Publication


Featured research published by Theodore Tryfonas.


Operating Systems Review | 2008

Acquiring volatile operating system data tools and techniques

Iain Sutherland; Jon Evans; Theodore Tryfonas; Andrew Blyth

The current approach to forensic examination during search and seizure has predominantly been to pull the plug on the suspect machine and subsequently perform a post mortem examination on the storage medium. However, with the advent of larger capacities of memory, drive encryption and anti-forensics, this procedure may result in the loss of valuable evidence. Volatile data may be vital in determining criminal activity; it may contain passwords used for encryption, indications of anti-forensic techniques, memory resident malware which would otherwise go unnoticed by the investigator. This paper emphasizes the importance of understanding the potential value of volatile data and how best to collate forensic artifacts to the benefit of the investigation, ensuring the preservation and integrity of the evidence. The paper will review current methods for volatile data collection, assessing the capabilities, limitations and liabilities of current tools and techniques available to the forensic investigator.


Computers & Security | 2013

A game theoretic defence framework against DoS/DDoS cyber attacks

Theodoros Spyridopoulos; G. Karanikas; Theodore Tryfonas; Georgios Oikonomou

Game-theoretic approaches have been previously employed in the research area of network security in order to explore the interaction between an attacker and a defender during a Distributed Denial of Service (DDoS) attack scenario. Existing literature investigates payoffs and optimal strategies for both parties, in order to provide the defender with an optimal defence strategy. In this paper, we model a DDoS attack as a one-shot, non-cooperative, zero-sum game. We extend previous work by incorporating in our model a richer set of options available to the attacker compared to what has been previously achieved. We investigate multiple permutations in terms of the cost to perform an attack, the number of attacking nodes, malicious traffic probability distributions and their parameters. We analytically demonstrate that there exists a single optimal strategy available to the defender. By adopting it, the defender sets an upper boundary to attacker payoff, which can only be achieved if the attacker is a rational player. For all other attack strategies (those adopted by irrational attackers), attacker payoff will be lower than this boundary. We preliminarily validate this model via simulations with the ns2 network simulator. The simulated environment replicates the analytical model's parameters and the results confirm our model's accuracy.


Eurasip Journal on Wireless Communications and Networking | 2012

Design and performance evaluation of a lightweight wireless early warning intrusion detection prototype

Alexandros G. Fragkiadakis; Elias Z. Tragos; Theodore Tryfonas; Ioannis G. Askoxylakis

The proliferation of wireless networks has been remarkable during the last decade. The license-free nature of the ISM band along with the rapid proliferation of the Wi-Fi-enabled devices, especially the smart phones, has substantially increased the demand for broadband wireless access. However, due to their open nature, wireless networks are susceptible to a number of attacks. In this work, we present anomaly-based intrusion detection algorithms for the detection of three types of attacks: (i) attacks performed on the same channel legitimate clients use for communication, (ii) attacks on neighbouring channels, and (iii) severe attacks that completely block networks' operation. Our detection algorithms are based on the cumulative sum change-point technique and they execute on a real lightweight prototype based on a limited resource mini-ITX node. The performance evaluation shows that even with limited hardware resources, the prototype can detect attacks with high detection rates and a few false alarms.


Computer Standards & Interfaces | 2008

Standardising business application security assessments with pattern-driven audit automations

Theodore Tryfonas; Bob Kearney

In the light of recent corporate corruption scandals the requirement for Corporate Governance and Responsibility has emerged as a top management priority, as reflected on the recent regulatory environment and compliance requirements e.g. Sarbanes-Oxley Act. The need for explicitly demonstrated assurance of the financial and accounting information in an IT-fuelled business environment has shifted interest to the information and the IT systems themselves. Assurance of information is based on the art and science of IT audit, a set of recurring tasks by nature both in time and in space. In environments of integrated business applications and enterprise resource planning systems, auditing is particularly laborious and the requirement for automation of auditing tasks was never more demanding. The belief that audit automation is part of the means to achieve governance is developing amongst scholars and practitioners alike. However there is no common understanding yet developed as of how such automation could be achieved across different systems and applications. We argue that through appropriate standardisation of the automation requirements such cross-system implementation may be possible and we propose as a means of standardisation the use of security design patterns. In this paper we explore the use of security patterns for audit automation and we implement them as a means of supporting its standardisation within integrated business application systems.


Journal of Network and Computer Applications | 2009

A lightweight web-based vulnerability scanner for small-scale computer network security assessment

Pete Davies; Theodore Tryfonas

There appears to be a common perception amongst average computer users pointing towards a global lack of trust when using the Internet. The resolution of this lack of trust relating to the use of the Internet, particularly orientated towards its commercial use and online purchasing, requires partly from website developers to create and maintain web applications that are robust and provide a certain degree of resilience to attack from outside threats. This project intends to contribute to this particular aspect by providing site developers and system testers, as well as simple site users, with a tool for reconnaissance, vulnerability scanning and remote network mapping that is easily accessible and useable due to its web-based and visual, event-driven interface. It is anticipated that the cumbersome task of learning to use a number of command line tools and their exact functionality and parameters can be avoided through this and similar developments, and hence that this will potentially widen the access to security testing, particularly to small and medium businesses.


Eurasip Journal on Wireless Communications and Networking | 2011

A family of key agreement mechanisms for mission critical communications for secure mobile ad hoc and wireless mesh internetworking

Ioannis G. Askoxylakis; Theodore Tryfonas; John May; Vasilios A. Siris; Apostolos Traganitis

Future wireless networks like mobile ad hoc networks and wireless mesh networks are expected to play an important role in demanding communications such as mission critical communications. MANETs are ideal for emergency cases where the communication infrastructure has been completely destroyed and there is a need for quick set up of communications among the rescue/emergency workers. In such emergency scenarios wireless mesh networks may be employed in a later phase for providing advanced communications and services acting as a backbone network in the affected area. Internetworking of both types of future networks will provide a broad range of mission critical applications. While offering many advantages, such as flexibility, ease of deployment and low cost, MANETs and mesh networks face important security and resilience threats, especially for such demanding applications. We introduce a family of key agreement methods based on weak to strong authentication associated with several multiparty contributory key establishment methods. We examine the attributes of each key establishment method and how each method can be better applied in different scenarios. The proposed protocols support seamlessly both types of networks and consider system and application requirements such as efficient and secure internetworking, dynamicity of network topologies and support of thin clients.


International Conference on Emerging Security Information, Systems and Technologies | 2008

A Body-Centered Cubic Method for Key Agreement in Dynamic Mobile Ad Hoc Networks

Ioannis G. Askoxylakis; Damien Sauveron; Konstantinos Markantonakis; Theodore Tryfonas; Apostolos Traganitis

Mobile ad hoc networking is an operating mode for rapid mobile host interconnection, where nodes rely on each other, in order to maintain network connectivity and functionality. Security is one of the main issues for mobile ad hoc networks (MANETs) deployment. We introduce a weak to strong authentication mechanism associated with a multiparty contributory key agreement method, designed for dynamic changing topologies, where nodes arrive and depart from a MANET at will. We introduce a new cube algorithm based on the body-centered cubic (BCC) structure. The proposed system employs elliptic curve cryptography, which is more efficient for thin clients where processing power and energy are significant constraints. The algorithm is designed for MANETs with dynamic changing topologies due to continuous flow of incoming and departing nodes.


Second International Workshop on Digital Forensics and Incident Analysis (WDFIA 2007) | 2007

A Cognitive Model for the Forensic Recovery of End-User Passwords

Grigorios Fragkos; Theodore Tryfonas

Despite the existence of a number of advanced authentication mechanisms such as two-factor tokens, biometrics etc., the use of passwords is still the most popular means of authenticating users in a computing system. Consequently, we need to generate and remember a large number of passwords, and these passwords need to be as strong as the assets they protect. During the course of a forensic examination a computer forensics analyst may come across a number of situations where the recovery of passwords is required, either in order to access a particular user account, or to unlock encrypted or otherwise obfuscated digital content. In this paper we create a cognitive model to describe the creation of end-user generated passwords that may be applied particularly during an attempt to forensically recover such passwords. We propose that it may be feasible to recover a password by reversing the logic of its creation, taking into account contextual and other parameters, instead of applying computationally expensive brute force.


Mobile Lightweight Wireless Systems | 2009

A Face Centered Cubic Key Agreement Mechanism for Mobile Ad Hoc Networks

Ioannis G. Askoxylakis; Konstantinos Markantonakis; Theodore Tryfonas; John H R May; Apostolos Traganitis

Mobile ad hoc networking is an operating mode for rapid mobile node networking. Each node relies on adjacent nodes in order to achieve and maintain connectivity and functionality. Security is considered among the main issues for the successful deployment of mobile ad hoc networks (MANETs). In this paper we introduce a weak to strong authentication mechanism associated with a multiparty contributory key establishment method. The latter is designed for MANETs with dynamic changing topologies, due to continuous flow of incoming and departing nodes. We introduce a new cube algorithm based on the face-centered cubic (FCC) structure. The proposed architecture employs elliptic curve cryptography, which is considered more efficient for thin clients where processing power and energy consumption are significant constraints.


2008 Third International Annual Workshop on Digital Forensics and Incident Analysis | 2008

Global Positioning Systems: Analysis Principles and Sources of Evidence in User Devices

Daniel W. Jones; Iain Sutherland; Theodore Tryfonas

The growing popularity of Global Positioning Systems and other location-based telecommunications service provision provides a further potential source of data for the forensic investigator. Network- or device-located information may have evidential value in supporting a case by providing details or proof of visited locations, navigation through particular routes, or communications with third parties. In this paper we focus on the examination of the end user's portable device and we highlight the nature and locations where potential evidence may be left behind.

Collaboration


Top Co-Authors

Iain Sutherland

University of South Wales

Paula Thomas

University of South Wales

John May

University of Bristol

Vivienne Mee

University of South Wales

Andrew Blyth

University of New South Wales

Daniel W. Jones

University of South Wales

Eni E Oyegoke

University of South Wales