Huw Read
University of New South Wales
Publication
Featured research published by Huw Read.
IEEE Computer Graphics and Applications | 2009
Huw Read; Konstantinos Xynos; Andrew Blyth
Discusses DEViSE, a fully customizable system that provides a framework for developing a richer, fuller picture of network traffic. This not only helps locate past, present, and ongoing security attacks but also graphically identifies areas where organizations can implement stricter policies to lower the risk of data loss.
2006 IEEE Information Assurance Workshop | 2006
Huw Read; Andrew Blyth
This paper builds upon earlier work (H. Read, 2005), (N. Avourdiadis, 2005) regarding the need for advanced visualisation techniques applied within the intrusion detection arena. Individual visualisation tools can tell us a lot about the way different attacks have been initiated, but we cannot pass interesting sets of data from one tool to another to get a different perspective on the attack. While much work has concentrated on novel visualisation techniques, we explore ways to bring different tools together to work seamlessly with one another. This research explores the need for a framework upon which different visualisation tools can sit and communicate with one another to aid analysts in the intrusion detection process. In this paper we present our ideas and our proposition for the framework.
Advanced Information Networking and Applications | 2013
Anthony Benham; Huw Read; Iain Sutherland
Behaviour Engines allow the acquirement of tacit (implicit or non-verbalised) knowledge by using an acquire-by-action workflow and provide a direct interaction platform between the domain expert and the evolving project code based on an intuitive justification-conclusion language, thus surpassing legacy policy engines by being a self-developing and learning mechanism. This paper seeks to formulate the current state of the art in technology and processes and attempts to merge the application of ontological decision techniques of behaviour engines with network packet capture data, to detect data exfiltration attempts over covert channelling. The final goal of the research will be to develop a behaviour engine/intrusion detection solution for pre-emptive counter-measures to anomalous behaviour from within or without a network.
International Conference on Human-Computer Interaction | 2015
Iain Sutherland; Theodoros Spyridopoulos; Huw Read; Andrew Jones; Graeme Sutherland; Mikhailia Burgess
The increasing variety of Internet enabled hardware devices is creating a world of semi-autonomous, interconnected systems capable of control, automation and monitoring of a built environment. Many building automation and control systems that have previously been limited in connectivity, or due to cost only used in commercial environments, are now seeing increased uptake in domestic environments. Such systems may lack the management controls that are in place in commercial environments. The risk to these systems is further increased when they are connected to the Internet to allow control via a web browser or smartphone application. This paper explores the application of traditional digital forensics practices by applying established good practice guidelines to the field of building automation. In particular, we examine the application of the UK Association of Chief Police Officers guidelines for Digital Evidence, identifying the challenges and the gaps that arise in processes, procedures and available tools.
Information Security Journal: A Global Perspective | 2015
Huw Read; Iain Sutherland; Konstantinos Xynos; Frode Roarson
Embedded devices are becoming ubiquitous in both domestic and commercial environments. Although smartphones, tablets, and video game consoles are all labeled by their primary function, most of these devices offer additional features and are capable of additional interactivity. Given the proprietary nature of such devices in terms of hardware and software and the protection mechanisms incorporated into these systems, it is and will continue to be extremely difficult to use “traditional digital forensics” methodologies to access storage media and acquire data for analysis. This paper examines how consumer law may be stifling research that the forensic community could ultimately depend upon to examine devices.
Trust and Trustworthy Computing | 2014
Panagiotis Andriotis; Theo Tryfonas; George C. Oikonomou; Shancang Li; Zacharias Tzermias; Konstantinos Xynos; Huw Read; Vassilis Prevelakis
We live in a connected world where mobile devices are used by humans as valuable tools. The use of mobile devices leaves traces that can be treasured assets for a forensic analyst. Our aim is to investigate methods and exercise techniques that will merge all this valuable information in a way that will be efficient for a forensic analyst, producing graphical representations of the underlying data structures. We are using a framework able to collect and merge data from various sources and employ algorithms from a wide range of interdisciplinary areas to automate post-incident forensic analysis on mobile devices.
International Conference on Human-Computer Interaction | 2017
Huw Read; Iain Sutherland; Konstantinos Xynos; Tom Drange; Ernst Sundt
Cyber Security degree programs vary in scope; from those that are constructed around traditional computer science degrees with some additional security content, to those that are strongly focused on the need to develop a dedicated cyber security professional. The latter programs typically include a grounding in computer science concepts such as programming, operating systems and networks to specialised security content covering such disparate areas as digital forensics, information assurance, penetration testing and cryptography. The cyber security discipline as a whole faces new challenges as technology continues to evolve, and therefore significant changes are being faced by educators trying to incorporate the latest technological concepts into courses. This presents cybersecurity educators with a number of related challenges to ensure that changes to degree programs reflect not only the educational needs of students, but of the needs of industry and government. The evolving use of technology therefore presents both opportunities and problems, in how these changes are demonstrated in the curriculum. This paper highlights the accreditation, standards and guidelines (from three of the countries where the authors of this paper have sought accreditation) that shape the way educators are encouraged to develop and structure degree courses and considers these in lieu of factors relating to incorporating new technology in cybersecurity curriculum, particularly in the presentation of technical exercises to students.
International Conference on Human-Computer Interaction | 2015
Huw Read; Konstantinos Xynos; Iain Sutherland; Frode Roarson; Panagiotis Andriotis; George C. Oikonomou
Visualising data is an important part of the forensic analysis process. Many cell phone forensic tools have specialised visualisation components, but are as of yet able to tackle questions concerning the broad spectrum of social media communication sources. Visualisation tools tend to be stove-piped; it is difficult to take information seen in one visualisation tool and obtain a different perspective in another tool. If an interesting relationship is observed, needing to be explored in more depth, the process has to be reiterated by manually generating a subset of the data, converting it into the correct format, and invoking the new application. This paper describes a cloud-based data storage architecture and a set of interactive visualisation tools developed to allow for a more straightforward exploratory analysis. This approach developed in this tool suite is demonstrated using a case study consisting of social media data extracted from two mobile devices.
Trust and Trustworthy Computing | 2014
Panagiotis Andriotis; Theo Tryfonas; George C. Oikonomou; Shancang Li; Zacharias Tzermias; Konstantinos Xynos; Huw Read; Vassilis Prevelakis
In TPM 2.0, a single signature primitive is proposed to support various signature schemes including Direct Anonymous Attestation (DAA), U-Prove and Schnorr signature. This signature primitive is implemented by several APIs which can be utilized as a static Diffie-Hellman (SDH) oracle. In this paper, we measure the practical impact of the SDH oracle in TPM 2.0 and show the security strength of these signature schemes can be weakened by 13 bits. We propose a novel property of DAA called forward anonymity and show how to utilize these DAA-related APIs to break forward anonymity. Then we propose new APIs which not only remove the SDH oracle but also support the forward anonymity, thus significantly improving the security of DAA and the other signature schemes supported by TPM 2.0. We prove the security of our new APIs under the discrete logarithm assumption in the random oracle model. We prove that the proposed DAA schemes satisfy the forward anonymity property using the new APIs under the Decision Diffie-Hellman assumption. Our new APIs are almost as efficient as the original APIs in the TPM 2.0 specification and can support LRSW-DAA and SDH-DAA together with U-Prove as the original APIs.
Archive | 2010
Konstantinos Xynos; Iain Sutherland; Huw Read; Emlyn Everitt; Andrew Blyth