Dissertations / Theses on the topic 'Computer viruses. Cyberterrorism. Computer networks'

Thesis (M.S. in Computer Science)--Naval Postgraduate School, December 2003.
Thesis advisor(s): James B. Michael, Mikhail Auguston. Includes bibliographical references (p. 52-54). Also available online.

Presidential Decision Directive (PDD) 63 calls for improving the security of Supervisory Control and Data Acquisition (SCADA) and other control systems which operate the critical infrastructure of the United States. In the past, these industrial computer systems relied on security through obscurity. Recent economic and technical shifts within the controls industry have increased their vulnerability to cyber attack. Concurrently, their value as a target has been recognized by terrorist organizations and competing nation states. Network reconnaissance is a basic tool that allows computer security managers to understand their complex systems. However, existing reconnaissance tools incorporate little or no understanding of control systems. This thesis provides a conceptual analysis for the creation of a SCADA network exploration/reconnaissance tool. Several reconnaissance techniques were researched and reviewed in a laboratory environment to determine their utility for SCADA system discovery. Additionally, an application framework using common non-SCADA security tools was created to provide a proof of concept. Development of a viable tool for identifying SCADA systems remotely will help improve critical infrastructure security by improving situational awareness for network managers.

Thesis (M.S. in Computer Science)--Naval Postgraduate School, Sept. 2004.
Thesis advisor(s): Cynthia E. Irvine, Karen Burke. Includes bibliographical references (p. 161-162). Also available online.

This document aims to provide a complete discussion on vulnerability and patch management. The first chapters look at the trends relating to vulnerabilities, exploits, attacks and patches. These trends describe the drivers of patch and vulnerability management and situate the discussion in the current security climate. The following chapters then aim to present both policy and technical solutions to the problem. The policies described lay out a comprehensive set of steps that can be followed by any organisation to implement their own patch management policy, including practical advice on integration with other policies, managing risk, identifying vulnerability, strategies for reducing downtime and generating metrics to measure progress. Having covered the steps that can be taken by users, a strategy describing how best a vendor should implement a related patch release policy is provided. An argument is made that current monthly patch release schedules are inadequate to allow users to most effectively and timeously mitigate vulnerabilities. The final chapters discuss the technical aspect of automating parts of the policies described. In particular the concept of 'defense in depth' is used to discuss additional strategies for 'buying time' during the patch process. The document then goes on to conclude that in the face of increasing malicious activity and more complex patching, solid frameworks such as those provided in this document are required to ensure an organisation can fully manage the patching process. However, more research is required to fully understand vulnerabilities and exploits. In particular more attention must be paid to threats, as little work as been done to fully understand threat-agent capabilities and activities from a day to day basis.
TeX output 2007.02.08:2212
Adobe Acrobat 9.51 Paper Capture Plug-in

This study researches the varying threats that emanate from terrorists who carry their activity into the online arena. It examines several elements of this threat, including virtual to virtual attacks and threats to critical infrastructure that can be traced to online sources. It then reports on the methods that terrorists employ in using information technology such as the internet for propaganda and other communication purposes. It discusses how the United States government has responded to these problems, and concludes with recommendations for best practices.

Thesis (Ph. D.)--Michigan State University. Dept. of Electrical and Computer Engineering, 2006.
Title from PDF t.p. (viewed on June 19, 2009) Includes bibliographic references. Also issued in print.

Worldwide computer systems continue to execute malicious software that degrades the systemsâ performance and consumes network capacity by generating high volumes of unwanted traffic. Network-based detectors can effectively identify machines participating in the ongoing attacks by monitoring the traffic to and from the systems. But, network detection alone is not enough; it does not improve the operation of the Internet or the health of other machines connected to the network. We must identify malicious code running on infected systems, participating in global attack networks. This dissertation describes a robust and secure approach that identifies malware present on infected systems based on its undesirable use of network. Our approach, using virtualization, attributes malicious traffic to host-level processes responsible for the traffic. The attribution identifies on-host processes, but malware instances often exhibit parasitic behaviors to subvert the execution of benign processes. We then augment the attribution software with a host-level monitor that detects parasitic behaviors occurring at the user- and kernel-level. User-level parasitic attack detection happens via the system-call interface because it is a non-bypassable interface for user-level processes. Due to the unavailability of one such interface inside the kernel for drivers, we create a new driver monitoring interface inside the kernel to detect parasitic attacks occurring through this interface. Our attribution software relies on a guest kernelâ s data to identify on-host processes. To allow secure attribution, we prevent illegal modifications of critical kernel data from kernel-level malware. Together, our contributions produce a unified research outcome --an improved malicious code identification system for user- and kernel-level malware.

Many automation and power control systems are integrated into the 'Smart Grid' concept for efficiently managing and delivering electric power. This integrated approach created several challenges that need to be taken into consideration such as cyber security issues, information sharing, and regulatory compliance. There are several issues that need to be addressed in the area of cyber security. Currently, there are no metrics for evaluating cyber security and methodologies to detect cyber attacks are in their infancy. There is a perceived lack of security built into the smart grid systems, but there is no mechanism for information sharing on cyber security incidents. In this thesis, we discuss the vulnerabilities in power system devices, and present ideas and a proposal towards multiple-threat system intrusion detection. We propose to test the multiple-threat methods for cyber security monitoring on a multi-laboratory test bed, and aid the development of a SCADA test bed, to be constructed on the Georgia Tech Campus.

The use of Network Telescope systems has become increasingly popular amongst security researchers in recent years. This study provides a framework for the utilisation of this data. The research is based on a primary dataset of 40 million events spanning 50 months collected using a small (/24) passive network telescope located in African IP space. This research presents a number of differing ways in which the data can be analysed ranging from low level protocol based analysis to higher level analysis at the geopolitical and network topology level. Anomalous traffic and illustrative anecdotes are explored in detail and highlighted. A discussion relating to bogon traffic observed is also presented. Two novel visualisation tools are presented, which were developed to aid in the analysis of large network telescope datasets. The first is a three-dimensional visualisation tool which allows for live, near-realtime analysis, and the second is a two-dimensional fractal based plotting scheme which allows for plots of the entire IPv4 address space to be produced, and manipulated. Using the techniques and tools developed for the analysis of this dataset, a detailed analysis of traffic recorded as destined for port 445/tcp is presented. This includes the evaluation of traffic surrounding the outbreak of the Conficker worm in November 2008. A number of metrics relating to the description and quantification of network telescope configuration and the resultant traffic captures are described, the use of which it is hoped will facilitate greater and easier collaboration among researchers utilising this network security technology. The research concludes with suggestions relating to other applications of the data and intelligence that can be extracted from network telescopes, and their use as part of an organisation’s integrated network security systems

Careful examination of the composition and concentration of malicious traffic in transit on the channels of the Internet provides network administrators with a means of understanding and predicting damaging attacks directed towards their networks. This allows for action to be taken to mitigate the effect that these attacks have on the performance of their networks and the Internet as a whole by readying network defences and providing early warning to Internet users. One approach to malicious traffic monitoring that has garnered some success in recent times, as exhibited by the study of fast spreading Internet worms, involves analysing data obtained from network telescopes. While some research has considered using measures derived from network telescope datasets to study large scale network incidents such as Code-Red, SQLSlammer and Conficker, there is very little documented discussion on the merits and weaknesses of approaches to analyzing network telescope data. This thesis is an introductory study in network telescope analysis and aims to consider the variables associated with the data received by network telescopes and how these variables may be analysed. The core research of this thesis considers both novel and previously explored analysis techniques from the fields of security metrics, baseline analysis, statistical analysis and technical analysis as applied to analysing network telescope datasets. These techniques were evaluated as approaches to recognize unusual behaviour by observing the ability of these techniques to identify notable incidents in network telescope datasets

Internet worm attacks have become increasingly more frequent and have had a major impact on the economy, making the detection and prevention of these attacks a top security concern. Several countermeasures have been proposed and evaluated in recent literature. However, the eect of these proposed defensive mechanisms on legitimate competing traffic has not been analyzed. The first contribution of this thesis is a comparative analysis of the effectiveness of several of these proposed mechanisms, including a measure of their effect on normal web browsing activities. In addition, we introduce a new defensive approach that can easily be implemented on existing hosts, and which significantly reduces the rate of spread of worms using TCP connections to perform the infiltration. Our approach has no measurable effect on legitimate traffic. The second contribution is presenting a variant of the flash worm that we term Compact Flash or CFlash that is capable of spreading even faster than its predecessor. We perform a comparative study between the flash worm and the CFlash worm using a full-detail packet-level simulator, and the results show the increase in propagation rate of the new worm given the same set of parameters. The third contribution is the study of the behavior of TCP based worms in MANETs. We develop an analytical model for the worm spread of TCP worms in the MANETs environment that accounts for payloadsize, bandwidthsharing, radio range, nodal density and several other parameters specific for MANET topologies. We also present numerical solutions for the model and verify the results using packetlevel simulations. The results show that the analytical model developed here matches the results of the packetlevel simulation in most cases.

This dissertation investigates and introduces novel algorithms, theories, and supporting frameworks to significantly improve the growing problem of Internet security. A distributed firewall and active response architecture is introduced that enables any device within a cyber environment to participate in the active discovery and response of cyber attacks. A theory of semantic association systems is developed for the general problem of knowledge discovery in data. The theory of semantic association systems forms the basis of a novel semantic path merger packet classification algorithm. The theoretical aspects of the semantic path merger packet classification algorithm are investigated, and the algorithm's hardware-based implementation is evaluated along with comparative analysis versus content addressable memory. Experimental results show that the hardware implementation of the semantic path merger algorithm significantly outperforms content addressable memory in terms of energy consumption and operational timing.

M.Com. (Informatics)
Cyber issues are global phenomena in a world of inter-related systems, and as such, the discussion on cybersecurity frameworks, policies and strategies inevitably requires reference to, and benchmarking with regional, continental and global trends and solutions. This, in the context of the effects of globalisation on developing countries, with specific reference to areas such as Africa as a developing continent with regard to the protection of its cyberspace. More drastic measures, such as the utilization of cyber warfare techniques and pre-emptive cyber strike-teams in addition to traditional cybersecurity mechanisms as an essential part of a national security effort to protect cyberspace has become more prevalent within the developed worlds. Likewise, developing nations need to gear themselves in a structured, coordinated and responsible way in order to do their part to secure their own environments. Cyberspace is a dynamic global environment with cyber related issues being a global concern. Although countries generally regulate their own cyber environment through policy; cross-border cyber issues are difficult to resolve and the lack of international cyber laws impede cybersecurity efforts. Cybercrime and the management of cross-border cyber incidents are becoming a growing national security concern as the lack of effective controls leave critical infrastructure and the cyber-connected environment vulnerable to attack. Some developing countries are on track with the maturity of their cybersecurity initiatives, but appropriate cybersecurity frameworks for many developing countries require careful consideration, especially due to the lack of resources, infrastructure and local technology development capabilities.

Τα τελευταία χρόνια το Διαδίκτυο αναπτύσσεται και επεκτείνεται με εκθετικούς ρυθμούς τόσο σε επίπεδο πλήθους χρηστών όσο και σε επίπεδο παρεχόμενων υπηρεσιών. Η ευρεία χρήση των κατανεμημένων βάσεων δεδομένων, των κατανεμημένων υπολογιστών και των τηλεπικοινωνιακών εφαρμογών βρίσκει άμεση εφαρμογή και αποτελεί θεμελιώδες στοιχείο στις επικοινωνίες, στην άμυνα, στις τράπεζες, στα χρηματιστήρια, στην υγεία, στην εκπαίδευση και άλλους σημαντικούς τομείς. Το γεγονός αυτό, έχει κάνει επιτακτική την ανάγκη προστασίας των υπολογιστικών και δικτυακών συστημάτων από απειλές που μπορούν να τα καταστήσουν τρωτά σε κακόβουλους χρήστες και ενέργειες. Αλλά για να προστατεύσουμε κάτι θα πρέπει πρώτα να καταλάβουμε και να αναλύσουμε από τι απειλείται. Η διαθεσιμότητα αξιόπιστων μοντέλων σχετικά με τη διάδοση απειλών στα δίκτυα υπολογιστών, μπορεί να αποδειχθεί χρήσιμη με πολλούς τρόπους, όπως το να προβλέψει μελλοντικές απειλές ( ένα νέο Code Red worm) ή να αναπτύξει νέες μεθόδους αναχαίτισης. Αυτή η αναζήτηση νέων και καλύτερων μοντέλων αποτελεί ένα σημαντικό τομέα έρευνας στην ακαδημαϊκή και όχι μόνο κοινότητα. Σκοπός της παρούσης εργασίας είναι η παρουσίαση κάποιων βασικών επιδημιολογικών μοντέλων και κάποιων παραλλαγών αυτών. Αναλύουμε για κάθε μοντέλο τις υποθέσεις που έχουν γίνει, τα δυνατά και αδύνατα σημεία αυτών. Αυτά τα μοντέλα χρησιμοποιούνται σήμερα εκτεταμένα προκειμένου να μοντελοποιηθεί η διάδοση αρκετών απειλών στα δίκτυα υπολογιστών, όπως είναι για παράδειγμα οι ιοί και τα σκουλήκια ( viruses and worms). Θα πρέπει εδώ να αναφέρουμε ότι οι ιοί υπολογιστών και τα σκουλήκια (worms) είναι οι μόνες μορφές τεχνητής ζωής που έχουν μετρήσιμη επίδραση-επιρροή στη κοινωνία. Επίσης αναφέρουμε συγκεκριμένα παραδείγματα όπως το Code Red worm, τον οποίων η διάδοση έχει χαρακτηριστεί επιτυχώς από αυτά τα μοντέλα. Τα επιδημιολογικά αυτά μοντέλα που παρουσιάζουμε και αναλύουμε είναι εμπνευσμένα από τα αντίστοιχα βιολογικά, που συναντάμε σήμερα σε τομείς όπως είναι για παράδειγμα ο τομέας της επιδημιολογίας στην ιατρική που ασχολείται με μολυσματικές ασθένειες. Αναλύουμε τις βασικές στρατηγικές σάρωσης που χρησιμοποιούν σήμερα τα worms προκειμένου να βρουν και να διαδοθούν σε νέα συστήματα. Παρουσιάζουμε τα πλεονεκτήματα και μειονεκτήματα αυτών. Επίσης παρουσιάζουμε αναλυτικά κάποιες βασικές κατηγορίες δικτύων που συναντάμε σήμερα και χαρακτηρίζουν τα δίκτυα υπολογιστών. Η γνώση αυτή που αφορά την τοπολογία των δικτύων είναι ένα απαραίτητο στοιχείο που σχετίζεται άμεσα με τη διάδοση κάποιων απειλών που μελετάμε στη συγκεκριμένη εργασία. Τέλος παρουσιάζουμε και αναλύουμε ένα δικό μας μοντέλο διάδοσης απειλών με τη χρήση ενός συστήματος διαφορικών εξισώσεων βασιζόμενοι στο θεώρημα του Wormald. Θεωρούμε ότι τα δίκτυα email, Instant messaging και P2P σχηματίζουν ένα social δίκτυο. Αυτά τα δίκτυα μακροσκοπικά μπορούν να θεωρηθούν σαν μία διασύνδεση ενός αριθμού αυτόνομων συστημάτων. Ένα αυτόνομο σύστημα είναι ένα υποδίκτυο που διαχειρίζεται από μία και μόνο αρχή. Παρουσιάζουμε λοιπόν ένα μοντέλο διάδοσης βασισμένο σε αυτή τη δομή δικτύου που θα αναλύσουμε, καθώς και στις συνήθειες επικοινωνίας των χρηστών. Το μοντέλο αυτό ενσωματώνει τη συμπεριφορά των χρηστών με βάση κάποιες παραμέτρους που ορίζουμε. Επίσης προτείνουμε ένα πιο ρεαλιστικό μοντέλο σχετικά με τη προοδευτική ανοσοποίηση των συστημάτων. Η μοντελοποίηση του δικτύου έγινε με βάση το Constraint Satisfaction Problem (CSP). Χρησιμοποιώντας αυτό το μοντέλο που προτείνουμε, μπορούμε να καθορίσουμε τη διάδοση κάποιων απειλών όταν δεν έχουμε εγκατεστημένο κάποιο πρόγραμμα προστασίας ή σωστά ενημερωμένους χρήστες.
In recent years the Internet grows and expands exponentially rates at many levels of users and service level. The widespread use of distributed databases, distributed computing and telecommunications applications is directly applicable and is an essential element in the communications, defense, banks, stock exchanges in the health, education and other important areas. This has made imperative the need to protect computer and network systems from threats that may make them vulnerable to malicious users and actions. But to protect something you must first understand and analyze what is threatened. The availability of reliable models for the spread of threats to computer networks, may prove useful in many ways, such as to predict future threats (a new Code Red worm) or develop new methods of containment. This search for new and better models is an important area of research in the academic community and not only. The purpose of this work is to present some basic epidemiological models and some variations thereof. We analyze each model assumptions made, the strengths and weaknesses of these. These models are currently used extensively to disseminate montelopoiithei several threats to computer networks, eg viruses and worms (viruses and worms). It should be mentioned here that the computer viruses and worms (worms) are the only artificial life forms that have a measurable impact-influence in society. Also cite specific examples, such as Code Red worm, whose spread has been described successfully by these models. Epidemiological models are presented and analyzed are inspired by their biological, which have been created in areas such as for example the field of epidemiology in medicine that deals with infectious diseases. We analyze the basic scanning strategies used today to find worms and spread to new systems. We present the advantages and disadvantages of these. Also present in detail some basic types of networks which have been characterized and computer networks. This knowledge on the topology of networks is an essential element directly related to the dissemination of some threats are studying in this work. Finally we present and analyze our own model proliferation threats using a system of differential equations based on the theorem of Wormald. We believe that networks email, Instant messaging and P2P form a social network. These networks can be considered macroscopically as an interconnection of a number of autonomous systems. An autonomous system is a subnet managed by a single authority. Presents a diffusion model based on the network structure to be analyzed, and the communication habits of users. This model incorporates the behavior of users based on some parameters set. Also propose a more realistic model of the progressive immune systems. The modeling system was based on the Constraint Satisfaction Problem (CSP). Using this model we propose, we can determine the spread of some threats when we have established a protection program or properly informed users.