Cyber Threat Intelligence and Analytics

Permanent URI for this collection


Recent Submissions

Now showing 1 - 10 of 10
  • Item
    Detecting Cyber Security Vulnerabilities through Reactive Programming
    ( 2019-01-08) Moholth, Ole Christian ; Juric, Radmila ; McClenaghan, Karoline Moholth
    We propose a software architectural model, which uses reactive programming for collecting and filtering live tweets and interpreting their potential correlation to software vulnerabilities and exploits. We aim to investigate if we could discover the existence of exploits for disclosed vulnerabilities in Twitter data streams. Reactive programming is used for performing filtering and querying of tweet to find potential exploits. The result of processing Twitter data streams with reactive programming could be broadcasted, by pointing towards potential exploits, which might create a cyber-attack. They can also be entered as a new entry into existing overt or open source intelligence repositories.
  • Item
    Insight from a Docker Container Introspection
    ( 2019-01-08) Watts, Thomas ; Benton, Ryan ; Glisson, William ; Shropshire, Jordan
    Large-scale adoption of virtual containers has stimulated concerns by practitioners and academics about the viability of data acquisition and reliability due to the decreasing window to gather relevant data points. These concerns prompted the idea that introspection tools, which are able to acquire data from a system as it is running, can be utilized as both an early warning system to protect that system and as a data capture system that collects data that would be valuable from a digital forensic perspective. An exploratory case study was conducted utilizing a Docker engine and Prometheus as the introspection tool. The research contribution of this research is two-fold. First, it provides empirical support for the idea that introspection tools can be utilized to ascertain differences between pristine and infected containers. Second, it provides the ground work for future research conducting an analysis of large-scale containerized applications in a virtual cloud.
  • Item
    A Social Network Analysis (SNA) Study On Data Breach Concerns Over Social Media
    ( 2019-01-08) Vemprala, Naga ; Dietrich, Glenn
    In the current era of digital devices, the concerns over data privacy and security breaches are rampant. Understanding these concerns by analyzing the messages posted on the social media from linguistic perspective has been a challenge that is increasing in complexity as the number of social media sites increase and the volume of data increases. We investigate the diffusion characteristics of the information attributed to data breach messages, first based on the literary aspects of the message and second, we build a social network of the users who are directly involved in spreading the messages. We found that the messages that involve the technicalities, threat and severity related security characteristics spread fast. Contrary to conventional news channels related posts on social media that capture wide attention, breach information diffusion follows a different pattern. The messages are widely shared across the tech-savvy groups and people involved in security-related studies. Analyzing the messages in both linguistic and visual perspective through social networks, researchers can extract grounded insights into these research questions.
  • Item
    Investigating 3D Printer Residual Data
    ( 2019-01-08) Miller, Daniel ; Gatlin, Jacob ; Glisson, William ; Yampolskiy, Mark ; McDonald, Jeffrey
    The continued adoption of Additive Manufacturing (AM) technologies is raising concerns in the security, forensics, and intelligence gathering communities. These concerns range from identifying and mitigating compromised devices, to theft of intellectual property, to sabotage, to the production of prohibited objects. Previous research has provided insight into the retrieval of configuration information maintained on the devices, but this work shows that the devices can additionally maintain information about the print process. Comparisons between before and after images taken from an AM device reveal details about the device’s activities, including printed designs, menu interactions, and the print history. Patterns in the storage of that information also may be useful for reducing the amount of data that needs to be examined during an investigation. These results provide a foundation for future investigations regarding the tools and processes suitable for examining these devices.
  • Item
    Cross-Site Scripting (XSS) Detection Integrating Evidences in Multiple Stages
    ( 2019-01-08) Zhang, Jingchi ; Jou, Yu-Tsern ; Li, Xiangyang
    As Cross-Site Scripting (XSS) remains one of the top web security risks, people keep exploring ways to detect such attacks efficiently. So far, existing solutions only focus on the payload in a web request or a response, a single stage of a web transaction. This work proposes a new approach that integrates evidences from both a web request and its response in order to better characterize XSS attacks and separate them from normal web transactions. We first collect complete payloads of XSS and normal web transactions from two databases and extract features from them using the Word2vec technique. Next, we train two Gaussian mixture models (GMM) with these features, one for XSS transaction and one for normal web transactions. These two models can generate two probability scores for a new web transaction, which indicate how similar this web transaction is to XSS and normal traffics respectively. Finally, we put together these two GMM models in classification by combining these two probabilities to further improve detection accuracy.
  • Item
    How Good is Your Data? Investigating the Quality of Data Generated During Security Incident Response Investigations
    ( 2019-01-08) Grispos, George ; Glisson, William ; Storer, Tim
    An increasing number of cybersecurity incidents prompts organizations to explore alternative security solutions, such as threat intelligence programs. For such programs to succeed, data needs to be collected, validated, and recorded in relevant datastores. One potential source supplying these datastores is an organization’s security incident response team. However, researchers have argued that these teams focus more on eradication and recovery and less on providing feedback to enhance organizational security. This prompts the idea that data collected during security incident investigations may be of insufficient quality for threat intelligence analysis. While previous discussions focus on data quality issues from threat intelligence sharing perspectives, minimal research examines the data generated during incident response investigations. This paper presents the results of a case study identifying data quality challenges in a Fortune 500 organization’s incident response team. Furthermore, the paper provides the foundation for future research regarding data quality concerns in security incident response.
  • Item
    Detecting Dynamic Security Threats in Multi-Component IoT Systems
    ( 2019-01-08) Shrestha, Isaac ; Hale, Matthew
    The rising ubiquity of the Internet of Things (IoT) has heralded a new era of increasingly prolific and damaging IoT-centric security threat vectors. Fast-paced market demand for multi-featured IoT products urge companies, and their software engineers, to bring products to market quickly, often at the cost of security. Lack of proper security threat analysis tooling during development, testing, and release cycles exacerbate security concerns. In this paper, we augment a security threat analysis tool to use audit hooks, open-source information capture components, and machine learning techniques to profile dynamic wearable and IoT operations spanning multiple components during execution. Our tool encourages data-drive threat identification and analysis approaches that can help software engineers perform dynamic testing and threat analysis to mitigate code-level vulnerabilities that lead to attacks in IoT applications. Our approach is evaluated by means of a case study involving a system evaluation across several common attack vectors.
  • Item
    Comparison of Supervised and Unsupervised Learning for Detecting Anomalies in Network Traffic
    ( 2019-01-08) McAndrew, Robert ; Hayne, Stephen ; Wang, Haonan
    Adversaries are always probing for vulnerable spots on the Internet so they can attack their target. By examining traffic at the firewall, we can look for anomalies that may represent these probes. To help select the right techniques we conduct comparisons of supervised and unsupervised machine learning on network flows to find sets of outliers flagged as potential threats. We apply Functional PCA and K-Means together versus Multilayer Perceptron on a real-world dataset of traffic prior to an NTP DDoS attack in January 2014; scanning activity was heightened during this pre-attack period. We partition data to evaluate detection powers of each technique and show that FPCA+Kmeans outperforms MLP. We also present a new variation of the circle plot for visualization of resulting outliers which we suggest excels at displaying multidimensional attributes of an individual IP's behavior over time. In small multiples, circle plots show a gestalt overview of traffic.
  • Item
    Dimensional Reduction Analysis for Constellation-Based DNA Fingerprinting to Improve Industrial IoT Wireless Security
    ( 2019-01-08) Rondeau, Christopher M. ; Temple, Michael ; Betances, J. Addison
    The Industrial Internet of Things (IIoT) market is skyrocketing towards 100 billion deployed devices and cybersecurity remains a top priority. This includes security of ZigBee communication devices that are widely used in industrial control system applications. IIoT device security is addressed using Constellation-Based Distinct Native Attribute (CB-DNA) Fingerprinting to augment conventional bit-level security mechanisms. This work expands upon recent CB-DNA “discovery” activity by identifying reduced dimensional fingerprints that increase the computational efficiency and effectiveness of device discrimination methods. The methods considered include Multiple Discriminant Analysis (MDA) and Random Forest (RndF) classification. RndF deficiencies in classification and post-classification feature selection are highlighted and addressed using a pre-classification feature selection method based on a Wilcoxon Rank Sum (WRS) test. Feature down-selection based on WRS testing proves to very reliable, with reduced feature subsets yielding cross-device discrimination performance consistent with full-dimensional feature sets, while being more computationally efficient.
  • Item
    Introduction to the Minitrack on Cyber Threat Intelligence and Analytics
    ( 2019-01-08) Choo, Kim-Kwang Raymond ; Dehghantanha, Ali