International Conference on Cyber Warfare and Security <p>The International Conference on Information Warfare and Security has been run on an annual basis since 2004. Conference Proceedings have been published each year and authors have been encouraged to upload their papers to university repositories. In addition the proceedings are indexed by a number of indexing bodies.</p> <p>From 2022 the publishers have decided to make all conference proceedings fully open access. Individual papers and full proceedings can be accessed via this system.</p> Academic Conferences International en-US International Conference on Cyber Warfare and Security 2048-9870 Editorial, Biographies and Review Committee Robin Griffin Copyright (c) 2022 Dean Robert P. Griffin 2022-03-02 2022-03-02 17 1 Cyberbullying Indicator as a Precursor to a Cyber Construct Development <p class="Abstract">The current global pandemic occasioned by the SARS-CoV-2 virus has been attributed, partially, to the growing range of cyber vises within the cyber ecosystem. One area of such impact is the increasing tendencies of cyber-bullying among students. Cyberbullying -the act of subjugating others using a cyber platform- is a growing concern among educators, especially in High-Schools. Whilst studies have been carried out towards understanding this menace, the approach towards identifying indicators of cyberbullying is largely missing in the literature. To address this research gap, this study proposed a cyberbullying framework based on the identification of some observable behavioral indicators. Using a self-administered measurement instrument from 30-respondents, the study observed the probability of a cyberbully construct, as a potential measure of the presence of cyberbullying; a probability that has been largely ignored in extant literature. This observation presents a veritable tool for the development of an active and integrated learning platform void of abuse among students. 
Furthermore, within the cyber education ecosystem, a cyberbullying construct would provide a mechanism for the development of an appropriate online learning platform, which would be useful to the information system and cyber education research communities.</p> Salam Al-Romaihi Richard Adeyemi Ikuesan Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-02-21 2022-02-21 17 1 1 6 10.34190/iccws.17.1.4 Education and Training Against Threat of Phishing Emails <p>The research results published in this article are oriented toward two areas: phishing email analysis and education for defense against the threats of phishing emails. The first topic builds on previous research primarily by analyzing changes in captured phishing emails over an interval of 4 weeks, half a year after the previous experiment. In this section, a statistical survey of phishing emails from both experiments is carried out and emails are segmented into categories focused on business, charity, asset transfer, and fund offers. The results of both experiments are then compared and validated. Based on this comparison and validation, a conclusion is made on trends and development in the phishing email domain in the last half a year. The second focus of our research is analysis of the existing education and testing systems for phishing emails. Based on the results of the analysis, a suitable system for university education and training against phishing and other malicious email threats will be designed. There is also an analysis of existing systems for improving and testing users' ability to recognize and react to phishing emails. Based on our findings about these systems, our own system is proposed. An experiment is prepared on "self-service" testing of phishing email detection skills performed by students with their colleagues. Some activists were employed to assist with this experiment; they will operate and prepare the environment according to the processed scenario. 
All experiments must be completely safe and effective at the same time. The experiments will be evaluated and the experience used to develop the education and training system at the university.</p> Ladislav Burita Ivo Klaban Tomas Racil Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 7 18 10.34190/iccws.17.1.28 Don’t Drink the Cyber: Extrapolating the Possibilities of Oldsmar’s Water Treatment Cyberattack <p>Water treatment represents an essential critical infrastructure sector which has a direct impact on the health and well-being of its customers. Water treatment is often performed by municipalities with very limited budgets for cybersecurity resources. These underfunded, high-impact, targets represent an emerging cyber warfare attack-surface paradigm which poses a direct threat to the quality of life for millions of people. On February 5th, 2021, a water treatment plant in Oldsmar, Florida was the victim of an attempted cyberattack. This attack commanded the system to add a dangerous amount of<br />sodium hydroxide to water which supplied thousands. Direct exposure to sodium hydroxide causes painful burns to the exposed area with permanent internal damage likely upon ingestion. A system operator noticed this malicious behaviour and corrected the situation, minimizing the attack’s impact. This paper outlines the attack and illustrates how minor modifications to the attacker’s tactics, techniques, and procedures could have resulted in a cyber-derived catastrophe for thousands of unsuspecting citizens. Lastly, this paper explores the effectiveness of various low-cost cyber-physical security technologies when pitted against differing attacker models in these theoretical scenarios. These cybersecurity solutions are evaluated by cost, ease of use, implementation difficulty, and ability to support safe operation continuity when faced with adversary behaviour. 
The results of this evaluation illuminate a path forward for low-cost threat mitigation which increases the difficulty to compromise these critical cyber-physical systems. With attacks targeting industrial control systems on the rise, the Oldsmar water treatment cyberattack represents more than an individual incident, it can be viewed as a reflection of the current status of thousands of similar critical infrastructure systems that have yet to be caught in crosshairs of a competent and willing adversary with financial incentives and cyber warfare mission requirements serving as impetus for adversary willingness and any resulting large-scale cyber cataclysm.</p> James Cervini Aviel Rubin Lanier Watkins Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 19 25 10.34190/iccws.17.1.29 An Ontology for Effective Security Incident Management <p>With the evolution of technologies like Internet of Things (IoTs), there will be more and more connected devices in use around the world. This is one of the reasons why cyber security is critical to contemporary society as it makes the large majority susceptible to cyber-attacks. Such cyber-attacks not only impact confidentiality, integrity, and availability but also can cause physical damage. This is evident from cyber-attacks like Stuxnet and German steel mill. Effective security incident management plays an important role in minimising negative impact of such attacks mainly in terms of the organizations’ finance, reputation, and personnel safety. Typically, the main phases of security incident management include: (i) preparation, (ii) mid-incident, and (iv) post-incident. There are diverse set of concepts like Structured Threat Information Expression (STIX) and Incident Object Description Exchange Format (IODEF) in the above-mentioned phases of security incident management. 
However, a comprehensive overview of different concepts and the relationships between such concepts in security incident management is missing. In this paper, we develop an ontology model with relevant concepts and their corresponding relationships between them especially in the mid-incident and post-incident phases of security incident management. Furthermore, we demonstrate the proposed ontology model using colonial pipeline example case study. The proposed model will help incident responders to operationalise concepts, by having a clear understanding on different concepts and their corresponding relationships, which in turn would also make the incident response more effective in practice.</p> Sabarathinam Chockalingam Clara Maathuis Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 26 35 10.34190/iccws.17.1.6 Bureau of Justice Assistance Student Computer and Digital Forensics Educational Opportunities Program <p>The current capabilities of many law enforcement agencies are tightly constrained despite the heightened level of awareness and concern for the role recent technology has in facilitating cybercrime and instances of online victimization. More specialized computer forensics and digital evidence training programs are necessary to meet the needs of local and state law enforcement agencies. Based on the context, this paper discusses an interdisciplinary approach to addressing this dilemma while providing in-depth computer forensics and cybercrime investigation training that is both informative and<br />pragmatic to future law enforcement officers. Using pre- and post-test results, this study assesses students’ technical background levels, reflecting comprehensive course learning objectives and pre-training levels of applied digital forensic investigation knowledge. Results suggest that students’ technical abilities and knowledge of different investigative tools significantly improved after the program. 
In particular, the program not only strengthened students’ knowledge of digital forensic investigation, but also helped students achieve higher t-test scores. We expect our study results to provide recommendations for cyber programs in other higher education institutions. The findings will serve as a guide for enhancing the current capacities of other higher education institutions to better serve their students in areas of computer forensics and digital evidence. In the long term, these efforts will lead to more effective cybercrime investigation and successful prosecutions, ultimately reducing cybercrime victimization.</p> Kyung-Shick Choi Lou Chitkushev Kyung-Seok Choo Claire Lee Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 36 44 10.34190/iccws.17.1.30 Protecting Networks with Intelligent Diodes <p>This paper explores the utility, practical nuances, performance characteristics, and attendant security risks associated with intelligent<em> Diodes</em> -- network appliances that regulate traffic flow by validating formats and mission payloads within the security perimeter afforded by a single Field Programmable Gate Array (FPGA). Diodes operate in the middle-ground between networks that are fully air-gapped -- i.e., completely disconnected from the Internet -- and those that are fully connected but require complex boundary defenses and security administration. As such, they provide an all-hardware, real-time alternative for protecting military vehicles and sensitive networks. 
Diodes are particularly useful in four core settings: when industrial plant need be connected to cloud-analytic services, such as Google-Analytics, for the purpose of process optimization; for supporting the lifecycle of military vehicles through Condition-based Maintenance; for preventing information bleed when sensor feeds must be consumed inside sensitive networks; and finally, for the reliable distributed replication of large files and databases. The devices may operate directly on protocol-specific traffic headers to dispatch or block traffic.&nbsp; Alternatively, they may be customized to validate file and traffic formats. This is achieved using an automated circuit design workflow that builds a hardware parsing plugin from a formal grammar and embeds it into the FPGA. This results in custom hardware that intelligently operates on mission specific data.</p> Jason Dahlstrom Stephen Taylor Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 45 54 10.34190/iccws.17.1.7 Can Attrition Theory Provide Insight for Cyber Warfare? <p>This paper explores the notion that cyber-adversaries can use classic attrition tactics to cause weakness to address follow-on attacks. We conducted a grounded theory study that reviewed historic literature to identify parallels between past attrition tactics and cyber warfare. From historical examples, we see the possibility of an adversary conducting an asymmetric campaign by flooding the adversary with false-positive attacks in order to have them drain resources. For a modern perspective, we interviewed subject-matter experts from a US military command. Thematic analysis demonstrates a link between attrition and cyber-maneuver warfare. 
One significant finding is that most subject-matter experts agreed a culture of compliance, which encourages a full resources response to security events given full resources, can reduce the ability to maneuver appropriately and takes away from the focus on critical mission functions that cyber security is actually in place to protect. Other common themes that surfaced include that some interviewees believed their organizations were not prepared for cyber war nor are they resourced adequately to respond to a state of cyber war. Issues that need further study are the need to compare and correlate telemetry and metrics of incident responses and better tracking of the dollar-cost value of incident response and cyber tactics.</p> Stephen Defibaugh Donna Schaeffer Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 55 62 10.34190/iccws.17.1.9 A Novel DevSecOps Model for Robust Security in an MQTT Internet of Things <p>Message Queuing Telemetry Transport (MQTT) is a standard messaging protocol for the Internet of Things (IoT). Among the various communication protocols used in IoT, MQTT stands unique because of its multiple advantages such as being efficient and light weight, reliability in message delivery and scalability to millions of things. However, the fact that the data privacy of the MQTT messages can be compromised while the data is in transit poses risks to the security mechanism. Attack scenarios related to MQTT have exposed multiple risks and vulnerabilities such as thousands of MQTT brokers being accessible over the default port, data privacy, authentication, data integrity, port obscurity, and botnet over MQTT. These risks and vulnerabilities undermine security mechanism which results in compromised IoT systems. 
Development Security and Operations (DevSecOps) aims at integrating security at every phase of the IoT lifecycle with enhanced automation, tools, and a process for determining security vulnerabilities at every stage. This results in a rapid and cost-effective IoT system which is enabled by proactive security mechanisms, threat prediction, threat detection, and alerting mechanisms. The aim of this work is to build a DevSecOps pipeline utilizing open source MQTT servers and brokers. A comparative study was performed to identify the risk posture provided by the DevSecOps pipeline across MQTT ports offering different combinations of security mechanisms. Firstly, threat modelling was conducted wherein the IoT system was analyzed at an architectural level from an attacker’s perspective and appropriate risk mitigation and defense mechanisms were accommodated into the design. The IoT system was then subjected to rigorous static and dynamic analysis followed by vulnerability scanning and third component checks. Penetration test cases and controls are automated to check threats and vulnerabilities like escalation of privileges, denial of service, spoofing, information disclosure, and repudiation. An alerting mechanism is also integrated into the system to monitor risks and vulnerabilities. Our proposed DevSecOps models achieves standard maturity in security systems with earlier threat prediction and detection.&nbsp;</p> Manasa Ekoramaradhya Christina Thorpe Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 63 71 10.34190/iccws.17.1.31 Exploring Ontologies for Mitigation Selection of Industrial Control System Vulnerabilities <p>Mitigating vulnerabilities in industrial control systems (ICSs) represents a highly complex task. ICSs may contain an abundance of device types, all with unique software and hardware components. 
Upon discovering vulnerabilities on ICS devices, cyber defenders must determine which mitigations to implement, and which mitigations can apply across multiple vulnerabilities. Cyber defenders need techniques to optimize mitigation selection. This exploratory research paper shows how ontologies, also known as linked-data models, can potentially be used to model ICS devices, vulnerabilities, and mitigations, as well as to identify mitigations that can remediate or mitigate multiple vulnerabilities. Ontologies can be used to reduce the complexity of a cyber defender’s role by allowing for insights to be drawn, especially in the ICS domain. Data are modelled from the Common Platform Enumeration (CPE), the National Vulnerability Database (NVD), standardized list of controls from the National Institute of Standards and Technology (NIST), and ICS Cyber Emergency Response Team (CERT) advisories. Semantic queries provide the techniques for mitigation prioritization. A case study is described for a selected programmable logic controller (PLC), its known vulnerabilities from the NVD, and recommended mitigations from ICS CERT. Overall, this research shows how ontologies can be used to link together existing data sources, to run queries over the linked data, and to allow for new insights to be drawn for mitigation selection. </p> Thomas Heverin Michael Cordano Andy Zeyher Matthew Lashner Sanjana Suresh Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 72 80 10.34190/iccws.17.1.32 Future Needs of the Cybersecurity Workforce <p>Expected growth of the job market for cyber security professionals in both the US and the UK remains strong for the foreseeable future. While there are many roles to be found in cyber security, that vary from penetration tester to chief information security officer (CISO). One job of particular interest is security architect. 
The rise in Zero Trust Architecture (ZTA) implementations, especially in the cloud environment, promises an increase in the demand for these security professionals. A security architect requires a set of knowledge, skills, and abilities covering the responsibility for integrating the various security components to successfully support an organization’s goals. In order to achieve the goal of seamless integrated security, the architect must combine technical skills with business, and interpersonal skills. Many of these same skills are required of the CISO, suggesting that the role of security architect may be a professional stepping-stone to the role of CISO. We expected degreed programs to offer courses in security architecture. Accredited university cyber security programs in the United Kingdom (UK) and the United States of America (USA) were examined for course offerings in security architecture. Results found the majority of programs did not offer a course in security architecture. Considering the role of the universities in preparing C-suite executives, the absence of cyber security architecture offerings is both troubling and surprising.</p> Connie Justice Char Sample Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 81 91 10.34190/iccws.17.1.33 Zero Trust and Advanced Persistent Threats: Who Will Win the War? <p>Advanced Persistent Threats (APTs) are state-sponsored actors who break into computer networks for political or industrial espionage. Because of the nature of cyberspace and ever-changing sophisticated attack techniques, it is challenging to prevent and detect APT attacks. 2020 United States Federal Government data breach once again showed how difficult to protect networks from targeted attacks. Among many other solutions and techniques, zero trust is a promising security architecture that might effectively prevent the intrusion attempts of APT actors. 
In the zero trust model, no process insider or outside the network is trusted by default. Zero trust is also called perimeterless security to indicate that it changes the focus from network devices to assets. All processes are required to verify themselves to access the resources. In this paper, we focused on APT prevention. We sought an answer to the question: "could the 2020 United States Federal Government data breach have been prevented if the attacked networks used zero trust architecture?" To answer this question, we used MITRE's ATT&amp;CK® framework to extract how the APT29 threat group techniques could be mitigated to prevent initial access to federal networks. Secondly, we listed basic constructs of the zero trust model using NIST Special Publication 800-207 and several other academic and industry resources. Finally, we analyzed how zero trust can prevent malicious APT activities. We found that zero trust has a strong potential of preventing APT attacks or mitigating them significantly. We also suggested that vulnerability scanning, application developer guidance, and training should not be neglected in zero trust implementations as they are not explicitly or strongly mentioned in NIST SP 800-207 and are among the mostly referred controls in academic and industry publications.</p> Bilge Karabacak Todd Whittaker Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 92 101 10.34190/iccws.17.1.10 Advancing cybersecurity capabilities for South African organisations through R&D <p>There is a growth of cyber-attacks in South Africa. Seeing that there are over 38 million Internet users in South Africa, this is no surprise. The South African government has published the National Cybersecurity Policy Framework (NCPF) and Protection of Personal Information Act (POPIA) to move towards mitigating cyber threats due to the increase of the presence of South African organisations and citizens in cyber space. 
This demonstrates that there is a need for organisations to have a clear roadmap to implement and improve on their own cybersecurity capabilities. South African organisations need to take a proactive stance in cybersecurity because businesses rely heavily on technology for day-to-day operations. Currently cyber-attacks cost South African organisations over R2 billion, and the current work-from-home arrangement that most organisations have implemented will only worsen the situation. While a cybersecurity roadmap will differ in every organisation based on the organisation’s vision, goals, and objectives, along with their information technology (IT) and operations technology (OT), a starting point is perhaps the identification of key research and development (R&amp;D) areas together with key activitiesthat organisations can focus on in order to improve their cybersecurity capabilities. Cybersecurity capabilities are tools that organisations use to strengthen their organisation and protect themselves from potential cyber threats. The purpose of this study was to investigate R&amp;D areas that organisations should invest in for the purpose of improving their cybersecurity capabilities. There are various subfields in cybersecurity that can be explored for organisations to advance their cybersecurity capabilities. Five integral R&amp;D dimensions were identified together with key activities and are presented and discussed. A conceptual framework is also presented which maps the R&amp;D dimensions and activities to the main pillars of cybersecurity, i.e., People, Processes, and Technology. 
South African organisations could reference the framework and adapt it for their business needs to protect themselves against potential cyber threats.</p> Zubeida Casmod Khan Nenekazi Mkuzangwe Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 102 110 10.34190/iccws.17.1.34 Zero Trust Container Architecture (ZTCA) <p>Containerisation is quickly becoming an accepted industry standard for development environments and Gartner, in a recent market forecast, estimated that by 2022 more than 75% of organisations will be using containers in production deployments. With this explosion in growth comes an added focus on security and best practices for using containers. The use of containers, in particular Docker containers, has altered some of the more traditional deployment paradigms by giving control of deployments to the development teams. This has massively benefited the DevOps release cycle, but at the expense of many mature security and review processes that are integrated into traditional deployments. Like all systems, containers need frameworks to guide best practices for deployments and to ensure mistakes are not made that increase the risk level or attack surface of an application or service using containers, or the containers themselves. Indeed, according to a recent presentation during DevSecCon24 by Justin Cormack, Security Lead at Docker Inc., Cormack believes most security issues related to Docker are due to misconfiguration rather than direct exploit. 
While work has been previously conducted with regards to container security and separately applying Zero Trust Networking Architecture to containers, in this work we will investigate the security state of a default deployment of the Docker container engine on Linux and analyse how the principals of Zero Trust Architecture can be extended beyond the domain of networking, distilled into a ”Zero Trust Containers Architecture” and applied to secure Docker deployments. In order to determine this, research was conducted into the current state of Docker security and Zero Trust Architecture. Practical and theoretical attacks were reviewed against a default Docker deployment to identify common themes and areas of issue. Results were used to advise a generalised trust-based framework which was then used to analyse a Docker deployment and validate mitigation of a selection of the identified attacks, proving out the concept of the proposed “Zero Trust Container Architecture” framework.</p> Darragh Leahy Christina Thorpe Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 111 120 10.34190/iccws.17.1.35 APT Cyber-attack Modelling: Building a General Model <p>The global community continues to experience an increase in the scale, sophistication, and successful perpetration of cyber-attacks. As the quantity and value of electronic information have increased, so too have the efforts of criminals and other malicious actors who have embraced the Internet as a more anonymous, convenient, and profitable way of carrying out their activities. The systems are attacked more and more by single or multiple hacktivists, state sponsored hackers, cyber criminals, cyber terrorists, cyber spies, or cyber warfare warfighters. The cyber security approach requires a balance of cyber threat intelligence, real time cyber-attack detection and especially the cyber early warning ability. 
Threats in cyberspace are<br />difficult to define, as it is hard to identify the source of attacks and the motives that drive them, or even to foresee the course of an attack as it unfolds. The identification of cyber threats is further complicated by the difficulty in defining the boundaries between national, international, public, and private interests. Because threats in cyberspace are global in nature and involve rapid technological developments, the struggle to respond them is ever-changing and increasingly complicated. Cyber-attack models describe the structure of an attack in different phases. They provide a means to conceptualize the different aspects and elements of an attack. However, it is important to understand that not all attacks must complete all phases to be successful, and the objective of the attack defines the structure of the attack. Different actors have built different cyberattack models. Modeling is used to understand the different goals of cyber attackers. Attack models are based on attack targets and attack objectives. This paper analyzes different APT cyber-attack models and presents a general cyber-attack model.</p> Martti Lehto Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 121 129 10.34190/iccws.17.1.36 Design and Evaluation of a Cyber Protection Team Planner Work Aid <p>Cyber Protection Teams (CPTs) are responsible for providing mission assurance by ensuring that mission-relevant cyber terrain is secure and protected for operations. In order to do this effectively, CPT planners must correlate and integrate information regarding customers’ missions with information about the systems and networks required to perform those missions. To support this challenge, a CPT Planner work aid was designed and evaluated to assess its effectiveness. The evaluation compared the work aid with current CPT planning methods. 
Ten participants with varying planning expertise performed four planning tasks (managing approvals, assigning resources, managing accesses, and scheduling meetings). To test the efficacy of the proposed work aid, participants were tasked with planning a fictional mission utilizing both the traditional planning method and the work aid method. Data was collected from objective metrics to include time and task performance score, as well as subjective perception of workload. In addition, participants were asked a series of situation awareness (SA) questions after each task to measure their understanding of the mission-relevant information. Score and time to answer SA questions were also recorded. While CPT planning experience did not have a significant effect on performance, results revealed significant improvements in task time, SA question response time, and perceived workload when using the work aid versus the baseline condition.&nbsp;&nbsp;&nbsp;</p> Kristen Ligg Arielle Stephenson Meghan Strang Geoffrey Dobson Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 130 134 10.34190/iccws.17.1.11 I Know You by Heart: Biometric Authentication based on Electrocardiogram (ECG) signals <p>Trust, confidence and trustworthiness are of fundamental importance in human societies, usually established and sustained through personal relationships. But, due to the globalization and ongoing interconnection of everything up to Cyber-Physical Productions Systems (CPPS) and the Internet of Everything (IoE), physical attendance is no longer necessary. (Remote) access to systems is possible from anywhere on the globe. Accompanied with the lack of personal relationship is the challenge to trust entities –humans or machines-, and proof the identity they are claiming to be. Whether it's payment transactions with smartwatches, logging in to systems, or accessing sensitive parts of buildings, the user's identity is the basic prerequisite. 
For human participants, for instance, the verification can be obtained through biometrics. These are distinguishable into physiological, biological and behavioral features, each characteristic but of varying difficulty to deduce them. Although using biometric features is not a new concept -indeed they are the oldest form of authentication-, modern approaches are shifting them back into focus. Improved sensor technology enables the identification of people by their gait, or to distinguish them by their characteristic gestures. This work highlights how the availability of (medical) data, and the possibilities of Artificial Intelligence (AI) contribute to the identification and authentication of humans. Therefore, Electrocardiogram (ECG) signals are recorded using a Microcontroller Unit (MCU) and ECG electrodes to derive a three-lead ECG. Using different Machine Learning (ML) algorithms: K-Nearest Neighbor (KNN), Support Vector Machines (SVM) and Gaussian Naïve Bayes (GNB); it is analyzed whether the ECG signals are able to distinguish individuals. Thereby, the ML algorithms are compared with each other, determining which one achieves the best results. The results of the evaluation indicate that ECG signals are capable to distinguish humans based on their heartbeat in such a manner that they can be used as Human - Physically Unclonable Functions (Human-PUFs). Furthermore, the results give reason to assume that the algorithms can also be used for medical applications, for example to recognize heart diseases.</p> Christoph Lipps Lea Bergkemper Jan Herbst Hans Dieter Schotten Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 135 144 10.34190/iccws.17.1.12 Shallow Deep Learning using Space-filling Curves for Malware Classification <p>The incidents of malware attacks are continually increasing at a rapid rate, thanks to the lucrative potential in schemes such as ransomware, credential stealing Trojans and cryptominers. 
Their explosive growth is compounded by the ease with which variants can be created from original strains. As a result, anti-virus organisations are struggling to keep up, with some reporting upwards of 14 million samples processed per month. These sheer volumes have caused a shift towards machine learning and artificial intelligence in an effort to alleviate the manual burden of analysis and classification. This research presents a novel framework for the classification of malware into distinct family classes through computer vision and deep learning. In the proposed framework, malware binaries are represented in an abstract form as images mapped through mathematical constructs known as space-filling curves. Convolutional neural networks were constructed and applied to the malware images to build predictive models for classification. The models were optimised using an auto-tuning function for the hyperparameters, which included Bayesian Optimisation, Random Search and HyperBand, providing an exhaustive search on the hyperparameters. On a training dataset of 13k malware samples from 23 distinct families, the models yielded an average score of 95% for precision, recall and f1-score. The final deep learning model was validated for robustness against a dataset of more recent variants, comprising 12,816 samples from 16 malware families, returning classification scores of 95%, 86% and 90% for precision, recall and f1-score. The final model was demonstrated to outperform a similar benchmark model considerably. 
The results show the potential of the deep learning framework as a viable solution to the classification of malware, without the need for manually intensive feature generation or invasive processing techniques.</p> David Long Stephen O'Shaughnessy Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 145 154 10.34190/iccws.17.1.13 Integrating Democratic Cybersecurity <p>The expansion of pervasive and ubiquitous computing, especially with the advancement of the Internet of Things and the Smart City concept, extends the novel means of criminality and its investigation. We argue that current forms of investigation and discovery are not sufficient to limit injuries to persons and communities. Nonetheless, cybersecurity approaches within criminal justice, criminology, and workforce development, together, offer models that significantly benefit efforts to address public cybersecurity harms, yet they have been largely overlooked. This paper draws on an interdisciplinary lens to address cybersecurity, including criminal justice and workforce development integration and employing empowerment theory. Applying empowerment theory, this presentation demonstrates the effects of integrating cybersecurity and forensic practices into traditional law enforcement. The effects are positive, as public safety will be needed to provide public safety and security in our hybrid technical world. Thus, this paper illustrates how we must, in essence, “democratize” cybersecurity through its distributed availability. 
We present means to achieve this and results from efforts to promote this integration through several coordinated, yet differently targeted, programs at one research university.</p> Michael Losavio Jeffrey Sun Sharon Kerrick Adel Elmaghraby Cheryl Purdy Clay Johnson Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 155 165 10.34190/iccws.17.1.37 On Explainable AI Solutions for Targeting in Cyber Military Operations <p>Nowadays, it is hard to recall a domain, system, or problem that does not use, embed, or could be tackled through AI. From the early stages of its development, its techniques and technologies were successfully implemented by military forces for different purposes in distinct military operations. Since cyberspace represents the last officially recognized operational battlefield, it also offers a direct virtual setting for implementing AI solutions for military operations conducted inside or through it. However, planning and conducting AI-based cyber military operations are actions still at the beginning of development. Thus, both practitioner and academic dedication is required, since the impact of their use could have significant consequences, which requires that the output of such intelligent solutions is explainable to the engineers developing them and also to their users, e.g., military decision makers. Hence, this article starts by discussing the meaning of explainable AI in the context of targeting in military cyber operations, continues by analyzing the challenges of embedding AI solutions (e.g., intelligent cyber weapons) in different targeting phases, and structures them in corresponding taxonomies packaged in a design framework. It does that by crossing the targeting process focusing on target development, capability analysis, and target engagement. 
Moreover, this research argues that especially in such operations carried out in silence and at incredible speed, it is of major importance that the military forces involved are, first, aware of the decisions taken by the embedded intelligent systems and, second, not only aware of but also able to interpret the results obtained from the AI solutions in a proper, effective, and efficient way. From there, this research draws possible technological and human-oriented methods that facilitate the successful implementation of XAI solutions for targeting in military cyber operations.</p> Clara Maathuis Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 166 175 10.34190/iccws.17.1.38 Analyzing the Performance of Block-Splitting in LLVM Fingerprinting <p>This paper expands and builds upon previous work reported at the 2021 ICCWS concerning Executable Steganography and software intellectual property protection via fingerprinting. Software fingerprinting hides some type of unique identification in the binary program artifact so that a proof of ownership can be established if the artifact turns up elsewhere. In our previous work, it was noted that “fingerprints are a special case of watermarks, with the difference being that each fingerprint is unique to each copy of a program”. This prior work emphasized making the fingerprint independent of the machine architecture; that is, performing the operations on an intermediate representation (IR). LLVM was used as the target IR, which is a compiler “middleware” language that is then converted into machine code in a later step. Both a static fingerprinting method, where the serial number or data is embedded and visible by inspection, and a dynamic method, where the code must be executed, were explored. The dynamic method only incurs an overhead if the proof code is executed and has very minimal impact if the proof code is not executed. 
However, the static fingerprint was accomplished by shuffling the order of basic blocks in the software in a manner that represents the serial number data, and this would have an impact on both the execution speed and the program size. This paper reports on subsequent research to improve the quantity of data which could be encoded by rearranging the blocks in a program and increasing the number of blocks by splitting them into smaller fragments, thus allowing for more potential orderings and therefore more data. Contributions in the current work are twofold. First, the experimental infrastructure has been refined so that the fingerprinting actions take place within the compiler itself as opposed to an external LLVM parser. Second, code has been introduced to limit the upper bound on the size of a block and to split blocks which are larger than this upper bound. We evaluate the resultant overhead and performance of the block splitting method and report negligible increases based on the block-splitting technique.</p> William Mahoney Philip Sigillito Jeff Smolinski Todd McDonald George Grispos Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 176 184 10.34190/iccws.17.1.39 Taxonomy of Social Engineering Attacks: A Survey of Trends and Future Directions <p>Hackers have many techniques available for breaching the security flaws of organizations. The human approach, called Social Engineering (SE), is probably the most difficult one to be dealt with. Social engineering is considered one of the most creative methods for gaining unauthorized access to information systems. This type of cyber threat does not require advanced technical knowledge because it relies mainly on human nature. Social engineers use different techniques, such as phishing, to manipulate people and cause significant damage to the organizations where they work. 
Therefore, organizations must raise the awareness of their users about social engineering attacks. Most organizations are putting all defense efforts into advanced technologies to prevent various threats. This is considered a wrong approach because employees of an organization use email, social networks, or other online sites as part of their work activities. Therefore, the prevention of attacks cannot be accomplished through advanced technologies alone; the human aspect must also be studied. This paper comprehensively analyzes the existing literature on the taxonomy of social engineering attacks, focusing on human aspects. It provides an overview of research opportunities that should be addressed and elaborated in future investigations.</p> Arianit Maraj William Butler Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 185 193 10.34190/iccws.17.1.40 Blockchain Technology for Addressing Privacy and Security Issues in Cloud Computing <p>Blockchain technology is a recent and important financial technology that has completely transformed business transactions. The adoption of cloud computing in all IT environments, due to its efficiency and availability, has increased dramatically. Despite attempts to address privacy and security issues, confusion remains in the cloud environment. It is said that blockchains are a promising solution for many distributed applications and have the potential to overcome issues pertaining to the centralized system. The decentralized nature of blockchains provides new forms of distributed software architectures where users can reach agreement consensually on the shared system without relying on a central integration point. Nonetheless, there are some challenges which need to be evaluated. Accordingly, this study explores how blockchains can curb cloud computing issues from both legal and technical aspects. 
This article presents the use of blockchain in current cloud storage applications and discusses how blockchain technology can be used to resolve security and privacy challenges. The use of blockchains as a solution for each issue will be proposed by explaining how they can overcome the shortcomings of cloud computing.</p> Pardis Moslemzadeh Tehrani Gabriele Kotsis Andasmara Rizky Pranata Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 194 200 10.34190/iccws.17.1.41 Context-Aware Cyber Threat Intelligence Exchange Platform <p>The ubiquity of network and internet-connected devices has increased exponentially in the past decade. The proliferation of end-user devices has created a lucrative environment for cybercriminals to exploit unsuspecting users at a personal and organizational level. Moreover, businesses and governments are heavily reliant on cyberspace to conduct their business. According to Accenture, in 2019 South Africa saw a spike in cyberattacks on all fronts: banks, Internet Service Providers (ISPs), utilities and eCommerce platforms. This shows that threat actors are continuously looking to exploit new and old vulnerabilities at ever-increasing rates. Furthermore, threat actors are sharing tactics, tools, and procedures to expand their attack surface and to improve the effectiveness of their attacks. Security research tends to be an insular process and rarely do individuals or groups share threat data. This is due to lack of trust, organizational policies, or simply the inability to get the information out to the masses. The idea behind this paper is to design a context-aware threat intelligence exchange platform that encourages collaboration and creates a federated environment amongst different industry stakeholders to share Indicators of Compromise. This paper further aims to define the process of transforming raw Indicators of Compromise into cyber threat intelligence. 
The platform described in this paper, when implemented, would provide the basic building blocks for developing a highly effective cybersecurity intelligence-sharing system that can improve vulnerability detection and remediation by speeding up the time required to identify/resolve incidents.</p> Michael Motlhabi Phumeza Pantsi Bokang Mangoale Rofhiwa Netshiya Samson Chishiri Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 201 210 10.34190/iccws.17.1.42 The Development of Cybersecurity Awareness Measurement Model in the Water Sector <p>Cyber-attacks are one of the main threats to information systems, and humans have been identified as the weakest link with regards to information security. This study aims to develop a measurement instrument to evaluate the level of cyber security awareness (CSA) in the water sector in South Africa. There are many synergies with regards to cyber system usage across industries, and as a result this study will take a broad-based approach in configuring an instrument that can be used to adequately assess the sample space in question. Having a reliable instrument to measure cyber security awareness helps mitigate the failed attempts at preparing employees for imminent cyber disruptions by pin-pointing areas where the training is needed before campaigns can be organised. This study will show that the psychology of employees with respect to cyber security awareness is compartmentalised into three traits: knowledge, attitude, and behaviour. These three traits were assessed under the following eight focus areas to check employee resilience to cyber security threats: IS policy adherence, password management, email use, Internet use, social media use, mobile devices, information handling, and incident reporting. In practice, employees will be required to answer questions formulated under these focus areas to evaluate their cyber security awareness (CSA) level. 
The model proposed in this paper was developed to test cybersecurity awareness in the water sector, but can be utilised in other sectors for cybersecurity awareness testing.</p> Bryan S. Mufor Annlizé Marnewick Suné von Solms Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 211 218 10.34190/iccws.17.1.43 Circuit-Variant Moving Target Defense for Side-Channel Attacks <p>The security of cryptosystems involves preventing an attacker's ability to obtain information about plaintext. Traditionally, this has been done by prioritizing secrecy of the key through complex key selection and secure key exchange. With the emergence of side-channel analysis (SCA) attacks, bits of a secret key may be derived by correlating key values with physical properties of cryptographic process execution. Information such as power consumption and electromagnetic (EM) radiation side-channel properties can be observed during encryption or decryption. These signals reflect data-dependent system behaviours that may reveal secret key information. Power and EM SCA attacks require several measurements of the target process to amplify the signal of interest, filter out noise, and derive the secret key through statistical analysis methods. Differential power and EM analysis attacks rely on correlating actual side-channel measurements to hypothetical models. The goal of this research is to increase the complexity of both power and EM SCA by introducing structural and spatial randomization of the target hardware. We propose a System-on-a-Chip (SOC) countermeasure that will periodically reconfigure an AES scheme using randomly located S-box circuit variants. We hypothesize that changing the location of the target modules between encryption runs will result in a nonconstant EM signal strength for any given point on the chip, increasing the number of traces needed to perform a localized EM SCA attack. 
Further, each of the S-box circuit variants will consist of functionally equivalent, structurally diverse hardware. By diversifying the implementations at the gate-level, we aim to vary the power behaviour observed by the attacker and disrupt the correlation between the hypothetical and actual power consumption, increasing the complexity of power SCA. This moving target defense aims to disrupt side-channel collection and correlation needed to successfully implement an attack.</p> Tristen Mullins Brandon Baggett Todd Andel Todd McDonald Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 219 226 10.34190/iccws.17.1.14 A Modern ICT Network Simulator for Co-Simulations in Smart Grid Applications <p>The current transformation of power grids towards smart grids and the associated increase in the use of ICT technologies lead to an increased attack surface via the communication network. Holistic, multi-domain co-simulations can be used to evaluate the possibilities for, and impacts of, ICT-based attacks on these grids. This paper presents an ICT network simulator that can be used in co-simulation environments. It outlines requirements for this kind of simulation tool and provides insight into how these requirements can be met. In addition, co-simulation use cases for the simulator arising from different research projects are laid out. Finally, the simulator’s functionalities in co-simulation environments are verified with a practical application example. This application shows that our simulator (rettij) is able to exchange data with other simulators through a co-simulation interface. 
It also demonstrates our simulator's capabilities to perform real-world ICT attacks on realistic network topologies.</p> Fabian Niehaus Bastian Fraune Giacomo Gritzan Richard Sethmann Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 227 236 10.34190/iccws.17.1.44 Towards Detection of Selfish Mining Using Machine Learning <p>Selfish mining is an attack against a blockchain where miners hide newly discovered blocks instead of publishing them to the rest of the network. The selfish miners continue to mine on their private chain while the honest miners waste resources mining on a shorter chain. According to the blockchain protocol, a longer chain takes precedence and shorter chains are discarded, which allows the selfish miners to gain an advantage by keeping their chain secret. This attack can be used by malicious miners to earn a disproportionate share of the mining rewards or in conjunction with other attacks to steal money from cryptocurrency exchanges. Several of these attacks were launched in 2018 and 2019 with the attackers stealing as much as $18 Million. Developers made several different attempts to fix this issue, but the effectiveness of the fixes is currently unknown. Although this attack is possible against both Proof-of-Work and Proof-of-Stake blockchains, this research concentrates on detection in Proof-of-Work blockchains. As it is difficult to evaluate security advances in the real-time blockchain, it is imperative to focus on simulation to evaluate blockchain security properties. To this end, we extend a blockchain simulator and add the ability to simulate selfish mining attacks. Several existing simulators are examined before choosing SimBlock for this research. Our goal is to identify the factors that identify selfish mining. Using existing research, we choose several factors that could identify an attack in an unlaunched state, an active state, or historically. 
We plan to use simulated data to train a machine learning model to detect selfish mining. Using the modified simulator, we generate training and test data for unlaunched and active attacks. For historical attacks, we will use historical data from known selfish mining attacks. While some existing research has examined the detection of selfish mining, it only examines active attacks. In this paper, we seek to lay the groundwork for future research into detecting attacks that are unlaunched, active, or historical.</p> Matthew Peterson Todd Andel Ryan Benton Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 237 243 10.34190/iccws.17.1.15 Specialised Media Monitoring Tool to Observe Situational Awareness <p class="Abstract">The 21<sup>st</sup> century witnessed the rise of the digital age via the evolution of the Internet. A direct result of the established digital era is the growth of digital media. Although traditional media, such as print and broadcasting, remains relevant, the low accessibility and limited reach impact the effectiveness of such media. In comparison, digital media, such as social media, provides access to vast collections of open-source information. The open-source information available on digital media platforms is current and easily accessible. However, conversion of open-source information into intelligence becomes a time-consuming and quite ineffective process due to the large quantities of information available. Open-source intelligence (OSINT) tools attempt to address such limitations by offering technological solutions that provide access to up to date, as well as easily searchable digital information. Thus, OSINT tools, such as Shodan and Maltego, streamline the conversion of open-source information into intelligence. This paper introduces the design of a new but specialised media monitoring tool to assist with the monitoring of open-source information towards enabling situational awareness. 
The key design feature of this new media monitoring tool is to offer versatility by guiding the collection of open-source information. Controlling the amount of information gathered in turn improves the efficiency of the processes used to extract intelligence. The obtained intelligence thus enables the observation of situational awareness of chosen aspects within a secure environment. Also discussed in this paper is the motivation behind the design of the specialised media monitoring tool, as well as the various design considerations taken to ensure effective usage of the tool. The paper concludes by discussing the various benefits offered by the specialised media monitoring tool concerning observing situational awareness.</p> Heloise Pieterse Carien Van 't Wout Zubeida Kahn Chris Serfontein Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 244 252 10.34190/iccws.17.1.16 New Dawn for Space Security <p class="Abstract">Space infrastructure provides vital services for a number of critical industries, including defence, transportation, energy, utilities, emergency services, banking, environment, academia, and others. These services range from global communications to remote sensing and geolocation, with many new applications undoubtedly on the horizon, including plans for further exploration and even human settlement. It is therefore essential that space technologies are protected from unwanted interferences, a task that is becoming more challenging by the day. Adding to the already complex space security environment, we are experiencing the beginnings of a second space race that is seeing the rapid deployment of space systems containing a vast array of new technologies, such as the Internet of Things (IoT) and advanced onboard processing. 
This is subsequently introducing new vulnerabilities to an already aged and vulnerable satellite ecosystem, hence increasing the risk of potentially catastrophic security events. Although well-articulated in political, legal, and international relations literature, the engineering, science, and technology aspects of space security are currently under-studied and disjointed, leading to fragmented research and inconsistent terminology. This paper examined space security from an engineering perspective by conceptually tying existing space and security literature together to detail the space threat landscape and identify research gaps and opportunities. Additionally, this paper identifies the need for wider recognition of space systems security as a specialist inter-disciplinary domain in order to break down disciplinary silos, enhance collaboration, and unify definitions, taxonomies, and research objectives.</p> Jordan Plotnek Jill Slay Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 253 261 10.34190/iccws.17.1.17 Assessment of Cybersecurity Risks: Maritime Automated Piloting Process <p>A modern society is a combination of several critical infrastructures, of which international and national maritime transportation systems are essential parts. Digitalization makes it possible to increase levels of autonomy in maritime systems. It also means fully existing cyberenvironments in maritime processes. In cyberenvironments, it is crucial there is trustable information communication between system elements of the process, alongside the usability, reliability, and integrity of systems data in the operating environment. In order to develop maritime autonomy in Finland the Sea4Value / Fairway (S4VF) research program has been developed. At the first stage of the program, the main goal is to create automated fairway piloting feature in the near future. 
An automated remote piloting process, “ePilotage,” will be a complex system-of-systems entity. This paper provides a research approach to investigating the cybersecurity risks at the system levels of the process. It emphasizes the importance of comprehensive risk assessment to increase the cybersecurity of fairway operations. The findings of the study are located in cybersecurity risks in critical information flows between the main system blocks of the fairway process. The research question is “How can the cybersecurity risks of automated remote fairway operations be evaluated?” The main findings are related to the probabilities of the risks at all levels of process stakeholders’ responsibilities. The risk assessment methodology described is based on attack probabilities set against the probabilities of defending against adversarial actions in the use of communication technologies. Risk assessment factors have been identified and a risk assessment tool has been proposed.</p> Jouni Pöyhönen Martti Lehto Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 262 271 10.34190/iccws.17.1.18 Utilizing Switch Port Link State to Detect Rogue Switches <p>There are many methods to detect rogue wireless access points, but the same cannot be said for rogue switches on a LAN network. Detecting these rogue switches is key to the security of any organization. The introduction of a rogue unmanaged network switch has the potential to cripple a network. These types of switches pose a big risk because they are usually plug-and-play types of devices and can prove difficult to track. A switch becomes rogue when it is connected to a network without proper authorization. Rogue switches are a huge threat to the security and reliability of any network. An attacker could use a rogue switch to launch an attack or spy on network traffic information. 
Many organizations these days implement a “bring your own device” policy that can prove to be a daunting task to monitor for any network administrator. It is important that these rogue network switches are not introduced to a network, whether by accident or in a malicious attempt. The vulnerability that is introduced could compromise the confidentiality of network messages, degrade network performance, or even allow hackers or authorized users access to critical network infrastructure and data. In this paper we present a method that can help detect these rogue switches by monitoring the Ethernet frames across the network and looking at the link state of the network switch ports. We will be using Wireshark, a Windows computer, and a local switch setup to test methods for detecting a rogue switch. In our scenario we were able to provide some evidence of a method that could be used in conjunction with other rules and policies to detect rogue switches connected to a network. We were able to determine, based on the port link state, that there was another device, most likely a rogue switch, between the good switch and the computer.</p> Travis Quitiqut Vijay Bhuse Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 272 278 10.34190/iccws.17.1.45 Aligning South African Data and Cloud Policy with the PoPI Act <p>On 1 April 2021, the South African government released the Draft National Data and Cloud Policy for public comment. This policy aims to support the digital economy in South Africa by implementing initiatives to augment the development of digital infrastructure and skills, with a specific focus on cloud computing. The adoption of the policy would help position the country as a data-driven economy. However, the implementation of such a policy is predicated on the existence of supporting digital infrastructure and aligned inter-departmental goals. 
Currently, there are many technological and legal considerations that must be addressed in order for such a policy to be implemented successfully. One particularly important consideration is how this policy relates to South Africa’s Protection of Personal Information Act, which came into effect on 1 July 2021. The Act sets out legal imperatives for the collection, storage and use of personal information belonging to South African citizens. The aim of this paper is to analyze how the Draft National Data and Cloud Policy relates to the Protection of Personal Information Act in terms of what is proposed in the Policy and what is legislatively imperative in the Act. The overarching context for this evaluation is data governance in the cloud with an emphasis on the security of personal information. Macroeconomic threats and a shortage of critical ICT skills presuppose technical challenges for the implementation of a cloud service. Formal Concept Analysis is utilized to conceptualize and understand the relationships between the Draft National Data and Cloud Policy and the Protection of Personal Information Act. Classification, Confidentiality and Open Data are presented as technological challenges to cloud implementation. This paper aims to contribute towards an understanding of these challenges and how they are affected by South Africa’s legislation and policies. We therefore investigate how the Draft National Data and Cloud Policy is situated in the broader context of data protection in South Africa.</p> Emma Raaff Nicole Rothwell Aidan Wynne Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 279 287 10.34190/iccws.17.1.19 Transient Execution and Side Channel Analysis: a Vulnerability or a Science Experiment? <p class="Abstract">In the world of computer security, attackers are constantly looking for new exploits to gain data from or control over a computer system. 
One category of exploit that can prove quite effective at accessing privileged data is side channel exploits. These exploits attempt to take advantage of vulnerabilities that are inherent in the design of a system rather than vulnerabilities in the code that has been written for and is running on said system. In other words, they exploit side effects of computation. Examples of this include measuring the power consumption of a system’s processor over time and analysing that power usage to leak system secrets or reading secrets from a system by analysing the electromagnetic radiation the system leaks as it processes data. Another type of side channel attack is a cache-based side channel attack, which exploits the timings of cache and memory accesses to determine data from the target system. We discuss some of the more common types of side channel attacks used to interpret data values from the microarchitectural changes created by transient executions. In particular, we will focus on attacks that are capable of recovering data that is processed through transient execution in some way and then wrongly accessed using a side channel, such as the Spectre and Meltdown classes of attack. We also discuss other attacks of a similar type and survey some popular mitigations for these attacks. We provide a survey of all available Spectre proof-of-concept repositories on GitHub, evaluating whether they work on different platforms. Finally, we review our experiences with these types of attacks on modern systems and comment on the attacks’ practicality, reliability, and portability. 
We conclude that these types of attacks are interesting, but there are some practicality and reliability concerns that make other attacks easier much of the time.</p> Michael Shepherd Scott Brookes Robert Denz Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 288 297 10.34190/iccws.17.1.20 Bug Bounties: Between New Regulations and Geopolitical Dynamics <p>Crowdsourced security and vulnerability co-ordination platforms, such as Bugcrowd or HackerOne, reward individuals for discovering, reporting, and responsibly disclosing software bugs. A growing number of vendors are turning towards these platforms to improve their product’s security, whilst others set up their own bug bounty programs (BBPs) alongside more traditional approaches, such as in-house testing and professional security reviews. Whether providing a supplementary or even alternative path to organisational cybersecurity, these newer approaches go beyond increasing product security, for example by fostering co-operation between various actors or providing a clear incentive to remain on the ethical side of security research. Whilst some research centres on the reward structures, actor motivations, or effectiveness, the wider impact on peace and stability in cyberspace is rarely examined. Similarly, rarely is light shed on emerging regulatory or policy approaches, or the effects this might have. To fill these gaps, the paper will use Global Public Goods (GPGs) theory to examine BBPs across two case studies. Whereas the novel Chinese regulations push towards more national sovereignty in cyberspace, the European Union invests in the compensation of BBP under-provision among open source software (OSS). These regulatory changes in China and endeavours by the European Union, respectively, reveal that the prevalent geopolitical divisions in related topics, such as internet governance, continue to play their part. 
Further research on BBPs is proposed to quantitatively examine their effect on peace and stability.</p> Jantje Silomon Mischa Hansel Fabiola Schwartz Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 298 305 10.34190/iccws.17.1.21 Emerging Cyber Risk Challenges in Maritime Transportation <p>Maritime security and surveillance have become one of the main areas in managing overall situational awareness. For example, the growing importance of maritime traffic in cross-border trade has created new pressures to develop new technologies for accident prevention, especially in the ports. Maritime safety is also a matter of concern for continuity management. Automatic ship alarm systems, coastal radars and coastal cameras are not alone sufficient equipment to build maritime awareness. The Universal Shipborne Automatic Identification System (AIS) is a ship transponder system that is a globally used tracking system, but highly vulnerable to hacking. A major maritime traffic problem arises if transponders are switched off. Hybrid threats need coordinated hybrid responses; therefore, a cyber situational picture is also needed. Cyber situational awareness is an essential part of the management of maritime situational awareness. The lack of using real-time data from the maritime actors affects the correct formation of the common situational picture, for example, from the site of an accident. Cyber security is an essential factor in developing fairway navigation and all terminal (port-to-port) activities. This research will be done as a part of the SMARTER (Smart Terminals) project that belongs to the SEA4VALUE program. The project aims to develop unique digitalized concepts that enhance safe transportation and reduce emissions in the port and the terminal areas. 
By using the multiagent system with sensor technology, e.g., in the harbors, it is possible to gather and share meaningful maritime security-related data. The study's primary purpose is to describe the operating environment and make an initial analysis of system requirements for optimizing situational awareness in the area of western ports of Finland.</p> Jussi Simola Jouni Pöyhönen Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 306 314 10.34190/iccws.17.1.46 Improving Protection Against Cybersecurity Attacks of Emergency Dispatch Centers <p>Public service answering points (PSAPs), also known as 911 dispatch centers, serve as integral and critical infrastructure components that serve as a conduit between the public and emergency assistance such as police, fire and emergency medical services. It has been demonstrated in previous research that PSAPs may be exceptionally vulnerable to telephonic and distributed denial of service (TDoS/DDoS) attacks with potentially devastating effects. The purpose of this study is to gather the best practices from experts and tap into the knowledge of the professionals tasked with safeguarding PSAPs every day. Due to the unknown full capabilities of the PSAPs and the antiquated infrastructure on which they must operate, it is unclear just what safeguards are in place to defend these critical infrastructure components against attacks of this nature. To gather this information, a multiple-round qualitative Delphi study was conducted. Through this process, participants were asked to comment on current tactics and techniques, practices that could be implemented under ideal conditions without political or financial hurdles, and how to bridge the gap between current and optimal environments. PSAP administrators, hereafter referred to as experts, with a minimum of five years of experience working within a United States PSAP were included in 
this study and provided a firm understanding of their capabilities. The suggestions provided by participants included patch management, updated hardware, federally mandated standards, regular plan exercises, and standardized education. After gathering and analysing the data, three basic tenets could be appreciated, including cyber hygiene, preparedness and intelligence, and education and training. It is expected that the results of this study will prove integral in not only better securing the PSAPs within the United States critical infrastructure, but also understanding some of the hurdles and difficulties PSAP administrators must overcome.</p> James Sweeney Vu Tran Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 315 324 10.34190/iccws.17.1.23 Increasing Industry Profitability and Cyber Hygiene Utilizing Awareness Progression Methods <p>Securing critical networks and systems through proper cyber hygiene is a constant battle. Businesses spend a significant amount of time and money implementing cybersecurity mechanisms. However, businesses do not always see the cost-benefit from paying for proper cyber hygiene mechanisms, given the inevitability and persistence of cyber threats. This research explores potential financial incentives for businesses to improve their cyber hygiene awareness. Past anti-smoking and climate change awareness campaigns are compared to support a new cyber hygiene awareness campaign. 
By investigating the effectiveness of the incentive methods used by these awareness campaigns, this work proposes adopting similar incentive methods to improve cyber hygiene awareness.</p> John Thebarge Mark Reith Wayne Henry Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 325 332 10.34190/iccws.17.1.47 Identifying Adversaries’ Signatures Using Knowledge Representations of Cyberattack Techniques on Cloud Infrastructure <p class="Abstract">Advanced Persistent Threats (APTs) have increased in parallel to growing cloud infrastructure and cloud Software-as-a-Service (SaaS) needs, exposing new vulnerabilities within the cloud environment. Moreover, APT groups are becoming more sophisticated and organised, which needs to be addressed by the research community to enable faster response and, more importantly, prevent threats within the domain. The MITRE ATT&amp;CK Cloud framework offers one of the leading structured inventories within this context. Our research is to expose patterns and signatures of a select group of APTs on the MITRE Cloud Framework by using Formal Concept Analysis (FCA) to construct a “lattice graph” and an ontology. The goal is to develop a better conceptualisation of the MITRE ATT&amp;CK Cloud Matrix framework for cyber security experts to be able to proactively act upon adversary techniques. The MITRE ATT&amp;CK framework was retrieved, cleaned, and pre-processed to construct the lattice and ontology using data cleaning methods, FCA tools such as Concept Explorer, and the Web Ontology Language (OWL), with additional symbolic reasoning and inference generation. This resulted in knowledge representations/graphs, which are highly efficient representations of this knowledge field. The underlying linkages between techniques and targets specific to those APTs are further exposed and enriched and presented visually and integrated into the ontology. 
The ontology gives formalisation to associations and implications between techniques, tactics, and APTs, enabling cyber security practitioners to forecast potential targets and techniques based on their scenario, but also to attribute certain technique patterns and signatures to individual APTs. Cyber security practitioners can query from this knowledge graph and formulate strategic proactive measures. From these findings, the applications and constraints of the APTs’ cyber-attack techniques and their associated patterns were determined. The findings provide a guideline for future additional research in the field of AI knowledge representation in cybersecurity, as well as highlighting certain limitations in this field of research.</p> Gilliam van der Merwe Christian Muller Wilhelm van der Merwe Dewald Blaauw Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 333 339 10.34190/iccws.17.1.24 Rising Above Misinformation and Deepfakes <p>Misinformation can be rapidly spread in cyberspace. It thrives in the social media landscape as well as news platforms. Misinformation can readily gain momentum in the race to influence people or intentionally deceive. With the use of bots, misinformation can be easily shared, especially in environments like Twitter and Facebook. While some measures are taken to stop the spread of misinformation, threats like Deepfakes are posing a higher challenge. Deepfakes provide a means to generate fake digital content in order to impersonate a person. With the use of audio, images and videos, artificial intelligence is used to depict the speech and actions of people. 
Deepfakes are typically made of presidents or influential businessmen such as Donald Trump and Mark Zuckerberg. Deepfakes can be very realistic and convincing, and this form of synthetic media is raising concerns about its possible misuse. The effects of Deepfakes are to spread disinformation, confuse users or create influence. This can lead to further effects like political factions, blackmail, harassment and extortion. Deepfakes could lead to a distrust in digital content as many may feel that anything we see is actually just a manipulation. Deepfakes have arisen as a new generation of misinformation through the manipulation of digital media in order to create realistic videos. This paper looks at the governing, communal and technical issues relating to Deepfakes. At the technical level, the use of audio and text analysis used to create Deepfake videos is advancing at a rapid pace, which has also made its affordability and accessibility easier. An evaluation of the threats stemming from Deepfakes reveals that there are various mental, monetary and group dynamics involved. In this paper, the various types of threats emanating from Deepfakes are discussed. This paper also looks at five factors in the field of Deepfakes that should be taken into consideration (Technical, Source, Dissemination, Victim, Viewers). The paper discusses these five factors in order to help identify measures to help curb the spread of Deepfakes. A combination of these measures can help limit the spread of Deepfakes and support mitigation of the threat. Due to the prominence and power that digital media has, it is imperative that this threat not be overlooked. 
The paper provides a holistic approach to understanding the risk and impact of Deepfakes, as well as measures to help mitigate abuse thereof.</p> Namosha Veerasamy Heloise Pieterse Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 340 348 10.34190/iccws.17.1.25 Multi-Purpose Cyber Environment for Maritime Sector <p>The cyber attack surface in a maritime environment is constantly growing. More current information and computer technologies are being used on cargo and passenger ships to save on operational costs and increase navigational safety. Along with the growing reliance on automation, the risk of a disruption to a vessel's critical systems by drawing on the wrong inputs from sensors to change the behaviour of the actuators has significantly increased. Traditional operational technological systems are much more complicated to update than the automatic software updates we see in information technology systems. To better understand existing cyber threats in the maritime sector and increase cybersecurity resilience, this paper aims to replicate the digital components of a ship's bridge to examine scenarios when the bridge system loses connectivity, receives the wrong inputs from sensors, or the internal system becomes compromised. The simulator differentiates fundamentally from traditional simulators or digital twins in the maritime sector that focus on training seafarers. This environment generates data streams that are similar to those on board a ship. Those data streams can be analysed, modified and spoofed to observe the effects. The effects can be technical, but it is equally necessary to analyse how human beings would react in specific circumstances. 
Our work provides the opportunity to isolate the ship network traffic, conduct penetration testing, find cybersecurity vulnerabilities on devices, and execute cyber attacks without the dangers associated with running such scenarios on a vessel in the open sea.</p> Gabor Visky Arturs Lavrenovs Erwin Orye Dan Heering Kimberly Tam Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 349 357 10.34190/iccws.17.1.26 Ethical and Legal Aspects Pertaining to Law Enforcement Use of Drones <p class="Abstract">Law enforcement is an information-based activity. The use of drones (also referred to as unmanned aerial vehicles or UAVs) for policing may be beneficial as an aerial surveillance tool in gathering information pertaining to crime prevention, detection and/or investigation which are conducted in the interest of national security. In most instances, the law enforcement use of drones for purposes of search and rescue, crime scene investigation and hostage situations is not controversial. However, police use of drones for crowd monitoring and protests may be contentious as it may violate various human rights such as the right to privacy which includes data protection, free speech, right to protest and freedom of movement. These rights must be balanced against public safety. The discussion focuses on identifying ethical and legal concerns relating to the use of drones by the police and how these concerns should be addressed. It highlights that the danger is not the drone technology itself, but how it is used and the manner in which the police deal with, process and act upon information gathered, in order to prevent or control crime. The use of drone technology for surveillance impacts on human rights. There is a risk that surveillance may manifest itself in governmental domination and power if no safeguards are in place to curtail pervasive surveillance. 
It should be established whether domestic drone policing is in general so intrusive that the drawbacks outweigh the benefits of using it for public safety purposes. The manner in which these issues are addressed may serve as a guideline to countries who are considering the use of drones for law enforcement.</p> Murdoch Watney Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 358 365 10.34190/iccws.17.1.27 Social Media Privacy Using EDEE Security Model <p>Social Media platforms have become a significant part of our daily lives and a modern way to connect friends and family, document our lives, and share other great personal information about our lives. These activities leave us vulnerable to privacy and security breaches due to lax security controls necessary to protect users' sensitive data on these platforms. We conducted exploratory privacy and security analysis on paramount social media platforms such as Facebook and Snapchat and determined that the current Social Media privacy and security posture is insufficient, and we propose Social Media platform Security through “Educate,” “Determine,” “Enable,” and “Evaluate” (EDEE) Security model to address the evolving Social Media platform security as a growing concern in Cybersecurity for individuals using the platform and companies hosting the platform.</p> Benjamin Yankson Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 366 374 10.34190/iccws.17.1.48 The Impact of CISO Appointment Announcements on the Market Value of Firms <p class="Abstract">Previous studies concerning the economic impact of security events on publicly listed companies have focussed on the negative effect of data breaches and cyberattacks with a view to encouraging firms to improve their cyber security posture to avoid such incidents. 
This paper is an initial study on the impact of investment in human capital related to security, specifically appointments of chief information security officers (CISO), chief security officers (CSO) or similar overall head of security roles. Using event study techniques, a dataset of 37 CISO-type appointment announcements spanning multiple world markets between 2012 and 2019 was analysed and statistically significant (at the 5% level) positive cumulative abnormal returns (CAR) of around 0.8% on average were observed over the three-day period before, during and after the announcement. Furthermore, this positive CAR was found to be highest, at nearly 1.8% on average, within the financial services sector and showing statistical significance at the 1% level. In addition to the industry sector, other characteristics were investigated such as job title, reporting structure, comparison of internal versus external appointments, gender and variations between markets. Although these findings were not as conclusive, they are, nevertheless, good pointers for future research in this area. This overall positive market reaction to CISO-related announcements is a strong case for publicly listed firms to be transparent in such appointments and to, perhaps, review where that function sits within their organisation to ensure it delivers the greatest benefits. As 24% of the firms analysed were listed outside the US, this study also begins to counter the strong US bias seen in similar and related studies. 
This research is expected to be of interest to business management, cyber security practitioners, investors and shareholders as well as researchers in cyber security or related fields.</p> Adrian Ford Ameer Al-Nemrat Sayed Ali Ghorashi Julia Davidson Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 375 384 10.34190/iccws.17.1.49 What is a Substantial Contribution to a Research Project in Offensive Cyberspace Operations that Merits Co-Authorship? <p class="Abstract">This article reviews the question: what is a substantial contribution to a research project in offensive cyberspace operations that merits co-authorship? Frustrations and conflicts may develop during research projects when researchers with different backgrounds, cultures, research fields and expertise decide to conduct research and produce and publish those results. The focus of this paper is a research project in cyberspace operations while taking into account the power dynamics inherent in the academic system and how these can affect the co-authorship of research products. First, the purpose of doing research is presented. Next, three models of the research process are reviewed, describing their differences and similarities. Then, linguistic analysis is applied to a set of terms in guidelines for co-authorship described at several universities in Sweden. 
The results present a model for a research project in offensive cyberspace operations and, based on the output of the linguistic analysis, the model is used to quantify and describe what a substantial contribution is in three scenarios that merit co-authorship.</p> Gazmend Huskaj Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 385 394 10.34190/iccws.17.1.50 Human Errors: A Cybersecurity Concern and the Weakest Link to Small Businesses <p>Cybersecurity is essential for all organizations, especially during this menacing Covid-19 global pandemic. The sudden transition of leaving the offices to work from home, the 'new normal', has introduced information security-related risks associated with human factors. For example, both criminals and employees use the same platform for information exchange but with starkly different intentions. But both their actions compromise information and computer security. Criminals intentionally exploit systems to gain unauthorized access for their benefit, while employees make careless mistakes, leaving systems exposed and vulnerable. The present study examines human errors influenced by actions, attitudes, and behaviors that affect overall information security. Purposive sampling within the qualitative approach was used to select thirty (30) small business managers. Data was collected using a qualitative online survey as a Google Form. The study used thematic analysis. The results revealed that repeated human mistakes compromise information security principles and render employees the weakest link. The study explained the risks caused by employees due to ignorance or poor decision making, technical-related errors, and skills- and policy-based errors. Even though small businesses do not require a 'one-size-fits-all' security approach, recommendations to reduce human mistakes were made. 
</p> Tabisa Ncubukezit Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 395 403 10.34190/iccws.17.1.51 Need for a Cyber Resilience Framework for Critical Space Infrastructure <p class="Abstract">The purpose of this paper is to introduce a case for a standardised comprehensive cyber resilience framework for Critical Space Infrastructure (CSI). Based on a structured systematic review and meta-analyses, this paper outlines the need for a risk-based framework. Space assets are fundamental components of critical national infrastructure (CNI), whose destruction significantly impacts many lives. Moreover, today’s digitally connected space infrastructure is exposed to sophisticated and catastrophic cyber-attacks. This paper lays out the research gap to present the need for a comprehensive cyber resilience framework for CSI and future research and collaboration to understand the emergence of a new category of failures related to space-asset-reliance disruption risks.</p> Syed Shahzad Li Qiao Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 404 412 10.34190/iccws.17.1.52 Ransomware Detection using Process Memory <p>Ransomware attacks have increased significantly in recent years, causing great destruction and damage to critical systems and business operations. Attackers are unfailingly finding innovative ways to bypass detection mechanisms, which encouraged the adoption of artificial intelligence. However, most research summarizes the general features of AI and induces many false positives, as the behavior of ransomware constantly differs to bypass detection. Focusing on the key indicating features of ransomware becomes vital as this guides the investigator to the inner workings and main function of ransomware itself. 
By utilizing access privileges in process memory, the main function of the ransomware can be detected more easily and accurately. Furthermore, new signatures and fingerprints of ransomware families can be identified to classify novel ransomware attacks correctly. The current research used the process memory access privileges of the different memory regions of the behavior of an executable to quickly determine its intent before serious harm can occur. To achieve this aim, several well-known machine learning algorithms were explored with an accuracy range of 81.38% – 96.28%. The study thus confirms the feasibility of utilizing process memory as a detection mechanism for ransomware.</p> Avinash Singh Richard Ikuesan Hein Venter Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 413 422 10.34190/iccws.17.1.53 Evaluating the Reliability of Android Userland Memory Forensics <p>Memory Forensics is one of the most important emerging areas in computer forensics. In memory forensics, analysis of userland memory is a technique that analyses per-process runtime data structures and extracts significant evidence for application-specific investigations. In this research, our focus is to examine the critical challenges faced by process memory acquisition that can impact object and data recovery. Particularly, this research work seeks to address the issues of consistency and reliability in userland memory forensics on Android. In real-world investigations, memory acquisition tools record the information when the device is running. In such scenarios, each application’s memory content may be in flux due to updates that are in progress, garbage collection activities, changes in process states, etc. In this paper we focus on various runtime activities such as garbage collection and process states and the impact they have on object recovery in userland memory forensics. 
The outcome of the research objective is to assess the reliability of Android userland memory forensic tools by providing new research directions for efficiently developing a metric study to measure the reliability. We evaluated our research objective by analysing memory dumps acquired from 30 apps in different Process Acquisition Modes. The Process Acquisition Mode (PAM) is the memory dump of a process that is extracted while external runtime factors are triggered. Our research identified an inconsistency in the number of objects recovered from analysing the process memory dumps with runtime factors included. Particularly, the evaluation results revealed differences in the count of objects recovered in different acquisition modes. We utilized Euclidean distance and covariance as the metrics for our study. These two metrics enabled the authors to identify how the change in the number of recovered objects in PAM impacts forensic analysis. Our conclusion revealed that runtime factors could on average result in about 20% data loss, thus revealing these factors can have an obvious impact on object recovery.</p> Sneha Sudhakaran Aisha Ali-Gombe Andrew Case Golden Richard III Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 423 432 10.34190/iccws.17.1.54 The Cumulative Cyber Deterrence <p>The cumulative cyber deterrence can be seen as a concept in which increasing the weight of different means and their use increases the deterrent effect on a common level or on selected adversaries. Cumulative cyber deterrence may include all traditional options of deterrence, and can be active or passive. Active deterrence can be characterized as targeting specific threats and actors, as a deterrent consisting of several different methods, while passive deterrence is a form of deterrence commonly targeted at all the potential adversaries. 
The cumulative cyber deterrence can be an independent type of deterrence or part of a state’s overall deterrence. This paper approaches the concept of cumulative cyber deterrence from a military perspective. The purpose is to determine what factors can be formed by cumulative cyber deterrence. It describes how cumulative deterrence will change and be affected and what problems can be associated with that concept. The aim is to find answers to these questions by looking at the way Israel and Russia use cumulative cyber deterrence as part of their overall deterrence. In its theoretical context, this paper is based on the theory of the character of war. Through the theory of the character of war and utilizing the concept of reflexive control, an attempt is made to explain the position of cumulative cyber deterrence as part of overall deterrence. Integrative literature analysis has been used as the research method. The key conclusion of the paper is that creating a credible cyber deterrent is an effective and cost-effective way to increase overall deterrence. However, this presupposes that the state also has offensive cyber methods at its disposal and is able to credibly communicate their existence and the will to use them if necessary. The concept of cumulative cyber deterrence depends on the other means of deterrence available to the state. Both Israel and Russia have all these qualities. A key difference in the deterrence strategies of these states is that Israel uses cumulative methods to make it clear where the red lines are, while Russia’s strategic goal is to blur them.</p> Maija Turunen Martti Kari Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 433 439 10.34190/iccws.17.1.55 Performance Implications for Multi-Core RISC-V Systems with Dedicated Security Hardware <p class="Abstract">The RISC-V instruction set architecture (ISA) is a promising open-source architecture supporting the Open Era of Computing. 
As RISC-V matures, consumers, industry leaders, and nation states are looking at the potential benefits RISC-V offers, especially for secure systems which may require privileged architecture implementations, physical memory protection (PMP), or trusted execution environments (TEEs) among other hardware-based security primitives. The inclusion of these security technologies unavoidably impacts the performance of any given compute system. To quantify the performance impacts introduced by secure enclave processing, representative computational benchmarks are executed on the Freedom U74-MC System-on-a-Chip (SoC) onboard the HiFive Unmatched development board by SiFive. These benchmarks are conducted across applicable modes of the RISC-V Privileged ISA specification to analyze Privileged ISA and PMP performance implications for Confidential Computing. To evaluate performance impacts, a theoretical model is applied to represent the interactions of the security monitor. The Keystone enclave framework tasks the security monitor with enforcing strict adherence to system security primitives while the Phoronix Test Suite (PTS) captures performance data. Individual benchmarks are conducted both with and without secure enclave technologies to characterize representative performance metrics.</p> Samuel Chadwick Scott Graham James Dean Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 440 448 Analysis of Image Thresholding Algorithms for Automated Machine Learning Training Data Generation <p>Secured compounds often safeguard physical layout details of both internal and external facilities, but these details are at risk due to the growing inclusion of Light Detection and Ranging (LiDAR) sensors in consumer off-the-shelf (COTS) technology such as cell phones. 
The ability to record detailed distance data with cell phones facilitates the production of high-quality three-dimensional scans in a discreet manner which directly threatens the security of private compounds. Therefore, it behooves the organizations in charge of private compounds to detect LiDAR activity. Many security cameras already detect LiDAR sources as generic light sources in specific conditions, but further analysis must identify these light sources as LiDAR sources in order to alert an organization of a potential security incident. Testing confirms the feasibility of identifying some LiDAR sources based on the color and intensity of light shined directly into a camera sensor, but this analysis proves inadequate for cell phone LiDAR. However, the unique intensity and pattern characteristics of cell phone LiDAR reflected off a surface can potentially be identified by an object identification machine learning model. In order to train a model to identify a LiDAR object, we must first produce a training dataset containing marked and labelled LiDAR objects. To do this, we apply an image thresholding algorithm to isolate the LiDAR object in an image to calculate its bounding box.
The image thresholding algorithm directly affects the bounding box accuracy, so we test two different algorithms and find that Otsu’s image thresholding algorithm performs best, resulting in 99.5% accurate bounding boxes.</p> Tristan Creek Barry Mullins Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 449 458 10.34190/iccws.17.1.57 Securing InfiniBand Networks with the Bluefield-2 Data Processing Unit <p>Interest in securing InfiniBand networks with encryption is growing. However, the performance benefit realized by InfiniBand’s use of Direct Memory Access (DMA) to bypass the kernel and avoid intervention from host Central Processing Units (CPUs) is at odds with IP datagram encryption techniques. Encryption forces data through the CPU before transmission and decryption, incurring multiple clock cycles. The Bluefield-2 Data Processing Unit (DPU) is Nvidia-Mellanox’s latest system on chip that combines a high-performance, programmable processor, network interface card (NIC), and flexible hardware accelerators. This research characterizes the Bluefield-2’s capability to accelerate IPsec encryption in hardware. Results show that the Bluefield-2’s hardware accelerators are capable of supporting a secure IPsec tunnel with a throughput of nearly 16 Gb/s. Offloading IPsec encryption operations to the hardware accelerators on the Bluefield-2 is a promising method for adding confidentiality, integrity, and authentication to InfiniBand networks.</p> Noah Diamond Scott Graham Gilbert Clark Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 459 468 10.34190/iccws.17.1.58 Malware Binary Image Classification Using Convolutional Neural Networks <p>The persistent shortage of cybersecurity professionals combined with enterprise networks tasked with processing more data than ever before has led many cybersecurity experts to consider
automating some of the most common and time-consuming security tasks using machine learning. One of these cybersecurity tasks where machine learning may prove advantageous is malware analysis and classification. To evade traditional detection techniques, malware developers are creating more complex malware. This is achieved through more advanced methods of code obfuscation and conducting more sophisticated attacks. This can make the manual process of analyzing malware an infinitely more complex task. Furthermore, the proliferation of malicious files and new malware signatures increases year by year. As of March 2020, the total number of new malware detections worldwide amounted to 677.66 million programs. In 2020, there was a 35.4% increase in new malware variants over the previous year. This paper examines the viability of classifying malware binaries represented as fixed-size grayscale images using convolutional neural networks. Several Convolutional Neural Network (CNN) architectures are evaluated on multiple performance metrics to analyze their effectiveness at solving this classification problem.</p> John Kiger Shen-Shyang Ho Vahid Heydari Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 469 478 10.34190/iccws.17.1.59 Defending Small Satellites from Malicious Cybersecurity Threats <p>The connection between space and cyberspace domains is increasingly intertwined.
Advancements in space technology, decreasing costs for satellite development, and the use of commercial off-the-shelf products present many cybersecurity challenges to space infrastructure. Additionally, space-based global critical infrastructure makes the space domain a prime target for malicious cyber threats. Software-defined radios introduce a potential attack vector for adversaries planning malicious satellite activity. This paper demonstrates how an adversary would send malicious commands via a software-defined radio to affect the integrity of the sensors on the satellite running NASA's core Flight System software. The experiment demonstrates one possible threat vector using a commercially available USRP N210 software-defined radio. The results show that well-constructed messages can be created to manipulate sensors on a target small satellite system. Identifying cybersecurity vulnerabilities like these in space systems can improve security and prevent disruptions for the global space enterprise.</p> Banks Lin Wayne Henry Richard Dill Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 479 488 10.34190/iccws.17.1.60 Improving Hardware Security on Talos II Architecture Through Boot Image Encryption <p>The OpenPOWER Foundation is an organization that promotes open-source high-performance hardware like the POWER9. OpenBMC is an OpenPower project that strives to produce an open-source firmware stack for Baseboard Management Controllers (BMCs). If hardware falls into the hands of competitors or bad actors, reverse engineering methods can be used to leak or manipulate sensitive information from the boot sequence. This represents a security concern because the root of trust can be invalidated.
For example, since the Initial Program Load (IPL) data is frequently not encrypted and is sent over the Low Pin Count (LPC) bus, it is possible to intercept and conduct man-in-the-middle attacks to modify the boot process. The boot image flash chip could also be removed from the Talos II motherboard and examined by competing server architecture manufacturers to reveal detailed boot information. Firmware that developers deem to contain sensitive code or perform innovative operations needs to be protected before being flashed onto the boot image chip. This paper demonstrates a method to encrypt sections of the boot image by encrypting a section of the image before flashing it onto the Talos II. The encrypted image will be decrypted during the boot sequence in the Level 3 cache of the POWER9, proving that it is possible to prevent adversaries from interfering with the IPL flow or obtaining details on firmware from the flash chip. This paper presents a novel method to improve the security of the boot image on Talos II architecture by encrypting the boot firmware image and decrypting it during the boot process. The proof of concept was executed on a Raptor Engineering Talos II system running a POWER9 processor with OpenBMC firmware on the ASPEED AST2500 BMC. This research claims that this unique method increases boot time security through firmware without altering hardware.</p> Calvin Muramoto Stephen Dunlap Scott Graham Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 489 496 10.34190/iccws.17.1.61 Technical Analysis of Thanos Ransomware <p>Ransomware is a developing menace that encrypts users’ files and holds the decryption key hostage until the victim pays a ransom. This particular class of malware has been responsible for the extortion of hundreds of millions of dollars every year. Adding to the problem, generating new variations is cheap.
Therefore, new malware can detect antivirus and intrusion detection systems and evade them or manifest in ways to make themselves undetectable. We must first understand the characteristics and behavior of various varieties of ransomware to create and construct effective security mechanisms to combat them. This research presents a novel dynamic and behavioral analysis of a newly discovered ransomware called Thanos. It was first found in 2020 and is building up to be the leading malware used by low-to-medium-level attackers. It is part of a new ransomware class known as RaaS (Ransomware as a Service), where attackers can customize it for their desired target audience. So far, it is more prevalent in the Middle East and North Africa and has over 130 unique samples already. As part of this investigation, the Thanos ransomware is being carefully analyzed. A testbed is created in a virtual artificial environment that mimics a regular operating system and identifies malware interactions with user data. Using this testbed, we can study how ransomware generally affects our system, how it spreads, and how it continually persists to access the user’s information. We can design a new security mechanism to detect and mitigate Thanos and similar ransomware based on behavior examination results.</p> Ikuromor Ogriki Christopher Beck Vahid Heydari Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 497 504 10.34190/iccws.17.1.62 Analysis of Sexual Abuse of Children Online and CAM Investigations in Finland <p>Children who use their free time with phones and computers online interact with the digital environment on a daily basis, where they will often make social contacts with their friends as well as exchange photos and videos with them.
However, children often make contact incautiously with new people online and may risk falling victim to sexual harassment or sexual abuse via sexually charged messages, requests to send nude photos or other Child Abuse Materials (CAM). Most of these cases are unreported crimes. Victims do not always understand that they could be victims. Sexual abuse of children endangers children’s psychological, physical and social health, and is against the interests of the child and their human rights. The European Commission’s Internal Security Fund Police (ISFP) aims to fund projects on fighting cybercrime and child sexual abuse including digital investigations. This paper provides background information for an innovation project intended to get funding from the ISFP. The case study composes up-to-date pictures of sexual abuse of children online in Finland by applying (1) observations of national police officers who have worked with CAM investigations as a tactical, technical or lead investigator to get unwritten knowledge of the challenge of investigations in the future, and (2) earlier research in Finland. Finnish Child Victim Surveys from past years provide a nationally representative sample of the experiences of children between 12 and 15 years of age where online grooming and sexual abuse are reported. In spring 2021, Save the Children Finland published 11-17-year-old children’s experiences of and thoughts on online grooming, and its results show grooming to be a common phenomenon and that a portion of children reported contact being made sexual from its very beginning.
This case study combines qualitative and quantitative methods to capture different aspects of and paradigms on CAM investigations in Finland; it is now up to date and would describe how crime investigators have to observe CAM crimes in crime investigations and how cases would be investigated effectively and reliably, in a timely fashion and without unnecessary mental workload.</p> Johanna Parviainen Jyri Rajamäki Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 505 512 10.34190/iccws.17.1.63 Digital Risk Management: Investigating Human-Factor Security with a Behaviorist Approach <p>sdfssd</p> Ruan Pretorius Dewald Blaauw Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 513 521 10.34190/iccws.17.1.64 Ensuring the Security of Space Systems from Eavesdropping Attacks <p class="Abstract">In a day and age where satellite communications are more important than ever to ensure global communication, establish international military power, and support our everyday way of life, satellite security must be at the forefront of innovation. However, eavesdropping attacks pose a serious threat to satellite communication systems that has not been adequately addressed. An eavesdropping attack threatens to put sensitive data in the wrong hands or even jeopardize critical missions. Research is needed to explore why defense against eavesdropping attacks is crucial, particularly for satellite systems. Three potential solutions to the problem are presented, addressing different challenges.
Realistic solutions to the eavesdropping threat are needed urgently to defend the space domain from malicious threats.</p> Caleb Richardson Mark Reith Wayne Henry Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 522 526 10.34190/iccws.17.1.65 Cyberwarfare and its Effects on Critical Infrastructure <p>The growth and capabilities of cyberspace have brought about many advantages to societies. Individuals and businesses have used cyberspace for easier communication, but nation-states also utilise it to improve the functioning of their critical infrastructure. Critical infrastructures provide vital services such as the health, safety and security needed for the efficient functioning of societies. However, vulnerabilities in cyberspace have made cyberattacks such as cyberwarfare possible. Cyberwarfare is an international concern due to the negative impact it can have on critical infrastructure. This paper aims to discuss cyberwarfare and the potential effects that it can have on critical infrastructure. This paper follows a theoretical research methodology to provide an understanding of cyberwarfare. In addition, the paper provides a better understanding of the impact that cyberwarfare can have on critical infrastructure. The paper contains an exhaustive definition of cyberwarfare. Since cyberwarfare is a type of cyberattack, it is similar but not the same as other cyberattacks such as cybercrime and cyberterrorism. Therefore, to gain a clear understanding of cyberwarfare, the paper discusses cyberwarfare, cybercrime, and cyberterrorism. The paper also discusses some of the most significant cyberwarfare incidents. Since the effects can be devastating, critical infrastructure must be protected from cyberwarfare. A survey of techniques for protecting critical infrastructure from cyberwarfare is presented. The identified incidents highlight the effects that cyberwarfare can cause. 
Hence, the possible effects that cyberwarfare can have on critical infrastructure are discussed. Due to the negative effects of cyberwarfare, nations need to be prepared to protect their critical infrastructure from cyberwarfare. Therefore, the paper also discusses the authors’ stance on South Africa’s preparedness to defend itself in the event of cyberwarfare.</p> Humairaa Bhaiyat Siphesihle Sithungu Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 536 543 10.34190/iccws.17.1.68 Addressing the Skills Shortage in Cybersecurity <p>Security by design is an up-and-coming paradigm which seeks to decrease the opportunity for corruption and disruption, and to increase the inherent stability, dependability and resilience of systems. Cyber experts need to be involved in the design phase as Finagle's Law, interpreted for cybersecurity, is 'if it can be hacked, it will – at the worst possible time'. Testing is designed to counter Murphy's Law and reduce resistentialism. Defensive programming, original cybersecurity, carries an overhead, for which there is often no demonstrable return. The priority of the design stage cybersecurity expert is to plan for contingencies and think like a hacker. It is about risk management; understanding this dictates security by design requirements in the knowledge that interconnected systems' security is only as strong as its weakest link.
Definition and audit of Service Level Agreements (SLA) are an essential part of cybersecurity, as is the audit of any third party suppliers of componentry of the system under design. Governance and policy definitions, exciting for some, are integral to cybersecurity. Beyond this, the cybersecurity expert must consider system failure. Recent ransomware attacks have demonstrated the necessity for business continuity plans as recovery has still taken time. The Blue Team Field Manual has an impressive list of necessary documentation and actions required in this event, but glosses over the effort required. While the above is rolling maintenance, threat hunting differs. Every vulnerability or threat must be evaluated for consequential impact. Either a passionate interest in psychology or an extremely jaundiced view of the world is a necessary attribute for cybersecurity. Reality is so different from the aspirations of potential pen testers, incident responders, and AI security engineers facing 3 – 5 post-graduation years to proficiency, it is no wonder disillusion results in a shortage of 3.5 million cybersecurity experts.</p> Gareth Davies Angela Mison Peter Eden Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 544 551 10.34190/iccws.17.1.69 Critical Systems Protection (CSP): The US Secret Service’s Tactical Cyber Capability for Securing Protectees <p class="Abstract">This paper examines a largely unknown cybersecurity function within the United States Secret Service (USSS), that is separate and apart from its traditional cybersecurity mission in financial crime investigations. This program - Critical Systems Protection (CSP) – is instead focused on the Secret Service’s protective mission and analyzes and secures the cyber environments of facilities and locations visited by the agency’s protectees. Exploiting publicly available documents about CSP,
this paper will document this unique organization that combines some of the highest profile issues in cybersecurity – operational and tactical level cybersecurity efforts, and the security of cyber-physical systems. Drawing on open-source information and government documents, this paper sketches out the CSP mission, its partnerships with other agencies and organizations, and some of the tools and other capabilities it has developed.</p> Austin Hyman Brian Nussbaum Mario Bencivenga Zachary Rizzo Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 552 558 10.34190/iccws.17.1.70 WFH, not WTH? The security challenges of working-from-home <p class="Abstract">Under the coronavirus pandemic, governments and corporations around the world have adopted a work-from-home (WFH) mode of operations to continue governing and operating. Over two years into the COVID-19 pandemic, many of us continue to work from home and a large majority have few plans to return to the office. Early on, governments and companies scrambled to increase Virtual Private Network (VPN) licenses and bandwidth capacities to take on the additional user load at a technical level. This allowed near-seamless continuity of communications for common government unclassified information and corporate sensitive information of non-national interest using commercial software encryption. But what about information of national interest? A smaller number of individuals in key government departments, sometimes under staff rotations, continued to work in the office to serve these needs. Within weeks, government departments began deploying assets to access classified Secret systems from home.
This paper discusses the WFH use of classified (e.g., Secret) IT systems while considering multiple security areas (physical, operational, personnel, IT, communication, and electromagnetic and radio-frequency emission) with focus on insider threats and foreign state actors, to describe the impact to the WFH public servant, the citizens, and the government. It describes the severe security challenges and risks governments have accepted under the pandemic, raising the question “<em>what the heck</em> were governments thinking?”</p> Neal Kushwaha Piret Pernik Bruce Watson Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 559 567 10.34190/iccws.17.1.76 The Failure of Trust in Trusted Systems <p>Contrary to the early days in which freedom of access and knowledge for all was a fundamental tenet of the burgeoning internet, today, the internet is a hostile environment. This paper represents that practices of trusted autonomous systems and zero trust must reside both organisationally and in any connected device, and that they will be insufficient to secure any hyperconnected system. For example, in the area of Connected and Autonomous Vehicles (CAV), the emphasis of standards associated with cybersecurity is to protect vehicles from an external attack, particularly where it may have an impact on safety. The Internet of Vehicles (IoV) is a subset of the IoT. Security of the IoT has not been standardised and is applied by proprietary organisations. Little consideration has been given to the IoV not being the target of an attack, but a means to an end. Vehicles necessarily communicate with the infrastructure and other vehicles. Additionally, outsourced organisational systems and third-party components within a complex, interconnected, communicating system render it impossible to define and secure all endpoints. Malware in any part of the hyperconnected systems provides opportunities for hackers.
The security of the systems is only as strong as their weakest link. As an example of an onward attack, a DDoS attack is a debilitating exhaustion-of-resources attack that disables intended operation of a system. Formation of a botnet from the IoV for use in onward attacks is hypothesised. Such a botnet could have a global reach. Research has indicated that the complete cleansing of a computer-based botnet could take between 5 and 15 years. However, with decentralised command and control and peer-to-peer communication, the botnet could remain persistent. It is shown that persistent botnet formation software is readily available on the dark market and that specialist software can be commissioned as Crime as a Service. Organised crime groups have already reverse engineered vehicle systems. Mobile attack platform swarms are an attractive proposition to the malefactor, and with the potential for global reach, perhaps the next step on from ransomware. Intermittent disruption from mobile sources is hard to trace and there is an existing pool of 1.2 billion vehicles.</p> Angela Mison Gareth Davies Peter Eden Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 568 575 10.34190/iccws.17.1.71 New Wave Cyber Attacks <p>There is increasing enthusiasm for, and recognition of, the benefits that artificial intelligence (AI) can provide to society. The emphasis has been on the positive, but AI and deep learning can be used for negative purposes. Modular Neural Networks (MNN) are capable of independent learning and have been targeted at evolutionary, complex financial systems. If the goal of an MNN were to be defined as system penetration, there is no reason why an algorithm could not run in the background. There are resource requirements, but organised crime groups, technology companies, nation states and individuals with a curious bent are all capable of such.
Ordered society and security require a degree of certainty that systems on which society depends will remain recognisable, dependable and resilient. Under current conditions, security is difficult enough. It is suggested that limitations may be required before release of certain AI systems, in the knowledge of their potential for detriment to society. An AI system capable of independent learning permits undefined emergent behaviours. That the results of any emergent properties may be benign or malign is irrelevant. Scientific history is littered with developments whose uses were redirected away from the benign. Such concern could be interpreted as fear of the unknown, standing in the way of technological advances. Unless society wishes to become machine-driven, the power and control of systems should be defined and limited by society, not accidentally sprung on humanity or based on a ruthless logic that may drive a system to an unacceptable conclusion. Currently there are sophisticated botnet forming methods ensuring botnet persistence. If combined with the concepts of AI, there is a possibility that botnets could exist in perpetuity, with no one able to predict emergence, and no time limits on evolution. Whither cyber defence in the face of the unstoppable, increasingly intelligent, goal-directed systems?</p> Angela Mison Gareth Davies Peter Eden Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 576 582 10.34190/iccws.17.1.72 Role of Big Tech in Future Cyber Defence <p>Ordered society and nation states are dependent on interconnected systems, the defence of which is largely in private hands whose actions are driven by need for oligopolistic market dominance, protection of assets, and their monetisation models. This paper queries the responsibility of the nation state for the protection of itself and its citizenry.
By some definitions, corporations are conducting cyberwarfare and, in cyberspace, are virtual nation states with ownership and rights over the data they hold and the intelligence it yields. The financial challenge for market dominance could drive an internecine war among the major technology corporations, and an assertion that the rights over the data they control are superior to those of the nation state. As functional monopolists, data they have acquired is not available from any other source. The intelligence from analytics exercised over that data, and the data itself, is proprietary. These corporations exercise monopolist characteristics in the areas of data, information and intelligence. The aggregate value of the top 5 technology corporations, colloquially known as Big Tech, is equivalent to third in projected global GDP rankings for 2021. This represents an equivalent expression of power in/over cyberspace. Cloud service providers (CSP) are often offshoots of Big Tech and have a high compound annual growth rate, thereby revealing the motivation for protection of market dominance and potential threat to users/customers. By concentrating on traditional cyber warfare and defence, there is limited consideration on policing or guarding against the rise of these virtual supranational powers driven by strict market agenda. What consideration there is regarding potential threats is driven by an economic perspective and anti-trust initiatives. Whether judged by the nation state as benign or malign, Big Tech has an impact on the nature and direction of society as currently understood and the question must be raised whether both citizens, organisations, and states need protection from it.
</p> Angela Mison Gareth Davies Peter Eden Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 583 590 10.34190/iccws.17.1.73 Data Mining for the Security of Cyber Physical Systems Using Deep-Learning Methods <p>Cyber Physical Systems (CPSs) have become widely popular in recent years, and their applicability has been growing exponentially. A CPS is an advanced system that incorporates a computation unit along with a hardware unit, allowing for computing processes to interact with the physical world. However, this increased usage has also led to security concerns in them, as they allow potential attack vectors to exploit the possibilities of committing misconduct for their own benefit. It is of paramount importance that these systems have comprehensive security mechanisms to mitigate these security threats. A typical attack vector for a CPS is malicious data supplied by compromised sensors that are part of the CPSs. To combat this attack vector, many systems are secured through fault tolerance, including methods such as checkpointing to recover the system. Looking at the diverse nature of attacks and their ever-growing complexities, traditional security approaches may not counter them efficiently, which creates a vacuum to be filled with sophisticated state-of-the-art techniques. In this paper, Deep Learning methods such as autoencoders and Support Vector Machines are proposed to secure CPSs against these attacks. The networks in these applied methods are trained with a normal data profile devoid of any malicious data. Data collected from the system’s sensors at specified intervals is used to form a data series and input to the neural networks. The networks compare and analyze new data against the normal profile to detect anomalies, if any. In the presence of anomalous data, the networks generate corrective action(s) for these sensors and the physical states they are recording.
Through detection of anomalies, effective security of CPSs may be improved in addition to providing protection for the sensors. Moreover, the proposed method of securing CPSs opens up the possibility of further research by showcasing the applicability of neural networks in securing CPSs.</p> Bhagawan Nath Timo Hämäläinen Soundararajan Ezekiel Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 591 598 10.34190/iccws.17.1.74 ‘Out Beyond Jointery’: Developing a Model for Gaming Multi-Domain Warfare <p>What Huizinga is saying here is not that conflict is <em>playful</em>, but rather, it is a <em>game,</em> following set rules of conduct and occurring within a defined zone of action. Elsewhere in <em>Homo ludens</em>, he argues that modern warfare operates without the ritualised, rule-based structure of, for example, the mediaeval tourney. The purpose of this paper is to consider the ways in which a model based on the structure of games may help us better engage with the challenges of Multi-Domain Conflict. We are all familiar with the concept of Cyber as the 5<sup>th</sup> Domain of warfare, but we need to consider it not as a discrete zone, but as running through and interpenetrating the other 4 (Earth, Sea, Air, Space), the informational spine that enables all other forms of conflict. This paper will: 1. Discuss the developing concept of Multi-Domain Conflict as a move ‘beyond jointery’ (as General Sir Nick Carter put it) into a truly integrated form of warfare, blurring and collapsing boundaries between kinetic and non-kinetic, between the services, and between military and civilian authority; 2. Outline a theoretical model for conceptualising Multi-Domain Conflict as gamelike in form, with environments of operation (‘boards’), protagonists (‘players’), and possible forms of action (‘moves’).
As befits a conference on Cyber and Information Warfare, it will argue that the D5 model of IW (Deny, Disrupt, Degrade, Deceive and Destroy) is portable and scalable across the other 4 domains (Land, Sea, Air, Space); 3. Show how this theoretical model can be employed both to model and simulate Multi-Domain Conflict; wargames have been a key element of military planning and training for at least a century – this paper argues that we need to develop a new <em>Kriegspiel</em> to better understand coming conflicts.</p> Keith Scott Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 599 608 10.34190/iccws.17.1.77 Research Gaps and Opportunities for Secure Access Service Edge <p>This paper provides a contemporary discussion of security as a service from a network perspective and discusses state-of-the-art research conducted within a framework known as Secure Access Service Edge (SASE) (pronounced ‘sassy’). SASE is a network security framework proposed by Gartner (2019) (MacDonald, Orans and Skorupa, 2019). This paper gives a brief description of cloud concepts and technologies, focuses on network security in the cloud and aims to provide researchers with subjects of future research in SASE. To achieve the aim, the authors evaluate existing papers on SASE and its core components to identify gaps in the literature currently available on SASE.</p> Stephanus van der Walt Hein Venter Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 609 619 10.34190/iccws.17.1.75 Mitigating Global Cyber Risk Through Bridging the National Incident Response Capacity Gap <p class="Abstract">Cyber-attacks know no borders. Given the globally connected environment, no region or country is secure against cyber-attacks unless the entire world is secure or has cyber capabilities.
Yet, whether preventive or reactive, cyber countermeasures require coordination and engagement of various organizations, government bodies, and citizens of different countries. Although a variety of countermeasures exist, Computer Security Incident Response Teams (CSIRTs) have been deemed necessary systems in defending against and preventing cyberattacks, further supporting a nation’s cyber capacity and limiting the harm to citizens, businesses, and governments. Despite calls for establishing CSIRTs at the national level, especially toward protecting critical infrastructure and lives from cyber threats, various discrepancies exist based on a nation’s resources, capabilities, and needs. Limited research delves into the cyber capabilities of low-income countries despite an emphasis on improving global cyber capacity, leading to a need to establish a framework for low-income countries to address the unique needs with lessons learned from existing standards. CSIRTs can improve the cybersecurity posture of countries, so we seek to investigate how low-income countries can better mitigate cyber threats through cyber capacity building, including the creation of CSIRTs. This work-in-progress paper aims to investigate cyber incident response capacity building at the national level in low-income countries and identify challenges they may face in contributing to a more secure global cyberspace. Stemming from this paper, we will conduct a survey of national CSIRTs in low-income countries and conduct semi-structured interviews to further investigate their role. 
The implications of our research are far-spreading, assisting academics, practitioners, and governments in developing research, processes, and policies to aid low-income countries in their national cyber capacity building.</p> Elisabeth Dubois Unal Tatar Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 527 531 10.34190/iccws.17.1.66 An Exploration on APTs in Biocybersecurity and Cyberbiosecurity <p class="Abstract">Novel and complex digital threats that are increasingly interwoven with means and products of biology that can affect society. Much work in Biocybersecurity/Cyberbiosecurity (BCS/CBS) discuss vulnerabilities, but few deeply address malicious actor varieties as attacks at this intersection are new. The path to those attacks remains mostly theoretical, presenting considerable difficulty to accomplish in practical scenarios. In terms of advanced persistent threats (APTs) this of course needs to change as biomanufacturing facilities are at risk, considering Covid-19 and other potential pandemics. Further attacks are not out of reach and thus we must start to imagine how BCS APTs may appear. This paper in progress aims to open discussion regarding the definition of the concept BCS/CBS APTs and their implications, as well as create call to action for increased attention.</p> Xavier-Lewis Palmer Lucas Potter Saltuk Karahan Copyright (c) 2022 International Conference on Cyber Warfare and Security 2022-03-02 2022-03-02 17 1 532 535 10.34190/iccws.17.1.67
