TL;DR: In this article, the authors present a novel security framework for the Message Queue Transport Telemetry (MQTT) protocol based on publish/subscribe messages in order to enhance secure and privacy-friendly Internet of Things services.
Abstract: The basic concept behind the emergence of Internet of Things (IoT) is to connect as many objects to the Internet as possible in an attempt to make our lives better in some way. However, connecting everyday objects like your car or house to the Internet can open up major security concerns. In this paper, we present a novel security framework for the Message Queue Transport Telemetry (MQTT) protocol based on publish/subscribe messages in order to enhance secure and privacy-friendly Internet of Things services. MQTT has burst onto the IoT scene in recent years due to its lightweight design and ease of use implementation necessary for IoT. Our proposed solution provides 3 security levels. The first security level is suited to lightweight data exchanges of non-tampered messages. The second security level enhances the privacy protection of data sources and data receivers. The third security level offers robust long-term security with mutual authentication for all parties. The security framework is based on light cryptographic schemes in order to be suitable for constrained and small devices that are widely used in various IoT use cases. Moreover, our solution is tailored to MQTT without using additional security overhead.
TL;DR: An overview on currently available approaches for synthetic data generation is given, and the utility of the generated synthetic data is evaluated by testing them on a number of supervised machine learning tasks on several publicly available datasets.
Abstract: With the recent advances and increasing activities in data mining and analysis, the protection of the privacy of individuals is crucial. Several approaches address this concern, from techniques like data anonymisation to secure, non-disclosive computation, all of which have their specific strengths and weaknesses, depending on the specific requirements. A slightly different approach is the generation of synthetic data, which tries to preserve the overall properties and characteristics of the original data without revealing information about actual individual data samples. The promise is that, for most purposes, models trained on the synthetic data instead of the real data do not show a significant loss of performance. In this paper, we give an overview on currently available approaches for synthetic data generation, and empirically evaluate the utility of the generated synthetic data by testing them on a number of supervised machine learning tasks on several publicly available datasets.
TL;DR: In this article, the authors proposed the smashword score, which measures how much a DGA family's domains look like they are made from natural English words, and used it to detect difficult DGA families such as matsnu, suppobox, rovnix, and others.
Abstract: Modern malware typically makes use of a domain generation algorithm (DGA) to avoid command and control domains or IPs being seized or sinkholed. This means that an infected system may attempt to access many domains in an attempt to contact the command and control server. Therefore, the automatic detection of DGA domains is an important task, both for the sake of blocking malicious domains and identifying compromised hosts. However, many DGAs use English wordlists to generate plausibly clean-looking domain names; this makes automatic detection difficult. In this work, we devise a notion of difficulty for DGA families called the smashword score; this measures how much a DGA family looks like English words. We find that this measure accurately reflects how much a DGA family's domains look like they are made from natural English words. We then describe our new modeling approach, which is a combination of a novel recurrent neural network architecture with domain registration side information. Our experiments show the model is capable of effectively identifying domains generated by difficult DGA families. Our experiments also show that our model outperforms existing approaches, and is able to reliably detect difficult DGA families such as matsnu, suppobox, rovnix, and others. The model's performance compared to the state of the art is best for DGA families that resemble English words. We believe that this model could either be used in a standalone DGA domain detector---such as an endpoint security application---or alternately the model could be used as a part of a larger malware detection system.
TL;DR: A novel black box attack in query constraint settings is proposed on state-of-the-art deep anomaly detectors with a realistic threat model; the evaluation shows promising results and demonstrates that the strategy can be successfully used against other anomaly detectors.
Abstract: The process of identifying the true anomalies from a given set of data instances is known as anomaly detection. It has been applied to address a diverse set of problems in multiple application domains including cybersecurity. Deep learning has recently demonstrated state-of-the-art performance on key anomaly detection applications, such as intrusion detection, Denial of Service (DoS) attack detection, security log analysis, and malware detection. Despite the great successes achieved by neural network architectures, models with very low test error have been shown to be consistently vulnerable to small, adversarially chosen perturbations of the input. The existence of evasion attacks during the test phase of machine learning algorithms represents a significant challenge to both their deployment and understanding. Recent approaches in the literature have focused on three different areas: (a) generating adversarial examples in supervised machine learning in multiple domains; (b) countering the attacks with various defenses; (c) theoretical guarantees on the robustness of machine learning models by understanding their security properties. However, they have not covered the perspective of the anomaly detection task in a black box setting. The exploration of black box attack strategies, which reduce the number of queries for finding adversarial examples with high probability, is an important problem. In this paper, we study the security of black box deep anomaly detectors with a realistic threat model. We propose a novel black box attack in query constraint settings. First, we run manifold approximation on samples collected at the attacker end for query reduction and understanding various thresholds set by the underlying anomaly detector, and use spherical adversarial subspaces to generate attack samples. This method is well suited for attacking anomaly detectors where decision boundaries of nominal and abnormal classes are not very well defined and the decision process is done with a set of thresholds on anomaly scores. We validate our attack on state-of-the-art deep anomaly detectors and show that the attacker goal is achieved under constraint settings. Our evaluation of the proposed approach shows promising results and demonstrates that our strategy can be successfully used against other anomaly detectors.
TL;DR: This paper reviews the applicability of the IEC 62443 standard in IIoT contexts and discusses potential challenges the process owners might encounter and underlines that some areas within the standard could prove difficult to reach compliance with.
Abstract: Today's industrial automation systems are undergoing a digital transformation that implies a shift towards the Internet of Things (IoT), leading to the Industrial Internet of Things (IIoT) paradigm. Existing Industrial Automated Control Systems (IACS), enriched with a potentially large number of IoT devices, are expected to make systems more efficient, flexible, provide intelligence, and ultimately enable autonomous control. In general, the majority of such systems come with a high level of criticality that calls for well-established methods and approaches when achieving cybersecurity, preferably prescribed by a standard. IEC 62443 is an industrial standard that provides procedures to manage risks related to cybersecurity threats in IACS. Given the new IIoT paradigm, it is likely that existing standards are not sufficiently aligned with the challenges related to developing and maintaining cybersecurity in such systems. In this paper we review the applicability of the IEC 62443 standard in IIoT contexts and discuss potential challenges the process owners might encounter. Our analysis underlines that some areas within the standard could prove difficult to reach compliance with. In particular, handling of cross zone communication and software updates require additional guidance.
TL;DR: The findings aim to highlight the gap between the theory and practice of information sharing and provide input for future research into design principles for information sharing systems and ways to mitigate threat information sharing challenges.
Abstract: The literature on cyber security information sharing enumerates an extensive list of potential benefits for organisations in both the public and private sectors. However, despite the potential benefits, successful cyber security information sharing has been difficult to achieve. We report upon a study that sought to measure the extent to which the benefits and barriers suggested by the cyber security information sharing literature are reflected in the attitudes of practising security managers and analysts. A self-administered online survey was used. The survey consisted of: several questions about the participants' experience with cyber security information sharing; and two sets of Likert-type scale items to measure the respondents' attitudes regarding the benefits and barriers identified in the literature. Our findings aim to highlight the gap between the theory and practice of information sharing and provide input for future research into design principles for information sharing systems and ways to mitigate threat information sharing challenges.
TL;DR: The methodology aims to facilitate trust establishment to threat intelligence sources, based on a weighted evaluation method that allows each entity to adapt it to its own needs and priorities, and facilitates automated tools utilising threat intelligence.
Abstract: Threat intelligence sharing has become a cornerstone of cooperative and collaborative cybersecurity. Sources providing such data have become more widespread in recent years, ranging from public entities (driven by legislatorial changes) to commercial companies and open communities that provide threat intelligence in order to help organisations and individuals to better understand and assess the cyber threat landscape putting their systems at risk. Tool support to automatically process this information is emerging concurrently. It has been observed that the quality of information received by the sources varies significantly and that in order to assess the quality of a threat intelligence source it is not sufficient to only consider qualitative indications of the source itself, but it is necessary to monitor the data provided by the source continuously to be able to draw conclusions about the quality of information provided by a source. In this paper, we propose a methodology for evaluating cyber threat information sources based on quantitative parameters. The methodology aims to facilitate trust establishment to threat intelligence sources, based on a weighted evaluation method that allows each entity to adapt it to its own needs and priorities. The approach facilitates automated tools utilising threat intelligence, since information to be considered can be prioritised based on which source is trusted the most at the time the intelligence arrives.
TL;DR: Two novel models featuring a common Deep Extraction and Mutual Information Selection (DEMISe) element which extracts features using a deep-structured stacked autoencoder prior to feature selection based on the amount of mutual information shared between each feature and the class label are proposed.
Abstract: Recent studies have proposed that traditional security technology -- involving pattern-matching algorithms that check predefined pattern sets of intrusion signatures -- should be replaced with sophisticated adaptive approaches that combine machine learning and behavioural analytics. However, machine learning is performance driven, and the high computational cost is incompatible with the limited computing power, memory capacity and energy resources of portable IoT-enabled devices. The convoluted nature of deep-structured machine learning means that such models also lack transparency and interpretability. The knowledge obtained by interpretable learners is critical in security software design. We therefore propose two novel models featuring a common Deep Extraction and Mutual Information Selection (DEMISe) element which extracts features using a deep-structured stacked autoencoder, prior to feature selection based on the amount of mutual information (MI) shared between each feature and the class label. An entropy-based tree wrapper is used to optimise the feature subsets identified by the DEMISe element, yielding the DEMISe with Tree Evaluation and Regression Detection (DETEReD) model. This affords 'white box' insight, and achieves a time to build of 603 seconds, a 99.07% detection rate, and 98.04% model accuracy. When tested against AWID, the best-referenced intrusion detection dataset, the new models achieved a test error comparable to or better than state-of-the-art machine-learning models, with a lower computational cost and higher levels of transparency and interpretability.
TL;DR: This paper proposes a 3-phase analysis approach, which enables identifying mining scripts and conducting a large-scale study on the prevalence of cryptojacking in the Alexa 1 million websites, and finds that cryptojacking is common, with currently 1 out of 500 sites hosting a mining script.
Abstract: With the introduction of memory-bound cryptocurrencies, such as Monero, the implementation of mining code in browser-based JavaScript has become a worthwhile alternative to dedicated mining rigs. Based on this technology, a new form of parasitic computing, widely called cryptojacking or drive-by mining, has gained momentum in the web. A cryptojacking site abuses the computing resources of its visitors to covertly mine for cryptocurrencies. In this paper, we systematically explore this phenomenon. For this, we propose a 3-phase analysis approach, which enables us to identify mining scripts and conduct a large-scale study on the prevalence of cryptojacking in the Alexa 1 million websites. We find that cryptojacking is common, with currently 1 out of 500 sites hosting a mining script. Moreover, we perform several secondary analyses to gain insight into the cryptojacking landscape, including a measurement of code characteristics, an estimate of expected mining revenue, and an evaluation of current blacklist-based countermeasures.
TL;DR: The issues of GDPR's impact on cyber-security software and operations, namely automated information sharing, are discussed and the DPIA helped in a deeper understanding of risks and their management and is a solid argument for information sharing in cyber security under GDPR.
Abstract: In this article, we discuss the issues of GDPR's impact on cyber-security software and operations, namely automated information sharing. We illustrate the topic on an example of an intrusion detection alert sharing platform. First, we had to investigate the risks to privacy in the alert sharing platform and ensure its compliance with the GDPR's obligations. Second, fears and uncertainties emerged in the alert sharing community regarding the GDPR and its obligations and, thus, willingness to share the information was negatively impacted. We conducted a DPIA to investigate risks related to information sharing in cyber security and dismiss doubts within the community. Although our results suggest that the risks are not high, we point out that the hype around GDPR caused substantial development of the sharing platform. The DPIA helped in a deeper understanding of risks and their management and is a solid argument for information sharing in cyber security under GDPR.
TL;DR: Although qualitative methods are used when studying all key cybersecurity areas, they often lack the necessary rigor and detail observed in other research areas where quantitative methods are well-established.
Abstract: Cybersecurity is a hot topic and researchers have published extensively on studies conducted using a variety of different research methods. This paper aims to determine which qualitative research methods were most used and for studying which topics. A systematic literature review on Web of Science, Scopus and ACM DL has been conducted to achieve an overview of quantitative methods used in cybersecurity. The review covered the most recent research in different areas of cybersecurity (i.e., personal, organizational and state cybersecurity) in the period of 2017 to 2019. After careful inspection of papers, we identified 160 papers reporting on the use of qualitative methods. The most common qualitative methods are interviews, followed by case studies and observation. Other studied qualitative methods (i.e., focus groups, grounded theory, action research and Delphi method) seem to be much less frequent. Although qualitative methods are used when studying all key cybersecurity areas, they often lack the necessary rigor and detail observed in other research areas where qualitative methods are well-established.
TL;DR: To prove the effectiveness of the concept of reversible data hiding to storage network covert channels, a prototypical implementation of a channel exploiting IPv4 flows is presented along with its performance evaluation.
Abstract: The use of network covert channels to improve privacy or support security threats has been widely discussed in the literature. As of today, the totality of works mainly focuses on how to not disrupt the overt traffic flow and the performance of the covert channels in terms of undetectability and capacity. To not void the stealthiness of the channel, an important feature is the ability of restoring the carrier embedding the secret information into its original form. However, the development of such techniques mainly targets the domain of digital media steganography. Therefore, this paper applies the concept of reversible data hiding to storage network covert channels. To prove the effectiveness of our idea, a prototypical implementation of a channel exploiting IPv4 flows is presented along with its performance evaluation.
TL;DR: The main feature of the proposed ontology is representation of security metrics as separate instances of ontology that allows using the relations between the concepts of Ontology for calculating integral metrics reflecting the security state.
Abstract: Development of metrics that are valuable for assessing security and decision making is an important element of efficient counteraction to cyber threats. The paper proposes an ontology of metrics for cyber security assessment. The developed ontology is based on determining the concepts and relations between primary features of initial security data and forming a set of hierarchically interconnected security metrics. The paper describes the main classes of the proposed ontology, the revealed relations, the involved security metrics, and the used data sources. The publicly available sources of security data are analyzed to get primary security metrics. Application of the approach is shown on a case study. The main feature of the proposed ontology is representation of security metrics as separate instances of ontology. It allows using the relations between the concepts of ontology for calculating integral metrics reflecting the security state.
TL;DR: A clearer understanding of the subject has been provided, which will help further advance the research area, and a working definition of IoT forensics was formed.
Abstract: Interactions with IoT devices generate vast amounts of personal data that can be used as a source of evidence in digital investigations. Currently, there are many challenges in IoT forensics such as the difficulty in acquiring and analysing IoT data/devices and the lack of IoT forensic tools. Besides technical challenges, there are many concepts in IoT forensics that have yet to be explored such as definitions, experience and capability in the analysis of IoT data/devices and current/future challenges. A deeper understanding of these various concepts will help progress the field. To achieve this goal, we conducted a survey which received 70 responses and provided the following results: (1) IoT forensics is a sub-domain of digital forensics, but it is undecided what domains are included; (2) practitioners are already having to examine IoT devices even though they felt undertrained; (3) requirements for technical training, software and education are non-existent; (4) high priority on research should be to develop IoT forensic tools, how to preserve volatile data and methods to identify and acquire data from the cloud; (5) improvements to forensic tools should be aimed at data acquisition (imaging) and device disassembly / forensic process; (6) practitioners' perspectives on research direction differ slightly to non-practitioners in that the focus should be on breaking encryption on IoT devices rather than focus on cloud data forensics; (7) future research should focus on developing initiatives and strategies to overcome data encryption and trail obfuscation in the cloud and ongoing development of IoT forensic tools. The responses to the survey question on the definition of IoT forensics helped us formulate a working definition. This has provided a clearer understanding of the subject, which will help further advance the research area.
TL;DR: The proposed framework has significant ability to detect Web bots that do not try to hide their bot identity using HTTP Web logs (balanced accuracy in a false-positive intolerant server > 95%).
Abstract: Automated programs (bots) are responsible for a large percentage of website traffic. These bots can either be used for benign purposes, such as Web indexing, Website monitoring (validation of hyperlinks and HTML code), feed fetching Web content and data extraction for commercial use or for malicious ones, including, but not limited to, content scraping, vulnerability scanning, account takeover, distributed denial of service attacks, marketing fraud, carding and spam. To ensure their security, Web servers try to identify bot sessions and apply special rules to them, such as throttling their requests or delivering different content. The methods currently used for the identification of bots are based either purely on rule-based bot detection techniques or a combination of rule-based and machine learning techniques. While current research has developed highly adequate methods for Web bot detection, these methods' adequacy when faced with Web bots that try to remain undetected hasn't been studied. For this reason, we created and evaluated a Web bot detection framework on its ability to detect conspicuous bots separately from its ability to detect advanced Web bots. We assessed the proposed framework performance using real HTTP traffic from a public Web server. Our experimental results show that the proposed framework has significant ability to detect Web bots that do not try to hide their bot identity using HTTP Web logs (balanced accuracy in a false-positive intolerant server > 95%). However, detecting advanced Web bots that present a browser fingerprint and may present a humanlike behaviour as well is considerably more difficult.
TL;DR: A systematic review in the form of a mapping study to classify and analyze the literature related to the impact of security in software development costs, which identified ten approaches to estimating software security costs for development projects and found that Common Criteria was the most applied standard.
Abstract: Building more secure software is a recent concern for software engineers due to increasing incidences of data breaches and other types of cyber attacks. However, software security, through the introduction of specialized practices in the software development life cycle, leads to an increase in the development cost. Although there are many studies on software cost models, few address the additional costs required to build secure software. We conducted a systematic review in the form of a mapping study to classify and analyze the literature related to the impact of security in software development costs. Our search strategy strove to achieve high completeness by the identification of a quasi-gold-standard set of papers, which we then used to establish a search string and retrieve papers from research databases automatically. The application of inclusion/exclusion criteria resulted in a final set of 54 papers, which were categorized according to the approach to software security cost analysis. Perform Security Review, Apply Threat Modeling, and Perform Security Testing were the three most frequent activities related to cost, and Common Criteria was the most applied standard. We also identified ten approaches to estimating software security costs for development projects; however, their validation remains a challenge, which could be addressed in future studies.
TL;DR: This paper introduces a new concept it calls "dead drop", i.e., a covert network storage which does not depend on the direct network traffic exchange between covert communication sides, and stores secret information in the ARP cache of an unaware host that is not involved in the hidden data exchange.
Abstract: Network covert channels enable various secret data exchange scenarios among two or more secret parties via a communication network. The diversity of the existing network covert channel techniques has rapidly increased due to research during the last couple of years and most of them share the same characteristics, i.e., they require a direct communication between the participating partners. However, it is sometimes simply not possible or it can raise suspicions to communicate directly. That is why, in this paper we introduce a new concept we call "dead drop", i.e., a covert network storage which does not depend on the direct network traffic exchange between covert communication sides. Instead, the covert sender stores secret information in the ARP (Address Resolution Protocol) cache of an unaware host that is not involved in the hidden data exchange. Thus, the ARP cache is used as a covert network storage and the accumulated information can then be extracted by the covert receiver using SNMP (Simple Network Management Protocol).
TL;DR: This work proposes a characterization methodology based on very simple codes, to understand and classify the fault effects at the level of the instruction set architecture (ISA), which includes the well established instruction skip and register corruption models.
Abstract: In the area of physical attacks, system-on-chip (SoC) designs have not received the same level of attention as simpler micro-controllers. We try to model the behavior of secure software running on a superscalar out-of-order microprocessor typical of more complex SoC, in the presence of electromagnetic (EM) pulses. We first show that it is possible, in a black box approach, to corrupt the loop iteration count of both original and hardened versions of two sensitive loops. We propose a characterization methodology based on very simple codes, to understand and classify the fault effects at the level of the instruction set architecture (ISA). The resulting classification includes the well established instruction skip and register corruption models, as well as new effects specific to more complex processors, such as operand substitution, multiple correlated register corruptions, advanced control-flow hijacking, and combinations of all reported effects. This diversity and complexity of effects can lead to powerful attacks. The proposed methodology and fault classification at ISA level is a first step towards a more complete characterization. It is also a tool supporting the designers of software and hardware countermeasures.
TL;DR: To infer orchestrated and unsolicited activities that have been generated by well-coordinated IoT botnets, hierarchical agglomerative clustering is deployed by scrutinizing a set of innovative and efficient network feature sets.
Abstract: The insecurity of the Internet-of-Things (IoT) paradigm continues to wreak havoc in consumer and critical infrastructure realms. Several challenges impede addressing IoT security at large, including the lack of IoT-centric data that can be collected, analyzed and correlated, due to the highly heterogeneous nature of such devices and their widespread deployments in Internet-wide environments. To this end, this paper explores macroscopic, passive empirical data to shed light on this evolving threat phenomenon. This not only aims at classifying and inferring Internet-scale compromised IoT devices by solely observing such one-way network traffic, but also endeavors to uncover, track and report on orchestrated "in the wild" IoT botnets. Initially, to prepare the effective utilization of such data, a novel probabilistic model is designed and developed to cleanse such traffic from noise samples (i.e., misconfiguration traffic). Subsequently, several shallow and deep learning models are evaluated to ultimately design and develop a multi-window convolution neural network trained on active and passive measurements to accurately identify compromised IoT devices. Consequently, to infer orchestrated and unsolicited activities that have been generated by well-coordinated IoT botnets, hierarchical agglomerative clustering is deployed by scrutinizing a set of innovative and efficient network feature sets. By analyzing 3.6 TB of recent darknet traffic, the proposed approach uncovers a momentous 440,000 compromised IoT devices and generates evidence-based artifacts related to 350 IoT botnets. While some of these detected botnets refer to previously documented campaigns such as the Hide and Seek, Hajime and Fbot, other events illustrate evolving threats such as those with cryptojacking capabilities and those that are targeting industrial control system communication and control services.
TL;DR: The results decisively show that energy attacks in LoRaWAN are possible and may cause the affected device to lose a substantial amount of energy, emphasizing the importance of energy security for LPWANs in particular, and IoT in general.
Abstract: Myriads of new devices take their places around us every single day, making a decisive step towards bringing the concept of the Internet of Things (IoT) into reality. The Low Power Wide Area Networks (LPWANs) are today considered to be one of the most perspective connectivity enablers for the resource and traffic limited IoT. In this paper, we focus on one of the most widely used LPWAN technologies, named LoRaWAN. Departing from the traditional data-focused security attacks, in this study we investigate the robustness of LoRaWAN against energy (depletion) attacks. For many IoT devices, the energy is a limited and very valuable resource, and thus in the near future the device's energy may become the target of an intentional attack. Therefore, in the paper, we first define and discuss the possible energy attack vectors, and then experimentally validate the feasibility of an energy attack over one of these vectors. Our results decisively show that energy attacks in LoRaWAN are possible and may cause the affected device to lose a substantial amount of energy. Specifically, depending on the device's SF (Spreading Factor), the demonstrated attack increased the total energy consumption during a single communication event by 36% to 576%. Importantly, the shown attack does not require the attacker to have any keys or other confidential data and can be carried against any LoRaWAN device. The presented results emphasize the importance of energy security for LPWANs in particular, and IoT in general.
TL;DR: This paper designed an attack scenario in which a group of malicious users tries to break the protocol, or at least limit it to a reduced partition of network users, by exploiting a security flaw in the messages validation process of the Byzantine Agreement.
Abstract: A variety of solutions, e.g., Proof-of-Work (PoW), Proof-of-Stake (PoS), Proof-of-Burn (PoB), and Proof-of-Elapsed-Time (PoET), have been proposed to make consensus mechanism used by the blockchain technology more democratic, efficient, and scalable. However, these solutions have a number of limitations, e.g., PoW approach requires a huge amount of computational power, scales poorly, and wastes a lot of electrical energy. Recently, an innovative protocol called Algorand has been proposed to overcome these limitations. Algorand not only guarantees an overwhelming probability of linearity of the blockchain, but it also aims to solve the "blockchain trilemma" of decentralization, scalability, and security. In this paper, we present a security analysis of Algorand. To the best of our knowledge, it is the first security analysis as well as the first formal study on Algorand. We designed an attack scenario in which a group of malicious users tries to break the protocol, or at least limit it to a reduced partition of network users, by exploiting a security flaw in the messages validation process of the Byzantine Agreement (BA). Since the source code or an official simulator for Algorand was not available at the time of our study, we created a simulator (which is available on request) to implement the protocol and assess the feasibility of our attack scenario. Our attack requires the attacker to merely have the trivial capability of establishing multiple connections with targeted nodes, and it costs practically nothing to the attacker. Our results show that it is possible to slow down the message validation process on honest nodes - which eventually forces them to select default values on the consensus - leaving the targeted nodes behind in the chain as compared to the non-attacked nodes. Even though our results are subject to the real implementation of the protocol, the core concept of our attack remains valid.
TL;DR: This paper identifies limitations of state-of-the-art PKI-based architectures focusing on scalability, interoperability, pseudonym reusage policies and revocation mechanisms and proposes the use of trusted computing technologies as an enabler for more decentralized approaches where trust is shifted from the back-end infrastructure to the edge.
Abstract: Over recent years, emphasis in secure V2X communications research has converged on the use of Vehicular Public Key Infrastructures (VPKIs) for credential management and privacy-friendly authentication services. However, despite the security and privacy guarantees offered by such solutions, there are still a number of challenges to be conquered. By reflecting on state-of-the-art PKI-based architectures, in this paper, we identify their limitations focusing on scalability, interoperability, pseudonym reusage policies and revocation mechanisms. We argue that in their current form such mechanisms cannot capture the strict security, privacy, and trust requirements of all involved stakeholders. Motivated by these weaknesses, we then proceed on proposing the use of trusted computing technologies as an enabler for more decentralized approaches where trust is shifted from the back-end infrastructure to the edge. We debate on the advantages offered and underline the specifics of such a novel approach based on the use of advanced cryptographic primitives, using Direct Anonymous Attestation (DAA) as a concrete example. Our goal is to enhance run-time security, privacy and trustworthiness of edge devices with a scalable and decentralized solution eliminating the need for federated infrastructure trust. Based on our findings, we posit open issues and challenges, and discuss possible ways to address them.
TL;DR: This paper describes first steps towards an integration of threat intelligence sharing platforms and security-policy-controlled systems, and presents a conceptual design for threat reaction strategies, security architectures and mechanisms and information representation requirements.
Abstract: Cyber security management requires fast and cost efficient responses to threat alerts. Automation of cyber threat sensing and responding is one way to achieve immediate reactions to imminent threats. There are already tools for an extensive automation of threat sensing, e.g. threat intelligence sharing platforms. Methods, techniques and tools for reacting to menacing states and events, e.g. security-policy-controlled systems, have also been explored and published for some time. What is still missing, however, is the integration of these two approaches. This paper describes first steps towards an integration of threat intelligence sharing platforms and security-policy-controlled systems. We present a conceptual design for threat reaction strategies, security architectures and mechanisms and information representation requirements. We use two exemplary threat scenarios to demonstrate our proposals.
TL;DR: A novel framework for proactive self-protection on 5G environments is introduced, the description of an architectural framework able to sustain the rest of the anticipation enablers, the formalization of a knowledge representation and reasoning strategy for active cyber threat mitigation, and a prediction strategy adapted to the difficulties inherent in analyzing events on 5G scenarios are introduced.
Abstract: The forthcoming 5G operational environment entails heterogeneous and multi-dimensional ecosystems where cyber assets, digital actors and cyber-physical risks coexist. In this context, the prediction and anticipation of the attacks propagation through the targeted systems promises to be some of the major workhorses of the emerging self-protection capabilities. In the grounds of the Self-Organizing Network (SON) paradigm, it is expected that by taking into account proactive actuations, the decision and enforcement of the best courses of action will be enhanced. With the aim of contributing to their planning and execution, this paper introduces a novel framework for proactive self-protection on 5G environments, the description of an architectural framework able to sustain the rest of the anticipation enablers, the formalization of a knowledge representation and reasoning strategy for active cyber threat mitigation, and a prediction strategy adapted to the difficulties inherent in analyzing events on 5G scenarios. The effectiveness of the proposal has been demonstrated by proof-of-concept instantiation for anticipating the impact of Denial of Service (DoS) attacks on a real communication environment.
TL;DR: An approach to overcome the interoperability challenges related to identity management systems supporting cross-collaboration between heterogeneous manufacturing platforms and design interoperability at different levels, e.g. at the platform level and at the platform integration level, is described.
Abstract: This paper describes an approach to overcome the interoperability challenges related to identity management systems supporting cross-collaboration between heterogeneous manufacturing platforms. Traditional identity management systems have shown many weaknesses when it comes to cloud platforms and their federations, from not being able to support a simplified login process, to information disclosure and complexity of implementation in practice. This paper discusses workflows to practically implement federated identity management across the heterogeneous manufacturing platforms and design interoperability at different levels, e.g. at the platform level and at the platform integration level. Our motivation to find the best federated identity management solution for heterogeneous cloud-based platforms is related to practical requirements coming from the ongoing European project eFactory.
TL;DR: In order to take action against "fake images" that are used to back up the fake message itself and make it appear authentic, a concept based on feature detection is developed.
Abstract: Fake news has been a problem for multiple years now and, in addition to this, "fake images" that accompany it are increasingly becoming a problem too. The aim of such fake images is to back up the fake message itself and make it appear authentic. For this purpose, more and more images such as photo-montages are used, which have been spliced from several images. This can be used to defame people by putting them in unfavorable situations or the other way around as propaganda by making them appear more important. In addition, montages may have been altered with noise and other manipulations to make an automatic recognition more difficult. In order to take action against such montages and still detect them automatically, a concept based on feature detection is developed. Furthermore, an indexing of the features is carried out by means of a nearest neighbor algorithm in order to be able to quickly compare a high number of images. Afterwards, images suspected to be a montage are reviewed by a verifier. This concept is implemented and evaluated with two feature detectors. Even montages that have been manipulated with different methods are identified as such in an average of 100 milliseconds with a probability of mostly over 90%.
TL;DR: A new taxonomy on container defense at the infrastructure level is proposed with a particular focus on the virtualization boundary, where interactions between kernel and containers take place, and the most promising defense frameworks are classified into these categories.
Abstract: Containerization is a lightweight virtualization technique reducing virtualization overhead and deployment latency compared to full VM; its popularity is quickly increasing. However, due to kernel sharing, containers provide less isolation than full VM. Thus, a compromised container may break out of its isolated context and gain root access to the host server. This is a huge concern, especially in multi-tenant cloud environments where we can find running on a single server containers serving very different purposes, such as banking microservices, compute nodes or honeypots. Thus, containers with specific security needs should be able to tune their own security level. Because OS-level defense approaches inherited from time-sharing OS generally require administrator rights and aim to protect the entire system, they are not fully suitable to protect usermode containers. Research recently made several contributions to deliver enhanced security to containers from host OS level to (partially) solve these challenges. In this survey, we propose a new taxonomy on container defense at the infrastructure level with a particular focus on the virtualization boundary, where interactions between kernel and containers take place. We then classify the most promising defense frameworks into these categories.
TL;DR: In this paper, a supervised machine learning approach is employed, which leverages the recorded results of previously processed cases, for the automatic prioritisation of suspicious file artefacts (i.e., file artefacts that are pertinent to the investigation).
Abstract: The ever increasing volume of data in digital forensic investigation is one of the most discussed challenges in the field. Usually, most of the file artefacts on seized devices are not pertinent to the investigation. Manually retrieving suspicious files relevant to the investigation is akin to finding a needle in a haystack. In this paper, a methodology for the automatic prioritisation of suspicious file artefacts (i.e., file artefacts that are pertinent to the investigation) is proposed to reduce the manual analysis effort required. This methodology is designed to work in a human-in-the-loop fashion. In other words, it predicts/recommends that an artefact is likely to be suspicious rather than giving the final analysis result. A supervised machine learning approach is employed, which leverages the recorded results of previously processed cases. The processes of feature extraction, dataset generation, training and evaluation are presented in this paper. In addition, a toolkit for data extraction from disk images is outlined, which enables this method to be integrated with the conventional investigation process and work in an automated fashion.
TL;DR: Through field trials, this paper provides evidence that high accuracy location tracking can be achieved even via non-location-sensitive sensors for which no access authorisation is required from users on a smartphone.
Abstract: We demonstrate a breach in smartphone location privacy through the accelerometer and magnetometer's footprints. The merits or otherwise of explicitly permissioned location sensors are not the point of this paper. Instead, our proposition is that other non-location-sensitive sensors can track users accurately when the users are in motion, as in travelling on public transport, such as trains, buses, and taxis. Through field trials, we provide evidence that high accuracy location tracking can be achieved even via non-location-sensitive sensors for which no access authorisation is required from users on a smartphone.
TL;DR: A systematic mapping study finds multiple security testing techniques focusing on early phases of vehicle life cycle through the application and services layer of the AUTOSAR architecture, as well as combined security and safety testing approaches.
Abstract: Over the past few decades, the automotive industry was mostly focused on testing the safety aspects of a vehicle. However, this was not the case with security testing as it only began to be addressed recently. As a result, multiple approaches applying various security testing techniques on different software-based vehicle IT components emerged. With that said, the research and practice lack an overview about these techniques. In this paper, we conduct a systematic mapping study. This involved the investigation on the following five dimensions: (1) security testing techniques, (2) AUTOSAR layers, (3) functional interfaces of AUTOSAR, (4) vehicle lifecycle phases and (5) attacks. In total, 39 papers presenting approaches for security testing in automotive engineering were systematically selected and classified. The results identify multiple security testing techniques focusing on early phases of vehicle life cycle through the application and services layer of the AUTOSAR architecture. Finally, there is a need for security regression testing approaches, as well as combined security and safety testing approaches.