International Conferences: Cyber and Information Security Research, Oak Ridge, TN


International Conferences:

Cyber and Information Security Research

Oak Ridge, Tennessee


The 10th Annual Cyber and Information Security Research (CISR) Conference was held at Oak Ridge, Tennessee on April 7-9, 2015. The conference themes focused on Resilience: theory, practice, and tools for rapidly resuming critical functionality following a cyber disruption, or maintaining critical functionality during an ongoing attack; Situational Awareness (SA): tools and practice for providing SA for cyber defenders; Moving Target Defense: methods and tools for creating asymmetric uncertainty that favors defenders over attackers, or that increase the potential cost for attackers; and Cyber Physical Security: methods for protecting both national critical infrastructure and local embedded systems. The papers cited here were recovered on September 2, 2015.

Robert K. Abercrombie, Frederick T. Sheldon, Bob G. Schlicher. “Risk and Vulnerability Assessment Using Cybernomic Computational Models: Tailored for Industrial Control Systems.” CISR '15 Proceedings of the 10th Annual Cyber and Information Security Research Conference, April 2015, Article No. 18. Doi: 10.1145/2746266.2746284
Abstract: In cybersecurity, there are many influencing economic factors to weigh. This paper considers the defender-practitioner stakeholder points-of-view that involve cost combined with development and deployment considerations. Some examples include the cost of countermeasures, training and maintenance as well as the lost opportunity cost and actual damages associated with a compromise. The return on investment (ROI) from countermeasures comes from saved impact costs (i.e., losses from violating availability, integrity, confidentiality or privacy requirements). A measured approach that informs cybersecurity practice is pursued toward maximizing ROI. To this end for example, ranking threats based on their potential impact focuses security mitigation and control investments on the highest value assets, which represent the greatest potential losses. The traditional approach uses risk exposure (calculated by multiplying risk probability by impact). To address this issue in terms of security economics, we introduce the notion of Cybernomics. Cybernomics considers the cost/benefits to the attacker/defender to estimate risk exposure. As the first step, we discuss the likelihood that a threat will emerge and whether it can be thwarted and if not what will be the cost (losses both tangible and intangible). This impact assessment can provide key information for ranking cybersecurity threats and managing risk.
Keywords: Availability, Dependability, Integrity, Security Measures/Metrics, Security Requirements, Threats and Vulnerabilities  (ID#: 15-6439)

Dan Du, Lu Yu, Richard R. Brooks. “Semantic Similarity Detection for Data Leak Prevention.” CISR '15 Proceedings of the 10th Annual Cyber and Information Security Research Conference, April 2015, Article No. 4. Doi: 10.1145/2746266.2746270
Abstract: To counter data breaches, we introduce a new data leak prevention (DLP) approach. Unlike regular expression methods, our approach extracts a small number of critical semantic features and requires a small training set. Existing tools concentrate mostly on data format where most defense and industry applications would be better served by monitoring the semantics of information in the enterprise. We demonstrate our approach by comparing its performance with other state-of-the-art methods, such as latent Dirichlet allocation (LDA) and support vector machine (SVM). The experiment results suggest that the proposed approach has superior accuracy in terms of detection rate and false-positive (FP) rate.
Keywords: DLP, LDA, SVM, semantic similarity  (ID#: 15-6440)

Susan M. Bridges, Ken Keiser, Nathan Sissom, Sara J. Graves. “Cyber Security for Additive Manufacturing.” CISR '15 Proceedings of the 10th Annual Cyber and Information Security Research Conference, April 2015, Article No. 14. Doi: 10.1145/2746266.2746280
Abstract: This paper describes the cyber security implications of additive manufacturing (also known as 3-D printing). Three-D printing has the potential to revolutionize manufacturing and there is substantial concern for the security of the storage, transfer and execution of 3-D models across digital networks and systems. While rapidly gaining in popularity and adoption by many entities, additive manufacturing is still in its infancy. Supporting the broadest possible applications of the technology will demand the ability to demonstrate secure processes from ideas, design, prototyping, production and delivery. As with other technologies in the information revolution, additive manufacturing technology is at risk of outpacing a competent security infrastructure so research and solutions need to be tackled in concert with the 3-D boom.
Keywords: 3-D Printing, Additive Manufacturing, Cybersecurity (ID#: 15-6441)

Ryan Grandgenett, William Mahoney, Robin Gandhi. “Authentication Bypass and Remote Escalated I/O Command Attacks.” CISR '15 Proceedings of the 10th Annual Cyber and Information Security Research Conference, April 2015, Article No. 2. Doi: 10.1145/2746266.2746268
Abstract: The Common Industrial Protocol (CIP) is a widely used Open DeviceNet Vendors Association (ODVA) standard [14]. CIP is an application-level protocol for communication between components in an industrial control setting such as a Supervisory Control And Data Acquisition (SCADA) environment. We present exploits for authentication and privileged I/O in a CIP implementation. In particular, Allen Bradley's implementation of CIP communications between its programming software and Programmable Logic Controllers (PLCs) is the target of our exploits. Allen Bradley's RSLogix 5000 software supports programming and centralized monitoring of Programmable Logic Controllers (PLCs) from a desktop computer. In our test bed, ControlLogix EtherNet/IP Web Server Module (1756-EWEB) allows the PLC Module (5573-Logix) to be programmed, monitored and controlled by RSLogix 5000 over an Ethernet LAN. Our vulnerability discovery process included examination of CIP network traffic and reverse engineering the RSLogix 5000 software. Our findings have led to the discovery of several vulnerabilities in the protocol, including denial-of-service attacks, but more significantly and recently the creation of an authentication bypass and remote escalated privileged I/O command exploit. The exploit abuses RSLogix 5000's use of hard-coded credentials for outbound communication with other SCADA components. This paper provides a first public disclosure of the vulnerability, exploit development process, and results.
Keywords: Control Systems, EtherNet/IP, Remote Code Execution, SCADA (ID#: 15-6442)

Suzanna Schmeelk, Junfeng Yang, Alfred Aho. “Android Malware Static Analysis Techniques.” CISR '15 Proceedings of the 10th Annual Cyber and Information Security Research Conference, April 2015, Article No. 5. Doi: 10.1145/2746266.2746271
Abstract: During 2014, Business Insider announced that there are over a billion users of Android worldwide. Government officials are also trending towards acquiring Android mobile devices. Google's application architecture is already ubiquitous and will keep expanding. The beauty of an application-based architecture is the flexibility, interoperability and customizability it provides users. This same flexibility, however, also allows and attracts malware development. This paper provides a horizontal research analysis of techniques used for Android application malware analysis. The paper explores techniques used by Android malware static analysis methodologies. It examines the key analysis efforts used by examining applications for permission leakage and privacy concerns. The paper concludes with a discussion of some gaps of current malware static analysis research.
Keywords: Android Application Security, Cyber Security, Java, Malware Analysis, Static Analysis  (ID#: 15-6443)


Mark Pleszkoch, Rick Linger. “Controlling Combinatorial Complexity in Software and Malware Behavior Computation.” CISR '15 Proceedings of the 10th Annual Cyber and Information Security Research Conference, April 2015, Article No. 15. Doi: 10.1145/2746266.2746281
Abstract: Virtually all software is out of intellectual control in that no one knows its full behavior. Software Behavior Computation (SBC) is a new technology for understanding everything software does. SBC applies the mathematics of denotational semantics implemented by function composition in Functional Trace Tables (FTTs) to compute the behavior of programs, expressed as disjoint cases of conditional concurrent assignments. In some circumstances, combinatorial explosions in the number of cases can occur when calculating the behavior of sequences of multiple branching structures. This paper describes computational methods that avoid combinatorial explosions. The predicates that control branching structures such as ifthenelses can be organized into three categories: 1) Independent, resulting in no behavior case explosion, 2) Coordinated, resulting in two behavior cases, or 3) Goal-oriented, with potential exponential growth in the number of cases. Traditional FTT-based behavior computation can be augmented by two additional computational methods, namely, Single-Value Function Abstractions (SVFAs) and, introduced in this paper, Relational Trace Tables (RTTs). These methods can be applied to the three predicate categories to avoid combinatorial growth in behavior cases while maintaining mathematical correctness.
Keywords: Hyperion system, Software behavior computation, malware  (ID#: 15-6444)


Xingsi Zhong, Paranietharan Arunagirinathan, Afshin Ahmadi, Richard Brooks, Ganesh Kumar Venayagamoorthy. “Side-Channels in Electric Power Synchrophasor Network Data Traffic.” CISR '15 Proceedings of the 10th Annual Cyber and Information Security Research Conference, April 2015, Article No. 3. Doi: 10.1145/2746266.2746269
Abstract: The deployment of synchrophasor devices such as Phasor Measurement Units (PMUs) in an electric power grid enhances real-time monitoring, analysis and control of grid operations. PMU information is sensitive, and any missing or incorrect PMU data could lead to grid failure and/or damage. Therefore, it is important to use encrypted communication channels to avoid any cyber attack. However, encrypted communication channels are vulnerable to side-channel attacks. In this study, side-channel attacks using packet sizes and/or inter-packet timing delays differentiate the stream of packets from any given PMU within an encrypted tunnel. This is investigated under different experimental settings. Also, virtual private network vulnerabilities due to side-channel analysis are discussed.
Keywords: Cyber-attacks, cybersecurity, grid operation data, hidden Markov model, phasor measurement units, power system, side-channel analysis (ID#: 15-6445)


Zoleikha Abdollahi Biron, Pierluigi Pisu, Baisravan HomChaudhuri. “Observer Design Based Cyber Security for Cyber Physical Systems.” CISR '15 Proceedings of the 10th Annual Cyber and Information Security Research Conference, April 2015, Article No. 6. Doi: 10.1145/2746266.2746272
Abstract: In this paper, an observer based cyber-attack detection and estimation methodology for cyber physical systems is presented. The cyber-attack is considered to influence the physical part of the cyber physical system that compromises human safety. The cyber-attacks are considered to affect the sensors and the actuators in the sub-systems as well as the software programs of the control systems in the cyber physical system. The whole system is modeled as a hybrid system to incorporate the discrete and continuous part of the cyber physical system and a sliding mode based observer is designed for the detection of these cyber-attacks. For simulation purposes, this paper considers different cyber-attacks on the battery sub-system of modern automobiles and the simulation results of attack detection are presented in the paper.
Keywords: Cyber Physical System, Cyber Security, In-vehicle Network, Sliding Mode Observer  (ID#: 15-6446)


Yu Fu, Benafsh Husain, Richard R. Brooks. “Analysis of Botnet Counter-Counter-Measures.” CISR '15 Proceedings of the 10th Annual Cyber and Information Security Research Conference, April 2015, Article No. 9. Doi: 10.1145/2746266.2746275
Abstract: Botnets evolve quickly to outwit police and security researchers. Since they first appeared in 1993, there have been significant botnet countermeasures. Unfortunately, countermeasures, especially takedown operations, are not particularly effective. They destroy research honeypots and stimulate botmasters to find creative ways to hide. Botnet reactions to countermeasures are more effective than countermeasures. Also, botnets are no longer confined to PCs. Android and iOS platforms are increasingly attractive targets. This paper focuses on recent countermeasures against botnets and counter-countermeasures of botmasters. We look at side effects of botnet takedowns as insight into botnet countermeasures. Then, botnet counter-countermeasures against two-factor-authentication (2FA) are discussed in Android and iOS platform. Representative botnet-in-the-mobile (BITM) implementations against 2FA are compared, and a theoretical iOS-based botnet against 2FA is described. Botnet counter-countermeasures against keyloggers are discussed. More attention needs to be paid to botnet issues.
Keywords: 2FA, Android, Botnet, iOS, keyloggers, takedown (ID#: 15-6447)


Michael Iannacone, Shawn Bohn, Grant Nakamura, John Gerth, Kelly Huffer, Robert Bridges, Erik Ferragut, John Goodall. “Developing an Ontology for Cyber Security Knowledge Graphs.” CISR '15 Proceedings of the 10th Annual Cyber and Information Security Research Conference, April 2015, Article No. 12. Doi: 10.1145/2746266.2746278
Abstract: In this paper we describe an ontology developed for a cyber security knowledge graph database. This is intended to provide an organized schema that incorporates information from a large variety of structured and unstructured data sources, and includes all relevant concepts within the domain. We compare the resulting ontology with previous efforts, discuss its strengths and limitations, and describe areas for future work.
Keywords: cyber security, information extraction, ontology architecture, security automation  (ID#: 15-6448)


Christopher Robinson-Mallett, Sebastian Hansack. “A Model of an Automotive Security Concept Phase.” CISR '15 Proceedings of the 10th Annual Cyber and Information Security Research Conference, April 2015, Article No. 16. Doi: 10.1145/2746266.2746282
Abstract: The introduction of wireless interfaces into cars raises new security-related risks to the vehicle and passengers. Vulnerabilities of the vehicle electronics to remote attacks through internet connections have been demonstrated recently. The introduction of industrial-scale processes, methods and tools for the development and quality assurance of appropriate security-controls into vehicle electronics is an essential task for system providers and vehicle manufacturers to cope with security hazards. In this contribution a process model for security analysis tasks during automotive systems development is presented. The proposed model is explained on the vulnerabilities in a vehicle's remote unlock function recently published by Spaar.
Keywords: Analysis, Process, Requirements, Security  (ID#: 15-6449)


Paul Carsten, Todd R. Andel, Mark Yampolskiy, Jeffrey T. McDonald. “In-Vehicle Networks: Attacks, Vulnerabilities, and Proposed Solutions.” CISR '15 Proceedings of the 10th Annual Cyber and Information Security Research Conference, April 2015, Article No. 1. Doi: 10.1145/2746266.2746267
Abstract: Vehicles made within the past years have gradually become more and more complex. As a result, the embedded computer systems that monitor and control these systems have also grown in size and complexity. Unfortunately, the technology that protects them from external attackers has not improved at a similar rate. In this paper we discuss the vulnerabilities of modern in-vehicle networks, focusing on the Controller Area Network (CAN) communications protocol as a primary attack vector. We discuss the vulnerabilities of CAN, the types of attacks that can be used against it, and some of the solutions that have been proposed to overcome these attacks.
Keywords: Automotive Vulnerabilities, CAN bus, In-Vehicle Networks  (ID#: 15-6450)


Hani Alturkostani, Anup Chitrakar, Robert Rinker, Axel Krings. “On the Design of Jamming-Aware Safety Applications in VANETs.” CISR '15 Proceedings of the 10th Annual Cyber and Information Security Research Conference, April 2015, Article No. 7. Doi: 10.1145/2746266.2746273
Abstract: Connected vehicles communicate either with each other or with the fixed infrastructure using Dedicated Short Range Communication (DSRC). The communication is used by DSRC safety applications, such as forward collision warning, which are intended to reduce accidents. Since these safety applications operate in a critical infrastructure, reliability of the applications is essential. This research considers jamming as the source of a malicious act that could significantly affect reliability. Previous research has discussed jamming detection and prevention in the context of wireless networks in general, but little focus has been on Vehicular Ad Hoc Networks (VANET), which have unique characteristics. Other research discussed jamming detection in VANET, however it is not aligned with current DSRC standards. We propose a new jamming-aware algorithm for DSRC safety application design for VANET that increases reliability using jamming detection and consequent fail-safe behavior, without any alteration of existing protocols and standards. The impact of deceptive jamming on data rates and the impact of the jammer's data rate were studied using actual field measurements. Finally, we show the operation of the jamming-aware algorithm using field data.
Keywords: DSRC, Jammer Detection, Jamming, VANET (ID#: 15-6451)


Lu Yu, Juan Deng, Richard R. Brooks, Seok Bae Yun. “Automobile ECU Design to Avoid Data Tampering.” CISR '15 Proceedings of the 10th Annual Cyber and Information Security Research Conference, April 2015, Article No. 10. Doi: 10.1145/2746266.2746276
Abstract: Modern embedded vehicle systems are based on network architectures. Vulnerabilities from in-vehicle communications are significant. Privacy and security measures are required for vehicular Electronic Control Units (ECUs). We present a security vulnerability analysis, which shows that the vulnerability mainly lies in the ubiquitous on-board diagnostics II (OBD-II) interface and the memory configuration within ECU. Countermeasures using obfuscation and encryption techniques are introduced to protect ECUs from data sniffing and code tampering. A security scheme of deploying lures that look like ECU vulnerabilities to deceive lurking intruders into installing rootkits is proposed. We show that the interactions between the attacker and the system can be modeled as a Markov decision process (MDP).
Keywords: ECU, MDP, vehicular cyber security (ID#: 15-6452)


Jarilyn M. Hernández, Aaron Ferber, Stacy Prowell, Lee Hively. “Phase-Space Detection of Cyber Events.” CISR '15 Proceedings of the 10th Annual Cyber and Information Security Research Conference, April 2015, Article No. 13. Doi: 10.1145/2746266.2746279
Abstract: Energy Delivery Systems (EDS) are a network of processes that produce, transfer and distribute energy. EDS are increasingly dependent on networked computing assets, as are many Industrial Control Systems. Consequently, cyber-attacks pose a real and pertinent threat, as evidenced by Stuxnet, Shamoon and Dragonfly. Hence, there is a critical need for novel methods to detect, prevent, and mitigate effects of such attacks. To detect cyber-attacks in EDS, we developed a framework for gathering and analyzing timing data that involves establishing a baseline execution profile and then capturing the effect of perturbations in the state from injecting various malware. The data analysis was based on nonlinear dynamics and graph theory to improve detection of anomalous events in cyber applications. The goal was the extraction of changing dynamics or anomalous activity in the underlying computer system. Takens' theorem in nonlinear dynamics allows reconstruction of topologically invariant, time-delay-embedding states from the computer data in a sufficiently high-dimensional space. The resultant dynamical states were nodes, and the state-to-state transitions were links in a mathematical graph. Alternatively, sequential tabulation of executing instructions provides the nodes with corresponding instruction-to-instruction links. Graph theorems guarantee graph-invariant measures to quantify the dynamical changes in the running applications. Results showed a successful detection of cyber events.
Keywords: Energy Delivery Systems, cyber anomaly detection, cyber-attacks, graph theory, malware, phase-space analysis, rootkits (ID#: 15-6453)


Mohammad Ashraf Hossain Sadi, Mohd. Hassan Ali, Dipankar Dasgupta, Robert K. Abercrombie. “OPNET/Simulink Based Testbed for Disturbance Detection in the Smart Grid.” CISR '15 Proceedings of the 10th Annual Cyber and Information Security Research Conference, April 2015, Article No. 17. Doi: 10.1145/2746266.2746283
Abstract: The important backbone of the Smart Grid is the cyber/information infrastructure, which is primarily used to communicate with different grid components. Smart grid is a complex cyber physical system containing a numerous and variety number of sources, devices, controllers and loads. Therefore, smart grid is vulnerable to the grid related disturbances. For such a dynamic system, disturbance and intrusion detection is a paramount issue. This paper presents a Simulink and Opnet based co-simulated platform to carry out a cyber-intrusion in a cyber-network for modern power systems and smart grid. The IEEE 30 bus power system model is used to demonstrate the effectiveness of the simulated testbed. The experiments were performed by disturbing the circuit breakers reclosing time through a cyber-attack. Different disturbance situations in the considered test system are considered and the results indicate the effectiveness of the proposed co-simulated scheme.
Keywords: Cyber-attacks, Simulation Testbed, Smart Grid security (ID#: 15-6454)


Jaewon Yang, Xiuwen Liu, Shamik Bose. “Preventing Cyber-induced Irreversible Physical Damage to Cyber-Physical Systems.” CISR '15 Proceedings of the 10th Annual Cyber and Information Security Research Conference, April 2015, Article No. 8. Doi: 10.1145/2746266.2746274
Abstract: Ever since the discovery of the Stuxnet malware, there have been widespread concerns about disasters via cyber-induced physical damage on critical infrastructures. Cyber physical systems (CPS) integrate computation and physical processes; such infrastructure systems are examples of cyber-physical systems, where computation and physical processes are integrated to optimize resource usage and system performance. The inherent security weaknesses of computerized systems and increased connectivity could allow attackers to alter the systems' behavior and cause irreversible physical damage, or even worse cyber-induced disasters. However, existing security measures were mostly developed for cyber-only systems and they cannot be effectively applied to CPS directly. Thus, new approaches to preventing cyber physical system disasters are essential. We recognize very different characteristics of cyber and physical components in CPS, where cyber components are flexible with large attack surfaces while physical components are inflexible and relatively simple with very small attack surfaces. This research focuses on the components where cyber and physical components interact. Securing cyber-physical interfaces will complete a layer-based defense strategy in the "Defense in Depth Framework". In this paper we propose Trusted Security Modules as a systematic solution to provide a guarantee of preventing cyber-induced physical damage even when operating systems and controllers are compromised. TSMs will be placed at the interface between cyber and physical components by adapting the existing integrity enforcing mechanisms such as Trusted Platform Module, Control-Flow Integrity, and Data-Flow Integrity.
Keywords: Cyber-induced physical damage, Trusted Security Module (ID#: 15-6455)


Corinne L. Jones, Robert A. Bridges, Kelly M. T. Huffer, John R. Goodall. “Towards a Relation Extraction Framework for Cyber-Security Concepts.” CISR '15 Proceedings of the 10th Annual Cyber and Information Security Research Conference, April 2015, Article No. 11. Doi: 10.1145/2746266.2746277
Abstract: In order to assist security analysts in obtaining information pertaining to their network, such as novel vulnerabilities, exploits, or patches, information retrieval methods tailored to the security domain are needed. As labeled text data is scarce and expensive, we follow developments in semi-supervised Natural Language Processing and implement a bootstrapping algorithm for extracting security entities and their relationships from text. The algorithm requires little input data, specifically, a few relations or patterns (heuristics for identifying relations), and incorporates an active learning component which queries the user on the most important decisions to prevent drifting from the desired relations. Preliminary testing on a small corpus shows promising results, obtaining precision of .82.
Keywords: active learning, bootstrapping, cyber security, information extraction, natural language processing, relation extraction (ID#: 15-6456)


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.