2019 11th International Conference on Cyber Conflict (CyCon)最新文献

{"title":"SamSam and the Silent Battle of Atlanta","authors":"Kenneth Kraszewski","doi":"10.23919/CYCON.2019.8757090","DOIUrl":"https://doi.org/10.23919/CYCON.2019.8757090","url":null,"abstract":"The SamSam ransomware attack on Atlanta in early 2018 crippled municipal services in a major American city without the firing of a single shot, epitomizing the notion of a “Silent Battle”. Atlanta was not the only battlefield. Municipal governments in Colorado and New Mexico, as well as medical associations in Indiana, Virginia, New York and Buffalo, were all targets. While other ransomware or ransomware-like attacks have been larger-scale events, the SamSam ransomware attacks deserve an international law analysis. This article examines the SamSam attacks on health care providers and municipal government through the lens of the second Tallinn Manual. First, it explains the SamSam ransomware itself and Gold Lowell, the group presumed to be behind it. Second, this article explores how the SamSam incidents might be classified under international law. This article asks whether ransomware attacks are internationally wrongful acts - breaches of international obligations attributable to a State. This entails considering whether a ransomware attack may be legally classified as a use of force, an intervention, a violation of sovereignty, or a breach of an international law obligation. Finally, this article discusses the possible legal responses to the SamSam ransomware attacks available to the United States: countermeasures, the plea of necessity, acts of self-defense under Article 51 of the U.N. Charter, and acts of retorsion.","PeriodicalId":114193,"journal":{"name":"2019 11th International Conference on Cyber Conflict (CyCon)","volume":"32 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132695097","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"What are Military Cyberspace Operations Other Than War?","authors":"Brad Bigelow","doi":"10.23919/CYCON.2019.8756835","DOIUrl":"https://doi.org/10.23919/CYCON.2019.8756835","url":null,"abstract":"NATO has recognized cyberspace as a domain of military operations, with the Cyberspace Operations Centre as the focal point for coordinating and directing effects in cyberspace in the context of Alliance operations and missions. Yet many of the threats nations face in cyberspace deliver their effects below the level of conventional armed conflict, involve systems and capabilities outside the span of military control, and do not lend themselves to traditional military response options. As concerns over the defense of critical national infrastructures and other non-military targets such as election systems and social media increase, however, many are calling for the military to take on a greater role in cyberspace outside the context of armed conflicts. This paper looks at calls for greater military involvement in cyberspace below the level of conventional armed conflict, in the context of previous doctrinal work on military operations other than war. It attempts to derive a set of equivalent principles that could be applied to military cyberspace operations performed below the level of armed conflict; it then assesses these functions in terms of whether the military should take a leading or supporting role, and what kinds of tasks, relationships, and authorities might be involved. The aims of this paper are to identify the appropriate roles for the military in cyberspace operations below the level of conflict and to highlight the importance of cross-functional coordination with civil authorities in performing these roles.","PeriodicalId":114193,"journal":{"name":"2019 11th International Conference on Cyber Conflict (CyCon)","volume":"53 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126816275","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Machine Learninģ-based Detection of C&C Channels with a Focus on the Locked Shields Cyber Defense Exercise","authors":"Nicolas Känzig, Roland Meier, L. Gambazzi, Vincent Lenders, L. Vanbever","doi":"10.23919/CYCON.2019.8756814","DOIUrl":"https://doi.org/10.23919/CYCON.2019.8756814","url":null,"abstract":"The diversity of applications and devices in enterprise networks combined with large traffic volumes make it inherently challenging to quickly identify malicious traffic. When incidents occur, emergency response teams often lose precious time in reverse-engineering the network topology and configuration before they can focus on malicious activities and digital forensics. In this paper, we present a system that quickly and reliably identifies Command and Control (C&C) channels without prior network knowledge. The key idea is to train a classifier using network traffic from attacks that happened in the past and use it to identify C&C connections in the current traffic of other networks. Specifically, we leverage the fact that - while benign traffic differs - malicious traffic bears similarities across networks (e.g., devices participating in a botnet act in a similar manner irrespective of their location). To ensure performance and scalability, we use a random forest classifier based on a set of computationally-efficient features tailored to the detection of C&C traffic. In order to prevent attackers from outwitting our classifier, we tune the model parameters to maximize robustness. We measure high resilience against possible attacks - e.g., attempts to camouflaging C&C flows as benign traffic - and packet loss during the inference. We have implemented our approach and we show its practicality on a real use case: Locked Shields, the world's largest cyber defense exercise. In Locked Shields, defenders have limited resources to protect a large, heterogeneous network against unknown attacks. Using recorded datasets (from 2017 and 2018) from a participating team, we show that our classifier is able to identify C&C channels with 99% precision and over 90% recall in near real time and with realistic resource requirements. If the team had used our system in 2018, it would have discovered 10 out of 12 C&C servers in the first hours of the exercise.","PeriodicalId":114193,"journal":{"name":"2019 11th International Conference on Cyber Conflict (CyCon)","volume":"18 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129953298","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Silent Battles: Towards Unmasking Hidden Cyber Attack","authors":"Robert Koch, Mario Golling","doi":"10.23919/CYCON.2019.8757146","DOIUrl":"https://doi.org/10.23919/CYCON.2019.8757146","url":null,"abstract":"When looking at the media, it can easily be seen that new cyber attacks are reported on a regular basis. The corresponding effects of these attacks can be manifold, ranging from downtime of popular services affected by a rather trivial Denial-of-Service attack, to physical destruction based on sophisticated cyber weapons. This can also range from single affected systems up to an entire nation (e.g., when the cyber incident has major influence on a democratic election). Some of these attacks have gained broader public attention only by chance. This raises the fundamental question: do some cyber activities remain hidden, even though they have a significant impact on our everyday lives, and how can such unknown cyber involvements be unmasked? The authors investigate this question in depth in this paper. The first part of the paper analyzes the characteristics of silent battles and hidden cyber attacks - what needs to be considered on the way towards a better detection of hidden cyber attacks? After that, an evaluation of the current cyber security landscape is provided, summarizing what developments we can see and what we can expect. Based on this, the complexity of detecting hidden cyber attacks is discussed and we ask the question: why does detection fail and how can it be improved? To investigate this question, the capabilities of the attackers are examined and are reflected in a 3-Layer Vulnerability Model. It is shown that a traditional Cyber Kill Chain is not sufficient to detect complex cyber attacks. Therefore, to improve the detection of hidden cyber attacks, a new detection model based on combining the 3-Layer Vulnerability Model and the Cyber Kill Chain is proposed.","PeriodicalId":114193,"journal":{"name":"2019 11th International Conference on Cyber Conflict (CyCon)","volume":"2 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121522796","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"The Cyber-ASAT: On the Impact of Cyber Weapons in Outer Space","authors":"James Pavur, I. Martinovic","doi":"10.23919/CYCON.2019.8756904","DOIUrl":"https://doi.org/10.23919/CYCON.2019.8756904","url":null,"abstract":"Satellites have revolutionized military strategy and the dynamics of national power. However, satellites themselves are fragile and can be destroyed by even miniscule projectiles. Anti-Satellite Weapons (ASATs) which exploit this weakness have long been prophesied as the Achilles heel of space power; yet orbit has remained relatively peaceful for more than sixty years. As the threat of cyber attacks against space assets looms, the impact that cyberspace will have on stability in outer space is not well understood. This paper presents a strategic analysis of the impact of cyber weapons on three key stabilizing factors which have thus far contributed to peace in space. Based on this analysis, it contends that cyber-ASATs threaten the foundations of space's longstanding stability due to their high accessibility, low attributability, and low risk of collateral damage. This conjecture is tested experimentally though the development of a simulated cyber-ASAT capability targeting one small component of satellite operations: space situational awareness data. By leveraging orbital simulations and genetic algorithms, we demonstrate the ability to artificially alter debris collision forecasts and cause direct harm to critical space systems without firing a single rocket. The attack method is tested in realistic simulations and shown to have a high success rate against realworld satellites of vital strategic importance. Our interdisciplinary approach unifies strategic analysis with technical experimentation to present the case that cyber-ASATs are not merely a distant theoretical threat, but a real and present danger to the balance of power in space.","PeriodicalId":114193,"journal":{"name":"2019 11th International Conference on Cyber Conflict (CyCon)","volume":"25 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133236604","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Cyber-Physical Battlefield Platform for Large-Scale Cybersecurity Exercises","authors":"J. Kim, Kyeongho Kim, Moonsu Jang","doi":"10.23919/CYCON.2019.8756901","DOIUrl":"https://doi.org/10.23919/CYCON.2019.8756901","url":null,"abstract":"In this study, we propose a platform upon which a cyber security exercise environment can be built efficiently for national critical infrastructure protection, i.e. a cyber-physical battlefield (CPB), to simulate actual ICS/SCADA systems in operation. Among various design considerations, this paper mainly discusses scalability, mobility, reality, extensibility, consideration of the domain or vendor specificities, and the visualization of physical facilities and their damage as caused by cyber attacks. The main purpose of the study was to develop a platform that can maximize the coverage that encompasses such design considerations. We discuss the construction of the platform through the final design choices. The features of the platform that we attempt to achieve are closely related to the target cyber exercise format. Design choices were made considering the construction of a realistic ICS/SCADA exercise environment that meets the goals and matches the characteristics of the Cyber Conflict Exercise (CCE), an annual national exercise organized by the National Security Research Institute (NSR) of South Korea. CCE is a real-time attack-defense battlefield drill between 10 red teams who try to penetrate a multi-level organization network and 16 blue teams who try to defend the network. The exercise platform provides scalability and a significant degree of freedom in the design of a very large-scale CCE environment. It also allowed us to fuse techniques such as 3D-printing and augmented reality (AR) to achieve the exercise goals. This CPB platform can also be utilized in various ways for different types of cybersecurity exercise. The successful application of this platform in Locked Shields 2018 (LS18) is strong evidence of this; it showed the great potential of this platform to integrate high-level strategic or operational exercises effectively with low-level technical exercises. This paper also discusses several possible improvements of the platform which could be made for better integration, as well as various exercise environments that can be constructed given the scalability and extensibility of the platform.","PeriodicalId":114193,"journal":{"name":"2019 11th International Conference on Cyber Conflict (CyCon)","volume":"55 7 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115349681","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Addressing Adversarial Attacks Against Security Systems Based on Machine Learning","authors":"Giovanni Apruzzese, M. Colajanni, Luca Ferretti, Mirco Marchetti","doi":"10.23919/CYCON.2019.8756865","DOIUrl":"https://doi.org/10.23919/CYCON.2019.8756865","url":null,"abstract":"Machine-learning solutions are successfully adopted in multiple contexts but the application of these techniques to the cyber security domain is complex and still immature. Among the many open issues that affect security systems based on machine learning, we concentrate on adversarial attacks that aim to affect the detection and prediction capabilities of machine-learning models. We consider realistic types of poisoning and evasion attacks targeting security solutions devoted to malware, spam and network intrusion detection. We explore the possible damages that an attacker can cause to a cyber detector and present some existing and original defensive techniques in the context of intrusion detection systems. This paper contains several performance evaluations that are based on extensive experiments using large traffic datasets. The results highlight that modern adversarial attacks are highly effective against machine-learning classifiers for cyber detection, and that existing solutions require improvements in several directions. The paper paves the way for more robust machine-learning-based techniques that can be integrated into cyber security platforms.","PeriodicalId":114193,"journal":{"name":"2019 11th International Conference on Cyber Conflict (CyCon)","volume":"177 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"122808713","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Hidden in the Shadow: The Dark Web - A Growing Risk for Military Operations?","authors":"Robert Koch","doi":"10.23919/CYCON.2019.8756708","DOIUrl":"https://doi.org/10.23919/CYCON.2019.8756708","url":null,"abstract":"A multitude of leaked data can be purchased through the Dark Web nowadays. Recent reports highlight that the largest footprints of leaked data, which range from employee passwords to intellectual property, are linked to governmental institutions. According to OWL Cybersecurity, the US Navy is most affected. Thinking of leaked data like personal files, this can have a severe impact. For example, it can be the cornerstone for the start of sophisticated social engineering attacks, for getting credentials for illegal system access or installing malicious code in the target network. If personally identifiable information or sensitive data, access plans, strategies or intellectual property are traded on the Dark Web, this could pose a threat to the armed forces. The actual impact, role, and dimension of information treated in the Dark Web are rarely analysed. Is the available data authentic and useful? Can it endanger the capabilities of armed forces? These questions are even more challenging, as several well-known cases of deanonymization have been published over recent years, raising the question whether somebody really would use the Dark Web to sell highly sensitive information. In contrast, fake offers from scammers can be found regularly, only set up to cheat possible buyers. A victim of illegal offers on the Dark Web will typically not go to the police. The paper analyses the technical base of the Dark Web and examines possibilities of deanonymization. After an analysis of Dark Web marketplaces and the articles traded there, a discussion of the potential risks to military operations will be used to identify recommendations on how to minimize the risk. The analysis concludes that surveillance of the Dark Web is necessary to increase the chance of identifying sensitive information early; but actually the ‘open’ internet, the surface web and the Deep Web, poses the more important risk factor, as it is - in practice - more difficult to surveil than the Dark Web, and only a small share of breached information is traded on the latter.","PeriodicalId":114193,"journal":{"name":"2019 11th International Conference on Cyber Conflict (CyCon)","volume":"207 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131984226","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Towards Measuring Global DDoS Attack Capacity","authors":"Arturs Lavrenovs","doi":"10.23919/CYCON.2019.8756851","DOIUrl":"https://doi.org/10.23919/CYCON.2019.8756851","url":null,"abstract":"In today's Internet, distributed denial-of-service (DDoS) attacks play an ever-increasing role and constitute a risk to any commercial, military or governmental entity that has a presence on the Internet or simply has an Internet connection. To address this threat on all levels, decision-makers have to rely on trustworthy information regarding attack capacity, sources, and the largest contributors. The lack of this information limits the ability of technicians, policymakers, and other relevant decision-makers to remediate the issue as efficiently as possible. This research introduces a methodology for measuring the properties of individual devices participating in such attacks. These properties include rate limiting, amplification factor, and speed, which allows the calculation of each device's actual contribution to the attack capacity. This methodology was implemented as a proof of concept for the NTP protocol and the results indicate that it has promising potential. Individual measurements aggregated together provide insights into particular abused protocols: all the protocols together could provide the global DDoS attack capacity.","PeriodicalId":114193,"journal":{"name":"2019 11th International Conference on Cyber Conflict (CyCon)","volume":"15 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121959070","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"NATO Cooperative Cyber Defence Centre of Excellence","authors":"","doi":"10.23919/cycon.2019.8756674","DOIUrl":"https://doi.org/10.23919/cycon.2019.8756674","url":null,"abstract":"The NATO Cooperative Cyber Defence Centre of Excellence (CCD COE), a NATO-accredited knowledge hub in Tallinn, Estonia, is described. CCD COE offers a unique interdisciplinary approach to the most relevant issues in cyber defence. We conduct research, trainings and exercises in four core areas: technology, strategy, operations and law. The heart of the Centre is a diverse group of international experts from military, government, academia and industry, representing currently 21 member nations. Almost half as many nations are aspiring to become member in the years to come. NATO CCD COE's mission is to support its member nations and NATO in the fields of cyber defence research, training and exercises. The Centre provides cyber defence expertise in the fields of technology, strategy, operations and law, often in an interdisciplinary manner. NATO CCD COE embodies and fosters the cooperation of like-minded nations in cyber defence. Our member nations are allies in NATO and like-minded partners beyond the Alliance.","PeriodicalId":114193,"journal":{"name":"2019 11th International Conference on Cyber Conflict (CyCon)","volume":"150 12 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2019-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"127060423","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}