Dissertations / Theses on the topic 'Insider attacks'

This study was carried out with the intention of examining the defensive mechanism employed against the latest cyber espionage methods including both insider and outsider attacks. The main focus of this study was on web servers as the targets of the cyber attacks. Information in connection to the study was obtained from researchers’ online articles. A survey was also conducted at MidSweden University in order to obtain information about the latest cyber attacks on web servers and about the existing defensive mechanism against such attacks. The existing defensive mechanism was surveyed and a simple design was created to assist in the investigation of the efficiency of the system. Some simple implementations of the existing defensive mechanism were made in order to provide some practical results that were used for the study. The existing defensive mechanism was surveyed and improved upon where possible. The improved defensive mechanism was designed and implemented and its results were compared with the results from the existing defensive mechanism. Due to the fact that the majority of the attackers use defensive mechanisms’ vulnerability in order to find their way into devices such as web servers, it was felt that, even with the most sophisticated improved defensive mechanism in place, it would not be entirely correct to claim that it is possible to fully protect web servers against such attacks.

The purpose of this research is to identify the factors that influence organizational insiders to violate information security policies. There are numerous accounts of successful malicious activities conducted by employees and internal users of organizations. Researchers and organizations have begun looking at methods to reduce or mitigate the insider threat problem. Few proposed methods and models to identify, deter, and prevent the insider threat are based on empirical data. Additionally, few studies have focused on the targets or goals of the insider with organizational control as a foundation. From a target perspective, an organization might be able to control the outcome of a malicious insider threat attack. This research applied a criminology lens as an organization policy violation is, or resembles, a criminal activity. This research uses the Routine Activities Theory (RAT) as a guide to develop a theoretical model. The adoption of RAT was for its focus on the target and the protective controls, while still taking into account the motivated offender. The study identified the components of the model concerning insider threats, espionage, and illicit behavior related to information systems through literature. This led to the development of 10 hypotheses regarding the relationships of key factors that influence malicious insider activity. Data was collected using a scenario-based survey, which allowed for impartial responses from a third-person perspective. This technique has become popular in the field of criminology, as the effects of social desirability, acceptance, or repudiation will not be a concern. A pilot test verified the survey's ability to collect the appropriate data. The research employed Structural Equation Modeling (SEM) and Confirmatory Factor Analysis (CFA) techniques to analyze and evaluate the data. SEM and CFA techniques identified the fit of the model and the factors that influence information security policy violations. The result of the analysis provided criteria to accept the hypotheses and to identify key factors that influence insider Information System policy violations. This research identified the relationships and the level of influence between each factor.

Facebook accounts are secured against unauthorized access through passwords, and through device-level security. Those defenses, however, may not be sufficient to prevent social insider attacks, where attackers know their victims, and gain access to their accounts using the victim's device. To characterize these attacks, we ran two Amazon Mechanical Turk studies geographically restricting participant pool to US only. Our major goal was to establish social insider attack prevalence and characteristics to justify a call to action for better protective and preventative countermeasures against it. In the first study involving 1308 participants, we used the list experiment, a quantitative method to estimate that 24% of participants had perpetrated social insider attacks, and that 21% had been victims to it (and knew about it). In the second, qualitative study with 45 participants, we collected stories detailing personal experiences with such attacks. Using thematic analysis, we typified attacks around 5 motivations (fun, curiosity, jealousy, animosity and utility), and explored dimensions associated with each type. Our combined findings indicate a number of trends in social insider attacks. We found that they are common, they can be perpetrated by almost all social relations and often have serious emotional consequences. Effective mitigation would require a variety of approaches as well as better user awareness. Based on the results of our experiments, we propose methodological steps to study the perception of severity of social insider attacks. In this procedure, we include an experimental design of the study and its possible limitations. The study consists of presenting stories collected in the previously mentioned second study to a new cohort of participants. It the asks them to provide a Likert Scale rating and justification for how severe they perceive the attack in the story to be if they were the victim as well as how likely they feel they might be a victim to such an attack. Lastly, we discuss possible future work in creating countermeasures to social insider attacks, their viability and limitations. We conclude that no single technique is complete solution. Instead mitigation will require a number of techniques in combination to be effective.<br>Science, Faculty of<br>Computer Science, Department of<br>Graduate

In big data systems, the infrastructure is such that large amounts of data are hosted away from the users. Information security is a major challenge in such systems. From the customer’s perspective, one of the big risks in adopting big data systems is in trusting the service provider who designs and owns the infrastructure, with data security and privacy. However, big data frameworks typically focus on performance and the opportunity for including enhanced security measures is limited. In this dissertation, the problem of mitigating insider attacks is extensively investigated and several static and dynamic run-time techniques are developed. The proposed techniques are targeted at big data systems but applicable to any data system in general. First, a framework is developed to host the proposed security techniques and integrate with the underlying distributed computing environment. We endorse the idea of deploying this framework on special purpose hardware and a basic model of the software architecture for such security coprocessors is presented. Then, a set of compile-time and run-time techniques are proposed to protect user data from the perpetrators. These techniques target detection of insider attacks that exploit data and infrastructure. The compile-time intrusion detection techniques analyze the control flow by disassembling program binaries while the run-time techniques analyze the memory access patterns of processes running on the system. The proposed techniques have been implemented as prototypes and extensively tested using big data applications. Experiments were conducted on big data frameworks such as Hadoop and Spark using cloud-based services. Experimental results indicate that the proposed techniques successfully detect insider attacks in the context of data loss, data degradation, data exposure and infrastructure degradation.

The IEEE 802.15.4 has attracted time-critical applications in wireless sensor networks (WSNs) because of its beacon-enabled mode and guaranteed timeslots (GTSs). However, the GTS scheme’s security still leave the 802.15.4 MAC vulnerable to attacks. Further, the existing techniques in the literature for securing 802.15.4 either focus on non beacon-enabled 802.15.4 or cannot defend against insider attacks for beacon-enabled 802.15.4. In this thesis, we illustrate this by demonstrating attacks on the availability and integrity of the beacon-enabled 802.15.4. To proof the attacks, we implement the attacks using Tmote Sky motes for a malicious node along with regular nodes. We show that the malicious node can freely exploit the beacon frames to compromise the integrity and availability of the network. For the defense, we present beacon-enabled MiniSec (BCN-MiniSec) and analyze its cost.

There are a variety of communication mediums or devices for interaction. Users hop from one medium to another frequently. Though the increase in the number of devices brings convenience, it also raises security concerns. Provision of platform to users is as much important as its security. In this dissertation we propose a security approach that captures user behavior for identifying malicious activities. System users exhibit certain behavioral patterns while utilizing the resources. User behaviors such as device location, accessing certain files in a server, using a designated or specific user account etc. If this behavior is captured and compared with normal users? behavior, anomalies can be detected. In our model, we have identified malicious users and have assigned trust value to each user accessing the system. When a user accesses new files on the servers that have not been previously accessed, accessing multiple accounts from the same device etc., these users are considered suspicious. If this behavior continues, they are categorized as ingenuine. A trust value is assigned to users. This value determines the trustworthiness of a user. Genuine users get higher trust value and ingenuine users get a lower trust value. The range of trust value varies from zero to one, with one being the highest trustworthiness and zero being the lowest. In our model, we have sixteen different features to track user behavior. These features evaluate users? activities. From the time users? log in to the system till they log out, users are monitored based on these sixteen features. These features determine whether the user is malicious. For instance, features such as accessing too many accounts, using proxy servers, too many incorrect logins attribute to suspicious activity. Higher the number of these features, more suspicious is the user. More such additional features contribute to lower trust value. Identifying malicious users could prevent and/or mitigate the attacks. This will enable in taking timely action against these users from performing any unauthorized or illegal actions. This could prevent insider and masquerade attacks. This application could be utilized in mobile, cloud and pervasive computing platforms.

La sécurité des Systèmes d’Information (SI) constitue un défi majeur car elle conditionne amplement la future exploitation d’un SI. C’est pourquoi l’étude des vulnérabilités d’un SI dès les phases conceptuelles est cruciale. Il s’agit d’étudier la validation de politiques de sécurité, souvent exprimées par des règles de contrôle d’accès, et d’effectuer des vérifications automatisées sur des modèles afin de garantir une certaine confiance dans le SI avant son opérationnalisation. Notre intérêt porte plus particulièrement sur la détection des vulnérabilités pouvant être exploitées par des utilisateurs internes afin de commettre des attaques, appelées attaques internes, en profitant de leur accès légitime au système. Pour ce faire, nous exploitons des spécifications formelles B générées, par la plateforme B4MSecure, à partir de modèles fonctionnels UML et d’une description Secure UML des règles de contrôle d’accès basées sur les rôles. Ces vulnérabilités étant dues à l’évolution dynamique de l’état fonctionnel du système, nous proposons d’étudier l’atteignabilité des états, dits indésirables, donnant lieu à des attaques potentielles, à partir d’un état normal du système. Les techniques proposées constituent une alternative aux techniques de model-checking. En effet, elles mettent en œuvre une recherche symbolique vers l’arrière fondée sur des approches complémentaires : la preuve et la résolution de contraintes. Ce processus de recherche est entièrement automatisé grâce à notre outil GenISIS qui a montré, sur la base d’études de cas disponibles dans la littérature, sa capacité à retrouver des attaques déjà publiées mais aussi des attaques nouvelles<br>The early detection of potential threats during the modelling phase of a Secure Information System (IS) is required because it favours the design of a robust access control policy and the prevention of malicious behaviours during the system execution. This involves studying the validation of access control rules and performing vulnerabilities automated checks before the IS operationalization. We are particularly interested in detecting vulnerabilities that can be exploited by internal trusted users to commit attacks, called insider attacks, by taking advantage of their legitimate access to the system. To do so, we use formal B specifications which are generated by the B4MSecure platform from UML functional models and a SecureUML modelling of role-based access control rules. Since these vulnerabilities are due to the dynamic evolution of the functional state, we propose to study the reachability of someundesirable states starting from a normal state of the system. The proposed techniques are an alternative to model-checking techniques. Indeed, they implement symbolic backward search algorithm based on complementary approaches: proof and constraint solving. This rich technical background allowed the development of the GenISIS tool which automates our approach and which was successfully experimented on several case studies available in the literature. These experiments showed its capability to extract already published attacks but also new attacks

Wireless sensor networks are a relatively new technology for information gathering and processing. A sensor network usually consists of many, resource constrained sensor nodes. These nodes perform measurements of some physical phenomena, process data, generate reports, and send these reports via multihop communication to a central information processing unit called sink. Depending on the scenario, information gathering and processing is collaboratively performed by multiple sensor nodes, e.g., to determine the average temperature in a certain area. Sensor networks can be used in a plethora of application scenarios. Emerging from military research, e.g., sensor networks for target tracking in a battlefield, sensor networks are nowadays used more and more in civil applications such as critical infrastructure monitoring. For ensuring the functionality of a sensor network, especially in malicious environments, security mechanisms are essential for all sensor networks. However, sensor networks differ from classical (wireless) networks and this consequently makes it harder to secure them. Reasons for this are resource constraints of the sensor nodes, the wireless multihop communication, and the possibility of node compromise. Since sensor nodes are often deployed in unattended or even hostile environments and are usually not equipped with tamper-resistant hardware, it is relatively easy to compromise a sensor node. By compromising a sensor node, an adversary gets access to all data stored on the node, such as cryptographic keys. Thus, deployed security mechanisms such as node-based authentication become ineffective and an adversary is able to perform attacks as a "legitimate" member of the network. Such attacks are denoted as insider attacks and pose a serious threat for wireless sensor networks. In this thesis, we develop concepts and mechanisms to cope with insider attacks in wireless sensor networks. The contribution of this thesis is twofold. First, we propose a new general classification to classify the different approaches to protect against insider attacks. Second, we propose several security protocols to protect against insider attacks. In our classification, approaches to protect against insider attacks are first distinguished by the implemented security strategy. The respective strategies are further subclassified by the applied mechanisms. Related work is integrated in the classification to systematically identify open problems and specific properties in the respective areas. The results may be a basis for future protocol design. The protocols, proposed in the second part of this thesis encompass different areas. First, we propose a protocol to protect against a serious Denial-of-Service attack where an adversary injects or replays a large amount of false messages to overload many message forwarding nodes and to (totally) waste their scarce energy resources. Proposed approaches usually apply threshold-based mechanisms to filter such messages out. The drawback of this approach is that messages are not filtered out immediately and if the threshold of compromised nodes is reached, the attack becomes again possible. Our protocol is able to immediately filter such messages while tolerating an arbitrary number of compromised sensor nodes. Further mechanisms are required to additionally protect against an insider attack where an adversary injects false reports to deceive the sink. Usually a redundancy-based approach is used where a report is only valid if it has been collaboratively generated by multiple sensor nodes. However, previously proposed protocols are susceptible to an insider attack where an adversary that has compromised only a single node might be able to impede a successful report generation. So far, only one protocol has been proposed to cope with this issue. However, it is a specific enhancement for a particular protocol and the attacking nodes cannot be identified and excluded. In this thesis, we propose two protocols which protect against the injection of false reports and also enable the detection and exclusion of nodes trying to disrupt the collaborative report generation. In addition, our protocols can be used in combination with or as an extension to any other protocol. In addition, we investigate a general approach to prevent insider attacks and to detect compromised nodes in certain scenarios. We propose to use tamper-resistant hardware in form of the Trusted Platform Module (TPM). Due to cost reasons, the TPM is integrated only in some special sensor nodes that perform some special tasks such as key management, localization or time synchronization in the sensor network. These nodes are a valuable target for an adversary. To detect tampering attempts on these nodes, we propose two efficient attestation protocols. In contrast to attestation protocols proposed for "classical" networks, our protocols have a low communication and computational overhead. They do not require expensive public key operations on the verifying nodes and the few exchanged messages are very short. In addition, compared to software-based attestation, our protocols have the advantage to enable attestation along multiple hops which is of high concern in sensor networks. Using our approach, it is possible to verify the trustworthiness of certain sensor nodes even in unattended or hostile environments making them suitable to perform special tasks.

碩士<br>朝陽科技大學<br>資訊工程系碩士班<br>101<br>Due to the rapid development of the Internet, many applications of Internet are widely used. It brings convenient, but derives many problems. We often hear news about insider trading in different enterprises, the cheating case of engineer commercial spying, etc. The security of Internet becomes an important issue in the transaction. In this thesis, we proposed two schemes to apply in different environment. In the first scheme, we defend against the illegal insider trading of enterprises to construct an investigator unearths illegal behavior via a subliminal channel. The scheme can let investigator safety to send the evidence to the organization. And we set an official agent to make both have fair arbitration. The second scheme focuses on e-bidding case. We proposed an electronic public engineering project bidding protocol via a subliminal channel. In the bidding phase, we use the blind signature based on ElGamal mechanism to protect bidder’s identity, also can prevent the insiders of Public Construction Commission to disclose bid information. And we use the arbitration mechanism to construct a secure and fair scheme to protect the rights benefit.

abstract: Large organizations have multiple networks that are subject to attacks, which can be detected by continuous monitoring and analyzing the network traffic by Intrusion Detection Systems. Collaborative Intrusion Detection Systems (CIDS) are used for efficient detection of distributed attacks by having a global view of the traffic events in large networks. However, CIDS are vulnerable to internal attacks, and these internal attacks decrease the mutual trust among the nodes in CIDS required for sharing of critical and sensitive alert data in CIDS. Without the data sharing, the nodes of CIDS cannot collaborate efficiently to form a comprehensive view of events in the networks monitored to detect distributed attacks. The compromised nodes will further decrease the accuracy of CIDS by generating false positives and false negatives of the traffic event classifications. In this thesis, an approach based on a trust score system is presented to detect and suspend the compromised nodes in CIDS to improve the trust among the nodes for efficient collaboration. This trust score-based approach is implemented as a consensus model on a private blockchain because private blockchain has the features to address the accountability, integrity and privacy requirements of CIDS. In this approach, the trust scores of malicious nodes are decreased with every reported false negative or false positive of the traffic event classifications. When the trust scores of any node falls below a threshold, the node is identified as compromised and suspended. The approach is evaluated for the accuracy of identifying malicious nodes in CIDS.<br>Dissertation/Thesis<br>Masters Thesis Computer Science 2020

博士<br>國立臺灣大學<br>資訊工程學研究所<br>104<br>In this thesis, we consider a new insider threat for the privacy preserving work of distributed kernel-based data mining (DKBDM), such as distributed Support Vector Machine (SVM). Among several known data breaching problems, those associated with insider attacks have been rising significantly, making this one of the fastest growing types of security breaches. Once considered a negligible concern, insider attacks have risen to be one of the top three central data violations. Insider-related research involving the distribution of kernel-based data mining is limited, resulting in substantial vulnerabilities in designing protection against “collaborative organizations.” Prior works often fall short by addressing a multifactorial model that is more limited in scope and implementation than addressing “insiders within an organization” colluding with outsiders. A faulty system allows collusion to go unnoticed when an insider shares data with an outsider, who can then recover the original data from message transmissions (intermediary kernel values) among organizations. This attack requires only accessibility to a few data entries within the organizations rather than requiring the encrypted administrative privileges typically found in the distribution of data mining scenarios. To the best of our knowledge, we are the first to explore this new insider threat in DKBDM. We also analytically demonstrate the minimum amount of insider data necessary to launch the insider attack. For countering the described attack, we then present two privacy-preserving methods to defend against the attack. For the first method, we reduce the number of insiders or expand the data dimensions to prevent the satisfaction of the privacy breach rule. For the second method, as differential privacy is one of the most theoretically sound and widespread privacy concepts, we will prove differential private method effective against the serious insider attack. Besides, Homomorphic Encryption method, which allows calculations on encrypted information to be performed without first decrypting the information, has been successfully used to solve the privacy issue of DKBDM in the past. However, this method is too time-consuming. Thus, we propose a Differentially-Private model based on Additive Homomorphic Proxy Re-Encryption for SVM (DAHOPE-SVM), which can drastically reduce the use of Homomorphic Encryption with the help of Proxy Re-Encryption and thus reduce the time required to perform. Our proposed method has been the quickest method of applying Homomorphic Encryption in DKBDM until now; at the same time, our method maintains a high standard of privacy protection by including a proven differential privacy component.

abstract: For systems having computers as a significant component, it becomes a critical task to identify the potential threats that the users of the system can present, while being both inside and outside the system. One of the most important factors that differentiate an insider from an outsider is the fact that the insider being a part of the system, owns privileges that enable him/her access to the resources and processes of the system through valid capabilities. An insider with malicious intent can potentially be more damaging compared to outsiders. The above differences help to understand the notion and scope of an insider. The significant loss to organizations due to the failure to detect and mitigate the insider threat has resulted in an increased interest in insider threat detection. The well-studied effective techniques proposed for defending against attacks by outsiders have not been proven successful against insider attacks. Although a number of security policies and models to deal with the insider threat have been developed, the approach taken by most organizations is the use of audit logs after the attack has taken place. Such approaches are inspired by academic research proposals to address the problem by tracking activities of the insider in the system. Although tracking and logging are important, it is argued that they are not sufficient. Thus, the necessity to predict the potential damage of an insider is considered to help build a stronger evaluation and mitigation strategy for the insider attack. In this thesis, the question that seeks to be answered is the following: `Considering the relationships that exist between the insiders and their role, their access to the resources and the resource set, what is the potential damage that an insider can cause?' A general system model is introduced that can capture general insider attacks including those documented by Computer Emergency Response Team (CERT) for the Software Engineering Institute (SEI). Further, initial formulations of the damage potential for leakage and availability in the model is introduced. The model usefulness is shown by expressing 14 of actual attacks in the model and show how for each case the attack could have been mitigated.<br>Dissertation/Thesis<br>Masters Thesis Computer Science 2019

<p>Advances in Artificial Intelligence (AI), or more precisely on Neural Networks (NNs), and fast processing technologies (e.g. Graphic Processing Units or GPUs) in recent years have positioned NNs as one of the main machine learning algorithms used to solved a diversity of problems in both academia and the industry. While they have been proved to be effective in solving many tasks, the lack of security guarantees and understanding of their internal processing disrupts their wide adoption in general and cybersecurity-related applications. In this dissertation, we present the findings of a comprehensive study aimed to enable the absorption of state-of-the-art NN algorithms in the development of enterprise solutions. Specifically, this dissertation focuses on (1) the development of defensive mechanisms to protect NNs against adversarial attacks and (2) application of NN models for anomaly detection in enterprise networks.</p><p>In this state of affairs, this work makes the following contributions. First, we performed a thorough study of the different adversarial attacks against NNs. We concentrate on the attacks referred to as trojan attacks and introduce a novel model hardening method that removes any trojan (i.e. misbehavior) inserted to the NN models at training time. We carefully evaluate our method and establish the correct metrics to test the efficiency of defensive methods against these types of attacks: (1) accuracy with benign data, (2) attack success rate, and (3) accuracy with adversarial data. Prior work evaluates their solutions using the first two metrics only, which do not suffice to guarantee robustness against untargeted attacks. Our method is compared with the state-of-the-art. The obtained results show our method outperforms it. Second, we proposed a novel approach to detect anomalies using LSTM-based models. Our method analyzes at runtime the event sequences generated by the Endpoint Detection and Response (EDR) system of a renowned security company running and efficiently detects uncommon patterns. The new detecting method is compared with the EDR system. The results show that our method achieves a higher detection rate. Finally, we present a Moving Target Defense technique that smartly reacts upon the detection of anomalies so as to also mitigate the detected attacks. The technique efficiently replaces the entire stack of virtual nodes, making ongoing attacks in the system ineffective.</p><p> </p>

In this thesis, we present a novel, elegant and simple method for secure transaction authentication and non-repudiation for trading multimedia content. Multimedia content can be video, images, text documents, music, or any form of digital signal, however here we will focus particular on still images with application to video. We will provide proof that not only can receiving parties within a transaction be untrustworthy, but the owner, or members within an owning party, also cannot be trusted. Known as the insider attack, this attack is particularly prevalent in multimedia transactions. Thus the focus of the thesis is on the prevention of piracy, with particular emphasis on the case where the owner of a document is assumed to be capable of deceit, placing the system under the assumption of mutual distrust. We will introduce a concept called staining, which will be used to achieve authentication and non-repudiation. Staining is composed of two key components: (1) public-key cryptography; and (2) steganographic watermarking. The idea is to watermark a multimedia document after encryption, thereby introducing a stain on the watermark. This stain is due to the non-commutative nature of the scheme, so that decryption will be imperfect, leaving a residue of the cryptographic process upon the watermark. Essentially, secrets from the owner (the watermark) and the receiver (the cryptographic key) are entangled rather than shared, as in most schemes. We then demonstrate our method using image content and will test several different common cryptographic systems with a spread-spectrum type watermark. Watermarking and cryptography are not usually combined in such a manner, due to several issues such as the rigid nature of cryptography. Contrary to the expectation that there will be severe distortions caused to the original document, we show that such an entanglement is possible without destroying the document under protection. We will then attack the most promising combination of systems by introducing geometric distortions such as rotation and cropping, as well as compressing the marked document, to demonstrate that such a method is robust to typical attacks.<br>http://proxy.library.adelaide.edu.au/login?url= http://library.adelaide.edu.au/cgi-bin/Pwebrecon.cgi?BBID=1297339<br>Thesis (Ph.D.) - University of Adelaide, School of Electrical and Electronic Engineering, 2007