial control systems including supervisory control and data acquisition, direct digital control, programmable logic controllers, advanced metering or sub‐metering, etc.

Is Security Achievable? A Practical Perspective Neal Ziring NSA, USA Recent experiences with cyber attacks and data breaches indicate that many of our operational IT systems are not secure. Attacks have succeeded even against target organizations that had invested substantially in security processes and products. This talk will examine why effective security is so difficult to achieve, and will present a pragmatic model for thinking about security investment. NSA's Information Assurance Directorate has deep experience in protecting and defend‐ing systems; the talk will conclude with seven key factors founded on that experi‐ence for making security achievable.

5

Research

Papers

7

Framing Media Coverage of the 2014 Sony Pictures Enter‐tainment Hack: A Topic Modelling Approach

Eric Afful‐Dadzie, Stephen Nabareseh, Zuzana Komínová Oplatková and Petr Klímek Faculty of Applied Informatics, Tomas Bata University in Zlin, Czech Repub‐lic

Abstract: The Sony Pictures Entertainment hack of 2014, whiles not the biggest in the history of cyber invasion and terrorism, was however by far the most intense‐ly covered in the news media. The political angle it assumed and the release of confidential data of some of the world’s top celebrities, made it news worthy around the world. As the event brought focus on the issue of cyber terrorism, receiving traction in major news outlets around the world, the central theme as far as the hacking incident and its response in local and international media has not all been clear. Using the Latent Dirichlet Allocation (LDA) algorithm of auto‐mated topic modelling, this paper explores the essential themes in news coverage as reported in international and local media around the world. The approach is intended to extract interestingness measures in words usage in an attempt to inject semantic meaning into the narrative and vocabulary used in the media cov‐erage of the incident. With large textual corpora, extracted on monthly basis, ma‐jor news topics on the hacking incident in the US and the international media are compared. The results also help to create a monthly timeline story of events re‐vealing inconsistencies as well as obvious similarities in the topics making news in both US and the rest of the world as far as the hacking event is concerned.

Keywords: Sony Pictures Entertainment, topic modelling, news framing, Latent Dirichlet Allocation (LDA), Text mining

Black Hole and Mobile Ad Hoc Network (MANET): A Simple Logical Solution

Abdullah Aljumah and Tariq Ahamad College of Computer Engineering and Sciences, Prince Sattam Bin Abdu‐laziz University, KSA

Abstract: An ad hoc network is a temporary network for a specified work. Even after ensuring security, there are many other security threats that resist its growth and uses. Modern mobile gadgets are capable of creating economical, reliable, dynamic and self configuring networks but their main capabilities SAAS,

8

PAAS, IAAS and wireless communication are being exploited and resisted by Ad Hoc Networks. The major issue with these networks is the security and that is what is exploited by the modern industry and determines its level of security and makes it easier to attack. The main aim of this research is to understand the core elements of Ad Hoc Networks and its routing protocols before, during and after network attacks. Black hole is one of the most serious issue with this network as well and in this research article we will discuss how to make it more reliable and more attack resistant network.

Keywords: ad hoc, black hole

Data Integration in the Development of Smart Cities in China: Towards a Digital Continuity Model

Xiaomi An1, 2, Shuyang Sun1, 2, Wenlin Bai2, 3 and Hepu Deng1, 4 1School of Information Resource Management, Renmin University of China, Beijing, China 2Key Laboratory of Data Engineering and Knowledge Engineering of the Ministry of Education, Renmin University of China, Beijing, China; 3Business School of Nankai University, Tianjin, China 4School of Business Information Technology and Logistics, RMIT University, Australia

Abstract:This paper presents a digital continuity model for managing big data in the development of smart cities in China. A mix‐methods approach including site visits, document analysis, interviews and case study is adopted in the study, lead‐ing to the identification of four challenges with respect to data provenance, data stakeholders, data processing, and data risk management and several big data governance problems including data assurance, data loss, data trustiness, data security and data reusability in the development of smart cities. To effectively tackle such challenges and adequately address these problems, a digital continui‐ty model is proposed as a holistic approach to managing big data resources that can be tracked, traced, linked and exploited for the sustainable development of smart cities in China. The proposed model can be used to guide the development of a national strategy for the integration of big data resources to improve data assurance, data integrity, data trustiness, data security and data reusability in the provision of smart city services.

Keywords: data integration, digital continuity, data governance, smart city, big data, China

9

Attacker Skill, Defender Strategies and the Effectiveness of Migration‐Based Moving Target Defense in Cyber Sys‐tems

Noam Ben‐Asher1, 2, James Morris‐King2, Brian Thompson2 and Wil‐liam Glodek4 1IBM T.J. Watson Research Center, Yorktown Heights, USA 2U.S. Army Research Laboratory, Adelphi, USA 4BreakPoint Labs, Dunn Loring, USA

Abstract: Despite the significant effort directed toward securing important cyber systems, many remain vulnerable to advanced, targeted cyber intrusion. Today, most systems which provide network services employ a fixed software stack that includes an operating system, web servers, databases, and a virtualization layer. This software mix as a whole constitutes the attack surface of the host, and a vul‐nerability in one or more of these services is a threat to the security of the entire system. Moving target defense (MTD) aims to increase the security of a system against successful intrusion by increasing an attacker’s uncertainty of the attack surface. Platform migration is a form of MTD that entails changing the virtualized software stack configuration of a system. We consider a scenario in which an at‐tacker gathers information and then selects and launches an attack against a tar‐get system which is implementing a platform migration defense (PMD). We use agent‐based simulation to evaluate the MTD’s effectiveness depending on the capabilities of the attacker and defender. In particular, we focus on two core characteristics of a PMD: (i) migration rate, the frequency at which the platform is changed, and (i) platform diversity, the number of platform configurations availa‐ble, as well as two dimensions of an attacker’s capabilities: (i) reconnaissance skill, the ability to collect accurate information regarding the target system, and (ii) arsenal size, the number of usable exploits at the attacker’s disposal. We perform simulation experiments to evaluate a defender’s ability to protect itself against a spectrum of attackers ranging from “script‐kiddies” to state‐sponsored actors. Our results indicate that increased platform diversity results in a lower rate of successful attacks, even in cases where the attacker has near‐perfect information regarding the target system, but that this may come at a cost in functionality of the system. Furthermore, although the strength of an attacker is often measured by their ability to develop or acquire a large arsenal of available exploits, recon‐naissance skill may be just as important a determinant for the success of an attack as the arsenal size. Our analysis provides insight into the relationship between attacker and defender capabilities, which can help inform decision‐making pro‐

10

cesses of cyber defenders and lay the grounds for effective automation of cyber maneuvers.

Keywords: moving target defense, platform diversity, migration, attacker skill, modeling, reconnaissance

War in 1s and 0s: Framing the Lexicon for the Digital age

Kevin Black and Michael David National Intelligence University, USA

Abstract: This paper is written for military Commanders, planners, and practition‐ers. It attempts to place the discussion of cyberwarfare in terms more familiar to them. Presenting the concepts in these common terms provides for an accessible discussion on the usage of cyber capabilities in support of national/military ends, while drawing distinctions between conventional operations and their cyber counterparts. The intent in the work is to demystify cyber‐means for military pro‐fessionals while demonstrating its operational relevance and considerations asso‐ciated with their employment. The focus has been placed not on discovery of a new approach or depicting the flaws in a given theory, but on drawing attention to the operational relevancy of cyber capabilities by placing them in terms of con‐ventional operations and operational design. Ideally, by describing functional par‐allels between traditional military operations and cyber activities, baseline con‐siderations may be drawn that support a more informed discussion of strategy in the information age. Moreover, discussing cyber capabilities in an operational context should assist in identifying opportunities for employment, leading to the operationalization of cyber capabilities, and making those capabilities applicable to more than Combatant Commanders. The paper relates cyber considerations in terms of Defend, Reinforce, Attack, Withdraw, Delay, and Employ Restricted Ca‐pabilities (DRAW‐DE), making the topic more broadly relevant to military practi‐tioners. While network defense operations carry their own level of specific con‐siderations, an inability to discuss network considerations in terms of traditional military operations has created some difficulties in planning and execution. By framing network operations in terms of their effects vis‐à‐vis traditional military operations, and then identifying the underlying concepts that restrict their use, the intent is to place the field of study in accessible terms. By placing network operations in accessible terms, they should be more broadly embraced as opera‐tionally relevant to Commanders and planners alike, and their considerations will be more easily folded into traditional actions. The article is based on studies con‐ducted at the Anthony G. Oettinger School at NIU, and founded on years of expe‐rience in matters appropriate to the field of study. The views expressed do not

11

reflect the official policy or position of the National Intelligence University, the Department of Defense, the U.S. Intelligence Community, or the U.S. Govern‐ment.

Keywords: military planning, cyberwarfare, information operations

Analysis of Public Discourse About Donbas Conflict in Russian Social Media

Radomir Bolgov1, 2, Olga Filatova1, 2 and Andrey Tarnavsky1 1Saint Petersburg State University, Saint Petersburg, Russia 2ITMO University, Saint Petersburg, Russia

Abstract: This paper provides an analysis of the reports in the Russian social me‐dia (Facebook, VK, Instagram and Twitter) during the escalation of the armed con‐flict in Donbas (from January to March 2015) on topics related to the conflict. These include institutional actors (the executive and legislative branches at the federal level and officially registered political parties) and political individuals. We examined only the textual messages belonging to the subjects of the sample. Re‐posts from the pages of other actors were not included in the database. The au‐thors hypothesize the existence of two divergent discourses which characterize differently the armed Donbas conflict in the social media. To confirm the hypoth‐esis the authors devised an analysis technique that is optimal for discourse analy‐sis in political studies. The technique involves two levels of discourse analysis ‐ identifying key conceptual metaphors in both alleged discourses (positively or negatively characterizing the Donbas insurgents) and the identification of the se‐mantic opposition "us‐them", implemented within the framework of metaphors. On the basis of this approach to textual analysis we can identify the metaphorical images of the conflict as a whole (in our case, the armed conflict in Donbas), which concepts are used, and, subsequently, the conceptual metaphors they cre‐ate. Initially, the hypothesis of existence of two divergent threads that offer dif‐ferent characterizations of the armed Donbas conflict in the social media was fully confirmed, based on the analysis of the conceptual metaphors of discourse and of semantic oppositions in the metaphors. If we talk about the similarities of these discourses, in both cases most of the conceptual metaphors are based on the negative concepts that signify the opposing party of a conflict. We have noted the great emotional debate, as well as a multiplicity of discourses, depends on the political views of their actors.

Keywords: public discourse, conflict in Donbas, social media, social media, dis‐course analysis

12

Pro‐Active Data Breach Detection: Examining Accuracy and Applicability on Personal Information Detected

Johnny Botha1, 2, M. Eloff1, and Ignus Swart2 1Institute for Corporate CitizenshipUNISA, Pretoria, South Africa 2CSIR, Pretoria, South Africa

Abstract: Data breaches remain a common occurrence affecting both companies and individuals alike, despite promulgated data protection legislation worldwide. It is unlikely that factors causing data breaches such as incorrect device configura‐tion or negligence will stop unless effective enforcement of relevant legislation is applied. While several information privacy regulators exist, the dominant norm is to respond reactively on reported incidents. Reactive response is useful for clean‐ing up detected breaches but does not provide a clear indication of the level of personal information available on the internet since only reported incidents are taken into account. The possibility of pro‐active automated breach detection has previously been discussed as a capability augmentation for existing privacy regu‐lators. By pro‐actively detecting leaked information, detection times can poten‐tially be reduced to limit the exposure time of Personal Identifiable Information (PII) on publicly accessible networks. At present the average time for data breach detection is in excess of three months internationally and breach discovery it most often not by the data owner but an external third party increasing exposure of leaked information. The duration of time that data is exposed on the internet has severe negative implications since a significant portion of information dis‐closed in data breaches have been proven to be used for cybercrime activities. It could then be argued that any reduction of data breach exposure time should directly reduce the opportunity for associated cyber‐crime. While pro‐active breach detection has been proven as potentially viable in previous work, numer‐ous aspects of such a system remain in question. Aspects such as legality, detec‐tion accuracy and communication with affected parties and alignment with priva‐cy regulator operating procedures are all unexplored. The research presented in this paper considers the results obtained from two iterations of such an experi‐mental system that was conducted on the South African .co.za domain. The first iteration conducted in early 2014 was used as a baseline for the second iteration that was conducted one year later in 2015. While the experiment was conducted on the South African cyber domain, the concepts are applicable to the interna‐tional environment.

Keywords: data breach, legislation, privacy, personal identifiable information, protection of personal information act, pro‐active security

13

ExOShim: Preventing Memory Disclosure Using Execute‐Only Kernel Code

Scott Brookes, Robert Denz, Martin Osterloh and Stephen Taylor Dartmouth College, USA

Abstract: Information leakage and memory disclosures are significant threats to the security of modern operating systems. If an attacker is able to obtain the bina‐ry‐code of a program, it is then possible to reverse‐engineer its source‐code, un‐cover vulnerabilities, craft exploits, and subsequently patch together code‐segments to form code‐reuse attacks. These activities are particularly concerning when the program is a device driver or the operating system kernel, since these facilitate privilege‐escalation and the ability to persist and hide. While execute‐only code is a way to inhibit memory disclosures, the current x86 64‐bit virtual memory implementation does not provide the capability to enforce execute‐only access permissions. The authors present their implementation of ExOShim: a nov‐el, 325‐line, lightweight shim hypervisor layer employing Intel’s commodity virtu‐alization features that can be dynamically inserted beneath a running kernel to prevent memory disclosures by marking its code execute‐only. Unlike alternative approaches that operate only on user‐level applications, ExOShim utilizes self‐protection and hiding techniques that guarantee its integrity even in the event that the attacker is able to gain root‐level access. The technology can be com‐bined with fine‐grained compile‐ and load‐time diversity to mitigate the additional threat of indirect memory disclosures. These concepts have been integrated with‐in an experimental MINIX‐like 64‐bit microkernel. While the concepts are general and could be applied to other operating systems, their implementation is subtle and requires a detailed understanding of the kernels interaction with its virtual memory layer and consideration at boot‐time to load kernel code and kernel data on distinct pages of memory. Early evaluations quantify ExOShim’s code size and complexity, run‐time performance cost, and effectiveness in thwarting infor‐mation leakage. ExOShim provides complete MULTIC‐like execute‐only protection for kernel code at a runtime‐performance overhead of only 0.86% due to the ad‐vanced modern caching techniques in the x86 architecture. Overall, this paper contributes the presentation, implementation, and evaluation of a lightweight tool for enforcing execute‐only access control permissions on kernel code using the virtualization features of the modern x86‐64 architecture.

Keywords: protection mechanisms, execute‐only memory, memory disclosure exploits, information leaks, code reuse attacks, virtualization, access control

14

Automating Cyber Offensive Operations for Cyber Challenges

Ivan Burke and R.P. van Heerden CSIR, Pretoria, South Africa

Abstract: Cyber awareness training has become a growing industry, with more and more organisations starting to focus on training personnel on how to behave in a secure manner when engaging in cyber operations. Cyber challenges place participants in realistic cyber defence scenarios in order to provide training under fire. This paper documents steps taken to develop an automated attack capability for use within a cyber challenge environment. The challenges discussed within this paper focuses on cyber challenges conducted within developing countries, such as South Africa, but the principles discussed within this paper aim to be ap‐plicable to be applicable to all cyber challenges in general. The researchers based their work on prior publications covering threat modelling, construction of cyber security testbeds and planning of offensive cyber operations. The work presented in this paper is a practical application of an ontological model for cyber attack scenarios.

Keywords: cyber challenges, ontology, attack automation

On Dynamic Cyber Defense and its Improvement

Jim Chen and Gilliam Duvall DoD National Defense University, Fort McNair, Washington, USA

Abstract: In recent years, it is not uncommon to hear that computing systems and even devices with embedded computing systems in both public sector and private sector were hacked even though investment in cybersecurity had been made to protect these systems and devices. This dilemma has puzzled the people who are concerned, especially senior leaders. It clearly indicates that there are flaws in the current approaches in cyber defense. A close examination of these approaches reveals that they are generally static in nature, i.e. they have not been architectured to be flexible enough in dealing with variations of the same attacks or zero‐day types of attacks, and the whole defense posture is fortress‐based de‐fense. Hence, dynamic cyber defense is naturally called for. Coupled with the pro‐posal for dynamic defense provided by Lamb et al. (2012) is the proposal for Mov‐ing Target Defense (MTD), which is “continuously changing a system’s attack sur‐face” to thwart cyber attacks, according to Casola et al. (2013). However, it is not clear when a change should be initiated, what change should be used, and how long one change should last. What is more, making an asset a truly randomized

15

moving target for MTD is always a big challenge. This paper intends to explore an innovative answer to address these challenges. It proposes a new strategic and systematic solution applying the Cybersecurity Strategy Formation Framework put forward in Chen (2014). Specifically, the proposed solution utilizes the concept of contextual analysis in figuring out cost‐effective and function‐effective course of actions in randomizing the appearance of asset guided by contexts. This solution is then applied to a specific scenario for to prove the concepts. The areas for fur‐ther research are also suggested. This paper improves the research in dynamic cyber defense, which employs game‐changing elements such as adaptiveness and complexity.

Keywords: cyber, dynamic defense, moving target defense, contexts, contextual analysis

Information Security and Practice: The User’s Perspective

Nathan Clarke1,4, Fudong Li1, Steven Furnell1,4, Ingo Stengel2 and Giorgio Ganis3 1Centre for Security, Communications and Network Research, Plymouth University, UK 2University of Applied Sciences Karlsruhe, Germany 3Faculty of Health & Human Sciences, Plymouth University, UK 4Security Research Institute, Edith Cowan University, Western Australia

Abstract: The use of Information Technology (IT) has become common practice in our everyday lives both for business and private purposes. While people enjoy the convenience that IT offers, it also poses various security threats if not used properly, including malware, hacking, and information disclosure. Unfortunately, the scale and consequence of cyber threats has increased significantly year‐on‐year despite various security controls having been developed and deployed. It is evident that end users play a significant role within the information security do‐main, as they are frequently the primary target and the main force behind inci‐dents. Nonetheless, whilst there are annual security surveys for organisations, less effort were given regarding assessing how individuals practice information security by the research community. Therefore, this paper presents a survey that investigates user’s IT security practice and behaviour. In total, 400 respondents were surveyed during a five month period (i.e. November 2014 – March 2015). Overall, the results demonstrate that end users practice better IT security than typically thought although it appears only at a relatively basic level. For example, whilst a reasonably good proportion of participants (66%) claimed that they never

16

share their passwords with others, 76% have used the same password on multiple sensitive accounts. Almost three quarters (72%) of responders never click on links or attachments within emails from unknown sources, but this is significantly re‐duced (to 36%) when someone they knew sent the email. Two‐thirds of users (65%) do appreciate the importance of antivirus software as they always keep their antivirus software updated; however, less care is given to other applica‐tions/systems as only 44% would do the same and more alarmingly 65% even cancel or delay the security update process. Over two thirds (68%) of participants do not always backup their data, and only half of the participants (53%) claimed that they always destroy their data before hardware disposal. The results of the survey suggest that whilst levels of awareness are improving, there is still a signifi‐cant gap between existing and required levels of information security knowledge and practice. Arguably, users are currently being overwhelmed by the burden being placed upon them to remain secure. The range of technologies they use (60% using more than 3 devices), the widespread use of online services (89% us‐ing at least 5 IT services) highlight users are becoming or have become technology dependent but perhaps without being security savvy.

Keywords: end‐user, IT security, survey

Industrial Espionage: Corporate Data Continues to Leak

Moses Dlamini1, 2, Jan Eloff1 and Maria Eloff3 1Department of Computer Science, University of Pretoria, Pretoria, South

Africa, 2Discipline of Computer Science, University of KwaZulu Natal, Dur‐

ban, South Africa, 3Institute for Corporate Citizenship, University of South Africa, Pretoria, South Africa Abstract: A press release from the White House, dated 25 September 2015, states that the USA and China have agreed to collaborate in a number of global chal‐lenges. An agreement was reached that the two respective governments will not knowingly support theft of confidential business information. Access to advanced integrated IT infrastructures such as cloud has empowered many businesses eco‐nomically but unfortunately also made them vulnerable to threats such as the leakage or theft of any confidential information, including business information. The problem is that it is nowadays much easier for confidential information to leak especially when businesses that are in competition with each other, share the same cloud infrastructure. Furthermore, it is difficult for Cloud Service Provid‐ers (CSP’s) to control the sharing of resources such as competitors sharing the same physical node in a cloud. The key contributions of this paper are the identifi‐cation of security challenges, requirements for preventing leakage of confidential

17

business information and an approach to show how the physical placement of a business’s data in the cloud can be controlled based on conflict‐of‐interest clas‐ses. Keywords: cloud computing, conflict‐of‐interest, data leakage, security require‐ments

Supply Chain Decision Analytics: Application and Case Study for Critical Infrastructure Security

Nathan Edwards1, Gio Kao1, Jason Hamlet1, John Bailon1 and Shane Liptak2 1Sandia National Laboratories, Albuquerque, USA 2U.S. Army Retired (former member of U.S. Strategic Command J6 ‐‐ Command, Control, Communications and Computer Systems), USA

Abstract: Today’s globalized supply chains are complex systems of systems char‐acterized by a conglomeration of interconnected networks and dependencies. There is a constant supply and demand for materials and information exchange with many entities such as people, organizations, processes, services, products, and infrastructure at various levels of involvement. Fully comprehending supply chain risk (SCR) is a challenging problem, as attacks can be initiated at any point within the system lifecycle and can have detrimental effects to mission assurance. Counterfeit items, from individual components to entire systems, have been found in commercial and government systems. Cyber‐attacks have been enabled by suppliers’ lack of security. Furthermore, there have been recent trends to in‐corporate supply chain security to help defend against potential cyber‐attacks, however, we find that traditional supply chain risk reduction and screening meth‐ods do not typically identify intrinsic vulnerabilities of realized systems. This paper presents the application of a supply chain decision analytics framework for assist‐ing decision makers in performing risk‐based cost‐benefit prioritization of security investments to manage SCR. It also presents results from a case study along with discussions on data collection and pragmatic insight to supply chain security ap‐proaches. This case study considers application of the framework in analyzing the supply chain of a United States Government critical infrastructure construction project, clarifies gaps between supply chain analysis and technical vulnerability analysis, and illustrates how the framework can be used to identify supply chain threats and to suggest mitigations.

Keywords: supply chain risk management, supply chain security, risk analysis, decision support systems, security, critical infrastructure

18

Cyber Security in Smart City of Dubai

Marios Panagiotis Efthymiopoulos American University in the Emirates, Dubai, UAE

Abstract: The city of Dubai emerges as a leading partner in technology innovation. It now designs a new model of smart city infrastructure. Leadership in the country and in each city hold a ‘Grand Strategy’ framework. It is part of a global‐local at‐tempt for the city and the government to become a prime example of develop‐ment, stability and security. Strategic aim is to wire the city of Dubai by 2020, a date for upcoming World Exposition of 2020 (Dubai Government, 2014). This em‐pirical paper attempts to explore, critically analyze and recommend towards the Dubai Strategic Development City model. The paper concentrates on the smart city initiative design and application for the city of Dubai. While the smart city initiative develops, the need for smart cyber‐security is also in request. As such, this paper holds a multidisciplinary and multi‐level approach: It puts forward mul‐tileveled combined proposals in the field of business and economic development, security and strategic management as policy and possible processes. It reflects the policy of grand strategy and security, innovation and infrastructure. As empir‐ical evidence the paper explores the city of Dubai as this is an impressive and in‐novative city. Considering the new policy orientation on cyber‐security this paper strategically attempt to link the security element to the smart city model on its way to welcome the “Dubai 2020 World Exposition” (Dubai Government, 2014).

Keywords: cyber‐security, development, democracy, smart cities, infrastructure, Dubai, Expo 2020, strategic planning, future

An Ontology for Digital Security and Digital Forensics In‐vestigative Techniques

Dagney Ellison and Hein Venter University of Pretoria, Pretoria, South Africa

Abstract: Digital security and digital forensics both centre on the same point – a digital incident. While digital security focuses on preventative measures, digital forensics focuses on reactive measures. Techniques applied on either side of the digital incident are many and scattered amongst a myriad of resources such as books, conference papers, journals and the internet. The aim of this paper is to present the beginnings of an ontology which would be useful in consolidating techniques within the fields of digital security and digital forensics into a single, structured, query‐able repository of knowledge. Detailed steps of the ontology development methodology chosen are given as well as an overview of a system that might contain this ontology. This research draws on methodologies, stand‐

19

ards and other various proposed ontologies within the fields of digital security and digital forensics in order to create a central, structured knowledge base. This would provide a single convenient point of access for digital forensic examiners and academics in the fields of digital security and digital forensics to locate tech‐niques. Techniques are stored along with metadata such as where the technique is applicable and on which file types the techniques work. This metadata is then queried against in order to retrieve techniques. The results of this research pro‐vide a means with which the benefits of ontologies can become realised for the fields of digital security and digital forensics. Information within these two fields can be shared amongst both humans and software agents and certain assump‐tions made within the domains can be made explicit. The consolidation of the two fields provides clearer links between techniques that pertain to a specific digital incident. This paper, therefore, discusses the tools used as well as the initial mod‐el.

Keywords: ontology, knowledge base, digital security, digital forensics, tech‐niques, ISO 27043

Combinatorial Optimization of Operational (Cyber) Attacks Against Large‐Scale Critical Infrastructures: The Vertex Cover Approach

Eric Filiol1 and Cécilia Gallais2 1ESIEA, Laval, France 2TEVALIS, Rennes, France

Abstract: Recent attacks against critical infrastructures, like the electrical grids, have shown that it is possible to take down an entire infrastructure by targeting only a few of its components. To prevent or minimize the effects of this kind of attacks, it is necessary to identify the components whose disruption, damage or destruction can lead to the paralysis of an infrastructure. These components are said critical for the infrastructure. A particular pattern of the graph theory is stud‐ied here to identify the critical components of an infrastructure: the vertex cover. This implies that the infrastructure is represented by a graph. Every kind of com‐ponents of an infrastructure is taken into account, including the external and hu‐man ones, which increase greatly the size of the graph but also provide a more complete representation of the infrastructure. To illustrate how the vertex cover can be useful for the identification of the critical components, the electrical pow‐er grid of the United States is used as an example. It is shown how it is possible to build an attack scenario against it with the results of the vertex cover algorithm that is applied on the model of the electrical power grid. Two main points of view exist to study the security of an infrastructure: the defender point of view and the

20

attacker point of view. In this paper, the latter is privileged and it is the determi‐nation of attack scenarios against an infrastructure which allows the evaluation of its security.

Keywords: terrorism, critical infrastructure, vertex cover, coordinated attacks

Wireless Intrusion Detection of Covert Channel Attacks in ITU‐T G.9959‐Based Networks

Jonathan Fuller, Benjamin Ramsey, John Pecarina and Mason Rice Air Force Institute of Technology, Wright‐Patterson AFB, USA

Abstract: We introduce herein an information hiding technique for injecting ma‐nipulated packets into wireless sensor networks (WSNs). We exhibit how an at‐tacker can apply information hiding as a type of covert channel attack over radio frequency transmissions into the WSN. The feasibility of our injection method is demonstrated through an attack on the most common implementation of the ITU‐T G.9959 recommendation, commercially known as Z‐Wave. More specifical‐ly, we illustrate that after accessing a Z‐Wave gateway controller through com‐promising the WLAN backbone, the attacker has the ability to install malware. The malware scans incoming Z‐Wave packets for information hidden in Media Access Control (MAC) frames received by the Z‐Wave controller. Upon identification of hidden information, a Reverse Secure Shell is initiated through the WLAN back to the attacker. The outcomes of this attack include control of the Z‐Wave network and access to the networked devices on the target WLAN from any Internet con‐nected device. Given this new application of information hiding techniques to Z‐Wave networks, we recognize the need for countermeasures. We therefore offer an effective Misuse‐based Intrusion Detection System (MBIDS) capable of distin‐guishing between manipulated and correctly formed packets. A Universal Soft‐ware Radio Peripheral (USRP) Software‐Defined Radio (SDR) is used in conjunction with a packet monitoring tool capturing incoming transmissions and inspecting them for any violations of the ITU‐T G.9959 MAC specification. We then analyti‐cally and experimentally estimate the efficacy of the USRP as a packet capture device in a realistic test setup, and then evaluate the total efficiency of our MBIDS solution. By employing the MBIDS in the Z‐Wave network, we show the MBIDS is capable of detecting packet manipulation attacks with 92% mean accuracy.

Keywords: covert channel, wireless sensor networks, wireless threats, Z‐Wave, intrusion detection

21

Assessing the Feasibility of Conducting the Digital Foren‐sic Process in Real Time

Tim Grant1, Erwin van Eijk2 and HS Venter3 1R‐BAR, Benschop, The Netherlands 2Netherlands Forensic Institute, Ministry of Security and Justice, The Hague, The Netherlands 3Department of Computer Science, University of Pretoria, South Africa

Abstract: It is understandable when victims of a cyber attack want to retaliate, whether this be termed hacking‐back, pro‐active defence, or offensive operations. They may want to cut short a long‐duration denial of service, to eliminate a ter‐rorist threat, to deter a repetition of the attack, or simply to wreak revenge. Apart from the legal issues, counter‐attacking is currently not practicable. Before a counter‐attack can be unleashed, a professional organization must first assess the damage, the techniques the attacker used, and identify who the attacker is. In short, a digital forensic process must occur. In current practice, the digital forensic process starts only after the incoming attack has finished, and takes many months to complete. Ideally, however, it should deliver results in real time. This paper assesses the feasibility of speeding up the process, based on the recently‐published ISO 27043 standard. The related literature on digital forensic process models and on professional offensive cyber operations is briefly surveyed. The temporal requirements for speeding up digital forensics are identified. The ISO 27043 processes are assessed against these temporal requirements. Finally, con‐clusions are drawn and recommendations made for further work.

Keywords: offensive cyber operations, retaliation, hack‐back, pro‐active defence, counter‐attack, digital forensics, ISO 27043: 2015

Cyberwarfare: From the Trenches to the Clouds

Virginia Greiman Boston University, Boston, USA

Abstract: This paper explores the issues impacting a cohesive, integrated, unified global strategy among regional and national governments to fighting cyber wars in the new 5th domain of cyberspace.To understand better the challenges of de‐veloping a unified system of cyber governance, a comparative analysis of interna‐tional, national and cloud security strategies in the European Union and 5 coun‐tries including the United States was conducted.In addition, in the course of the research, the author has analyzed the literature, case studies and government and private industry data and reports concerning the present and future chal‐

22

lenges they face in developing a strategy that addresses the uniqueness of cyber‐space as a wartime battlefield. Through empirical research, the paper identifies the meaning of cyber warfare under national cyber security strategies and military cyber strategies and the common themes and differences in these strategies.The international definition of what constitutes a “use of force” is examined and the distinction between a cyber‐attack and a “use of force” is explored by considering both, the effects of, and intent behind, a cyber‐attack.The purpose of the re‐search is to understand the barriers to the development of an international strat‐egy on cyber warfare, and the benchmarks required to measure the effectiveness and appropriateness of these strategies under international law including the law of armed conflict.Article 4 of the NATO treaty and Article 51 of the United Nations Charter are examined to identify the problems and challenges of applying the traditional legal regime under this new domain and the obligations of consulta‐tion. The paper concludes with a series of recommendations to develop a frame‐work that could measure the success of the goals and objectives of these strate‐gies.

Keywords: cyber warfare, cyber law, national security strategies, cyber security, cloud security

Z‐Wave Network Reconnaissance and Transceiver Finger‐printing Using Software‐Defined Radios

Joseph Hall, Benjamin Ramsey, Mason Rice and Timothy Lacey Air Force Institute of Technology, Wright‐Patterson AFB, USA

Abstract: Wireless Sensor Networks (WSNs) are a growing subset of the emerging Internet of Things (IoT). WSNs reduce the cost of deployment over wired alterna‐tives; consequently, use is increasing in home automation, critical infrastructure, smart metering, and security solutions. Few published works evaluate the security of proprietary WSN protocols due to the lack of low‐cost and effective research tools. One such protocol is ITU‐T G.9959‐based Z‐Wave, which maintains wide acceptance within the IoT market. Concurrently, the use of software‐defined ra‐dios (SDRs) is experiencing significant growth due to low‐cost and open‐source platforms. Using SDRs, network security professionals are able to evaluate WSNs and identify avenues of attack which historically required large investments in RF equipment and specialized skill sets. Recent work introduces Scapy‐radio, a gener‐ic SDR‐based wireless monitor/injection tool, designed to simplify the develop‐ment of penetration testing capabilities for wireless networks. Other works demonstrate methods for fingerprinting transceivers for the IEEE 802.11b and IEEE 802.15.4 standards by analyzing packet reception rates when preamble lengths are manipulated. This work significantly expands Scapy‐radio, providing

23

broad support for the Z‐Wave protocol using the low‐cost HackRF SDR to investi‐gate cooperative and non‐cooperative fingerprinting techniques. Specifically, this work demonstrates transceiver type fingerprinting through experimental analysis of packet reception with respect to preamble length across eight devices from five manufactures, utilizing the two most widely‐used Z‐Wave transceivers. Further‐more, this work presents EZ‐Wave, a set of Z‐Wave network reconnaissance tools capable of network discovery and enumeration, device fingerprinting, and gather‐ing device status information. Herein this work successfully demonstrates meth‐ods for conducting network reconnaissance on a Z‐Wave Home Area Network and transceiver type fingerprinting through preamble manipulation with greater than 99% accuracy.

Keywords: internet of things, wireless sensor networks, Z‐Wave, transceiver fin‐gerprinting, software‐defined radios

A Framework for Categorizing Disruptive Cyber Activity and Assessing its Impact

Charles Harry University of Maryland, College Park, USA

Abstract: While significant media attention has been given to the volume and range of cyber attacks, the inability to measure and categorize disruptive events has complicated efforts of policy makers to push comprehensive responses that address the range of cyber activity. While organizations and public officials have spent significant time and resources attempting to grapple with the complex na‐ture of these threats, a systematic and comprehensive approach to categorize and measure disruptive attacks remains elusive. This paper addresses this issue by differentiating between exploitive and disruptive cyber events, proposes a formal method to categorize five types of disruptive events, and measures their impact along three dimensions of analysis. Scope, magnitude, and duration of disruptive cyber events are analyzed to locate each event on a Cyber Disruption Index (CDI) so organizations and policymakers can estimate the aggregated effect of a mali‐cious act aimed at impacting their operations. Using the five different event clas‐ses and the CDI estimation method makes it easier for organizations and policy makers to disaggregate a complex topic, contextualize and process individual threats to their network, and target where increased investment can reduce the risk of specific disruptive cyber events.

Keywords: cyber, disruption, effect, categorization, measurement, index

24

Cyberspace: The new Battlefield

John Hurley1 and Lanier Watkins2 1JPME and Cyber‐L Department, National Defense University, iCollege, Washington, USA, 2Information Institute, the Johns Hopkins University, Baltimore, USA

Abstract: Conventional conflicts (up to and including wars), primarily exercised under the purview of the military, have been waged in part due to a wide range of issues, such as: political disagreements; fights for certain freedoms, independ‐ence, and rights; and battles waged over power, control, and territories, to name a few. Past conflicts (especially those carried out under military command) for the most part, were engaged within certain ‘rules of engagement’ often defined by the philosophies and cultural experiences of renown military strategists like Clausewitz, Jomini, Machiavelli, and Sun Tzu. Those battles, often due in large part to self‐serving interests that could culminate in significant gains in territories and resources dominated many of the conflicts (Landscape Metrics, 2015). Increasing‐ly, we now see a broader spectrum of reasons for conflict, as they relate to poli‐tics, culture, economy, religion, and ethnicity. It is important to see how technol‐ogy has transformed the battlefield from those seen in the conventional domains (air, land, sea, and space) to the new domain, cyberspace. The low cost of entry into cyberspace has dramatically changed the battlefield. In cyber conflicts we see the ‘warfront’ having evolved from the conventional domains which were under strict military control to one in which the public and private sectors are not only affected by outcomes but now must play a significant role in how such conflicts are resolved. In addition, the new players, (individuals, communities, nations, and especially non‐nation states) operate under a new set of rules—there are no rules, i.e., everything constitutes a viable option. In this paper, we focus on cyber conflicts and how the cultural differences of these three communities have plagued the ability for a cohesive response against attackers and perpetrators. We pursue the relevance of culture and norms of the environment and their in‐fluence on ‘warfare’ tactics in the cyberspace domain. We also look at the con‐cept of trust and deterrence. Our results indicate the need for a different model to work through the differences in culture if better collaboration between the communities is to take place. In addition, we see that an approach that includes cyber deterrence framed in the context of active defense provides optimism on future outcomes.

Keywords: conventional battlefields, actors, extremists, strategic weapons, cyberwarfare

25

Quantifying Decision Making in the Critical Infrastructure

John Hurley1, Lanier Watkins2, Vern Wendt1, Andrew Gravatt1and Mark McGibbon 1JPME and Cyber‐L Department, National Defense University, iCollege, Washington, USA 2Information Security Institute, the Johns Hopkins University, Baltimore, USA

Abstract: In this paper, we examine ways to better position senior leaders to make critical decisions to protect and defend their information assets against cyber‐attacks. There has been, for obvious reasons, consistent pressure for en‐gagement and cooperation between governments, the private sector, and other stakeholders. However, historically, there has been mistrust and lack of collabora‐tion between the three communities largely because of concerns of the fallout from information sharing and concerns that the government might impose more regulations on the commercial sector. In the context of our discussion, infor‐mation assets are divided into two categories based on relevant technologies, i.e., information technologies (IT) and operational technologies (OT). The IT side is focused on the Internet Protocol (IP) systems. The OT side, on the other hand, is focused onindustrial control systems (ICS) that have a significant impact on the way critical environments enable us to acquire and sustain desired qualities of life. The OT side is the one in which a discussion of weapons of mass destruction (WMD) might have merit. For a collapse or failure of some of the sectors desig‐nated as critical infrastructure could have catastrophic and long‐term impact on essential services and functionality that are critical to our survival. Nowhere is the importance of collaboration between the public, private, and government sectors more important than in the critical infrastructure (CI). Though a large amount of the critical infrastructure is owned by the private sector, it is considered by the Department of Homeland Security (DHS) to be essential in the nation’s national economic and physical security, national public health or safety, or any combina‐tion thereof (Critical Infrastructure, 2015). The Internet has become a game changer, in thatit has become an ‘equalizer’ of sorts due to its adoption by many governments, especially the industrialized nations, as the world has transitioned to a global economy. The transformative changes that we see illustrate how tech‐nology and the Internet have brought greater convenience and functionality to the three communities (public, private, and government) and the adverse impact they can have on the critical infrastructure. Historically, the concern has been for attacks from nation states that generally had a large military and a heavily stock‐piled resource‐base (including huge cash amounts). The asymmetry within the

26

cyber domain has created an unexpected balance that has now brought a new wave of committed players, including as non‐nation states to a level of influence that requires them to be reckoned with and no longer ignored. As a result, senior leadership is much more cautious in its approach to decision making because of the potential consequences. This is especially true because cyber assets, though so valuable can be also so vulnerable. In this study, we will discuss a method that moves decision making from a ‘gut’, experience or insight‐based, qualitative ap‐proach to a more data‐centric, quantifiable approach. This approach supports more certainty of senior leaders in the major decisions on how to optimize the performance and security of the critical infrastructure through targeted and more accurately placed cyber investments.

Keywords: critical infrastructure, quantify, conventional, decision making, better predictor

Building Blocks for National Cyberpower

JC Jansen van Vuuren1,3, Graeme Plint2, Louise Leenen1,3, Jannie Zaaiman3, Armstrong Kadyamatimba3and J Phahlahmohlaka1 1Defence Peace Safety and Security: CSIR, Pretoria, South Africa 2Department of Defence, Pretoria, South Africa 3University of Venda, Thoyandou, South Africa

Abstract: With the advancement of technology and proliferation of mobile and computing devices through all levels of society, cyber power is becoming an in‐creasingly prominent driver in the attainment of national security for any state. This paper investigates the national cyberpower environment by analyzing the elements of cyberspace as part of national security. To understand cyberpower as a contributor to national security, one must identify and analyze the elements of national cyberpower and how they interrelate to national power. In his discussion on national power, David Jablonsky(Jablonsky, 1997) distinguishes between natu‐ral and social determinants of power. In addition, Jablonsky refers to the Ray Cline’s formula (Cline, 1993) to determine a rough estimate of “perceived” na‐tional power by focussing primarily on a state’s capacity to wage war (Jablonsky, 1997). The problem posed is how cyberpower can be best positioned within Jablonsky’s proposed model for national power and the formula of Cline. In this paper, the formula for Perceived Power (PP) will be adapted for use in cyberspace to create a similar formula for Perceived Cyberpower (PCP) in context that will primarily focus on a state’s capacity for cyberwarfare.

Keywords: cyberpower, national power, national security, cyber defence

27

Hofstede’s Cultural Markers in Successful Victim Cyber Exploitations

Andre Karamanian1, Char Sample2 and Marc Kolenko3 1Cisco, USA 2ICF International at Army Research Labs, USA 3Information Innovators Inc., USA

Abstract: Hofstede, Hofstede and Minkov (2010) observed that culture acts as “software of the mind”.According to Hofstede et al. (2010), culture influences behaviour and motivation for behaviour. This phenomenon may also be connect‐ed to underlying behaviours that inadvertently lead to successful exploitation. This study was undertaken in order to determine if a statistical relationship be‐tween culture and successfully exploited government and military websites housed in victim countries. The researchers relied on the use of quantitative sta‐tistical techniques to inform and support decisions. While the researchers provide some cursory analysis on the meaning of the results, the nature of the study is quantitative, and reliant upon statistical findings. The mental software referred to by Hofstede et al. (2010) should logically extend into computer network attack behaviours. Sample (2013), Sample and Karamanian (2014), successfully inferred this relationship when examining the relationship between nationalistic, patriotic website defacements and Hofstede’s cultural dimensions. In 2015 Sample &Karamanian (2015) extended the research by statistically comparing Domain Name System Security Extensions adoption and rejection rates; thereby, adding defence characteristics to the body of knowledge. However, these studies did not directly address specific attack vectors success against target countries assets. This study advances the research by examining the existence of the culture and cyber relationship along with the direct relationship between successful attacks types and target countries’ culture. The preliminary findings affirm the existence of a relationship between culture, specifically masculine cultural values and de‐faced .mil and.gov websites. The analysed data displayed significant findings across the masculine/feminine dimension. The tests performed were quantitative and included group means comparison tests. Additionally, differences were ob‐served between SQL‐injection sites and brute force attack on IIS sites.

Keywords: cyber behaviours, Hofstede, cultural dimensions, political patriotic and revenge (PPR) defacements, attack vectors, victims, brute force attacks, SQL‐injection

28

A Review and a Classifications of Mobile Cloud Compu‐ting Security Issues

Mohamad Ibrahim Al Ladan Computer and Information Systems Department, Rafik Hariri University, Mechref, Dammour, Lebanon

Abstract: Cloud computing is one of the latest developments in the IT industry. It is an emerging technology paradigm that migrates current technological and computing concepts into utility‐like solutions similar to electricity and water sys‐tems. In addition, with the popularity of mobile devices and mobile computing and their integration with cloud computing we end up with a new IT paradigm called Mobile Cloud Computing. In this paradigm, cloud computing provides the infrastructure, platform, and software services to mobile users through mobile devices and mobile networks. Mobile Cloud Computing offers a wide range of benefits including configurable computing resources, economic savings, and ser‐vice flexibility. However, the full use and adoption of this new IT paradigm is hin‐dered by numerous new security and privacy issues and concerns. In this paper we will investigate, review, and discuss the new security issues introduced by the use of mobile cloud computing, profoundly analyzing the security issues from three different aspects: mobile devices, wireless networks, and cloud infrastruc‐ture.

Keywords: mobile cloud computing security, mobile devices security, cloud com‐puting security, mobile cloud computing

Theoretical Examination of the Cyber Warfare Environment

Martti Lehto University of Jyvaskyla, Jyväskylä, Finland

Abstract: As there is no generally accepted definition for cyber warfare it is quite liberally used in describing events and action in the digital cyber world. The con‐cept of cyber warfare became extremely popular from 2008‐2010, partly super‐seding the previously used concept of information warfare which was launched in the 1990s. For some, cyber warfare is war which is conducted in the virtual do‐main. For others, it is a counterpart of conventional ‘kinetic’ warfare. According to the OECD’s 2001 report, cyberwar military doctrines resemble those of so‐called conventional war: retaliation and deterrence. Researchers agree with the notion that the definition of cyberwar should address the aims and motives of war, ra‐ther than the forms of cyber operations. They believe that war is always wide‐

29

spread and encompasses all forms of warfare. Hence, cyber warfare is but one form of waging war, used alongside kinetic attacks.The new capacities of armed forces create new possibilities, both the kinetic and non‐kinetic use of force in cyberspace. Cyber era capabilities make possible operations in the new non‐linear and indefinite hybrid cyber battlespace. It must be possible to seamlessly inte‐grate the decision‐makers, actors and all types of manned and unmanned plat‐forms in the air, on the surface, under the surface, in space and in cyberspace.The main trends that are changing the cyber battlespace are networking, time short‐ening, the increasing amount of data, proliferation of autonomous and robotic systems as well as artificial intelligence and cognitive computing. Cyber space can be modeled as a five layer structure, the parts of which are physical, syntactic, semantic, service and cognitive. The threats, vulnerabilities and risks can be de‐scribed and modeled in each of the layers of this cyber space model. Dedicated attack vectors, operation models and cyber weapons have been developed for these layers. This paper analyzes the new trends in cyber era warfare, command and control and effect‐based cyber operations. The paper uses both Boyd’s OODA‐loop and Wardens Five Ring ‐model as the framework for modern non‐kinetic cyber warfare operations.

Keywords: cyber warfare, command and control, effect

Using Values‐Based Cultural Data to Shape Information Operations Strategies

Christine MacNulty1 and Julie Ryan2 1CEO Applied Futures Inc, Alexandria, USA 2George Washington University, USA

Abstract: The role of technology in information operations (IO) is understandably the focus of much research. It is equally important to recognize the importance of people, who design, use, and defend information systems, when strategizing the elements of IO, and who may be the targets of "softer" information opera‐tions. People can be understood from many different perspectives. Several well‐recognized paradigms include national culture characteristics, personality traits, and cultural history. However, one of the most critical, yet least understood per‐spective, is that of values. Values are deep emotional constructs that underpin beliefs and motivations. Values are measurable and can be classified into person‐ality archetypes, an approach extrapolated from the early work of Maslow, Schwartz and others. An intriguing research question to explore is how values, beliefs, and cultures affect the design, strategy, and implementation of infor‐mation operations. There are current state applications of this contextual under‐

30

standing that could be usefully applied to IO strategies. Additionally, the data sug‐gests that these aspects change over time, which also raises the potential for ex‐ploring strategies that nudge natural evolution of change in directions that are more conducive to peaceful interactions. In these questions, success includes not only the ability to create a strategy that meets the identified operational goals but also the success in the tactics developed to achieve those needs operationally. This paper describes the state of the research, describes an analytical structure to apply the research to information operations strategy, and argues for a research agenda for pushing the concept further.

Keywords: culture, values, motivations, cyberwar, influence

The Cyber‐Security State of our Nation: A Critique of South Africa’s Stance on Cyber‐Security in Respect of the Protection of Critical Information Infrastructure

Feroze Mohideen University of Johannesburg, Auckland Park, South Africa

Abstract: The society we live in faces many technological challenges on a daily basis, especially in developing nations such as South Africa. One such challenge is that of protecting critical information infrastructure (CII) and sensitive, mission critical information. A huge role player in the protection of these two vital com‐ponents of sustainable development is the private sector. Much of a nations CII is owned, operated and maintained by the private sector. However, the responsibil‐ity of setting goals to protect a nations CII and sensitive, mission critical infor‐mation is that of the government’s. Protecting CII can be seen as being very diffi‐cult and there are many influencing factors. There are many barriers that prevent the adequate protection of CII within a developing country such as South Africa. This paper will attempt to identify key contributing factors and barriers to the lack of cyber‐security around CII, the need and lack of public private partnerships to protect CII, a critique of the publicly available South African National Cyber‐Security Policy Framework as well as the recently released Cyber‐Crimes and Cyber‐Security bill. The paper concludes by applying academic research with pro‐fessional knowledge and experience in order to present a few recommendations to both the government and private sector regarding the protection of CII in South Africa.

Keywords: sensitive, critical information infrastructure protection (CIIP), public‐private partnerships

31

Development of a Semantic‐Enabled Cybersecurity Threat Intelligence Sharing Model

Jabu Mtsweni1, 2, Nobubele Angel Shozi3, Kgwadi Matenche1, Muyowa Mutemwa1, Njabulo Mkhonto1 and Joey Jansen van Vuuren1 1Council of Scientific and Industrial Research (CSIR), Defence, Peace, Safety and Security, Pretoria, 2University of South Africa (UNISA), Science Cam‐pus, Florida, South Africa, 3Council of Scientific and Industrial Research (CSIR), Meraka Institute, Pretoria, South Africa

Abstract: Big Data is transforming the global technological landscape by elevating online information access required for addressing everyday challenges, such as detecting in real‐time the spread of diseases within areas of interest. As the data in the cyberspace continues to grow in a gargantuan manner due to the populari‐ty and successes of Web 2.0 technologies and social networks, amongst other reasons, organizations also continue to face the complex challenge of sifting through this data to timely detect and respond to security threats relevant to their operating domain. Traditional businesses and governmental organisations generally rely on inefficient and discrete solutions that rely on limited sources of information, signature‐based and anomaly‐based approaches to detect known cyber threats and attacks. On the contrary, threat agents continue to develop advanced techniques for their cyber espionage, reconnaissance missions, and ultimately devastating attacks. In addition, emerging cybersecurity intelligence solutions lack the semantic knowledge essential for automated sharing of timely and context‐aware information within a specific operating domain. Moreover, existing cybersecurity information sharing solutions lack the visualization and in‐telligence necessary for handling the large volume of unstructured data generated by multiple sources across different sectors. In an attempt to address some of these challenges, this paper presents a preposition of a semantic‐enabled sharing model for exchanging timely and relevant cybersecurity intelligence with trusted collaborators. Drawing from previous research and open source sharing plat‐forms, such as CRITS, this model is underpinned by common information ex‐change standards, such as STIX and TAXII. The proposed cross‐platform sharing model is evaluated by exploiting a large stream of cybersecurity‐related tweets and semantic knowledge available from a variety of data sources. Preliminary results suggest that semantic knowledge is essential towards enabling collabora‐tive and automated exchange of timely and actionable cybersecurity intelligence. Keywords: cybersecurity, threat intelligence, crowdsourcing, big data, web securi‐ty, vulnerabilities

32

Factors in Building Transparent, Usable and Comprehen‐sive User Privacy Policy System

Sarath Kumar Nagaraj and Adam Bryant Wright State University, Dayton, USA

Abstract: Improving associations between users and web‐based systems can make computing tasks easier. User‐to‐system associations include the amount of time spent using the system, quality and quantity of data involved, and the user’s trust in the system. The strength of these associations is an integral part of a us‐er’s online experience and can be improved with better understanding of the in‐teractions involved. One class of user‐to‐system interaction, namely understand‐ing and controlling the release of personal information, can heavily influence a user’s trust associations with a system. However, most users do not read the statements and others do not understand them completely. These statements tend to be lengthy, non‐intuitive, and not written in layman's terms. System own‐ers can modify the way privacy policy statements are developed, presented, and how users have control over the use of their personal information to improve user‐to‐system trust and improve their experience and effectiveness using the systems. We analyze several factors that affect user‐to‐system trust with respect to privacy management and provide an overview of techniques used in building privacy statements and privacy controls. We review existing design models and factors in the context of privacy management and propose methods to improve transparency and control for users. We argue that implementing these models can strengthen user‐to‐system trust associations and can result in more effective system use.

Keywords: human‐computer interaction, mental model, privacy policies, social networking sites, security and usability

The Military Cyber‐Maturity Model: Preparing Modern Cyber‐Enabled Military Forces for Future Conflicts

David Ormrod and Benjamin Turnbull Australian Centre for Cyber‐Security, University of New South Wales at the Australian Defence Force Academy, Australian Capital Territory, Australia

Abstract: Military operations require the support of flexible, responsive and resil‐ient cyber‐capabilities. Information system security models and information as‐surance constructs seek to achieve information assurance, a high degree of cer‐

33

tainty in the confidentiality, integrity and availability of cyber‐systems supporting combat operations. This paper argues that the information assurance approach, whilst a worthy goal, is not reflective of the lessons of history or warfare. Histori‐cally, nations have consistently assumed that their wartime communications sys‐tems were secure, whilst their adversaries were reading important diplomatic cables, strategic and tactical messages. Mayfield’s paradox mathematically demonstrates the futility of attempting to make any information or command and control system completely assured against every attack. The Military Cyber‐Maturity Model presented within this paper adopts a pragmatic view, assuming that the adversary is technically capable and intelligent. This model embraces the possibility of an adversary utilizing an unknown vulnerability to attack the system, and expends resources to deal with the result of the successful attack rather than relying entirely on an impregnable defense. This approach extends beyond the assumption that a cyber‐attack immediately causes mission failure, by recognizing that each cyber‐attack has different requirements and outcomes and will affect different assets and processes. The Military Cyber‐Maturity Model seeks to model business continuity through a high degree of cultural change, embedded work practices that parallel analogue and digital work practices with deceptive counter‐intelligence behavior. The Military Cyber‐Maturity Model incorporates the con‐cepts of behavioral defense and mission assurance to provide agility and increase the likelihood of success in combat. Information deception provides a behavioral defense, creating uncertainty and doubt in the adversary’s mind and reducing the degree of trust they have in the information available. Degeneracy leads to mis‐sion assurance, by providing the ability to absorb shock and catastrophic system attacks. In the same manner that modern physical battlefields have been trans‐formed by hybrid and asymmetric threats, the cyber‐environment has the capaci‐ty to evolve further through the employment of integrated information deception and organisational degeneracy. The Military Cyber‐Maturity Model embraces this approach. The Military Cyber‐Maturity Model provides a methodology for prepar‐ing modern, cyber‐enabled military forces for future conflicts against technologi‐cally capable adversaries. This paper introduces the model, outlines its aims, components and justifications. This work also outlines the need for simulation and testing to validate the model’s effectiveness, and introduces a number of potential use‐cases.

Keywords: cyber, maturity model, military cyber‐effects, information assurance, security model

34

Georgia‐Russia Military Conflict: The Experience of Multi‐level Psychological Warfare

Evgeny Pashentsev Diplomatic Academy at the Ministry of Foreign Affairs of the Russian Fed‐eration, Russia

Abstract: Local armed conflicts that face the collision of interests of great powers usually lead to serious geopolitical consequences. In this case, the coverage of the events in mass media goes far beyond the countries directly involved in the con‐flict. The public assessment of the situation without doubt becomes a field of acute psychological warfare. The Georgia‐Russia military conflict of 2008 was no exception in this respect. In spite of its short duration and the relatively small number of victims, it became the focus of international attention and was accom‐panied by a high level of confrontation in the information environment. The con‐flict was, firstly, a phase of sharp aggravation of the Georgia‐South Ossetia conflict within Georgia, secondly, the direct interstate military conflict between Georgia and Russia, and thirdly, an indirect conflict of interests between Russia and the U.S. and their NATO and the EU allies (only slightly related to the events in Geor‐gia). This multilevel nature of the conflict involves the imbalance of economic and military‐political potentials of Tbilisi on the one hand, and the opposition to the central authorities in South Ossetia and Abkhazia on the other hand. It is neces‐sary to take into account the asymmetry of the potentials of Russia and Georgia, Russia and NATO, the EU (the latter one is only partially offset by the support of Russia on behalf of China and several other countries). The existence of the above‐mentioned asymmetry of potentials of direct and indirect participants of the conflict naturally raises the question about the difference in objective oppor‐tunities of the parties in the field of psychological warfare. This idea shaped the author’s approaches to the solution to the research tasks, and the structure of the paper itself. The paper analyses specific circumstances when false, but profes‐sionally fabricated information or factoids dominated and to a certain extent con‐trolled the public opinion in this conflict. A special focus is on the involvement of senior officials in psychological warfare, the role of the mass media in the conflict, methods of influencing the public consciousness (information channels blocking, misinformation, counterpropaganda, the use of psychological effects of cyberattacks, the management of the foe’s decision‐making process, etc.).

Keywords: psychological warfare, Georgia, South Ossetia, Russia, the USA, EU, military conflict, public opinion

35

Cyberwarfare as a new Challenge for Latin America

Olga Polunina Moscow City Pedagogical University, Russia

Abstract:The global shift towards the new information age has brought new chal‐lenges and questions. Information requires management. This also means that we are living in a world which is not only shaped and defined by the proclaimed free‐dom of information and one’s opinion. Our world is also a state of managed pub‐lic opinion and information. Manipulation of information has become the decisive form of persuasive power. But, while it is widespread, it has also become more subtle, more sophisticated, and less evident. Cyber warfare and information secu‐rity are a highly urgent topic nowadays. Information progress, developing tech‐nologies and ever increasing number of specialists in this sphere prove its rele‐vance. Numerous mistakes, various hazards, few rules and practically no positive experience of counteracting manipulation or defamation in the sphere of the in‐ternet present a daunting problem for specialists. With this in mind, it is worth considering the case of Latin American countries, analysing the peculiarities, tendencies and aspects of cyberattacks from the point of view of their manipula‐tive potential. Leaving aside the technological aspects of the phenomenon of cyber‐attacks let us consider the background of the attacks, dwell on the purpos‐es, analyse the aftereffects, target audiences, and try to predict the circumstanc‐es.Another problem that occurs here is that the sphere of the internet is closely connected with the mass media. Wrong, incorrect or manipulative information resulting from information attacks is exaggerated by the mass media, which makes it next to impossible for an average user to distinguish between ‘black and white’ information. Communication management, on the one hand, is a way of managing people and the capitals by means of communication but, on the other hand, it has at its disposal a wide range of opportunities for analysis.Latin America is an interesting case from different points of view. Firstly, owing to fundamental‐ly different target audiences (from indigenous people to urbanised youth). Sec‐ondly, from the point of view of strong integration processes on the continent which present a fertile ground for manipulations. Thirdly, the left turn in the poli‐tics of the countries on the continent is a target of numerous manipulations. Ac‐cording to the above, the proposed paper will try to trace the reasons of the at‐tacks, the calculated effects and the manipulative potential. Big data analysis and predictive technologies are also analysed in the context of Latin America cyber warfare realities.

Keywords: cyberwarfare, information security, communication management, Latin America

36

SEBS ‐ Secure Emoticons Based Steganography

Khan Farhan Rafat and Junaid Hussain NUST, Rawalpindi/Islamabad, Pakistan

Abstract: Be it a commercial or military undertaking, the decisive factor of one’s success in the respective arena is to have uninterrupted operation‐critical activi‐ties. On account of large scale reliance on information technology, affording max‐imum protection to data has become extremely essential to manage fluctuating business trends. By and large, Cryptographic Services are being employed to se‐cure the data. Secure encryption, indeed, is a remedy against eavesdropping of sensitive information but its perceptibility ‐ as something being gibberish ‐ is suffi‐cient enough to seek immediate attention of an onlooker which raises suspicion of some behind the scene activity. Hence, there felt a serious need to hide sensi‐tive data in a manner such that its existence shall remain unknown to the unau‐thorized person. To address the perceptibility concern, various image based digi‐tal steganographic schemes have been introduced. However, it is observed that existing image‐based digital steganographic schemes do not take into considera‐tion the worst case scenario that the enemy can also have the possession of origi‐nal cover. To overcome this shortcoming, this paper presents a novel steganographic scheme which is effective against known‐cover attack. Further‐more, it provides greater cryptographic security by adhering to Kerckhoff’s princi‐pal and successfully protects private or classified information, whether at rest or in transit. Our steganographic scheme provides a method to protect information by hiding it behind emoticons ‐ a popular means of conversation in mobile com‐munication and social media these days. A single emoticon in our scheme can conceal up to 8 bits of secret information. This scheme affords robustness via unique set of emoticons. We present twofold security via encryption and ste‐ganography. Hence, this scheme is most unlikely to raise suspicion of a hidden message even if original cover is known to the adversary. The proposed scheme is equally suitable for Chat, IM, SMS and email.

Keywords: information security, information assurance, steganography, data pri‐vacy, secure communication information hiding, private texting, secret messages, security through obscurity, cryptography, encryption

37

How Secure is our Information Infrastructure?

Julie Ryan and Daniel Ryan Department of Engineering Management and System Engineering, School of Engineering & Applied Science, The George Washington University, USA

Abstract: Managers of critical information infrastructures need better tools for managing risk than the qualitative or compliance‐based metrics commonly used today in critical infrastructure protection. Security is the inverse of risk, and we can measure risk by evaluating expected loss, which is the product of the proba‐bility that a bad event will occur by the damage such an event will cause if the event does occur. Thus, expected loss provides a way to indirectly measure secu‐rity in information infrastructures. To determine the relevant probabilities, we use failure time analysis. This paper provides a performance‐based metric that can be used to obtain a quantitative measure of the security of information infrastruc‐tures. The metric can be used to compare the security status of different infor‐mation infrastructures, or to track the evolution of security within a single infra‐structure. Since, as all managers know, "If you can't measure it, you can't manage it," the methodology presented here will improve the managers' ability to suc‐cessfully protect critical information infrastructures.

Keywords: risk management, information security, security and protection

Big Data Privacy and Security: A Systematic Analysis of Current and Future Challenges

Nobubele Angel Shozi1, 3 and Jabu Mtsweni2, 3 1Council of Scientific and Industrial Research (CSIR), Meraka Institute, Pre‐toria, South Africa 2Council of Scientific and Industrial Research (CSIR), Defence Peace Safety and Security, Pretoria, South Africa 3University of South Africa (UNISA), South Africa

Abstract:Big data is a term that describes data of huge volumes, variable speeds, and different structures. Even though the rise of big data can yield positives, the nature of big data poses challenges as capturing, processing and storing becomes difficult. One of the challenges introduced by big data relates to its privacy and security. Privacy and security of big data is considered one of the most prominent challenges as it directly impacts on individuals. Through big data, individuals lose control over how their data is used and are unable to protect it. An invasion of privacy occurs when one’s data is used to infer aspects of one’s life without our

38

consent. The prospect of data breaches in big data is also expected and can result in millions of records containing personal information being leaked. This paper aims to understand the privacy and security challenges that relate to big data. In order to gain this understanding, a systematic literature review is conducted to firstly identify the general challenges of big data. Currently, a number of research papers are identifying the challenges of big data however these papers do not follow a sound methodological process in identifying these challenges. The sys‐tematic literature review process consists of sequenced steps that must be fol‐lowed to ensure that your research produces the required results. The systematic literature review was chosen to ensure that the three questions posed in this re‐search are answered. These questions are: What are the current big data related challenges, what challenges are related to privacy and security and what future challenges can be identified from the analysis of these challenges. The top chal‐lenges of big data are discussed briefly and narrowed down into the challenges that are related to privacy and security of big data. In conclusion, this paper will provide reflections on future big data challenges. This outcome of this research is firstly to identify the big data challenges, secondly to understand the privacy and security challenges that relate to big data and lastly to provide insight into the future challenges that can impact on big data.

Keywords:big data, privacy and security, challenges, systematic literature review

Pushing the Boundaries of Digital Diplomacy: The Inter‐national Experience and the Russian Practice

Ivan Surma Diplomatic Academy, Ministry of Foreign Affairs of the Russian Federation, Moscow, Russian Federation

Abstract: One of the negative consequences of rapid development of information and communication technologies (ICTs) is the emergence of new forms of interna‐tional conflicts, including information and network warfare.There are new phe‐nomena such as Cyber‐Mobbing and Cyberbullying (Happy Slapping, Alienation, Extortion of confidential information, “Flaming”, Slander, etc.) or "Factories of Trolls". The usage by some countries of the provocation strategy consists of the organization of information warfare so that the resources of the opponent are directed against him. Today unilateral statements that this or that state can be involved in illegal actions in information field, it is not enough to attribute the given harmful activity to this state. The charges of the states in the organization and realization of cyber attacks should be proved. The author concentrates on exploring prospects and challenges of digital diplomacy in the international field

39

with special reference to Russia. In the paper, the author used the results of his comparative analysis of digital activity of the embassies of Russia in the world and statistical methods in the processing and strategic assessment of the data of Re‐port of the 18th Russian Internet Forum. The paper presents modern techniques of reaching political audiences through digital diplomacy, which on the one hand, provides new opportunities for the implementation of international politics, and on the other, imposes special requirements on its members. The paper examines the consequences of the growing influence of the Internet on global politics, in‐cluding the possibility of large‐scale public opinion manipulation. The results of OSINT research have unveiled hyperactivity of terrorist organisations in networks. The paper centers on the Russian experience to oppose such tools as compulsory recruitment and others. The paper focuses on a new form of public diplomacy and shows its mechanism of influence on foreign audiences. It is shown that there is an inverse relation between the diplomatic and public offices (a new phenome‐non of the modern information society). Basing on the digital activity of Russian embassies in Latin America and Caribbean basin the author stresses the role of social media in shaping public opinion, which puts forward specific requirements for how information is supplied on the official pages of diplomatic offices in social networks. The new format of close cooperation between a society and diplomatic agencies makes the modern diplomacy on the one hand more open and public, and less restrained on the other. At the same time the Ministry of Defense and other state structures of Russia in recent years have been paying special attention to strengthening cybersecurity and continue the national strategy buildup in that area. The complexity of the solution all the above questions lies primarily in the imperfection of international law in the regulation of the information space.

Keywords: digital diplomacy, geopolitics, cyber terrorism, social networks, cybersecurity, international relations, soft power, trolling, foreign policy

An Assessment Model to Improve National Cyber Securi‐ty Governance

Unal Tatar1, Bilge Karabacak2 and Adrian Gheorghe1 1Engineering Management and Systems Engineering Department, Old Dominion University, Norfolk, USA 2Graduate School of Informatics, Middle East Technical University, Ankara, Turkey

Abstract: Today, cyber space has been embraced by individuals, organizations and nations as an indispensable instrument of daily life. Accordingly, impact of cyber

40

threats has continuously been increasing. Critical infrastructure protection and fighting against cyber threats are crucial elements of national security agendas of governments. In this regard, governments need to assess the roles and responsi‐bilities of public and private organizations to address the problems of current cyber protection postures and to respond with reorganization and reauthorization of these postures. A risk management approach is critical in placing these efforts in an ongoing lifecycle process. In this paper, a model is proposed to be used in national cyber security risk management processes. We argue that this model simplifies and streamlines national risk management processes. For this purpose, a matrix is created to partition the problem space. Cyber threat detection and response activities constitute one dimension of the matrix. The second dimension divides the timeline of cyber incidents into three: before, during and after inci‐dents. The resulting matrix is then populated with responsible bodies which need to address each case. As a result, a national cyber security responsibility model is proposed for policy/decision makers and academics. We believe that the pro‐posed model would be useful for governments in analyzing their national respon‐sibility distribution to address gaps and conflicts in their current cyber security postures and for academics in analyzing natural cyber security systems and com‐parative studies.

Keywords: national security, national governance, national cyber security roles and responsibilities, cyber thresholds, risk analysis, risk management

Enhancing Cybersecurity by Defeating the Attack Lifecycle

Lanier Watkins1 and John Hurley2 1CriticalInfrastructure Protection Group, The Johns Hopkins University Ap‐plied Physics Laboratory, Laurel, USA 2JPME and Cyber‐L Department, National Defense University, iCollege, Washington, USA

Abstract: In this paper, we examine cyber threats and vulnerabilities through the eyes of the attacker. It is important to understand the attack lifecycle because the psychology of an attack is driven by the ability to acquire the organization’s in‐formation assets (i.e., ‘crown jewels’). Attacks are usually orchestrated based up‐on where the assets are placed and around the defense and protection mecha‐nisms put into place to protect and secure them. An understanding of the differ‐ent phases of the attack and how perpetrators can either bypass or work through the defense mechanisms into environments best positions attackers for success. This view is often shaped by the goals and intent of the perpetrators for all at‐tacks are not driven for financial gain. Some other goals of an attack may be

41

based upon social, political, cultural and other objectives. For example, banks and other financial institutions are targeted for financial gain. The private and gov‐ernment sectors are targeted for intellectual property (IP). Individuals, communi‐ties, and organizations are targeted for the purpose of demonstrating vulnerabil‐ity of an environment or the capability of the attacker. Many organizations, due to the extent to which they can be damaged if their information is compromised or stolen, are relying more heavily on outside security firms. The rationale seems very logical in that businesses whose focus is on security should be ‘better equipped’ to handle this responsibility for organizations. The problem is that, though firms have gotten much better at ‘qualifying’ their capabilities, the mis‐conception that they can indeed protect and defend against all attacks on infor‐mation assets still exists. The perpetrators, are increasingly becoming savvier, and better resourced and have significantly broadened their target base, as we have seen recently, to now target security firms. We see security firms, e.g., Lifelock (Lifelock to Settle Charges by the FTC and 35 States, 2010) and RSA (Anatomy of an Attack, 2011) under siege in an attempt to get access to the information as‐sets. In many cases, the ‘keys to the castle’ held by the security firms provide ac‐cess to huge assets of some companies, including some of the major Fortune 500 companies—a great incentive to attackers seeking financial gain. As we focus our attention on the attack vectors, it is important to be vigilant in our attention on the attack ecosystem. We find a dominating approach used by many that has produced limited benefits, at best. Recognizing an organization’s vulnerability is the first step in a viable multi‐step hacking recovery program. Unfortunately, the focus of most efforts to protect and defend information assets against perpetra‐tors is concentrated in a phase within the attack lifecycle that actually goes coun‐ter to the realization that environments are likely to get hacked. We introduce a novel approach wherein for the first time, relevant individual technologies have been brought together under a single framework. We believe that the concate‐nating of the individual concepts in a way that has not been previously described is indeed a novel approach to addressing the problem.

Keywords: cybersecurity, attack lifecycle, information assets, deterrence, intru‐sion detection and intrusion prevention

Categorizing Code Complexities in Support of Analysis

Yan Wu1 and Frederick Tim Boland 1Bowling Green State University, Bowling Green, USA

Abstract: Various types of tools are available in the market and they are capable of analysing software: static source code scanners, compilers, test generators, etc. The nature of programming language that the source code is written, affects

42

not only the efficiency of execution but also the complexity of structures, which will hide vulnerabilities behind them to confuse static source code scanners. This paper presents classes of source code elements, called code complexity elements, which affect the ability of static source code scanners to analysing code. We mention relevant assumptions and guidelines for our code complexity classifica‐tion. Then, we present common code complexity elements in terms of complexity name, description, and enumeration. We then give examples of code complexi‐ties in terms of practical test cases. We conclude with future work in this re‐search. To illustrate current status of test case generation, we provide examples on how code complexities are used in organizing test cases in automated test case generators. The descriptive statistics of the test suite from Intelligence Advanced Research Projects Activity's (IARPA) Securely Taking On New Executable Software of Uncertain Provenance (STONESOUP) program, Phase II and III is presented in Appendix.

Keywords: software assurance, code complexity, static source code scanner, test cases, source code generation

Detecting a Weakened Encryption Algorithm in Micro‐controllers Using Correlation‐Based Anomaly Detection

Justin Wylie, Samuel Stone and Barry Mullins Air Force Institute of Technology, Wright‐Patterson Air Force Base, USA

Abstract: Since the 1960s, increasingly more Integrated Circuit (IC) device manu‐facturers have been outsourcing fabrication of semiconductor devices to Taiwan, China, and other countries where the cost of labor is less expensive, as described by Adee (2008). This includes situations where United States companies contract‐ed by the military to develop semiconductor‐based systems outsourced the de‐sign work for the semiconductors to foreign nations according to Yudken (2010). This practice brings to bear security concerns regarding the possibility of overseas fabrication facilities embedding malicious hardware in the device early in the sup‐ply chain. Microcontrollers, specifically, are used in a large number of military operations including encryption, such as the microcontrollers used to encrypt information found in the smart cards issued by the Department of Defense, as stated by the United States General Services Administration (GSA) (2004). Accord‐ing to Beaumont et al. (2011), current IC testing and verification focuses on test‐ing the chips to specifications which may detect whether functionality was re‐moved, but will likely not detect any functionality added by an adversary. Systems used in environments where antivirus and intrusion detection systems are not feasible are particularly vulnerable. In order to detect compromised program‐

43

ming, or potential zero‐day attacks from entering combat systems, an efficient and effective method of anomaly detection is required. This paper proposes ex‐panding use of the Correlation‐Based Anomaly Detection (CBAD) as introduced by Stone (2013) for detecting anomalous microcontroller operation using Uninten‐tional Radio Frequency (RF) Emissions (UREs). Specifically, this paper presents the results of using the CBAD process to detect a modified Advanced Encryption Standard (AES) algorithm implemented on a microcontroller. This process was shown to be effective in detecting anomalous operations in a more limited Pro‐grammable Logic Controller (PLC) program by Stone (2013), and was less re‐source‐intensive than alternatives such as the RF fingerprinting method used for discriminating between hardware devices by Cobb (2011). The CBAD process con‐sists of four major steps: URE collection, signal post‐processing, test statistic gen‐eration, and a declaration. In the process declaration stage, the microcontroller’s program is classified as either Normal operation or Anomalous operation after comparison with a reference response. Results using the CBAD process against the UREs of a microcontroller have been encouraging thus far, and show a True Anomaly Detection Rate (TADR) of greater than 90% at Signal to Noise Ratios (SNRs) greater than 5 dB while maintaining a False Anomaly Detection Rate (FADR) of approximately 10% across all SNRs. Additionally, Receiver Operating Characteristic (ROC) curve Equal Error Rates (EER) are presented for the proposed anomaly detection process.

Keywords: microcontroller security, unintentional RF emissions, AES encryption weakening, hardware security, correlation‐based anomaly detection

Real Time Early Warning DDoS Attack Detection

Konstantinos Xylogiannopoulos1, Panagiotis Karampelas2 and Reda Alhajj1 1University of Calgary, Canada 2Hellenic Air Force Academy, Greece

Abstract: The rapid growth of electronic devices, has transformed the Internet into a significant means of communication all over the world. Because of this, the Internet has experienced an exponential growth in users, services and solutions provided by many public and private organizations. This growth has also led to an increase in different types of cyber threats and crimes. One of the most frequent and detrimental effect is the Distributed Denial of Service (DDoS) attack, with which someone can unleash a massive attack of communication requests through many different isolated hosts and cause a system to become unresponsive due to resources exhaustion. The significance of the problem can be easily acknowledged

44

due to the large number of cases regarding attacks on institutions and enterprises of any size which have been revealed and published in the past few years. In the current paper a novel method is introduced, which is based on a data mining technique that can analyse incoming IP traffic details and warn the network ad‐ministrator about a potentially developing DDoS attack. The method uses a varia‐tion of the ARPaD, which allows the detection of all repeated patterns in a se‐quence. In a DDoS case, the algorithm can analyse all IP prefixes and warn the network administrator if a potential DDoS attack is under development based on the detection of suspicious IP addresses and their analysis depending on pre‐set thresholds on a variety of parameters such as maximum allowed IPs per country, per minute, etc. Moreover, this analysis provides useful information, such as geolocation of incoming traffic, and gives the ability to the network administrator to block, manually or automatically, potential groups of IPs that can be catego‐rized as suspicious, while allowing legitimate users to continue their work. Based on several experiments conducted on real data from the Centre for Applied Inter‐net Data Analysis organization, it has been proven experimentally how rapidly an alert can be raised for a potential DDoS attack. Therefore, the method introduced can identify and detect a potential DDoS attack while it is being initiated and be‐fore it has detrimental effects on system resources. Furthermore, a system based on this method can scale up depending on the needs of any organization, from a small e‐commerce company to large public or private institutions, by providing the same level of high performance detection.

Keywords: distributed denial of service, DDoS, data mining, suffix array, all re‐peated patterns detection

45

PHD Research Papers

47

What’s in Your Honeypot?

Adam Brown and Todd Andel University of South Alabama, Mobile, USA

Abstract: Organizations conduct transactions, provide services, store data, and transmit communications through an increasingly complex series of networks. Securing these networks requires layers of sophisticated safeguards against intru‐sion. Intelligence pertaining to adversarial methodologies plays a critical role in assessing the ability of a system to ward against cyber attacks. Since there is no standard for criminal cyber activities, gathering real‐time idiosyncratic data pro‐vides an invaluable asset for those seeking to protect their information. Honey‐pots allow a victim to monitor an intruder in the act, revealing the tools and methods used. By collecting information of the sources and destinations of differ‐ent payloads, honeypot operators obtain information regarding black‐hat tools and tactics. Frequently networked to functioning systems, a honeypot, however, can be a security hazard. A savvy adversary can use a compromised honeypot to leap onto a live server on the same network. Inadequate monitoring of honeypot traffic and activities increases the risk of theft for any data stored on the actual production host. Depending on the type of institution deploying the honeypot, actions that undermine the security of retained confidential data risk federal sanctions. Federal regulations assigning this heightened duty for data security can be seen in credit reporting agencies, health care providers, and financial institu‐tions. Likewise, some state statutes have established affirmative duties for net‐worked service providers such as honeypot operators; however, legal concerns extend beyond the protection of live confidential data. Though relevant laws may not have been drafted with emerging technologies in mind, they are nonetheless applicable. This research addresses the potential exposure of honeypot operators to downstream liability based on the third‐party actions of adversaries accessing the honeypot. These risks encompass state and federal statutes as well as com‐mon law theories of negligence.

Keywords: honeypots, legal duty, cyber crime, legal issues, downstream liability, negligence

48

Feasibility of Applying Moving Target Defensive Techniques in a SCADA System

Cordell Davidson and Todd Andel University of South Alabama, Mobile, USA

Abstract: Supervisory Control and Data Acquisition (SCADA) systems monitor and control industrial systems of national importance, including but not limited to the electric power grid, oil and gas refineries, water supply and sewage systems, and gas pipelines. They are an integral part of a nation’s critical infrastructure. As such, the reliability and availability of these systems are extremely important. Once SCADA systems are running reliably, changes to the hardware or software are typically avoided. As a result, many of these systems rely upon hardware and software systems that are years or even decades in age. Over time and for the purpose of cost optimization, SCADA systems have become increasingly reliant upon commercial‐off‐the‐shelf (COTS) products. Many of these products have known vulnerabilities that are expected to be patched or replaced quite often to mitigate potential attacks. However, frequent patches and updates are often un‐feasible in a SCADA system. The requirements of reliability and availability may outweigh the potential benefits. An additional security issue is that in order to enable remote system management, SCADA systems are becoming increasingly connected directly to corporate networks as well as the Internet thus making it easier for an adversary to connect to a system in order to exploit known vulnera‐bilities. Moving Target Defense (MTD) is a security approach used in many com‐mon computer systems to help make them less easily compromised. A MTD seeks to provide additional protection to all protected programs even if those programs have known vulnerabilities. It does not seek to fix any particular soft‐ware vulnerability but, instead, seeks to make any such vulnerability more difficult to exploit. Other security solutions elaborated for our common computer systems and networks, such as frequent software patching, might not be applicable for SCADA systems due to their specific requirements and constraints. However, there has not been much academic discussion of applying Moving Target Defens‐es to SCADA systems. We analysed several different MTD techniques for their suitability as defense of various components of SCADA systems. Our determina‐tion is that there are several MTD approaches that are feasible for use in SCADA systems.

Keywords: moving target defense, SCADA, security, network security, software vulnerability mitigation, diversity defense

49

3D Visualization Applied to PRBGs and Cryptography

Michel Dubois and Eric Filiol Operational Cryptology and Virology Laboratory, Laval, France

Abstract: Today there is no easy and quick way to analyse and differentiate ran‐dom data. However, all day long our computers generate pseudo random data, our cryptographic algorithms tend to act as pseudo random generator of data to better hide the message. So we can then ask whether is it possible to quickly de‐termine the algorithm used to construct a random sequence of numbers and in a second time, distinguish between a PRBG or a cryptographic algorithm? In this paper, we present a new approach, to visualize, in a two and three dimensions environment at the same time, a sequence issued from a pseudo random bit gen‐erator or from cryptographic algorithms. To embody our idea, we assume that sequences produced by PRBG and Cryptographic algorithms are comparable to a nonlinear system generating a chronological series of data. We have developed some tools to realize our analysis and use them to well known kinds of PRBG and to the AES. Even, if our approach can't serve as determining proof on the quality of an alea, it can bring a great help to quickly (because visually) distinguish two random sequences and eventually find some statistical bias.

Keywords: block cipher, Boolean function, cryptanalysis, AES

Securing Critical Infrastructure by Moving Target Defense

Vahid Heydari and Seong‐Moo Yoo Electrical and Computer Engineering Department, The University of Ala‐bama in Huntsville, USA

Abstract:One of the most important areas of information security is industrial system security. Cyber‐attacks on critical infrastructure networks causing an out‐age quickly escalate into the worst case scenario. Remote attackers can start an attack from all around the world. During the reconnaissance step, attackers need to gather information about the victim. One of the most important information in this regard is the IP address of the victim. Static IP addresses can help attackers in two aspects. First, they are easily discoverable. Second, after accessing the victim, the attacker can maintain this access for a long time. So an effective defense is a mechanism to change the IP addresses randomly and dynamically. By using Mo‐bile IPv6 we can haveboth a permanent IP address to avoid disrupting TCP ses‐sions and a temporary IP address for connecting to other nodes. Therefore, we

50

developed a Moving Target Mobile IPv6 Defense (MTM6D) to dynamically change the IP address of critical infrastructure servers. The main goals of our method are using a combination of available standards to defend targeted attacks and elimi‐nating packet loss because of address collision during address rotations. The fea‐sibility and performance evaluation of MTM6D are demonstrated by real network implementation.

Keywords: critical infrastructure, remote attacks, moving target defense, mobile IPv6, dynamic IP

Cyber‐Warfare and Cyber‐Terrorism: Step to Learning to Knowing the Difference

Elizaveta Huttenlocher Seton Hall School of Diplomacy, South Orange, USA

Abstract: At the present time, ICT has a significant role in everyone’s lives. That role ranges from entertainment purposes to communication and information ac‐tivities as well as conducting a business or making use of the digital public ser‐vices. People have grown dependent upon cyberspace in areas related to gov‐ernmental and international activities as well. Currently, the reliance on digital technology is expected to increase. This paper aims to distinguish the different approaches states take to engage in cyber warfare and cyber terrorism. The main focus is identify which states are more likely to employ cyber warfare as part of its military and which states are inclined to recruit its citizens not officially affiliated with state military to conduct state‐sponsored cyber‐terrorism. Although the im‐plementation of such new technologies has great benefits in all different spheres of human life, there have been significant costs associated with it. The countries that have netizen staffing system are the ones with the illusion of freedom that remains under strict government control. States that fully free or fully autocratic mobilize their cyber power through their military. These categories will be meas‐ured through civil society and the degree of democratization.

Keywords: netizen, staffing system, North Korea, China, Russia, cyber‐security

51

Requirements for Achieving Digital Forensic Readiness in the Cloud Environment using an NMB Solution

Victor Kebande and Hein Venter Department of Computer Science, University of Pretoria, South Africa Abstract: The proliferation of cloud resources among organizations has had nu‐merous benefits with regard to how business processes are conducted. However, despite the benefits, the cloud has not been very resilient due to its distributed and open nature. Due to this, there have been numerous reports on how the se‐curity of organizational information has been incriminated. In any organization Digital Forensic Readiness (DFR) is employed as a pre‐incident phase whose aim is to maximize the use of potential digital evidence while minimizing the cost of per‐forming a digital forensic investigation. Therefore, it is on this premise that the paper gives a contribution on the requirements needed in order for the cloud to be forensically ready for digital investigations when a modified Non‐Malicious Botnet (NMB) acting as an agent‐based solution is used. The objective of this pa‐per is to propose the requirements for achieving DFR in the cloud based on the standard of ISO/IEC 27043: 2015 which presents guidelines of information tech‐nology, security techniques and incident investigation principles and processes. Moreover, the proposed requirements have been presented based on legal, tech‐nical and operational standpoint. Keywords: Digital, forensic, readiness, requirements, cloud, botnet, NMB

Proposed High‐Level Solutions to Counter Online Examination Fraud Using Digital Forensic Readiness Techniques

Ivans Kigwana and Hein Venter Information and Computer Security Architecture (ICSA) Research Group, Department of Computer Science, University of Pretoria, South Africa

Abstract: In this current digital age, most of the tasks are conducted electronical‐ly. Some academic institutions have not been left behind as they have adopted the norm of presenting exams via online means to students. The present‐day par‐adigm creates opportunities for students to use this as an opening to cheat or commit online examination fraud because of the absence of exam proctors. Hav‐ing electronic evidence would be vital if there was a disciplinary hearing into ex‐amination fraud. In the case when an institution is not prepared before‐hand for

52

such an incident, it is likely that there won’t be important electronic evidence that is admissible before the disciplinary committee. In this case, it could be damaging to the institution’s reputation and how it handles its academic affairs. In order to prepare institutions for such an incident, there should be proactive measures (dig‐ital forensic readiness measures) that need to be in place. These digital forensic readiness techniques can be used interchangeably because most, if not all of them, capture different kinds of data. So the institution needs a proper plan on what data might be useful before any technique can be implemented. Various factors such as cost of implementation and difficulty of implementation of these digital forensic readiness methods make its implementation even more difficult. This paper aims to explore the various ways how students commit online exami‐nation fraud and later propose high level digital forensic readiness techniques that can be used to capture as much information as possible before‐hand which can later be used when there is need for a digital forensic investigation or perhaps suspicion of examination malpractice. We later evaluate the proposed techniques based on difficulty of implementation, cost of implementation and efficiency of operation of each particular technique. As motivation, we choose six (6) tech‐niques which are explained in detail to help the reader understand why and how they can be used to suit a given digital forensic readiness purpose.

Keywords: digital forensics, digital forensic readiness, online examination fraud

The Role of Cultural Intelligence in Cyber Warfare

Elizabeth Viggiano George Washington University, USA

Abstract: History is rife with examples of traditional warfare being biased toward one’s past experience. It is easier to defend against an attack one might carry out against their own enemies, but very difficult to defend against an attack outside the realm of one’s own offensive capabilities. In kinetic warfare, leaders’ cultural values influence Rules of Engagement (e.g. acceptable use of force), the Law of War (e.g. treatment of non‐combatants, avoiding religious sites, not using human shields/camouflage), and other military tradition (e.g. easily identifiable uniforms, agreed upon time/location of battles). Culture and socio‐economics substantially influence resources (e.g. balance between manpower technology), military struc‐ture (e.g. unwavering loyalty to authority vs. lower levels empowered to make decisions), and actions of individual soldiers (e.g. compassion toward those con‐quered vs. pillaging). Defending against an attacker of a different culture can be particularly difficult. Cultural values influence the same foundational components of cyber warfare as well. However, there is additional impact due to the greater involvement of civilians using the information sphere. Whereas all military cul‐

53

tures expect considerable “acceptable losses” in kinetic engagements, civilian cultures have substantially different expectations of privacy and censorship from one country to the next. Likewise, militaries are able to create a culture among soldiers to prepare for kinetic warfare, but civilian users are already considered the biggest challenge for the security of information networks without the added complication of cyber warfare. Internet usage varies substantially from culture to culture: degree of connectivity, devices and applications used, purpose (e.g. so‐cial, informational, economic), as well as differing levels of owner‐ship/involvement of the government and military. These cultural differences mean that network infrastructure, and thus value and defense of potential tar‐gets, varies substantially as well. Nations may find themselves well prepared for cyber warfare with similar cultures but woefully ill equipped to engage cultures substantially different than their own. Cultural boundaries are permeable and therefore all manners of “cultures” interact with each other, with collocated cul‐tures typically having more similarity than those geographically distant. Therefore the cultural differences in cyber warfare can be more distinct given that geo‐graphic location of computer networks is irrelevant. Nations that approach cyber warfare with high cultural intelligence will find themselves far more prepared to defend against and engage their enemies in the information sphere.

Keywords: cultural intelligence, cyber warfare, security culture

55

Master’s

Research

Papers

57

Threats of Cyber Security and Challenges for Pakistan

Jawad Awan and ShahzadMemon Institute of Information and Communication Technology, University of Sindh, Jamshoro, Pakistan

Abstract: With the growing volume and sophistication of cyber‐attacks, the vol‐ume of these attacks reaches to thousands daily. Cyber security researchers have been working for many years to prevent computers, databases, programs, sys‐tems and networks from unauthorized access, attack, change or destruction. In addition, it is also a critical issue in discussions of government and security policy makers in current situation of security round the globe. E‐Government services, capital markets, corporations, and other businesses collect processes and store a large amount of confidential information on computers and transmit that data over internet for professional purposes. In recent years, Lithuania and Iran are one of the cases those are practically affected with cyber‐attacks. Pakistan has played an important role to stop in global war on terrorism after 9/11. As a nucle‐ar state and its geopolitical position, the possibilities of various internal and ex‐ternal security concerns raised during last decade including cyber security. Gov‐ernment of Pakistan is implementing defence policies which shall stop the entry of terrorists in country and supervise territorial borders. Critical defence measures for important cyber services of the country such as NADRA (National Database and Registration Authority), E‐Government services and capital markets also requires attention of government in current security situation. These services are using firewalls and other technologies to protect systems, however; there are many possibilities by which the terrorists can use cyber as a source to attack, con‐trol and stop the essential ICT services. This paper discusses the Cyber challenges in current unstable situation of security in Pakistan.

Keywords: cyber security, Pakistan, threats, internet, Stuxnet

Comparison of Static Analysis Tools for Java Using the Juliet Test Suite

Thomas Charest, Nick Rodgers and Yan Wu Bowling Green State University, Bowling Green, USA

Abstract: As software systems have become essential to critical infrastructure and private information security, software weakness detection becomes a necessity to reduce the risk of exploitation by attackers. By experimenting on carefully‐

58

designed test suites, we explored the effectiveness of several static analysis tools that detect some of the most prevalent software weaknesses. We downloaded the Juliet Test Suite for Java from Software Assurance Reference Dataset (SARD) to test the selected static analysis tools. This test suite was created based on the Common Weakness Enumeration (CWE), a community‐driven database of com‐mon software weaknesses. In an attempt to cover a large portion of developers, we chose tools that were open source, and written for Java. Specifically, we test‐ed CodeProAnalytix, JLint, FindBugs, and VisualCodeGrepper. We found a contin‐uum of success among the tools, both in accuracy and in coverage of planted weakness detection. This result emphasizes the importance of the CWE in evalu‐ating the performance of static analysis tools, and shows that there is room for improvement in the effectiveness of these tools. Although it is possible to elimi‐nate weaknesses in code and make programs more efficient, static analysis does not guarantee the absence of runtime errors. Additionally, static analysis tool per‐formance should be tested on specific weaknesses in both human‐generated code and computer‐generated code, to determine whether accuracy and coverage are comparable. The Juliet Test Suite that we used is comprised of computer‐generated code, which may not have the same characteristics as human‐generated code. Thus, further research is necessary to equally examine the weak‐nesses in human‐generated code. We tested a handful of common weaknesses, but in order to show the true coverage of a static analysis tool, representative code for more CWEs should be tested.

Keywords: static analysis, Juliet test suite, CWE, software vulnerability

The Smartphone Evidence Awareness Framework for the Users

Innocentin Dlamini CISR, South Africa

Abstract: Smartphones are high‐end mobile devices which offer more advanced computing ability and connectivity than traditional feature‐phones. Not only does smartphones provide more advanced features, but it also provides mobile busi‐ness to the users. This paper presents the smartphone evidence awareness (SEA‐ware) training framework for smartphone users. This framework focuses on en‐hancing smartphone evidence awareness skills of smartphone users with regard to collecting, preserving and handling the related data as evidence. The proposed SEAware framework is designed to make users aware of the integrity of evidence that can be collected by an average user, resulting in the evidence being com‐promised by way of incorrect collection, storage or handling requirements. This

59

framework could improve evidence preservation in cases involving smartphones as sources of evidence to confirm users’ testimony during trials. It simplifies the investigation process and improves chances of admissibility of evidence at court when smartphone users are aware of the capabilities of their devices. The SEA‐ware framework further provides instructors or trainers with sufficient guidelines on various steps they need to consider in order to deliver effective and easy to maintain SEAware training.

Keywords: awareness, collection, evidence, framework, preservation, safety, smartphone

Barriers to Extending Malware Detection Research

Sarath Kumar Nagaraj and Adam Bryant Wright State University, Dayton, USA

Abstract; Cyber attackers develop malicious code and inject it into many different types of computing environments to obtain unauthorized access or cause harm. Companies employ antivirus software, analyze log files, and monitor system in‐teractions to detect signatures of activity that correspond to known threats or attack patterns. Signature‐based malware detection systems produce efficient results for identifying well‐known threats, but are easily evaded by attackers. Re‐search aimed at improving malicious file detection has focuses on increasing de‐tection rates, lowering false positive rates, and decreasing processing time in comparison to previous algorithms. Unfortunately, due to several factors in the ecology of malicious software detection, this type of research is difficult to extend and to build upon. In this paper, we examine a number of techniques used in pub‐lished malicious files detection research and discuss gaps in the malicious files detection process. We review efforts at standardizing the measurement, descrip‐tion, evaluation, and architecture supporting malware detection and identify fac‐tors that may be useful to improving the accessibility and extensibility of mali‐cious file detection research.

Keywords: algorithm, antivirus, dataset, malware detection, and signature‐based detection

60

Z‐Ranger: An Improved Tool Set for ZigBee Warwalking

Andrew Seitz and Benjamin Ramsey Air Force Institute of Technology, Wright‐Patterson AFB, USA

Abstract: ZigBee wireless networks have become increasingly prevalent over the past decade. Based on the IEEE 802.15.4 low data rate wireless standard, ZigBee offers low‐cost mesh connectivity in hospitals, refineries, building automation, and national critical infrastructure. The KillerBee suite of tools is an open source Python‐based framework specializing in locating, exploiting, and attacking ZigBee networks. One KillerBee tool in particular, Zbfind, allows a penetration tester to estimate distance to the nearest transceiver based on the received signal strength (RSS). While Zbfind has benefited from recent work, the AT86RF230 transceiver and the underperforming distance estimating parameters fundamentally limit accuracy of the tool set. We present a new tool set for ZigBee distance estimation called Z‐Ranger, written in the C programming language and utilizing the Zena wireless adapter hardware. In this paper, we evaluate the accuracy of each tool set for use against real‐world indoor and outdoor ZigBee appliances, by compar‐ing actual distance against tool set estimated distance. Collection trials consist of measuring RSS from four indoor and two outdoor wireless sensors at warwalking distances of up to 27 and 101 meters, respectively. RSS samples are measured in 2‐meter intervals for the indoor experiment and 5‐meter intervals during the out‐door experiment, significantly increasing sample resolution over previous work. Indoor results indicate the Z‐Ranger tool set outperforms Zbfind for each target trial, reducing overall mean absolute percentage error (MAPE) by 23.1%. Fur‐thermore, outdoor results conclude Z‐Ranger reduces MAPE by 14.5% when com‐pared to Zbfind. Building upon this discovery, we further identify calibrated best‐fit distance estimation formulas for Z‐Ranger warwalking in both indoor and out‐door environments. When re‐evaluated against Zbfind, the new best‐fit formulas reduce indoor distance estimation MAPE for Z‐Ranger by 36.5% and outdoor MAPE drops by 22.5%. The empirical results presented in this paper demonstrate the accuracy and effectiveness of the new Z‐Ranger tool set and offer a comple‐ment utility to the KillerBee suite.

Keywords: ZigBee, IEEE 802.15.4, warwalking, rangefinding, security, Z‐Ranger

61

Truncated Differential Attack on Block Cipher PRINCE

Satoshi Setoguchi1, Yasutaka Igarashi2, Toshinobu Kaneko2, Kenichi Arai3 and Seiji Fukushima1 1The Graduate School of Science and Engineering, Kagoshima University, Kagoshima, Japan 2The Department of Electrical Engineering, Tokyo University of Science, Noda, Japan 3The Graduate School of Engineering, Nagasaki University, Nagasaki, Japan

Abstract:Now that networking is advanced, a variety of information is transmitted through its information network all over the world. Therefore confidentiality of the information is very important, and a variety of security technology has been established. A block cipher algorithm is also one of them. In order to be used se‐cure, it needs to be evaluated its security by a third party. In this study we focus on the block cipher PRINCE and evaluate its security. PRINCE is an SPN‐type 64‐bit block cipher with a 128‐bit key proposed by Borghoff et al. in 2012. The number of round functions of PRINCE is designed as 12. Although the designers have stat‐ed that differential attack, linear attack, algebraic attack, and biclique attack would not be a threat to the security of PRINCE, we evaluate its security against truncated differential attack from a third party standpoint. Differential attack was proposed by Biham et al., and it is based on the stochastic event of differential path caused by the property of nonlinear function used for an encryption process. Truncated difference attack was proposed by Lars Knudsen, and it considers a difference that is only determined to a limited extent, e.g. zero and nonzero dif‐ference. In 2014 Anne et al. reported the truncated differential attack on 10‐round PRINCE, which requires 2 to the 57.94th power pairs of chosen plaintext and ciphertext, and 2 to the 118.56th power times of encryption operation. This time, we apply multiple round‐elimination method to the 1st and the 2nd rounds of PRINCE. From the 3rd round to the 9th round, we construct differential path. On the 10th round, we construct truncated differential path. As a result, we can attack 11‐round PRINCE with 2 to the 62.81th power pairs of chosen plaintext and ciphertext, and 2 to the 106.82th power times of encryption operation.

Keywords: block cipher, common key cryptosystem, differential attack, truncated differential attack, PRINCE

62

Comparison of Radio Frequency Based Techniques for Device Discrimination and Operation Identification

Barron Stone and Samuel Stone

Department of Electrical and Computer Engineering, Air Force Institute of Technology, Wright‐Patterson AFB, USA

Abstract: Modern worms and viruses that infect supervisory control and data (SCADA) systems, such as the well‐known STUXNET attack, may hide their exist‐ence by reporting false status to the operator while performing nefarious deeds (Zetter 2011). Therefore, it is necessary to develop methods to monitor semicon‐ductor devices that perform critical tasks and control our infrastructure to verify that they are functioning as expected. Additionally, counterfeit hardware in the supply chain threatens system reliability (Stradley 2006) and the outsourcing of microchip production to foreign countries presents the opportunity for malicious hardware Trojans to be implanted in devices (OUSD 2005). The methods that pro‐vide a means of monitoring system operation may also be used to discriminate between authentic and counterfeit/Trojan hardware. This paper presents a com‐parison of techniques to classify unintentional radio‐frequency (RF) emissions (URE) from a microcontroller unit (MCU) for the purposes of discriminating be‐tween devices and identifying executed operations. The MSP430F5529 16‐bit MCU manufactured by Texas Instruments is evaluated as the device under test (DUT). Non‐destructive, non‐contact RF signal collection methods are used to ac‐quire URE from 10 same‐model devices executing specially designed software routines. The collected emissions are divided into two groups, training and testing signals, which are then processed using a multiple discriminant analysis/maximum likelihood (MDA/ML) classifier with radio‐frequency distinct native attribute (RF‐DNA) “fingerprints” and a time domain matched filtering technique to develop models (training) and evaluate their effectiveness (testing). The classification as‐pect of this research performs a one‐vs‐many comparison to estimate which de‐vice produced each test signal, in the case of hardware discrimination, or which instruction was being executed, in the case of operation estimation. Verification utilizes a one‐vs‐one comparison to validate that an observed RF emission corre‐sponds to an authentic device. Classification and verification results are presented and compared for device discrimination and operation identification using the RF‐DNA with MDA/ML and matched filtering techniques.

Keywords: unintentional RF emissions, operation identification, device discrimi‐nation, matched filtering, radio‐frequency distinct native attributes, MSP430

63

Non

Academic

Paper

65

How a Nuanced Approach to Organizational Loss may Lead to Improved Policies, Better Applied Technologies, and Greater Outcomes

Amie Taal1, Jenny Le2, Alex Ponce de Leon3, Karin Jenson4 and James Sherer4 1DeutscheBank AG, New York, USA 2Evolve Discovery, New York, USA 3Google, Mountainview, USA 4BakerHostetler, New York, USA

Abstract: The most common strategic approach to preventing data loss begins with and primarily focuses on three factors: Data In‐Use and related integrated endpoint actions and accessibility issues; Data In‐Motion, including applied analyt‐ics and interwoven network traffic considerations; and Data At‐Rest, which incor‐porates data location, management, storage issues, and post‐event analysis. While this common approach provides value, we challenge the assumption that this approach tells the entirety of the data loss story, especially since it is difficult to define true markers of loss. Instead, we assert that data loss prevention strat‐egies deserve a nuanced approach, including a consideration of what data loss truly means to the organization. Our nuanced approach to data loss evaluates what data loss actually means for the organization and factors this into the solu‐tion suite an organization employs to prevent the loss. To clearly consider the full data loss story and choose the best individual or combination of solutions, we assert that the organization may need to consider and define data loss according to a number of factors important to the eventual remediation strategy. Headline‐making, intentional, and malicious data loss may remain the focus of the tradi‐tional approach and the primary consideration for many organizations. But the nuanced approach explored in this paper—which includes unintentional employ‐ee data sharing and unintentional data deletion—should also be incorporated into a more encompassing understanding of data loss when determining a strategy and attendant measures. Data loss measurement also requires considerations as to how it is defined by statute and regulation (as disclosure laws differ by region); from whose perspective the loss is evaluated, as various stakeholder perspectives may include business people with a defined interest in the information, infor‐mation technology professionals who support that work, lawyers (internal and external) to the business, third party contractors, customers, and day‐to‐day users of the data (especially in those sectors protecting personal data such as health information); and whether the data loss was categorized as confidential or sensi‐tive, thus deserving of protection from unauthorized access or exposure. Based

66

on these additional considerations of risk and stakeholder perspective, we assert that the considerations presented in this paper will provide a better understand‐ing of data loss, and that their utilization will aid organizations when developing more holistic and relevant data loss prevention strategies.

Keywords: acceptable user policy, data loss, data in‐use, data in‐motion, data at‐rest, distributed denial of service

67

Work In

Progress

Paper

69

A Process‐Oriented Intrusion Detection Method for In‐dustrial Control Systems

Edward Colbert1, 2, Daniel Sullivan3, 2, Steve Hutchinson1, 2, Kenneth Renard1, 2 and Sidney Smith2 1ICF International, Inc., Fairfax, USA 2US Army Research Lab, Adelphi, USA 3Raytheon Company, Dulles, USA

Abstract: We have developed a process‐oriented method for intrusion detection for use on Industrial Control System (ICS) networks. Network traffic from an ICS has a much lower volume than that from a typical IT enterprise network, and the traffic is much more regular (periodic) and predictable. Most intrusion detection systems for ICSs require additional capabilities. ICS network traffic is relatively predictable and regular and anomaly‐based intrusion detection methods have been shown in the literature to work reasonably well. We use anomaly‐based methods as one line of defense. We propose to strengthen ICS intrusion detection methods by adding two process‐oriented alerting methods. Unlike most anomaly detection methods, these two methods are not configured solely by a network engineer based on inspection of network traffic. We utilize Critical Process Varia‐bles, which are defined by the plant operators themselves. The advantage is that the plant operators have the best knowledge of the critical assets of their system. Limiting values of the Critical Process Variables are defined collaboratively by the plant operator and the network security engineer. A network sensor then alerts a Human Analyst when Critical Process Variables values exceed the defined ranges. We also introduce a third method, which employs Process Network Parameter Metrics, which are also defined collaboratively with the plant operator. Process Network Parameter Metrics are pre‐defined measurements from network traffic that may indicate that either process components are missing or there is addi‐tional traffic present that the process should not normally produce. After initial discussions with the plant operator, the network security engineer designs net‐work models and metrics with appropriate alerting functions in the network sen‐sor. Alerts from Process Network Parameter Metrics may not indicate a critical security incident as Critical Process Variables would, but they may provide an im‐portant warning that suspicious behavior is present.

Keywords: cyber, ICS, SCADA, security, intrusion detection

71

Abstracts

Only

73

The Limitations of Hard Disk Firewalls John McCarthy1 and Adam Jeffreys2 1Buckinghamshire New University, High Wycombe, Bucks, UK 2Hewlett Packard Enterprise, UK Abstract: As we move into the fully deployed Internet of Things Cyber‐attacks have never been more prevalent. Importantly these new complex systems may create unknowable attack vectors, making them very difficult to defend and miti‐gate from attack. Cyber‐attacks are also growing in complexity and sophistication and system controllers are seeking innovative solutions to the ever increasing cyber threats they face. It has been suggested that Hard Disk Firewalls (HDFs) may offer a solution to mitigate against some of the modern day cyber‐attack methods used by cyber criminals. This paper aims to inform the reader of potential prob‐lems with using HDFs as a sole means of defense from cyber‐attack. HDFs have been described as the future of cyber‐attack protection. The premise of this type of software is the prevention of specific file types being written to disk (such as executable files). Using this type of software, it is suggested that malware and attack tools cannot be written to the hard drive. Therefore, if an attacker were to gain access via exploitation of a vulnerability they would be significantly limited in their post exploitation tactics. HDFs also state they protection they provide against malware. In theory, malware would not be able to be written to the hard disk for execution or to be deployed as any type of persistence mechanism via an executable file. The research in this paper focuses on the concerns surrounding HDFs; the significance of the protection they offer in relation to tools and meth‐odologies used by attackers today. This paper details the research that that has uncovered ways to bypass such protection mechanisms and why, as a cyber‐defense tool, HDFs should not be relied upon as a single solution to prevent cyber‐attacks. It has been found that, while HDFs do prevent the writing of specif‐ic types of files to disk, this protection can be bypassed allowing data to be writ‐ten to the physical media. Furthermore, this method of prevention is not able to mitigate attacks that are performed via memory (a very common technique used by cyber criminals for antivirus and forensic evasion), attacks originating from unprotected drives or stop the leakage of intellectual property or sensitive mate‐rial being taken. The paper concludes with a series of recommendations to en‐hance the security of systems that are currently using HDFs to help mitigate the security issues highlighted by this research. Why is your paper of interest to the conference participants? Use this space to persuade the reviewers why they should select this abstract for the conference: The outcome of this paper will help to secure systems and contribute to the body of cyber security knowledge about

74

Hard Disk Firewalls (HDF). This information will aid practitioners and academics in further study and the security of devices using HDF technology.

Keywords: hard disk firewall, hard drive firewall, HDF, HDFs

Abductions as PSYOP Strategy: Hamas as a Case in Point

Ron Schleifer Ariel University of Samaria, Ariel, Israel

Abstract: Abductions have taken place since the dawn of warfare. However, in the past decade, there has been a discernible trend in the war against radical Islam of abductions playing a far more strategic role than merely to obtain ransom or a prisoner exchange. Radical Islam, as a result of its physical inferiority compared to Western military strength, resorts to the ancient art of psychological warfare. The article presents the capture of IDF soldier Gilad Shalit as a case study to argue that an abduction is primarily a tool for disrupting the enemy’s social cohesion prior to a military campaign. This understanding can shed light on dealing with ISIS, the Taliban, and other forms of radical Islam in their campaigns to the caliphate. Ha‐mas uses PSYOP as an integral part of its revolutionary warfare against Israel. As a local Palestinian branch of the global Moslem Brotherhood it is very relevant for the EU and the US to monitor this phenomenon.

Keywords: PSYOP, Hamas, Middle East, Israel

Cyber Maneuver Warfare and Active Cyber Defense

Jeffrey Simpson OUDI DI2E Framework, Urbana, USA

Abstract: Cut and paste or type your abstract in the space below. :: Today’s cur‐rent battlefield is distributed by nature. Computer systems are crucial for main‐taining shared situational awareness between units across the extended battlespace. The primary function of our Command & Control, Intelligence, Sur‐veillance and Reconnaissance (C2ISR) systems is to create and maintain an effi‐cient kill chain and shortened response time compared to any potential adversary. A primary action of cyber attacks is to deny or corrupt individual systems and thus reduce the overall trust commanders have in those systems. The civilian infra‐structure has the same operational characteristics as C2ISR systems and damage to those systems could be equally catastrophic. Classic cyber defenses are fairly

75

static and rely on intrusion detection and other mitigating technologies that are engaged after an attack as occurred. Current practice for dealing with cyber at‐tacks include incident responses after an attack has happened. These responses are likely too late and could result is catastrophic consequences if timed correctly with kinetic or other attacks. To avert cyber attacks before they occur, active de‐fenses can and should be employed to frustrate cyber attacks for any manner of potential adversary. This paper deals with Network‐Based Moving Target Defens‐es (NB‐MTD) which is an important aspect of active cyber defense. A MTD pro‐vides a new set of degrees of freedom for maneuver in cyberspace. Currently, distributed systems tend to remain static on the network. A MTD strategy would allow friendly C2ISR systems to change their network address based on a number of possible scenarios – including reacting to a detected attack or simply randomly. However, changing the network address of a service is easy. When a service moves, it may severely break the configuration of a distributed system. Telling all the legitimate clients of that distributed service where it moved in a secure fash‐ion is a difficult problem. Currently, this is usually done via slow and error‐prone communications between system administrators followed by manual reconfigura‐tion of the various clients. However, it’s clear that a fast and automated NB‐MTD implementation is required for next‐generation battlefields to enable effective maneuver in the cyber domain to actively dodge certain attacks in that domain. This paper is focused on technologies relating to Network‐Based Moving Target Defenses (NB‐MTD). Specifically, it discusses existing and emerging technologies that will allow moving network services to securely communicate their new net‐work locations to legitimate clients. It also discusses its current open source im‐plementation (argo.ws), its current status and various case‐studies within the US C2ISR domain.Why is your paper of interest to the conference participants? Use this space to persuade the reviewers why they should select this abstract for the conference: The area of active cyber defenses and Moving Target Defenses is a new field of research. There are very few existing implementations of a Moving Target Defense and this paper discusses the fundamentals of how the US DoD and IC is approaching the problem of actively avoiding a cyber attack.

Keywords: cyberwar, active defense, moving target defense, SOA, service discov‐ery

77

Paper

Citations

79

The importance of paper citations and Google Scholar

As an academic researcher you will know the importance of having access to the work of other researchers in your field as well as making your own work availa‐ble to others. In the area of academic publishing this is achieved through cita‐tion indexing. There are a number of bodies that undertake this task includ‐ing Thompson ISI, Elsevier Scopus and Google Scholar – to name just a few.

At ACPI we do all we can to ensure that the conference proceedings and the journals that we publish are made available to the major citation bodies and you can see a list relevant to this conference on the home page of the con‐ference website.

However, it is also important for you, the author, to make sure that you have made your work available for citation – particularly with organizations such as Google Scholar. We are providing you here with the simple steps you need to take to do this and we would ask you to take the time to upload your paper as soon as you can.

Step one: Extract your paper from the full proceedings that you have download‐ed from the Dropbox link provided to you.

Step two: Upload your paper to your own website, e.g.,

www.university.edu/~professor/jpdr2009.pdf ; and add a link to it on your publications page, such as www.university.edu/~professor/publications.html.

Make sure that the full text of your paper is in a PDF file that ends with ".pdf",

The Google Scholar search robots should normally find your paper and in‐clude it in Google Scholar within several weeks. If this doesn't work, you could check if your local institutional repository is already configured for indexing in Google Scholar, and upload your papers there.

More information is available from http://scholar.google.com.au/intl/en/scholar/inclusion.html

80

We will separately upload the proceedings to Google Books which is also searched – but evidence has shown that individual upload results in quicker in‐dexing by Google Scholar.

Your own institution may also subscribe to an in‐stitutional repository such as http://digitalcommons.bepress.com/ or http://dspace.org/

Providing the original reference of your paper is included you have our permission as publishers to have your paper uploaded to these repositories.

Sue Nugus ACPIL

Research Jotter Research ideas can happen at any time –

catch them in writing when they first occur

Abstracts of the Papers Presented at the International on ... · Continuity Model Xiaomi An,...

Documents

Transcript of Abstracts of the Papers Presented at the International on ... · Continuity Model Xiaomi An,...