To pay or not: game theoretic models of ransomware
Ransomware is a type of malware that encrypts files and demands a ransom from victims. It can be viewed as a form of kidnapping in which the criminal takes control of the victim's files with the objective of financial gain. In this article, we review and develop the game-theoretic literature on kidnapping in order to gain insight into ransomware. The prior literature on kidnapping has largely focused on political or terrorist hostage taking. We demonstrate, however, that key models within that literature can be adapted to give critical new insight into ransomware. We primarily focus on two models. The first gives insight into the optimal ransom that criminals should charge. The second gives insight into the role of deterrence through preventative measures. A key insight from both models is the importance of spillover effects across victims. We argue that such spillovers point to the need for some level of outside intervention, by governments or otherwise, to tackle ransomware.
Computational optimization models for investigating digital crime and intrusion detection alarms
The Internet is a source of information, communication and entertainment, which makes it impossible for us to imagine a world without being connected. However, there has been tremendous growth in crime targeting every form of digital medium. The main objective of this dissertation is to develop and empirically evaluate computational optimization models for investigating digital crime and computer/network intrusion. The first research problem considered relates to Crime Scene Investigation (CSI) in digital forensics. First, a mixed integer linear programming (MILP) model is proposed to allocate optimal investigation times to items of evidence, thereby maximizing the overall effectiveness of a forensic investigation procedure. Second, since the proposed general problems are NP-hard, two heuristic algorithms for the sequential digital forensic model with a single investigator and one heuristic algorithm for the sequential digital forensic model with multiple investigators are proposed and empirically evaluated. The second research problem involves the investigation of alarms generated by an Intrusion Detection System (IDS) with limited resources. One of the significant challenges presented by IDSs is how network managers prioritize and commit resources to investigating IDS notifications (alarms) of potential threats to the network. In this dissertation, the passive IDS alarm investigation problem is modeled using MILP. More specifically, the model minimizes the total expected cost incurred by a firm in investigating IDS alarms by assisting a security administrator in making an optimal decision on two points: which alarms need to be investigated, and the sequence in which they should be investigated. To simplify the presentation, the case of a single investigator is considered, although the analysis can be extended to cover multiple investigators. In view of the NP-hard nature of the problem, a greedy heuristic algorithm is proposed and empirically evaluated to solve the described general problem.
IDS Alarms Investigation with Limited Resources
Securing and defending computing networks has become a matter of growing importance, attracting the attention of both practitioners and researchers. Among the suite of tools available to network managers to monitor and secure their networks are Intrusion Detection Systems (IDS): software and hardware systems designed to automate the monitoring of networks and their analysis for potential breaches. One of the challenges presented by IDSs is how network managers should prioritize and commit resources to investigating IDS notifications of potential threats to the network. In this paper, we consider this problem and propose heuristic algorithms for how network managers can optimally allocate their limited resources for investigating IDS notifications.
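Neither abstract above reproduces its formulation, so the following is an added illustration of the problem class, not the dissertation's MILP or the paper's heuristic. The cost model (damage accrues at a per-hour rate until an alarm is investigated, capped at the alarm's full loss; alarms never investigated within the analyst-time budget are charged their full expected loss), the five sample alarms and the greedy rule (pick the alarm that avoids the most expected loss per analyst hour at the current clock) are all constructed assumptions. The exhaustive enumeration alongside it shows the gap a heuristic leaves and why enumeration stops being an option beyond a handful of alarms.

```python
"""Greedy vs. exact scheduling of IDS alarm investigations under an analyst-time budget.

Added example, not the dissertation's or the paper's code. The cost model below and
the sample alarms are constructed assumptions used to illustrate the problem class.
"""
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    alarm_id: str
    p_true: float     # estimated probability the alarm is a real intrusion
    loss: float       # expected damage if the intrusion is never contained
    effort: float     # analyst hours needed to investigate and contain it
    loss_rate: float  # expected damage accrued per hour until it is investigated


# Constructed sample queue (not real alarm data).
SAMPLE_ALARMS = [
    Alarm("A1", p_true=0.90, loss=50_000, effort=2.0, loss_rate=4_000),
    Alarm("A2", p_true=0.20, loss=5_000, effort=0.5, loss_rate=500),
    Alarm("A3", p_true=0.60, loss=20_000, effort=3.0, loss_rate=1_500),
    Alarm("A4", p_true=0.05, loss=100_000, effort=1.0, loss_rate=2_000),
    Alarm("A5", p_true=0.40, loss=8_000, effort=1.5, loss_rate=3_000),
]
BUDGET_HOURS = 6.0  # analyst time available for this queue (assumed)


def residual_loss(alarm, completion):
    """Expected loss if the investigation finishes `completion` hours from now."""
    return alarm.p_true * min(alarm.loss, alarm.loss_rate * completion)


def expected_cost(alarms, order, budget):
    """Total expected cost of investigating `order` in sequence; inf if it overruns the budget."""
    clock, cost, scheduled = 0.0, 0.0, set()
    for alarm in order:
        clock += alarm.effort
        if clock > budget + 1e-9:
            return float("inf")
        scheduled.add(alarm.alarm_id)
        cost += residual_loss(alarm, clock)
    # Alarms never looked at are charged their full expected loss.
    cost += sum(a.p_true * a.loss for a in alarms if a.alarm_id not in scheduled)
    return cost


def greedy_schedule(alarms, budget):
    """Greedy heuristic: repeatedly pick the alarm that avoids the most expected
    loss per analyst hour given the current clock, while it still fits the budget."""
    remaining, order, clock = list(alarms), [], 0.0
    while True:
        best, best_score = None, 0.0
        for alarm in remaining:
            if clock + alarm.effort > budget + 1e-9:
                continue
            avoided = alarm.p_true * alarm.loss - residual_loss(alarm, clock + alarm.effort)
            score = avoided / alarm.effort
            if score > best_score:  # alarms whose damage is already maxed out score 0
                best, best_score = alarm, score
        if best is None:
            return order
        order.append(best)
        remaining.remove(best)
        clock += best.effort


def optimal_schedule(alarms, budget):
    """Exact answer by enumerating every ordered subset of alarms. Feasible only for
    tiny queues, which is the practical face of the NP-hardness the abstracts note."""
    best_order, best_cost = [], expected_cost(alarms, [], budget)
    for k in range(1, len(alarms) + 1):
        for order in itertools.permutations(alarms, k):
            cost = expected_cost(alarms, order, budget)
            if cost < best_cost:
                best_order, best_cost = list(order), cost
    return best_order, best_cost


if __name__ == "__main__":
    greedy = greedy_schedule(SAMPLE_ALARMS, BUDGET_HOURS)
    exact, exact_cost = optimal_schedule(SAMPLE_ALARMS, BUDGET_HOURS)
    print("greedy :", [a.alarm_id for a in greedy],
          f"cost={expected_cost(SAMPLE_ALARMS, greedy, BUDGET_HOURS):,.0f}")
    print("optimal:", [a.alarm_id for a in exact], f"cost={exact_cost:,.0f}")
```

On the constructed queue the greedy rule schedules A1, A4, A3 at an expected cost of 17,100, while the exhaustive search finds A1, A3, A4 at 16,500: the heuristic investigates the cheap high-loss alarm A4 before A3 because, at that moment, it avoids more loss per hour, and never revisits the choice. The number of ordered subsets grows factorially with queue size, so the enumeration is only a yardstick; the heuristics are what a SOC would actually run.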
Integrate Text Mining into Computer and Information Security Education
Insider threats have become a significant challenge to organizations because employees hold varying levels of access to the internal network, which in turn bypasses the external security measures put in place to protect the organization's resources. Computer-mediated communication (CMC) is communication over virtual spaces where users cannot see each other; it includes email and communication over social networks, amongst others. This paper focuses on the design and implementation of exercise modules that can be integrated into cybersecurity courses. The main objectives of the paper include how to teach and integrate the CMC learning modules into cybersecurity courses. Further, experimental case studies and hands-on labs are discussed to facilitate effective teaching practices pertaining to cybersecurity education.
NCHR: A Nonthreshold-Based Cluster-Head Rotation Scheme for IEEE 802.15.4 Cluster-Tree Networks
The IEEE 802.15.4 standard specifies two network topologies: 1) star and 2) cluster tree. A cluster-tree network comprises multiple clusters that allow the network to scale by connecting devices over multiple wireless hops. The role of a cluster head (CH) is to aggregate data from all devices in the cluster and then transmit it to the overall personal area network (PAN) coordinator. This role needs to be rotated among multiple coordinators in the cluster to prevent the CH from draining its energy. Prior works on CH rotation are either based on threshold energy levels or rely on periodic rotation. Both approaches have their respective limitations and, at times, result in unnecessary CH rotations or non-optimal selection of the CH. To address this, we propose a nonthreshold CH rotation scheme (NCHR), which incurs minimal rotation overhead. It supports topological changes and node heterogeneity, and can also handle CH failures. Through simulations and a hardware implementation, the performance of the proposed NCHR scheme is analyzed in terms of network lifetime, CH rotation overhead, and the number of CH rotations. It is shown that the proposed scheme boosts network lifetime, incurs less rotation overhead, and needs fewer CH rotations compared to other related schemes.
This work was supported in part by the Science and Engineering Research Board, Department of Science and Technology, Government of India through ECR, 2016 under Grant 2016/001651; in part by the "Ministerio de Economia y Competitividad" in the "Programa Estatal de Fomento de la Investigacion Cientifica y Tecnica de Excelencia, Subprograma Estatal de Generacion de Conocimiento" within the Project under Grant TIN2017-84802-C2-1-P; and in part by the European Union through the ERANETMED (Euromediterranean Cooperation through ERANET Joint Activities and Beyond) Project ERANETMED3-227 SMARTWATIR.
Choudhury, N.; Matam, R.; Mukherjee, M.; Lloret, J.; Kalaimannan, E. (2021). NCHR: A Nonthreshold-Based Cluster-Head Rotation Scheme for IEEE 802.15.4 Cluster-Tree Networks. IEEE Internet of Things Journal, 8(1):168-178. https://doi.org/10.1109/JIOT.2020.3003320
Source Anonymization of Digital Images: A Counter–Forensic Attack on PRNU based Source Identification Techniques
Many photographers and human rights advocates need to hide their identity while sharing their images on the Internet. Hence, source anonymization of digital images has become a critical issue in the present digital age. The current literature contains a number of digital forensic techniques for source identification of digital images, one of the most efficient being source detection based on the Photo-Response Non-Uniformity (PRNU) sensor noise pattern. Since the PRNU noise pattern is unique to every digital camera, such techniques are a highly robust way of identifying an image's source. In this paper, we propose a counter-forensic technique to mislead PRNU-based source identification by iteratively applying a median filter to suppress the PRNU noise in an image. Our experimental results show that the proposed method achieves a considerably higher degree of source anonymity, measured as the inverse of the Peak-to-Correlation Energy (PCE) ratio, compared to the state of the art.
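The abstract includes no code, so the following is an added toy that reproduces the pipeline it describes end to end; it is not the paper's implementation. A synthetic sensor PRNU pattern K is drawn; the camera fingerprint is estimated from flat-field shots with the usual maximum-likelihood estimator K_hat = sum(W_i * I_i) / sum(I_i^2), where W_i = I_i - F(I_i) is the noise residual; PCE between a test image's residual and K_hat * I is the source-identification score; and anonymization is the abstract's attack, iterating a 3x3 median filter. Everything numeric is a constructed assumption: the 20x20 image size, the sensor model (multiplicative PRNU with 3 % standard deviation plus Gaussian read noise), flat scenes, five filter passes, and the use of the same 3x3 median as the denoiser F (real PRNU extraction uses wavelet denoisers on full-resolution images, and real PCE searches over a neighbourhood of shifts; both are simplified here).

```python
"""Toy PRNU source identification and the iterated median filter counter-forensic.

Added example, not the paper's code. The sensor model, image size (N x N),
noise levels, flat scenes and the fixed number of filter passes are constructed.
"""
import math
import random
import statistics

N = 20  # toy image side length (constructed; real images are far larger)


def median3x3(img):
    """3x3 median filter with replicated borders; returns a new N x N image."""
    n = len(img)
    clamp = lambda i: min(max(i, 0), n - 1)
    return [[statistics.median([img[clamp(y + dy)][clamp(x + dx)]
                                for dy in (-1, 0, 1) for dx in (-1, 0, 1)])
             for x in range(n)] for y in range(n)]


def noise_residual(img):
    """W = I - F(I): the high-frequency residual in which the PRNU survives."""
    den = median3x3(img)
    return [[a - b for a, b in zip(ri, rd)] for ri, rd in zip(img, den)]


def capture(scene_level, K, rng):
    """Sensor model (constructed): I = scene * (1 + K) + Gaussian read noise."""
    return [[scene_level * (1.0 + K[y][x]) + rng.gauss(0.0, 2.0)
             for x in range(N)] for y in range(N)]


def estimate_fingerprint(images):
    """ML fingerprint estimate K_hat = sum_i W_i * I_i / sum_i I_i^2 from flat-field shots."""
    num = [[0.0] * N for _ in range(N)]
    den = [[0.0] * N for _ in range(N)]
    for img in images:
        W = noise_residual(img)
        for y in range(N):
            for x in range(N):
                num[y][x] += W[y][x] * img[y][x]
                den[y][x] += img[y][x] ** 2
    return [[num[y][x] / den[y][x] for x in range(N)] for y in range(N)]


def _zero_mean(a):
    m = sum(map(sum, a)) / (N * N)
    return [[v - m for v in row] for row in a]


def pce(img, K_hat):
    """Peak-to-Correlation Energy of the residual W against K_hat * I.

    Normalised cross-correlation is evaluated over all N*N circular shifts; the
    peak is taken at zero shift (no geometric transformation assumed) and divided
    by the mean squared correlation at every other shift. Large PCE = same camera.
    """
    W = _zero_mean(noise_residual(img))
    T = _zero_mean([[K_hat[y][x] * img[y][x] for x in range(N)] for y in range(N)])
    norm = (math.sqrt(sum(v * v for row in W for v in row))
            * math.sqrt(sum(v * v for row in T for v in row)))
    if norm == 0.0:
        return 0.0  # a perfectly flat residual carries no fingerprint at all
    corr = [[sum(W[y][x] * T[(y + sy) % N][(x + sx) % N]
                 for y in range(N) for x in range(N)) / norm
             for sx in range(N)] for sy in range(N)]
    peak = corr[0][0]
    energy = (sum(c * c for row in corr for c in row) - peak * peak) / (N * N - 1)
    return peak * peak / energy if energy > 0.0 else 0.0


def anonymize(img, passes):
    """The counter-forensic step from the abstract: apply the median filter `passes` times."""
    for _ in range(passes):
        img = median3x3(img)
    return img


def run_experiment(passes=5, seed=7):
    """Returns (PCE before, PCE after anonymization) for a shot from the fingerprinted camera."""
    rng = random.Random(seed)
    K = [[rng.gauss(0.0, 0.03) for _ in range(N)] for _ in range(N)]  # the camera's PRNU
    flats = [capture(128.0, K, rng) for _ in range(16)]               # flat-field shots
    K_hat = estimate_fingerprint(flats)
    test = capture(150.0, K, rng)                                      # image to anonymize
    return pce(test, K_hat), pce(anonymize(test, passes), K_hat)


if __name__ == "__main__":
    before, after = run_experiment()
    print(f"PCE before anonymization : {before:8.1f}")
    print(f"PCE after 5 median passes: {after:8.1f}   (anonymity measured as 1/PCE)")
```

The point to take from running it is the direction and size of the change rather than the exact numbers, which depend on the constructed sensor model: the unmodified shot correlates strongly with the fingerprint (PCE well into the hundreds at this toy size), while a few median passes push the PCE down to the level a random, unrelated image would give. The same structure is what a forensic check against a suspect camera looks like, which is why the inverse of PCE is a natural anonymity score.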
