2019 11th International Conference on Cyber Conflict (CyCon): Latest Papers

Call to Action: Mobilizing Community Discussion to Improve Information-Sharing About Vulnerabilities in Industrial Control Systems and Critical Infrastructure
2019 11th International Conference on Cyber Conflict (CyCon) Pub Date: 2019-05-28 DOI: 10.23919/CYCON.2019.8756895
Daniel Kapellmann, Rhyner Washburn
Abstract: Vulnerability management remains a significant challenge for organizations that handle critical infrastructure worldwide. Hallmark cyber-physical incidents with disruptive and destructive capabilities like Stuxnet (2010) and Triton (2017) have exploited known vulnerabilities in information technology (IT) and operational technology (OT) assets throughout the attack lifecycle. However, the global critical infrastructure security community is still nascent in the field of industrial control systems (ICS) vulnerability management, especially in information-sharing. While their counterparts in IT security have spent years elaborating multiple resources to track and disseminate information about known vulnerabilities, the ICS community lacks specialized mechanisms for knowledge-sharing. Multiple challenges exist when addressing this issue: a general lack of awareness about ICS cybersecurity, the need to consider multiple industry sectors and unique network architectures, and the need to find a balance between protecting and releasing sensitive information regarding critical infrastructure organizations or proprietary vendor knowledge. Through a multiphase research initiative based on the user-centered design process, we intend to test and evaluate the feasibility and effectiveness of various information-sharing platform designs for streamlining the discussion of ICS vulnerabilities. In the first phase of this research, we surveyed ICS and critical infrastructure security stakeholders to gain insight into the range of cogent, shared, and divergent views of the community relating to the need for specialized resources to share information about ICS vulnerabilities. We then evaluated what these different perspectives imply for the adoption and success of certain information-sharing platform frameworks. Finally, utilizing these insights, we demonstrated possible alternative paths forward for addressing the challenge of sharing information about ICS vulnerabilities to keep critical infrastructure safe.
Citations: 4
Rough-and-Ready: A Policy Framework to Determine if Cyber Deterrence is Working or Failing
2019 11th International Conference on Cyber Conflict (CyCon) Pub Date: 2019-05-28 DOI: 10.23919/CYCON.2019.8756890
Jason Healey, N. Jenkins
Abstract: This paper addresses the recent shift in the United States' policy that emphasizes forward defense and deterrence and to “intercept and halt” adversary cyber operations. Supporters believe these actions should significantly reduce attacks against the United States, while critics worry that they may incite more adversary activity. As there is no standard methodology to measure which is the case, this paper introduces a transparent framework to better assess whether the new U.S. policy and actions are suppressing or encouraging attacks. (This work was funded in part by the Office of Naval Research under the OSD Minerva program: Grant number N00014-17-1-2423.) Determining correlation and causation will be difficult due to the hidden nature of cyber attacks, the veiled motivations of differing actors, and other factors. However even if causation may never be clear, changes in the direction and magnitude of cyber attacks can be suggestive of the success or failure of these new policies, especially as their proponents suggest they should be especially effective. Rough-and-ready metrics can be helpful to assess the impacts of policymaking, can lay the groundwork for more comprehensive measurements, and may also provide insight into academic theories of persistent engagement and deterrence.
Citations: 6
BlackWidow: Monitoring the Dark Web for Cyber Security Information
2019 11th International Conference on Cyber Conflict (CyCon) Pub Date: 2019-05-28 DOI: 10.23919/CYCON.2019.8756845
Matthias Schäfer, Markus Fuchs, Martin Strohmeier, Markus Engel, Marc Liechti, Vincent Lenders
Abstract: The Dark Web, a conglomerate of services hidden from search engines and regular users, is used by cyber criminals to offer all kinds of illegal services and goods. Multiple Dark Web offerings are highly relevant for the cyber security domain in anticipating and preventing attacks, such as information about zero-day exploits, stolen datasets with login information, or botnets available for hire. In this work, we analyze and discuss the challenges related to information gathering in the Dark Web for cyber security intelligence purposes. To facilitate information collection and the analysis of large amounts of unstructured data, we present BlackWidow, a highly automated modular system that monitors Dark Web services and fuses the collected data in a single analytics framework. BlackWidow relies on a Docker-based micro service architecture which permits the combination of both preexisting and customized machine learning tools. BlackWidow represents all extracted data and the corresponding relationships extracted from posts in a large knowledge graph, which is made available to its security analyst users for search and interactive visual exploration. Using BlackWidow, we conduct a study of seven popular services on the Deep and Dark Web across three different languages with almost 100,000 users. Within less than two days of monitoring time, BlackWidow managed to collect years of relevant information in the areas of cyber security and fraud monitoring. We show that BlackWidow can infer relationships between authors and forums and detect trends for cybersecurity-related topics. Finally, we discuss exemplary case studies surrounding leaked data and preparation for malicious activity.
Citations: 39
Understanding the Strategic Implications of the Weaponization of Artificial Intelligence
2019 11th International Conference on Cyber Conflict (CyCon) Pub Date: 2019-05-28 DOI: 10.23919/CYCON.2019.8756866
J. Burton, Simona R. Soare
Abstract: Artificial Intelligence (AI) is expected to have a revolutionary impact across societies and to create economic displacement and disruption in security and defense. Yet the impact of AI on national security and military affairs has received relatively scant attention. The existing policy-focused literature has concentrated mainly on the technological, ethical or legal limitations of deploying AI and on the risks associated with it. This paper seeks to contribute to the debate by outlining the strategic implications of the weaponization of AI for international security. It explores how and in what ways AI is currently being utilized in the defense sector to enhance offensive and defensive military technologies and operations and assesses the ways in which the incorporation of AI into military platforms will affect war fighting and strategic decision-making. The paper is in four sections. Section one develops a typology of military AI that forms a foundation for the rest of the paper. The second section examines the uses of AI in cyberspace and the relationships between ‘cyber weapons’ and AI capabilities. The third section examines how the embeddedness of AI-based capabilities across the land, air, naval and space domains may affect combined arms operations. The final section distills the main strategic implications of weaponized AI, which include the speed of decision-making and action as well as enhanced domain situational awareness.
Citations: 15
“Silent Battle” Goes Loud: Entering a New Era of State-Avowed Cyber Conflict
2019 11th International Conference on Cyber Conflict (CyCon) Pub Date: 2019-05-28 DOI: 10.23919/CYCON.2019.8756713
K. Giles, Kim Hartmann
Abstract: The unprecedented transparency shown by the Netherlands intelligence services in exposing Russian GRU officers in October 2018 is indicative of a number of new trends in state handling of cyber conflict. US public indictments of foreign state intelligence officials, and the UK's deliberate provision of information allowing the global media to “dox” GRU officers implicated in the Salisbury poison attack in early 2018, set a precedent for revealing information that previously would have been confidential. This is a major departure from previous practice where the details of state-sponsored cyber attacks would only be discovered through lengthy investigative journalism (as with Stuxnet) or through the efforts of cybersecurity corporations (as with Red October). This paper uses case studies to illustrate the nature of this departure and consider its impact, including potentially substantial implications for state handling of cyber conflict. The paper examines these implications, including:
• The effect of transparency on perception of conflict. Greater public knowledge of attacks will lead to greater public acceptance that countermeasures should be taken. This may extend to public preparedness to accept that a state of declared or undeclared war exists with a cyber aggressor.
• The resulting effect on legality. This adds a new element to the long-running debates on the legality of cyber attacks or counter-attacks, by affecting the point at which a state of conflict is politically and socially, even if not legally, judged to exist.
• The further resulting effect on permissions and authorities to conduct cyber attacks, in the form of adjustment to the glaring imbalance between the means and methods available to aggressors (especially those who believe themselves already to be in conflict) and defenders. Greater openness has already intensified public and political questioning of the restraint shown by NATO and EU nations in responding to Russian actions; this trend will continue.
• Consequences for deterrence, both specifically within cyber conflict and also more broadly deterring hostile actions.
In sum, the paper brings together the direct and immediate policy implications, for a range of nations and for NATO, of the new apparent policy of transparency.
Citations: 4
Hidden Risks to Cyberspace Security from Obsolete COTS Software
2019 11th International Conference on Cyber Conflict (CyCon) Pub Date: 2019-05-28 DOI: 10.23919/CYCON.2019.8756990
Barış Egemen Özkan, Serol Bulkan
Abstract: Obsolescence of Commercial Off The Shelf (COTS) hardware and software, with their shorter product life cycles, is one of the major concerns for cyberspace system/service providers. While hardware obsolescence has been widely studied, software obsolescence has received less attention. However, the increased number of cyber incidents globally calls for more attention to the use of COTS software in critical infrastructures and military systems: systems comprising 25+ product life cycles and dominated by sustainment concerns. The number of reported vulnerabilities of COTS software systems more than doubled in 2017 and continued to increase in 2018. It is already a challenge for system/service providers to keep up with the pace of vulnerabilities to sustain the resiliency of the systems. Increased use of COTS software in mission-critical systems exacerbates the situation because it forces system/service providers to manage the risk of not being able to receive security updates for obsolete software. In today's cyber conflict, where hybrid threats are enjoying the highly connected nature of cyberspace terrain enabled with globalization and newer technologies, if cyberspace security risks stemming from obsolete COTS software in critical systems are not addressed properly, they may easily become a national security problem. Such risks must be addressed comprehensively at both governance and management levels. This paper presents the sustainability, operational efficiency and cyberspace security risks of obsolete COTS software in critical infrastructures and military systems and proposes mitigations at both governance and management levels. At the management level, a Multi Criteria Decision Making methodology is proposed for system/service providers to balance the conflicting objective functions of reaching a cost-effective solution while maximizing the system's cyberspace security and efficiency.
Citations: 2
Neural Network-Based Technique for Android Smartphone Applications Classification
2019 11th International Conference on Cyber Conflict (CyCon) Pub Date: 2019-05-28 DOI: 10.23919/CYCON.2019.8757162
Roman Graf, Leon Aaron Kaplan, Ross King
Abstract: With the booming development of smartphone capabilities, these devices are increasingly frequent victims of targeted attacks in the ‘silent battle’ of cyberspace. Protecting Android smartphones against the increasing number of malware applications has become as crucial as it is complex. To be effective in identifying and defeating malware applications, cyber analysts require novel distributed detection and reaction methodologies based on information security techniques that can automatically analyse new applications and share analysis results between smartphone users. Our goal is to provide a real-time solution that can extract application features and find related correlations within an aggregated knowledge base in a fast and scalable way, and to automate the classification of Android smartphone applications. Our effective and fast application analysis method is based on artificial intelligence and can support smartphone users in malware detection and allow them to quickly adopt suitable countermeasures following malware detection. In this paper, we evaluate a deep neural network supported by word-embedding technology as a system for malware application classification and assess its accuracy and performance. This approach should reduce the number of infected smartphones and increase smartphone security. We demonstrate how the presented techniques can be applied to support smartphone application classification tasks performed by smartphone users.
Citations: 4
Covert or not Covert: National Strategies During Cyber Conflict
2019 11th International Conference on Cyber Conflict (CyCon) Pub Date: 2019-05-28 DOI: 10.23919/CYCON.2019.8756682
Gil Baram, Udi Sommer
Abstract: Anonymity is considered to be a key characteristic of cyber conflict. Indeed, existing accounts in the literature focus on the advantages of the non-disclosure of cyber attacks. Such focus inspires the expectation that countries would opt to maintain covertness. This hypothesis is rejected in an empirical investigation we conducted on victims' strategies during cyber conflict: in numerous cases, victim states choose to publicly reveal the fact that they had been attacked. These counterintuitive findings are important empirically, but even more so theoretically. They motivate an investigation into the decision to forsake covertness. What does actually motivate states to move into the international arena and publicly expose a cyber attack? The goal of this paper is to understand why and under which geopolitical circumstances countries choose to give up the advantages of anonymity. Whether they wish to Name and Shame opponents for ignoring international norms or whether they try to avoid public humiliation, victims of cyber attacks occasionally reveal the fact that they had been attacked. There is tension between such motivations and the will to protect intelligence sources and the incentives to prevent escalation if an attack is revealed, even more so if the attacker is exposed. Indeed, we find that sunk costs, counter-escalation risks and the need to signal resolve, while critical in motivating victims to keep cyber attacks secret, may not suffice under such specific circumstances. By focusing on the victim's side, we draw inspiration from data on real-world cyber attacks in order to place cyber operations in the larger context of secrecy and covert actions in the international arena. In so doing, the aim is to advance the use of empirical data for understanding the dynamics of cyber conflict and the decision-making process of states operating in this increasingly complex domain.
Citations: 11
Resilience of Cyber-Physical Systems: an Experimental Appraisal of Quantitative Measures
2019 11th International Conference on Cyber Conflict (CyCon) Pub Date: 2019-05-28 DOI: 10.23919/CYCON.2019.8757010
G. Murino, A. Armando, A. Tacchella
Abstract: Cyber-Physical Systems (CPSs) interconnect the physical world with digital computers and networks in order to automate production and distribution processes. Nowadays, most CPSs do not work in isolation, but their digital part is connected to the Internet in order to enable remote monitoring, control and configuration. Such a connection may offer entry-points enabling attackers to gain control silently and exploit access to the physical world at the right time to cause service disruption and possibly damage to the surrounding environment. Prevention and monitoring measures can reduce the risk brought by cyber attacks, but the residual risk can still be unacceptably high in critical infrastructures or services. Resilience - i.e., the ability of a system to withstand adverse events while maintaining an acceptable functionality - is therefore a key property for such systems. In our research, we seek a model-free, quantitative, and general-purpose evaluation methodology to extract resilience indexes from, e.g., system logs and process data. While a number of resilience metrics have already been put forward, little experimental evidence is available when it comes to the cyber security of CPSs. By using the model of a real wastewater treatment plant, and simulating attacks that tamper with a critical feedback control loop, we provide a comparison between four resilience indexes selected through a thorough literature review involving over 40 papers. Our results show that the selected indexes differ in terms of behavior and sensitivity with respect to specific attacks, but they can all summarize and extract meaningful information from bulky system logs. Our evaluation includes an approach for extracting performance indicators from observed variables which does not require knowledge of system dynamics; and a discussion about combining resilience indexes into a single system-wide measure is included. The authors wish to thank Leonardo S.p.A. for its financial support. The research herein presented is partially supported by project NEFERIS awarded by the Italian Ministry of Defense to Leonardo S.p.A. in partnership with the University of Genoa. This work received funding from the European Union's Horizon 2020 research and innovation program under grant agreement No 830892 for project SPARTA.
Citations: 12
Applying Indications and Warning Frameworks to Cyber Incidents
2019 11th International Conference on Cyber Conflict (CyCon) Pub Date: 2019-05-01 DOI: 10.23919/CYCON.2019.8756949
Bilyana Lilly, Lillian Ablon, Quentin E. Hodgson, Adam S. Moore
Abstract: Despite significant advancements in academia and public policy on identifying, deterring, and mitigating cyber incidents, there is a general discontent among NATO agencies, member states' governments, and intelligence agencies that their strategy against cyber incidents is primarily reactive and implemented post factum, rather than proactive and executed before such attacks occur. This issue could be addressed through the design and application of appropriate indications and warning (I&W) frameworks for the cyber domain. Currently, there is a lack of comprehensive understanding and generally accepted practice of how governments and international organizations can apply such I&W methodologies and integrate them with their existing capabilities and processes. A survey of the classic warning methodologies used by the U.S. intelligence community to address a range of non-cyber threats can inform the design of such robust frameworks. These mature intelligence methods can be adapted and perfected to adequately address threats in cyberspace. In this article, we examine some of these I&W frameworks and propose a high-level practical approach to cyber I&W that governments, NATO agencies and the private sector can use to design and structure their prevention, detection, and response mechanisms in order to effectively anticipate and defend against cyber threats. To demonstrate the utility of this approach, we apply it to an actual case: the November 14, 2018 spearphishing campaign by Russia's APT29 against U.S. government agencies, think tanks, and businesses.
Citations: 5