Rabih Mohsen

Rabih has recently joined the group and contributes to several activities.

Don’ t fool me!: Detection, Characterisation and Diagnosis of Spoofed and Masked Events in Wireless Sensor Networks

dont-foolme-pic
Wireless Sensor Networks carry a high risk of being compromised, as their deployments are often unattended, physically accessible and the wireless medium is difficult to secure. Malicious data injections take place when the sensed measurements are maliciously altered to trigger wrong and potentially dangerous responses. When many sensors are compromised, they can collude with each other to alter the measurements making such changes difficult to detect. Distinguishing between genuine and malicious measurements is even more difficult when significant variations may be introduced because of events, especially if more events occur simultaneously. We propose a novel methodology based on wavelet transform to detect malicious data injections, to characterise the responsible sensors, and to distinguish malicious interference from faulty behaviours. The results, both with simulated and real measurements, show that our approach is able to counteract sophisticated attacks, achieving a significant improvement over state-of-the-art approaches.

 

Vittorio P. Illiano, Luis Muñoz-González and Emil C. Lupu: Don’ t fool me!: Detection, Characterisation and Diagnosis of Spoofed and Masked Events in Wireless Sensor Networks.

To appear in IEEE Transactions on Dependable and Secure Computing
IEEE TNSM link (open access)

Attestation in Wireless Sensor Networks: A Survey

Attestation is a mechanism used by a trusted entity to validate the software integrity of an untrusted platform. Over the past few years, several attestation techniques have been proposed. While they all use variants of a challenge-response protocol, they make different assumptions about what an attacker can and cannot do. …
Download a copy here

RISS group was part of London Duathlon!

RISS Group participated at the London Duathlon this Sunday (18/09/16) at the Duathlon Relay. Erisa Karafili ran 10km, Daniele Sgandurra cycled 44km, and Rodrigo Vieira Steiner ran 5km.

Automated Dynamic Analysis of Ransomware: Benefits, Limitations and use for Detection

Recent statistics show that in 2015 more than 140 millions new malware samples have been found. Among these, a large portion is due to ransomware, the class of malware whose specific goal is to render the victim’s system unusable, in particular by encrypting important files, and then ask the user to pay a ransom to revert the damage. Several ransomware include sophisticated packing techniques, and are hence difficult to statically analyse. We present EldeRan, a machine learning approach for dynamically analysing and classifying ransomware. EldeRan monitors a set of actions performed by applications in their first phases of installation checking for characteristics signs of ransomware. Our tests over a dataset of 582 ransomware belonging to 11 families, and with 942 goodware applications, show that EldeRan achieves an area under the ROC curve of 0.995. Furthermore, EldeRan works without requiring that an entire ransomware family is available beforehand. These results suggest that dynamic analysis can support ransomware detection, since ransomware samples exhibit a set of characteristic features at run-time that are common across families, and that helps the early detection of new variants. We also outline some limitations of dynamic analysis for ransomware and propose possible solutions.

Daniele Sgandurra, Luis Muñoz-González, Rabih Mohsen, Emil C. Lupu. In ArXiv e-prints, arXiv:1609.03020, September 2016.

Formalizing Threat Models for Virtualized Systems

30th Annual IFIP WG 11.3 Working Conference on Data and Applications Security and Privacy (DBSec 2016)!

Authors: Daniele Sgandurra, Erisa Karafili and Emil Lupu.

Abstract: We propose a framework, called FATHoM (FormAlizing THreat Models), to define threat models for virtualized systems. For each component of a virtualized system, we specify a set of security proper- ties that defines its control responsibility, its vulnerability and protection states. Relations are used to represent how assumptions made about a component’s security state restrict the assumptions that can be made on the other components. FATHoM includes a set of rules to compute the derived security states from the assumptions and the components’ relations. A further set of relations and rules is used to define how to protect the derived vulnerable components. The resulting system is then analysed, among others, for consistency of the threat model. We have developed a tool that implements FATHoM, and have validated it with use-cases adapted from the literature.

Paper:Threat Model paper @ DBSec

Publisher’s Link

PETRAS Hub for the IoT

PETRAS_logo_black smallWe are thrilled to be part of the PETRAS IoT Hub which aims to ensure that the UK remains a global leader in the Internet of Things. PETRAS (Privacy, Ethics, Trust, Reliability, Acceptability and Security) groups together 9 leading UK universities and has more than 47 user partners from industry and the public sector. The consortium has received a £9.8M grant from the EPSRC. Dr Emil Lupu is to serve as Deputy Director of the Hub and lead for the Security and Safety Theme.

Evolution of Attacks, Threat Models and Solutions for Virtualized Systems

ACM DL Author-ize serviceEvolution of Attacks, Threat Models, and Solutions for Virtualized Systems

Daniele Sgandurra, Emil Lupu, ACM Computing Surveys (CSUR), Volume 48 Issue 3, Article No. 46, February 2016

Abstract: Virtualization technology enables Cloud providers to efficiently use their computing services and resources. Even if the benefits in terms of performance, maintenance, and cost are evident, however, virtualization has also been exploited by attackers to devise new ways to compromise a system. To address these problems, research security solutions have evolved considerably over the years to cope with new attacks and threat models. In this work, we review the protection strategies proposed in the literature and show how some of the solutions have been invalidated by new attacks, or threat models, that were previously not considered. The goal is to show the evolution of the threats, and of the related security and trust assumptions, in virtualized systems that have given rise to complex threat models and the corresponding sophistication of protection strategies to deal with such attacks. We also categorize threat models, security and trust assumptions, and attacks against a virtualized system at the different layers—in particular, hardware, virtualization, OS, and application.

Download citation (BibTeX format)

Exact Inference Techniques for the Dynamic Analysis of Attack Graphs

Attack graphs are a powerful tool for security risk assessment by analysing network vulnerabilities and the paths attackers can use to compromise valuable network resources. The uncertainty about the attacker’s behaviour and capabilities make Bayesian networks suitable to model attack graphs to perform static and dynamic analysis. Previous approaches have focused on the formalization of traditional attack graphs into a Bayesian model rather than proposing mechanisms for their analysis. In this paper we propose to use efficient algorithms to make exact inference in Bayesian attack graphs, enabling the static and dynamic network risk assessments. To support the validity of our proposed approach we have performed an extensive experimental evaluation on synthetic Bayesian attack graphs with different topologies, showing the computational advantages in terms of time and memory use of the proposed techniques when compared to existing approaches.

Luis Muñoz-González, Daniele Sgandurra, Martín Barrere, and Emil C. Lupu: Exact Inference Techniques for the Dynamic Analysis of Attack Graphs. arXiv preprint: arXiv:1510.02427. October, 2015.

Konstantina Spanaki

Konstantina joined Imperial College Business School as a Research Associate in 2014. Her main research interests focus on topics of IT adoption, business integration and information management. She worked on joint projects between this group and the Business School in particular on value aspects of data and adoption of cloud security services. Konstantina is now a Lecturer at School of Business and Economics, Loughborough University.

 

Detecting Malicious Data Injections in Wireless Sensor Networks: a Survey

Wireless Sensor Networks are widely advocated to monitor environmental parameters, structural integrity of the built environment and use of urban spaces, services and utilities. However, embedded sensors are vulnerable to compromise by external actors through malware but also through their wireless and physical interfaces. Compromised sensors can be made to report false measurements with the aim to produce inap- propriate and potentially dangerous responses. Such malicious data injections can be particularly difficult to detect if multiple sensors have been compromised as they could emulate plausible sensor behaviour such as failures or detection of events where none occur. This survey reviews the related work on malicious data injection in wireless sensor networks, derives general principles and a classification of approaches within this domain, compares related studies and identifies areas that require further investigation.

Vittorio P. Illiano and Emil C. Lupu: Detecting Malicious Data Injections in Wireless Sensor Networks: a Survey Published in ACM Computing Surveys Vol. 48, No. 2, Article 24, Publication date: October 2015
Download
Manuscript published on ACM Computing Surveys