Publication


Featured research published by Arnau Erola.


ACM Symposium on Applied Computing | 2016

The anatomy of online deception: what makes automated text convincing?

Richard Everett; Jason R. C. Nurse; Arnau Erola

Technology is rapidly evolving, and with it comes increasingly sophisticated bots (i.e. software robots) which automatically produce content to inform, influence, and deceive genuine users. This is particularly a problem for social media networks where content tends to be extremely short, informally written, and full of inconsistencies. Motivated by the rise of bots on these networks, we investigate the ease with which a bot can deceive a human. In particular, we focus on deceiving a human into believing that an automatically generated sample of text was written by a human, as well as analysing which factors affect how convincing the text is. To accomplish this, we train a set of models to write text about several distinct topics, to simulate a bot's behaviour, which are then evaluated by a panel of judges. We find that: (1) typical Internet users are twice as likely to be deceived by automated content than security researchers; (2) text that disagrees with the crowd's opinion is more believably human; (3) light-hearted topics such as Entertainment are significantly easier to deceive with than factual topics such as Science; and (4) automated text on Adult content is the most deceptive regardless of a user's background.


IEEE Symposium on Security and Privacy | 2016

Validating an Insider Threat Detection System: A Real Scenario Perspective

Ioannis Agrafiotis; Arnau Erola; Jassim Happa; Michael Goldsmith; Sadie Creese

There exists unequivocal evidence denoting the dire consequences which organisations and governmental institutions face from insider threats. While the in-depth knowledge of the modus operandi that insiders possess provides ground for more sophisticated attacks, organisations are ill-equipped to detect and prevent these from happening. The research community has provided various models and detection systems to address the problem, but the lack of real data due to privacy and ethical issues remains a significant obstacle for validating and designing effective and scalable systems. In this paper, we present the results and our experiences from applying our detection system into a multinational organisation, the approach followed to abide with the ethical and privacy considerations and the lessons learnt on how the validation process refined the system in terms of effectiveness and scalability.


international workshop secure internet things | 2015

Smart Insiders: Exploring the Threat from Insiders Using the Internet-of-Things

Jason R. C. Nurse; Arnau Erola; Ioannis Agrafiotis; Michael Goldsmith; Sadie Creese

The Internet-of-Things (IoT) is set to be one of the most disruptive technology paradigms since the advent of the Internet itself. Market research company Gartner estimates that around 4.9 billion connected things will be in use in 2015, and around 25 billion by 2020. While there are substantial opportunities accompanying IoT, spanning from Healthcare to Energy, there are an equal number of concerns regarding the security and privacy of this plethora of ubiquitous devices. In this position paper we approach security and privacy in IoT from a different perspective to existing research, by considering the impact that IoT may have on the growing problem of insider threat within enterprises. Our specific aim is to explore the extent to which IoT may exacerbate the insider-threat challenge for organisations and overview the range of new and adapted attack vectors. Here, we focus especially on (personal) devices which insiders bring and use within their employer's enterprise. As a start to addressing these issues, we outline a broad research agenda to encourage further research in this area.


Computer and Communications Security | 2016

A Tripwire Grammar for Insider Threat Detection

Ioannis Agrafiotis; Arnau Erola; Michael Goldsmith; Sadie Creese

The threat from insiders is an ever-growing concern for organisations, and in recent years the harm that insiders pose has been widely demonstrated. This paper describes our recent work into how we might support insider threat detection when actions are taken which can be immediately determined as of concern because they fall into one of two categories: they violate a policy which is specifically crafted to describe behaviours that are highly likely to be of concern if they are exhibited, or they exhibit behaviours which follow a pattern of a known insider threat attack. In particular, we view these concerning actions as something that we can design and implement tripwires within a system to detect. We then orchestrate these tripwires in conjunction with an anomaly detection system and present an approach to formalising tripwires of both categories. Our intention being that by having a single framework for describing them, alongside a library of existing tripwires in use, we can provide the community of practitioners and researchers with the basis to document and evolve this common understanding of tripwires.


Availability, Reliability and Security | 2018

The challenge of detecting sophisticated attacks: Insights from SOC Analysts

Olusola Akinrolabu; Ioannis Agrafiotis; Arnau Erola

The ever-increasing rate of sophisticated cyber-attacks and its subsequent impact on networks has remained a menace to the security community. Existing network security solutions, including those applying machine learning algorithms, often centre their detection on the identification of threats in individual network events, which is proven inadequate in detecting sophisticated multi-stage attacks. Similarly, SOC analysts whose roles involve detecting advanced threats are faced with a significant amount of false-positive alerts from the existing tools. Their ability to detect novel attacks or variants of existing ones is limited by the lack of expert input from SOC analysts in their creation of the tools; and the use of features that are closely linked to the structure of specific malware which detection models aim to identify. In this work, we conduct a literature review on malware detection tools, reflect on the features used in these approaches and extend the feature-set with novel ones identified by interviewing experienced SOC analysts. We conduct thematic analysis to the qualitative data obtained from the interviews, and our results indicate not only the presence of novel generic malware characteristics based on network and application events (web proxy, firewall, DNS), but identify valuable lessons for developing effective SOCs regarding their structure and processes.


2017 International Conference On Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA) | 2017

RicherPicture: Semi-automated cyber defence using context-aware data analytics

Arnau Erola; Ioannis Agrafiotis; Jassim Happa; Michael Goldsmith; Sadie Creese; Philip A. Legg

In a continually evolving cyber-threat landscape, the detection and prevention of cyber attacks has become a complex task. Technological developments have led organisations to digitise the majority of their operations. This practice, however, has its perils, since cyberspace offers a new attack-surface. Institutions which are tasked to protect organisations from these threats utilise mainly network data and their incident response strategy remains oblivious to the needs of the organisation when it comes to protecting operational aspects. This paper presents a system able to combine threat intelligence data, attack-trend data and organisational data (along with other data sources available) in order to achieve automated network-defence actions. Our approach combines machine learning, visual analytics and information from business processes to guide through a decision-making process for a Security Operation Centre environment. We test our system on two synthetic scenarios and show that correlating network data with non-network data for automated network defences is possible and worth investigating further.


Journal of Internet Services and Information Security | 2015

Investigating the leakage of sensitive personal and organisational information in email headers

Jason R. C. Nurse; Arnau Erola; Michael Goldsmith; Sadie Creese


Human-centric Computing and Information Sciences | 2016

Baiting the hook: factors impacting susceptibility to phishing attacks

Cristian Iuga; Jason R. C. Nurse; Arnau Erola


Security Informatics | 2016

Analytics for characterising and measuring the naturalness of online personae

Jason R. C. Nurse; Arnau Erola; Thomas Gibson-Robinson; Michael Goldsmith; Sadie Creese


Archive | 2016

An Independent Assessment of the Procedural Components of the Estonian Internet Voting System

Jason R. C. Nurse; Ioannis Agrafiotis; Arnau Erola; Maria Bada; Taylor Roberts; Meredydd Williams; Michael Goldsmith; Sadie Creese

Collaboration

Top Co-Authors

Philip A. Legg

University of the West of England
