Dissertations / Theses on the topic 'Cyber security ; Computing'

In the information age, the growth in availability of both technology and exploit kits have continuously contributed in a large volume of websites being compromised or set up with malicious intent. The issue of drive-by-download attacks formulate a high percentage (77%) of the known attacks against client systems. These attacks originate from malicious web-servers or compromised web-servers and attack client systems by pushing malware upon interaction. Within the detection and intelligence gathering area of research, high-interaction honeypot approaches have been a longstanding and well-established technology. These are however not without challenges: analysing the entirety of the world wide web using these approaches is unviable due to time and resource intensiveness. Furthermore, the volume of data that is generated as a result of a run-time analysis of the interaction between website and an analysis environment is huge, varied and not well understood. The volume of malicious servers in addition to the large datasets created as a result of run-time analysis are contributing factors in the difficulty of analysing and verifying actual malicious behaviour. The work in this thesis attempts to overcome the difficulties in the analysis process of log files to optimise malicious and anomaly behaviour detection. The main contribution of this work is focused on reducing the volume of data generated from run-time analysis to reduce the impact of noise within behavioural log file datasets. This thesis proposes an alternate approach that uses an expert lead approach to filtering benign behaviour from potentially malicious and unknown behaviour. Expert lead filtering is designed in a risk-averse method that takes into account known benign and expected behaviours before filtering the log file. Moreover, the approach relies upon behavioural investigation as well as potential for 5 system compromisation before filtering out behaviour within dynamic analysis log files. Consequently, this results in a significantly lower volume of data that can be analysed in greater detail. The proposed filtering approach has been implemented and tested in real-world context using a prudent experimental framework. An average of 96.96% reduction in log file size has been achieved which is transferable to behaviour analysis environments. The other contributions of this work include the understanding of observable operating system interactions. Within the study of behaviour analysis environments, it was concluded that run-time analysis environments are sensitive to application and operating system versions. Understanding key changes in operating systems behaviours within Windows is an unexplored area of research yet Windows is currently one of the most popular client operating system. As part of understanding system behaviours for the creation of behavioural filters, this study undertakes a number of experiments to identify the key behaviour differences between operating systems. The results show that there are significant changes in core processes and interactions which can be taken into account in the development of filters for updated systems. Finally, from the analysis of 110,000 potentially malicious websites, typical attacks are explored. These attacks actively exploited the honeypot and offer knowledge on a section of the active web-based attacks faced in the world wide web. Trends and attack vectors are identified and evaluated.

The research presented in this thesis covers two specific problems within the larger domain of cyber-physical algorithms for enhancing collaboration between one or more people. The two specific problems are 1) determining when people are going to arrive late to a meeting and 2) creating ad-hoc secure pairing protocols for short-range communication. The domain was broken down at opposite extremes in order to derive these problems to work on: 1) collaborations that are planned long in advance and deviations from the plan need to be detected and 2) collaborations that are not planned and need to be dynamically created and secured. Empirical results show the functionality and performance of user late arrival detection for planned collaborations and end-user authentication protocols for unplanned collaborations.<br>Master of Science

There are a variety of communication mediums or devices for interaction. Users hop from one medium to another frequently. Though the increase in the number of devices brings convenience, it also raises security concerns. Provision of platform to users is as much important as its security. In this dissertation we propose a security approach that captures user behavior for identifying malicious activities. System users exhibit certain behavioral patterns while utilizing the resources. User behaviors such as device location, accessing certain files in a server, using a designated or specific user account etc. If this behavior is captured and compared with normal users? behavior, anomalies can be detected. In our model, we have identified malicious users and have assigned trust value to each user accessing the system. When a user accesses new files on the servers that have not been previously accessed, accessing multiple accounts from the same device etc., these users are considered suspicious. If this behavior continues, they are categorized as ingenuine. A trust value is assigned to users. This value determines the trustworthiness of a user. Genuine users get higher trust value and ingenuine users get a lower trust value. The range of trust value varies from zero to one, with one being the highest trustworthiness and zero being the lowest. In our model, we have sixteen different features to track user behavior. These features evaluate users? activities. From the time users? log in to the system till they log out, users are monitored based on these sixteen features. These features determine whether the user is malicious. For instance, features such as accessing too many accounts, using proxy servers, too many incorrect logins attribute to suspicious activity. Higher the number of these features, more suspicious is the user. More such additional features contribute to lower trust value. Identifying malicious users could prevent and/or mitigate the attacks. This will enable in taking timely action against these users from performing any unauthorized or illegal actions. This could prevent insider and masquerade attacks. This application could be utilized in mobile, cloud and pervasive computing platforms.

Cyber-Physical Systems (CPS) entail the tight integration of and coordination between computational and physical resources. These systems are increasingly becoming vital to modernizing the national critical infrastructure systems ranging from healthcare, to transportation and energy, to homeland security and national defense. Advances in CPS technology are needed to help improve their current capabilities as well as their adaptability, autonomicity, efficiency, reliability, safety and usability.  Due to the proliferation of increasingly sophisticated cyber threats with exponentially destructive effects, CPS defense systems must systematically evolve their detection, understanding, attribution, and mitigation capabilities. Unfortunately most of the current CPS defense systems fall short to adequately provision defense services while maintaining operational continuity and stability of the targeted CPS applications in presence of advanced persistent attacks. Most of these defense systems use un-coordinated combinations of disparate tools to provision defense services for the cyber and physical components. Such isolation and lack of awareness of and cooperation between defense tools may lead to massive resource waste due to unnecessary redundancy, and potential conflicts that can be utilized by a resourceful attacker to penetrate the system.   <br />Recent research argued against the suitability of the current security solutions to CPS environments.  We assert the need for new defense platforms that effectively and efficiently manage dynamic defense missions and toolsets in real-time with the following goals: <br />1) Achieve asymmetric advantage to CPS defenders, prohibitively increasing the cost for attackers; <br />2) Ensure resilient operations in presence of persistent and evolving attacks and failures; and  <br />3) Facilitate defense alliances, effectively and efficiently diffusing defense intelligence and operations transcending organizational boundaries. <br />Our proposed solution comprehensively addresses the aforementioned goals offering an evolutionary CPS defense system. The presented CPS defense platform, termed CyPhyCARD (Cooperative Autonomous Resilient Defenses for Cyber-Physical systems) presents a unified defense platform to monitor, manage, and control the heterogeneous composition of CPS components. CyPhyCARD relies on three interrelated pillars to construct its defense platform. CyPhyCARD comprehensively integrates these pillars, therefore building a large scale, intrinsically resilient, self- and situation- aware, cooperative, and autonomous defense cloud-like platform that provisions adequate, prompt, and pervasive defense services for large-scale, heterogeneously-composed CPS. The CyPhyCARD pillars are: <br />1) Autonomous management platform (CyberX) for CyPhyCARD\'s foundation. CyberX enables application elasticity and autonomic adaptation to changes by runtime diversity employment, enhances the application resilience against attacks and failures by multimodal recovery mechanism, and enables unified application execution on heterogeneously composed platforms by a smart employment of a fine-grained environment-virtualization technology. <br />2) Diversity management system (ChameleonSoft) built on CyberX. ChameleonSoft encrypts software execution behavior by smart employment of runtime diversity across multiple dimensions to include time, space, and platform heterogeneity inducing a trace-resistant moving-target defense that works on securing CyPhyCARD platform against software attacks. <br />3) Evolutionary Sensory system (EvoSense) built on CyberX. EvoSense realizes pervasive, intrinsically-resilient, situation-aware sense and response system to seamlessly effect biological-immune-system like defense. EvoSense acts as a middle layer between the defense service provider(s) and the Target of Defense (ToD) creating a uniform defense interface that hides ToD\'s scale and heterogeneity concerns from defense-provisioning management.<br />CyPhyCARD is evaluated both qualitatively and quantitatively. The efficacy of the presented approach is assessed qualitatively, through a complex synthetic CPS attack scenario. In addition to the presented scenario, we devised multiple prototype packages for the presented pillars to assess their applicability in real execution environment and applications. Further, the efficacy and the efficiency of the presented approach is comprehensively assessed quantitatively by a set of custom-made simulation packages simulating each CyPhyCARD pillar for performance and security evaluation.  The evaluation illustrated the success of CyPhyCARD and its constructing pillars to efficiently and effectively achieve its design objective with reasonable overhead.<br>Ph. D.

Security attacks are becoming more prevalent as cyber attackers exploit system vulnerabilities for financial gain. The resulting loss of revenue and reputation can have deleterious effects on governments and businesses alike. Signature recognition and anomaly detection are the most common security detection techniques in use today. These techniques provide a strong defense. However, they fall short of detecting complicated or sophisticated attacks. Recent literature suggests using security analytics to differentiate between normal and malicious user activities. The goal of this research is to develop a repeatable process to detect cyber attacks that is fast, accurate, comprehensive, and scalable. A model was developed and evaluated using several production log files provided by the University of North Florida Information Technology Security department. This model uses security analytics to complement existing security controls to detect suspicious user activity occurring in real time by applying machine learning algorithms to multiple heterogeneous server-side log files. The process is linearly scalable and comprehensive; as such it can be applied to any enterprise environment. The process is composed of three steps. The first step is data collection and transformation which involves identifying the source log files and selecting a feature set from those files. The resulting feature set is then transformed into a time series dataset using a sliding time window representation. Each instance of the dataset is labeled as green, yellow, or red using three different unsupervised learning methods, one of which is Partitioning around Medoids (PAM). The final step uses Deep Learning to train and evaluate the model that will be used for detecting abnormal or suspicious activities. Experiments using datasets of varying sizes of time granularity resulted in a very high accuracy and performance. The time required to train and test the model was surprisingly fast even for large datasets. This is the first research paper that develops a model to detect cyber attacks using security analytics; hence this research builds a foundation on which to expand upon for future research in this subject area.

Building Automation System (BAS) is a complex distributed control system that is widely deployed in commercial, residential, industrial buildings for monitoring and controlling mechanical/electrical equipment. Through increasing industrial and technological advances, the control components of BAS are becoming increasingly interconnected. Along with potential benefits, integration also introduces new attack vectors, which tremendous increases safety and security risks in the control system. Historically, BAS lacks security design and relies on physical isolation and "security through obscurity". These methods are unacceptable with the "smart building" technologies. The industry needs to reevaluate the safety and security of the current building automation system, and design a comprehensive solution to provide integrity, reliability, and confidentiality on both system and network levels. This dissertation focuses on the system level in the effort to provide a reliable computing foundation for the devices and controllers. Leveraged on the preferred security features such as, robust modular design, small privilege code, and formal verifiability of microkernel architecture, this work describes a security enhanced operating system with built-in mandatory access control and a proxy-based communication framework for building automation controllers. This solution ensures policy-enforced communication and isolation between critical applications and non-critical applications in a potentially hostile cyber environment.

The smart grid is the next-generation electrical infrastructure utilizing Information and Communication Technologies (ICTs), whose architecture is evolving from a utility-centric structure to a distributed Cyber-Physical System (CPS) integrated with a large-scale of renewable energy resources. However, meeting reliability objectives in the smart grid becomes increasingly challenging owing to the high penetration of renewable resources and changing weather conditions. Moreover, the cyber-physical attack targeted at the smart grid has become a major threat because millions of electronic devices interconnected via communication networks expose unprecedented vulnerabilities, thereby increasing the potential attack surface. This dissertation is aimed at developing novel game-theoretic and machine-learning techniques for addressing the reliability and security issues residing at multiple layers of the smart grid, including power distribution system reliability forecasting, risk assessment of cyber-physical attacks targeted at the grid, and cyber attack detection in the Advanced Metering Infrastructure (AMI) and renewable resources. This dissertation first comprehensively investigates the combined effect of various weather parameters on the reliability performance of the smart grid, and proposes a multilayer perceptron (MLP)-based framework to forecast the daily number of power interruptions in the distribution system using time series of common weather data. Regarding evaluating the risk of cyber-physical attacks faced by the smart grid, a stochastic budget allocation game is proposed to analyze the strategic interactions between a malicious attacker and the grid defender. A reinforcement learning algorithm is developed to enable the two players to reach a game equilibrium, where the optimal budget allocation strategies of the two players, in terms of attacking/protecting the critical elements of the grid, can be obtained. In addition, the risk of the cyber-physical attack can be derived based on the successful attack probability to various grid elements. Furthermore, this dissertation develops a multimodal data-driven framework for the cyber attack detection in the power distribution system integrated with renewable resources. This approach introduces the spare feature learning into an ensemble classifier for improving the detection efficiency, and implements the spatiotemporal correlation analysis for differentiating the attacked renewable energy measurements from fault scenarios. Numerical results based on the IEEE 34-bus system show that the proposed framework achieves the most accurate detection of cyber attacks reported in the literature. To address the electricity theft in the AMI, a Distributed Intelligent Framework for Electricity Theft Detection (DIFETD) is proposed, which is equipped with Benford’s analysis for initial diagnostics on large smart meter data. A Stackelberg game between utility and multiple electricity thieves is then formulated to model the electricity theft actions. Finally, a Likelihood Ratio Test (LRT) is utilized to detect potentially fraudulent meters.

Embedded electronics are widely employed in cyber-physical systems (CPSes), which tightly integrate and coordinate computational and physical elements. CPSes are extensively deployed in security-critical applications and nationwide infrastructure. Perimeter security approaches to preventing malware infiltration of CPSes are challenged by the complexity of modern embedded systems incorporating numerous heterogeneous and updatable components. Global supply chains and third-party hardware components, tools, and software limit the reach of design verification techniques and introduce security concerns about deliberate Trojan inclusions. As a consequence, skilled attacks against CPSes have demonstrated that these systems can be surreptitiously compromised. Existing run-time security approaches are not adequate to counter such threats because of either the impact on performance and cost, lack of scalability and generality, trust needed in global third parties, or significant changes required to the design flow. We present a protection scheme called Run-time Enhancement of Trusted Computing (RETC) to enhance trust in CPSes containing untrusted software and hardware. RETC is complementary to design-time verification approaches and serves as a last line of defense against the rising number of inexorable threats against CPSes. We target systems built using reconfigurable hardware to meet the flexibility and high-performance requirements of modern security protections. Security policies are derived from the system physical characteristics and component operational specifications and translated into synthesizable hardware integrated into specific interfaces on a per-module or per-function basis. The policy-based approach addresses many security challenges by decoupling policies from system-specific implementations and optimizations, and minimizes changes required to the design flow. Interface guards enable in-line monitoring and enforcement of critical system computations at run-time. Trust is only required in a small set of simple, self-contained, and verifiable guard components. Hardware trust anchors simultaneously addresses the performance, flexibility, developer productivity, and security requirements of contemporary CPSes. We apply RETC to several CPSes having common security challenges including: secure reconfiguration control in reconfigurable cognitive radio platforms, tolerating hardware Trojan threats in third-party IP cores, and preserving stability in process control systems. High-level architectures demonstrated with prototypes are presented for the selected applications. Implementation results illustrate the RETC efficiency in terms of the performance and overheads of the hardware trust anchors. Testbenches associated with the addressed threat models are generated and experimentally validated on reconfigurable platform to establish the protection scheme efficacy in thwarting the selected threats. This new approach significantly enhances trust in CPSes containing untrusted components without sacrificing cost and performance.<br>Ph. D.

A Cyber-Physical System (CPS) is a large-scale, distributed, embedded system, consisting of various components that are glued together to realize control, computation and communication functions. Although these systems are complex, they are ubiquitous in the Internet of Things (IoT) era of autonomous vehicles/drones, smart homes, smart grids, etc. where everything is connected. These systems are vulnerable to unauthorized penetration due to the absence of proper security features and safeguards to protect important information. Examples such as the typewriter hack involving subversive chips resulting in leakage of keystroke data and hardware backdoors crippling anti-aircraft guns during an attack demonstrate the need to protect all system functions. With more focus on securing a system, trust in untrusted components at the integration stage is of a higher priority. This work builds on a red-black security system, where an architecture testbed is developed with critical and non-critical IP cores and subjected to a variety of Hardware Trojan Threats (HTTs). These attacks defeat the classic trusted hardware model assumptions and demonstrate the ability of Trojans to evade detection methods based on physical characteristics. A novel metric is defined for hardware Trojan detection, termed as HTT Detectability Metric (HDM) that leverages a weighted combination of normalized physical parameters. Security analysis results show that using HDM, 86% of the implemented Trojans were detected as compared to using power consumption, timing variation and resource utilization alone. This led to the formulation of the security requirements for the development of a novel, distributed and secure methodology for enhancing trust in systems developed under untrusted environments called FIDelity Enhancing Security (FIDES). FIDES employs a decentralized information flow control (DIFC) model that enables safe and distributed information flows between various elements of the system such as IP cores, physical memory and registers. The DIFC approach annotates/tags each data item with its sensitivity level and the identity of the participating entities during the communication. Trust enhanced FIDES (TE-FIDES) is proposed to address the vulnerabilities arising from the declassification process during communication between third-party soft IP cores. TE-FIDES employs a secure enclave approach for preserving the confidentiality of the sensitive information in the system. TE-FIDES is evaluated by targeting an IoT-based smart grid CPS application, where malicious third-party soft IP cores are prevented from causing a system blackout. The resulting hardware implementation using TE-FIDES is found to be resilient to multiple hardware Trojan attacks.<br>Ph. D.

Cyber-attack simulation is a suitable method used for assessing the security ofnetwork systems. An attack simulation advances step-wise from a certain systementry-point to explore the attack paths that lead to dierent weaknesses inthe model. Each step is analyzed, and the time to compromise is calculated.Attack simulations are primarily based on attack graphs. The graphs areemployed to model attack steps where nodes can represent assets in the system,and edges can represent the attack steps. To reduce the computational cost associatedwith building an attack graph for each specic system, domain-specicattack languages, or DSL for short, are used.The nal product of this thesis work is azureLang, a probabilistic modelingand simulation language for modeling Microsoft Azure cloud infrastructure.AzureLang is a DSL which denes a generic attack logic for MicrosoftAzure systems. Using azureLang, system administrators can easily instantiatespecic-system scenarios which emulate their Microsoft Azure cloud system infrastructure.After creating the model, attack simulation can be run to assessthe security of the model.<br>Cyberattacksimulering är en lämplig metod som används för att bedöma säkerhetenhos nätverkssystem. En angrepsimulering går stegvis från ett visst systeminmatningspunkt för att utforska angreppsbanorna som leder till olika svagheter i modellen. Varje steg analyseras och tiden för kompromettera beräknas.Attack-simuleringar baseras huvudsakligen på attackgrafer. Graferna används för att modellera angreppssteg där noder kan representera tillgångar i systemet, och kanterna kan representera attackenstegen. För att minska kostnaden för att skapa attackgrafer för varje specifikt system används domänspecifika språk eller DSL förkortat.Den slutliga produkten av detta examensarbete är azureLang, ett probabilistisk hotmodelleringsoch attacksimuleringsspråk för analys av Microsoft Azure Cloud Infrastructure. AzureLang är en DSL som definierar en generisk attacklogik för Microsoft Azure-system. Med hjälp av azureLang kan systemadministratörer enkelt ordna specifika systemscenarier som efterliknar deras Microsoft Azure cloudsystem infrastruktur. Efter att ha skapat modellen kan attack simu-lering köras för att bedöma modellens säkerhet.

Elliptic curve cryptography (ECC) is extensively used in various multifactor authentication protocols. In this work, various recent ECC based authentication and key exchange protocols are subjected to threat modeling and static analysis to detect vulnerabilities, and to enhance them to be more secure against threats. This work demonstrates how currently used ECC based protocols are vulnerable to attacks. If protocols are vulnerable, damages could include critical data loss and elevated privacy concerns. The protocols considered in thiswork differ in their usage of security factors (e.g. passwords, pins, and biometrics), encryption and timestamps. The threatmodel considers various kinds of attacks including denial of service, man in the middle, weak authentication and SQL injection. Countermeasures to reduce or prevent such attacks are suggested. Beyond cryptanalysis of current schemes and proposal of new schemes, the proposed adversary model and criteria set forth provide a benchmark for the systematic evaluation of future two-factor authentication proposals.

Det blir viktigare för företag att tillämpa lyckade implementeringar på arbetsplatser. Detta för att kunna matcha den ökande standarden som företag ställs inför. Företaget pressas därför från flera olika fronter. Teknologier kan därför implementeras som en del av industri 4.0. Detta för att skapa ökad kommunikation, säkrare arbetsplatser och en bättre arbetsmiljö för den anställde med högre kompetens. Detta samtidigt som det ska vara gynnsamt ekonomiskt. För att behålla sig plats på marknaden krävs därför utveckling. Implementeringar på arbetsplatsen är en typ av utveckling. Implementeringar kräver dock struktur och planering för att uppnå ett lyckat resultat. Frågeställningen blir därmed hur implementeringen av de nya teknologierna påverkar människorna i företaget. Detta då förändringar som sker drastiskt på arbetsplatsen påverka säkerheten för den anställde då struktur och kunskap kan saknas. Företag behöver därför arbeta parallellt och med samspel av andra teknologier för att inte utsätta den anställde för risker. Det finns ett flertal teknologier att tillämpa vid implementering av industri 4.0 som påverkar den anställde. Dessa teknologier påverkar olika aspekter även sammanhängande och bör därför implementeras med samspel. Att skapa fördelar på arbetsplatsen med hjälp av teknologierna som förbättrad kommunikation ger den anställde möjlighet till att kunna ta del av teknologins fördelar vid implementering. Genom studien har slutsatsen dragits att dessa fem aspekter kommunikation, arbetsmiljö, säkerhet, ekonomi, utbildning/kompetens är de viktigaste påverkande på den anställde vid implementering av industri 4.0. Syftet med detta examensarbete är att studera teknologier inom industri 4.0 för att finna dess påverkan på den anställde vid implementering. För att besvara frågeställningen har studien använt sig av sekundärdata som innefattar vetenskapliga artiklar och böcker. Teorierna är analyserade och avgränsades under arbetets gång för att presentera en slutsats på frågeställning.

Dissertação de Mestrado em Engenharia Informática apresentada à Faculdade de Ciências e Tecnologia<br>A ubiquidade de acessos á rede global levou a um aumento exponencial do número de ameaças a sistemas digitais. A vasta quantidade e diversidade de vectores de ataque tornaram a área de Ciber Segurança um foco de pesquisa e desenvolvimento na tentativa de minimizar riscos para recursos digitais empresariais e de consumidores.A geração de eventos para catalogar acções e interações de sistemas tornou-se um dos principais meios de perceber e monitorizar tanto o estado actual como o comportamento a longo prazo.A utilização e disponibilização de cada vez mais recursos e tecnologias causou o aumento do volume de eventos gerados. As equipas de Segurança e Resposta a Incidentes que eram responsáveis for reunir, analisar e responder á chegada de Eventos não conseguem responder aos milhares de pontos de dados de diversos sistemas e tipos que recebem apenas com recursos humanos.Para resolver esse problema e ajudar Equipas de Resposta a Incidentes, desenvolver plataformas de monitorização e análise de dados tem sido um foco de profissionais na área de Ciber Segurança. Não só ajudam a apresentar os dados recolhidos, como os conseguem processar, analisar e enriquecer, gerando nova informação com vista global a partir de Eventos originalmente isolados.Este Projecto serve para acrescentar valor a uma dessas plataformas. O Portolan, produto da Dognædis, é uma plataforma de monitorização de segurança com o objectivo de reunir e enriquecer dados de múltiplas fontes externas e formatá-los para um modelo de dados uniforme, com o objectivo de adicionar mais informação ao contexto de segurança interna da empresa cliente. Este Documento detalha o processo que levou ao planeamento, implementação e avaliação de um novo módulo para o Portolan capaz de Processamento de Eventos Complexos.<br>With the ubiquity of access to the global network, threats to computer systems have increased exponentially. The sheer amount and width of attack vectors make Cyber Security a focus of research and development, trying to minimize risk to individuals and corporations' technological assets.A means to get a sense of how systems are behaving is the generation of \glspl{event} based on their current status and behavior, whether by the systems themselves or by outside sources.However, the amount of Events generated has increased exponentially as more and more resources and technologies are made available and used worldwide. Security Operations Center (SOC) teams were initially responsible for gathering, parsing and acting upon \glspl{event} as they arrived, but have recently become a bottleneck, as their manpower pales in comparison to the thousands of incoming data entries, possibly from multiple, highly diverse sources.To solve that problem, and aid incident response teams, development of monitoring and analysis platforms has been a focus of Cyber Security experts. Not only can they help by making data presentable, they can also process, analyse and enrich it, creating new information from a multitude of originally "loose" Events.This project aims to add value to one such platform. Portolan, a Dognaedis product, is a security monitoring platform outfitted for gathering and enriching data from multiple independent sources, formatting it into an uniform data model. Portolan gathers events from external sources in order add more context to internal security events. This document details the planning, implementation and evaluation of a module capable of Complex Event Processing, creating Complex Events from the data already gathered by Portolan.

The recent emergence and rapid advancement of Cloud Computing (CC) infrastructure and services have made outsourcing Information Technology (IT) and digital services to Cloud Providers (CPs) attractive. Cloud offerings enable reduction in IT resources (hardware, software, services, support, and staffing), and provide flexibility and agility in resource allocation, data and resource delivery, fault-tolerance, and scalability. However, the current standards and guidelines adopted by many CPs are tailored to address functionality (such as availability, speed, and utilization) and design requirements (such as integration), rather than protection against cyber-attacks and associated security issues. In order to achieve sustainable trust for cloud services with minimal risks and impact on cloud customers, appropriate cloud information security models are required. The research described in this dissertation details the processes adopted for the development and implementation of an integrated information security cloud based approach to cloud service models. This involves detailed investigation into the inherent information security deficiencies identified in the existing cloud service models, service agreements, and compliance issues. The research conducted was a multidisciplinary in nature, with detailed investigations on factors such as people, technology, security, privacy, and compliance involved in cloud risk assessment to ensure all aspects are addressed in holistic and well-structured models. The primary research objectives for this dissertation are investigated through a series of scientific papers centered on these key research disciplines. The assessment of information security, privacy, and compliance implementations in a cloud environment is described in Chapters two, three, four, and five. Paper 1 (CCIPS: A Cooperative Intrusion Detection and Prevention Framework for Cloud Services) outlines a framework for detecting and preventing known and zero-day threats targeting cloud computing networks. This framework forms the basis for implementing enhanced threat detection and prevention via behavioral and anomaly data analysis. Paper 2 (A Trusted CCIPS Framework) extends the work of cooperative intrusion detection and prevention to enable trusted delivery of cloud services. The trusted CCIPS model details and justifies the multi-layer approach to enhance the performance and efficiency of detecting and preventing cloud threats. Paper 3 (SOCaaS: Security Operations Center as a Service for Cloud Computing Environments) describes the need for a trusted third party to perform real-time monitoring of cloud services to ensure compliance with security requirements by suggesting a security operations center system architecture. Paper 4 (SecSLA: A Proactive and Secure Service Level Agreement Framework for Cloud Services) identifies the necessary cloud security and privacy controls that need to be addressed in the contractual agreements, i.e. service level agreements (SLAs), between CPs and their customers. Papers five, six, seven, and eight (Chapters 6 – 9) focus on addressing and reducing the risk issues resulting from poor assessment to the adoption of cloud services and the factors that influence such as migration. The investigation of cloud-specific information security risk management and migration readiness frameworks, detailed in Paper 5 (An Effective Risk Management Framework for Cloud Computing Services) and Paper 6 (Information Security, Privacy, and Compliance Readiness Model) was achieved through extensive consideration of all possible factors obtained from different studies. An analysis of the results indicates that several key factors, including risk tolerance, can significantly influence the migration decision to cloud technology. An additional issue found during this research in assessing the readiness of an organization to move to the cloud is the necessity to ensure that the cloud service provider is actually with information security, privacy, and compliance (ISPC) requirements. This investigation is extended in Paper 7 (A Practical Life Cycle Approach for Cloud based Information Security) to include the six phases of creating proactive cloud information security systems beginning with initial design, through the development, implementation, operations and maintenance. The inherent difficulty in identifying ISPC compliant cloud technology is resolved by employing a tracking method, namely the eligibility and verification system presented in Paper 8 (Cloud Services Information Security and Privacy Eligibility and Verification System). Finally, Paper 9 (A Case Study of Migration to a Compliant Cloud Technology) describes the actual implementation of the proposed frameworks and models to help the decision making process faced by the Saudi financial agency in migrating their IT services to the cloud. Together these models and frameworks suggest that the threats and risks associated with cloud services are continuously changing and more importantly, increasing in complexity and sophistication. They contribute to making stronger cloud based information security, privacy, and compliance technological frameworks. The outcomes obtained significantly contribute to best practices in ensuring information security controls are addressed, monitoring, enforced, and compliant with relevant regulations.<br>Graduate<br>0984<br>0790<br>fahd333@gmail.com

MCom (Business Information Systems)<br>Department of Business Information Systems<br>Although technology is being progressively used in supporting student learning and enhancing business processes within tertiary institutions, certain aspects are hindering the decisions of cloud usage. Among many challenges of utilizing cloud computing, cybersecurity has become a primary concern for the adoption. The main aim of the study was to investigate the effect of cloud cyber-security usage at rural based tertiary institutions in order to compare the usage with an urban-based institution and propose a cybersecurity framework for adoption of cloud computing cybersecurity. The research questions focused on determining the drivers for cloud cybersecurity usage; the current adoption issues; how cybersecurity challenges, benefits, and quality affects cloud usage; the adoption perceptions and awareness of key stakeholders and identifying a cloud cybersecurity adoption framework. A quantitative approach was applied with data collected from a simple random sample of students, lecturers, admin and IT staff within the tertiary institutions through structured questionnaires. The results suggested compliance with legal law as a critical driver for cloud cybersecurity adoption. The study also found a lack of physical control of data and harmful activities executed on the internet as challenges hampering the adoption. Prevention of identity fraud and cheaper security costs were identified as benefits of adoption. Respondents found cloud cybersecurity to be accurate and effective, although most of the students and employees have not used it. However, respondents were aware of the value of cybersecurity adoption and perceive for it to be useful and convenient, hence have shown the intention of adopting it. There were no significant elements identified to differentiate the perceptions of usage at rural and urban-based tertiary institutions. The results of the study are to be used for clarifying the cybersecurity aspects of cloud computing and forecasting the suitability cloud cybersecurity within the tertiary institutions. Recommendations were made on how tertiary institutions and management can promote cloud cybersecurity adoption and how students, lecturers, and staff can effectively use cloud cybersecurity.<br>NRF

Mobile applications are an important but fast changing piece of the digital forensics’ world. For mobile forensics researchers and field analysts, it is hard to keep up with the pace of the ever-changing world of the newest and most popular applications teens are using. Mobile forensic tools are quickly becoming more and more supportive of new applications, but with how quickly apps are changing and new ones being released, it is still difficult for the tools to keep up. The research question for this project examines to what extent digital forensic tools support new and emerging applications seen recently in investigations involving teenagers? For this research, a survey was conducted asking digital forensic analysts, and others who investigate digital crimes, what applications they are coming across most frequently during investigations involving teens and whether those applications are being supported by forensic tools. The top three applications from the survey that were not supported by mobile forensic tools, Monkey, Houseparty, and Likee were populated onto a test device and then evaluated and analyzed to see what forensic artifacts were found in those applications. The mobile application artifacts were then compared on two different forensic tools to see which tool obtains the most forensic artifacts from the applications. Through the examination and analysis of the applications and data contained within the apps, it was determined that 61% of the populated forensic artifacts were recovered manually and only 45% were recovered by a forensic tool for the Monkey application. 100% of the populated forensic artifacts were recovered manually and only 29% were recovered by a forensic tool for the Houseparty application. 42% of the populated forensic artifacts were recovered manually and only 3% were recovered by a forensic tool for the Likee application. It was found that the extent of support from digital forensic tools for these types of applications depends greatly on how the application stores the artifacts, but the artifact extraction support was limited for all applications. This research benefits in helping researchers and analysts by understanding the data and artifacts contained within the applications, what forensic artifacts are recoverable, and where to find those important artifacts. This research can help in finding important evidence for future investigations.<br>

Securing information systems from cyber attacks, malware and internal cyber threats is a difficult problem. Attacks on authentication and authorization (access control) is one of the more predominant and potentially rewarding attacks on distributed architectures. Attribute-Based Access Control (ABAC) is one of the more recent mechanisms to provide access control capabilities. ABAC combines the strength of cryptography with semantic expressions and relational assertions. By this composition, a powerful grammar is devised that can not only define complex and scalable access control policies, but defend against attacks on the policy itself. This thesis demonstrates how ABAC can be used as a primary access control solution for enterprise and commercial applications.<br>Graduate<br>0984<br>djbchepe@gmail.com