Publication


Featured research published by Jill Slay.


international conference on critical infrastructure protection | 2007

Lessons Learned from the Maroochy Water Breach

Jill Slay; Michael Miller

Supervisory control and data acquisition (SCADA) systems are widely used to monitor and control operations in electrical power distribution facilities, oil and gas pipelines, water distribution systems and sewage treatment plants. Technological advances over the past decade have seen these traditionally closed systems become open and Internet-connected, which puts the service infrastructures at risk. This paper examines the response to the 2000 SCADA security incident at Maroochy Water Services in Queensland, Australia. The lessons learned from this incident are useful for establishing academic and industry-based research agendas in SCADA security as well as for safeguarding critical infrastructure.


military communications and information systems conference | 2015

UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set)

Nour Moustafa; Jill Slay

One of the major research challenges in this field is the unavailability of a comprehensive network based data set which can reflect modern network traffic scenarios, vast varieties of low footprint intrusions and depth structured information about the network traffic. Evaluating network intrusion detection systems research efforts, KDD98, KDDCUP99 and NSL-KDD benchmark data sets were generated a decade ago. However, numerous current studies showed that for the current network threat environment, these data sets do not inclusively reflect network traffic and modern low footprint attacks. Countering the unavailability of network benchmark data set challenges, this paper examines a UNSW-NB15 data set creation. This data set has a hybrid of the real modern normal and the contemporary synthesized attack activities of the network traffic. Existing and novel methods are utilised to generate the features of the UNSW-NB15 data set. This data set is available for research purposes and can be accessed from the link.


Information Security Journal: A Global Perspective | 2016

The evaluation of Network Anomaly Detection Systems: Statistical analysis of the UNSW-NB15 data set and the comparison with the KDD99 data set

Nour Moustafa; Jill Slay

Over the last three decades, Network Intrusion Detection Systems (NIDSs), particularly, Anomaly Detection Systems (ADSs), have become more significant in detecting novel attacks than Signature Detection Systems (SDSs). Evaluating NIDSs using the existing benchmark data sets of KDD99 and NSL-KDD does not reflect satisfactory results, due to three major issues: (1) their lack of modern low footprint attack styles, (2) their lack of modern normal traffic scenarios, and (3) a different distribution of training and testing sets. To address these issues, the UNSW-NB15 data set has recently been generated. This data set has nine types of the modern attacks fashions and new patterns of normal traffic, and it contains 49 attributes that comprise the flow based between hosts and the network packets inspection to discriminate between the observations, either normal or abnormal. In this paper, we demonstrate the complexity of the UNSW-NB15 data set in three aspects. First, the statistical analysis of the observations and the attributes are explained. Second, the examination of feature correlations is provided. Third, five existing classifiers are used to evaluate the complexity in terms of accuracy and false alarm rates (FARs) and then, the results are compared with the KDD99 data set. The experimental results show that UNSW-NB15 is more complex than KDD99 and is considered as a new benchmark data set for evaluating NIDSs.


availability, reliability and security | 2010

Recovery of Skype Application Activity Data from Physical Memory

Matthew Simon; Jill Slay

The use of Internet based communication technologies has become more prevalent in recent years. Technologies such as Skype provide a highly secure and decentralised method of communication. These technologies may also leave little evidence on static media causing conventional digital forensic processes to be ineffective. This research looks at exploiting physical memory to recover evidence from Internet based communication technologies where conventional methods cannot. The paper first proposes a set of generic target artefacts that defines information that may be targeted for recovery and the meaning that can be inferred from this. A controlled test was then undertaken where Skype was executed and the memory from the target machine collected. The analysis showed that it is feasible to recover the target data as applied to Skype, which would not be otherwise available. As this is the first set of tests of a series, the future direction is also discussed.


availability, reliability and security | 2009

Enhancement of Forensic Computing Investigations through Memory Forensic Techniques

Matthew Simon; Jill Slay

The use of memory forensic techniques has the potential to enhance computer forensic investigations. The analysis of digital evidence is facing several key challenges; an increase in electronic devices, network connections and bandwidth, the use of anti-forensic technologies and the development of network centric applications and technologies has led to less potential evidence stored on static media and increased amounts of data stored off-system. Memory forensic techniques have the potential to overcome these issues in forensic analysis. While much of the current research in memory forensics has been focussed on low-level data, there is a need for research to extract high-level data from physical memory as a means of providing forensic investigators with greater insight into a target system. This paper outlines the need for further research into memory forensic techniques. In particular it stresses the need for methods and techniques for understanding context on a system and also as a means of augmenting other data sources to provide a more complete and efficient searching of investigations.


Campus-wide Information Systems | 2003

IS security, trust and culture: a theoretical framework for managing IS security in multicultural settings

Jill Slay

System security today focuses on the design of safe and secure information systems and their operation. In the analysis of any information system, whether small or large, one observes within it a “set of human activities related to each other so they can be viewed as a whole”. If one particularly focuses on security aspects of large information systems, and then considers the many layers of complexity comprising the human activity systems within them, it becomes apparent that one of these layers, or subsystems, is a cultural one. This paper proposes that the perspective gained on the impact of culture in such a system by the application of a systems theory, augmented by perspectives supplied by worldview theory, is helpful in designing appropriate learning, e‐commerce or other kinds of distributed environments for multicultural settings.


international conference on digital forensics | 2009

Towards a Formalization of Digital Forensics

Jill Slay; Yi-Chi Lin; Benjamin Turnbull; Jason Beckett; Paul Lin

While some individuals have referred to digital forensics as an art, the literature of the discipline suggests a trend toward the formalization of digital forensics as a forensic science. Questions about the quality of digital evidence and forensic soundness continue to be raised by researchers and practitioners in order to ensure the trustworthiness of digital evidence and its value to the courts. This paper reviews the development of digital forensic models, procedures and standards to lay a foundation for the discipline. It also points to new work that provides validation models through a complete mapping of the discipline.


availability, reliability and security | 2008

Wi-Fi Network Signals as a Source of Digital Evidence: Wireless Network Forensics

Benjamin Turnbull; Jill Slay

802.11-based wireless networking has significantly altered the networking means and topology for cities, offices, homes and coffee shops over the last five years. A second generation of wireless devices has extended what was once a computer-to-computer protocol into the area of embedded functional devices. Accompanying this widespread usage is the presence of crime; the more popular technology, the more opportunity exists for its misuse. This work studies the 802.11-based wireless networking environment from a forensic computing perspective. It seeks to understand the current state of wireless misuse: present misuses; potential forms of misuse involving 802.11-based wireless networks; and current tools and techniques used in its identification, containment and analysis. The research highlights the lack of current tools and procedures for forensic computing investigations that are able to effectively handle the presence of wireless devices and networks, and that there are forms of misuse that may escape detection by forensic investigation teams.


hawaii international conference on system sciences | 2007

Wireless Forensic Analysis Tools for Use in the Electronic Evidence Collection Process

Benjamin Turnbull; Jill Slay

This paper discusses the need for both a series of electronic tools and procedural changes to the evidence collection process to accommodate the possibilities of wireless technologies. 802.11-based wireless technologies in particular pose an issue to the collection of electronic evidence, as devices that appear isolated may be wirelessly accessed during the collection phase, leading to after-seizure communications and a tampering of evidence in custody. Whilst forensic acquisition and analysis procedural guides are yet to discuss the acquisition of wireless devices, one of the core issues in collecting wireless devices is that there is no indication for the number or type of devices connected to a wireless network, should one exist in an area of interest. It is proposed that a series of forensic software tools be developed to aid in the detection, analysis and control of wireless networks that are in the process of being seized for forensic analysis. Through control of the wireless medium, information regarding connected devices may be gathered and methods to prevent communication between devices during and after evidence seizure are also examined.


IEEE Transactions on Big Data | 2017

Novel Geometric Area Analysis Technique for Anomaly Detection using Trapezoidal Area Estimation on Large-Scale Networks

Nour Moustafa; Jill Slay; Gideon Creech

The prevalence of interconnected appliances and ubiquitous computing face serious threats from the hostile activities of network attackers. Conventional Intrusion Detection Systems (IDSs) are incapable of detecting these intrusive events as their outcomes reflect high false positive rates (FPRs). In this paper, we present a novel Geometric Area Analysis (GAA) technique based on Trapezoidal Area Estimation (TAE) for each observation computed from the parameters of the Beta Mixture Model (BMM) for features and the distances between observations. As this GAA-based detection depends on the methodology of anomaly-based detection (ADS), it constructs the areas of normal observations in a normal profile with those of the testing set estimated from the same parameters to recognise abnormal patterns. We also design a scalable framework for handling large-scale networks, and our GAA technique considers a decision engine module in this framework. The performance of our GAA technique is evaluated using the NSL-KDD and UNSW-NB15 datasets. To reduce the high-dimensional data of network connections, we apply the Principal Component Analysis (PCA) and evaluate its influence on the GAA technique. The empirical results show that our technique achieves a higher detection rate and lower FPR with a lower processing time than other competing methods.

Collaboration


Dive into Jill Slay's collaborations.

Top Co-Authors

Benjamin Turnbull
University of South Australia

Nour Moustafa
University of New South Wales

Matthew Simon
University of South Australia

Elena Sitnikova
University of South Australia

Grant Osborne
University of South Australia

Yinghua Guo
University of South Australia

Kim-Kwang Raymond Choo
University of Texas at San Antonio

Gideon Creech
University of New South Wales