Cyber Science 2016 Conference Programme - C
Cyber Science 2016 Conference Programme
13 - 14 June 2016, London, United Kingdom
Pioneering Research & Innovation in Cyber Situational Awareness
#CyberScience @cmricorg www.c-mric.org C-MRiC.ORG 6/13/2016

Contents
Sponsors
Conference Venue
    Hotel Information / Address
    Directions
Keynote Speakers
Conference Chair
Accepted Papers, Authors, Affiliations & Abstracts
    CyberSA 2016 Accepted Papers
    Social Media 2016 Accepted Papers
    Cyber Security 2016 Accepted Papers
    Cyber Incident 2016 Accepted Papers
Best Paper Awards
    Cyber SA 2016 – Joint Best Papers
    Social Media 2016 – Best Paper
    Cyber Security 2016 – Best Paper
    Cyber Incident 2016 – Best Paper
Conference Presentation Programme
International Journal on Cyber Situational Awareness (IJCSA)
Upcoming Conferences
Other Services

Conference Venue

Hotel Information / Address
The Stratton Suite - Holiday Inn London Mayfair, 3 Berkeley Street, W1J 8NE, London, United Kingdom
Central Reservations: +44 (0) 800 40 50 60, Web: http://www.hilondonmayfairhotel.co.uk/

At the very heart of the London borough of Westminster is Mayfair, one of the city's finest residential areas and one of London's most attractive villages. Class, sophistication, and finery are all synonymous with Mayfair, which takes its name from the fortnight-long May Fair, which took place in the borough from 1686 until 1764.
Situated between Oxford Street, Regent Street, Piccadilly and Park Lane, Mayfair is home to some of the finest shopping establishments in the world. Located at the centre of Mayfair, Holiday Inn London Mayfair, London, is ideally placed for both leisure and business visitors and just seconds from Green Park Tube (Underground) Station. It’s within easy walking distance of all London’s major tourist attractions and the business district. City Hall, Big Ben, Westminster Abbey, Palace of Westminster and Westminster Tube Station are just streets away!

Directions

By Air
London Heathrow (LHR) Distance: 13 Mi / 20.9 Km East to hotel.
London Gatwick (LGW) Distance: 32 Mi / 51.5 Km North to hotel.
London City (LCY) Distance: 12 Mi / 19.3 Km West to hotel.

Underground
Station Name: Green Park
About 2 minutes walk from Green Park Underground Station.

By Car
Satellite Navigation: W1J 8NE
From Piccadilly: Turn into Stratton Street and follow it round onto Berkeley Street. Turn right and the hotel entrance is first on the left.
From Oxford Street or Bond Street: Head south down New Bond Street. Turn right at Bruton Street and then left into Berkeley Square. Head south out of the square down Berkeley Street and the hotel entrance is on the left.

By Train
Station Name: Victoria
About 20 minutes walk from Victoria Train Station.

Figure 1: Map to the Conference Venue - Showing Underground Stations close to the venue

Keynote Speakers

Professor Ali Hessami FRSA – Chair, IEEE UK & RI Section
Professor Hessami is the current Chair of the IEEE United Kingdom and Republic of Ireland, and Director of R&G and Innovation at Vega Systems, London, UK. He contributed significant original material to CENELEC WGA10 Report TR-50451 on Allocation of Safety Integrity & largely authored TR-50506-1 standard on the Cross-Acceptance of Signalling Systems. He has chaired CENELEC Committees developing the latest EN50128 & EN50129 revisions.
He represents UK on CENELEC & IEC safety systems, hardware & software standards committees whilst also an advisor to IEEE Standards Association on European Policy matters. Ali chairs the SMC Chapter in the UK&RI Section of IEEE. During December 2013, he was appointed as the Member of the Institution of Engineering & Technology (IET-UK) Council and as the Vice Chair of the IEEE in the UK and Ireland. Ali is also policy advisor to the IEEE Standards Association on European standardization and strategy related matters. Ali has now assumed the leadership role of the UK & Ireland IEEE Section from January 2016.

Professor Frank Wang – School of Computing, University of Kent, UK
Frank is a Professor of Future Computing, and a Fellow of British Computer Society. He serves the High End Computing Panel for Science Foundation Ireland (SFI) and the UK Government EPSRC e-Science Panel. Frank has attracted a number of EC/EPSRC/DTI/Industrial grants, totalling a few million euros. He has been invited to present keynote speeches and other invited talks at Princeton University (USA), Carnegie Mellon University (USA), Oxford University (UK), Edinburgh University (UK), CERN (the European Organization for Nuclear Research, Geneva), Hong Kong University of Science & Technology (Hong Kong), Tsinghua University (Taiwan), Jawaharlal Nehru University (India), Aristotle University (Greece), Helsinki Technology University (Finland), Turkish Government The Ministry of Industry and Commerce, University of Johannesburg (South Africa), Central Philippine University (Philippine), and Princess Sumaya University for Technology (Jordan), etc. Prof Frank Wang is Co-Editor-in-Chief of Encyclopaedia of Grid Computing and Co-Editor-in-Chief of International Journal of Grid and High Performance Computing.

Dr. Janne Hagen – Norwegian Water Resources and Energy Directorate (NVE), Norway
Dr. Janne Hagen, from April employed at the Norwegian Water Resources and Energy Directorate (NVE), has worked as researcher and consultant, most of the time employed at the Norwegian Defence Research Establishment (FFI) conducting research on societal security and protection of critical infrastructures. Since 2005 her scientific work turned towards cybersecurity, the last years covering information operations, strategic communication and the vulnerability of the digital society. She holds an associate professor position at the University of Stavanger. She has been member of several expert groups in Norway, including the Norwegian Governmental Committee of Digital Vulnerabilities in Society that delivered an Official Norwegian Report (NOU) to the Ministry of Justice and Public Security in November 2015.

Dr. Thomas Owens – Brunel University, London, UK
Dr Owens is the co-editor of the book on Situational Awareness in Computer Network Defense: Principle, Methods and Application, IGI Global, USA. He was the project coordinator of the European Commission IST FP5 STREP Project CONFLUENT, of the IST FP6 Integrated Project INSTINCT, and of the FP6 SSA Project PARTAKE. He is currently Project Manager of the IST PSP Project DTV4All, see www.psp-dtv4all.org. As well as supervising many PhD students, he has extensive experience in a very broad range of administrative and academic roles including undergraduate courses director, postgraduate course director, chairman of MSc examination boards, and elected member of Senate. In 1995/96 he acted as a teaching quality assessor of teaching in Electronic and Electrical Engineering in three Welsh universities for the Higher Education Funding Council for Wales, and in 2007-9 as an external examiner of PhD students. In 2011-13 he was President of the European Advisory Board of the Institute of Studies Brazil Europe, a joint EU Brazil funded initiative.
He was Visiting Professor, School of Information and Electronic Engineering, Zhejiang Gongshang University, Hangzhou, China, 8th of September, 2012 to 23rd of September, 2012.

Dr. Cyril Onwubiko – Cyber Security Intelligence, Research Series Limited, London, UK
Dr Onwubiko is Director, Cyber Security Intelligence, at Research Series Limited where he is responsible for directing strategy, IA governance and cyber security. Prior to Research Series, he had worked in the Financial Services, Telecommunication, Health, Government and Public services Sectors. He is experienced in Cyber Security, Security Information and Event Management, Data Fusion, Intrusion Detection Systems and Computer Network Security; and vastly knowledgeable in Information Assurance, Risk Assessment & Management. He holds a PhD in Computer Network Security from Kingston University, London, UK; MSc in Internet Engineering, from University of East London, London, UK, and BSc, first class honours, in Computer Science & Mathematics. He has authored several books including "Security Framework for Attack Detection in Computer Networks" and "Concepts in Numerical Methods", and edited books such as "Situational Awareness in Computer Network Defense: Principles, Methods & Applications", and Cyber Science 2015 – International Conference on Cyber Situational Awareness, Data Analytics and Assessment. He has over 30 articles published in leading and most prestigious academic journals and conferences.

Dr. Andrew Lenaghan – Oxford University Computer Emergency Response Team (OxCERT), Oxford, UK
Dr Lenaghan works at the Oxford University Computer Emergency Response Team (OxCERT) in the UK. Formerly, he was the information security officer for Flawless Money Ltd, a member of the Information Systems Audit and Control Association (ISACA), and regular contributor to the fraud subcommittee of the Electronic Money Association.
Most recently he has consulted on the IT governance and security policy requirements for payment institutions and electronic money institution seeking authorisation by the FSA. He holds degrees in Computer Science, Human computer interaction (Lond.) and has a doctorate in computer vision and pattern recognition from Kingston University.

Dr. Syed Naqvi – Cyber Security and Forensics, Birmingham City University, Birmingham, UK
Dr Syed Naqvi is a Senior Lecturer in Cyber Security and Forensics at Birmingham City University (BCU). He has a digital forensics practitioner background with firsthand experience of dealing with the challenges of this field. Prior to joining BCU in August 2014, he worked at the Forensic Technology Solutions (FTS) arm of PricewaterhouseCoopers Enterprise Advisory. His consultancy assignments included antitrust investigations and litigation support services for corporate disputes. His field experience includes evidence collection of several terabytes from various digital storage media across the globe. This huge amount of digital evidence was subsequently reviewed by using specialised data analytic technologies for litigation support service. Syed has previously worked as a R&D Project Manager at CETIC (Belgian Applied Research Centre in ICT) where he was the Principal Investigator of Digital Forensics. He led the capacity building of Cyber Incident Response initiative. His other major assignments at CETIC include: Project Manager of a European Future Internet Security Research Experiment; Coordination of ICT Security activity of national and European FP6/FP7 projects. Syed has held a Visiting Scientist position at University of Washington at Seattle; and was a Research Fellow at Rutherford Appleton Laboratory of the Science and Technology Facilities Council of UK.
He is an external reviewer of a number of international journals and has served several scientific symposia as a technical program committee member.

Professor Olav Lysne – Centre for Resilient Networks and Applications (CRNA), Simula, Norway
Olav Lysne is Director and founder of the Center for Resilient Networks and Applications (CRNA) at Simula research laboratory, and professor in computer science at Simula and the University of Oslo. He received the Master’s degree in 1988 and Dr. Scient. degree in 1992, both at the University of Oslo. The early research contributions of Lysne were in the field of algebraic specification and term rewriting, with a particular emphasis on automated deduction. While working in this field he was a visiting researcher at Université de Paris-Sud. Later in his career he has been working on resilient computer architecture for supercomputing and cloud infrastructures, routing and switching techniques for IP-networks and measurement of national network infrastructures. Lysne was the leader of the Norwegian Government’s Commission on digital vulnerability, which submitted its report to the Minister of Justice in November 2015.

Dr. Nick Savage – School of Computing, University of Portsmouth, Portsmouth, UK
Dr Savage is the Head of the School of Computing at the University of Portsmouth and he has a passion for investigating communication networks and security. He obtained a first-class honours degree in Electronic and Computer Engineering, an MA with Distinction in University Teaching and a PhD in Telecommunications from the University of Portsmouth. He also has a MSc in Mathematics from the Open University. His previous research on communication networks has been funded by OFCOM and the EPSRC and has resulted in contributions to ITU recommendations. He has over 50 publications in journals and conference proceedings and serves as a referee for IET, IEEE and Elsevier journals.
He has also chaired conferences, given plenaries and chaired sessions at various computer networking and security conferences around the world. He is currently leading researchers in the field of communication networks and security. He is a member of Working Group 3 for the EC NIS Platform, an Academic Advocate for the Information Systems Audit and Control Association (ISACA) and a Chartered Engineer.

Conference Chair

Xavier Bellekens – Lecturer, University of Abertay, Dundee, Scotland, UK
Mr Bellekens is a Lecturer in Ethical Hacking and Computer Security in the Division of Computing and Mathematics at the University of Abertay, Dundee. He holds a BSc in Computer Science from HENAM in Belgium and an MSc from the University of Abertay, Dundee. He is currently completing his PhD in Electronic & Electrical Engineering at the University of Strathclyde, Glasgow where he has also worked as a Research Associate on WSN for Cyber-Physical Critical Systems. His research interests include Intrusion Detection Systems, the Internet of Things, eHealth Situational Awareness and Digital Forensics. He has also chaired numerous sessions and conferences in Computer Security and Digital Forensics around the world and serves as a reviewer for numerous international journals and as TPC for a number of leading international conferences.

Accepted Papers, Authors, Affiliations & Abstracts

CyberSA 2016 Accepted Papers

Yoram Golandsky
CybeRisk Security Solutions, Tel Aviv, Israel
Title: Cyber Crisis Management, Survival or Extinction?
Abstract: ‘Cyber Incidents’ are common in every domain where technology is prevalent. Recurring or sequential incidents are not unusual and are often manageable. Whilst more rare, the incidents that reach crisis levels have been shown to cause an unexpected amount of damage. Companies need to remain prepared for such cyber crises.
This entails not only building an Incident Response Team (IRT) and creating and testing an incident response plan, but mainly establishing the capability to properly manage business crisis triggered by cyber-attacks.

Filippo Sanfilippo
Norwegian University of Science and Technology (NTNU), Dept. of Engineering Cybernetics, Norway
Title: A Multi-Sensor System for Enhancing Situational Awareness in Offshore Training
Abstract: Real offshore operational scenarios are particularly risky. Training programmes involving specifically designed simulators constitute a promising approach for improving human reliability and safety in real applications. One of the world’s most advanced providers of simulators for such demanding offshore operations is the Offshore Simulator Centre AS (OSC). However, even though the OSC provides powerful simulation tools, techniques for visualising operational procedures that can be used to further improve situational awareness (SA), are still lacking. In this work, an integrated multi-sensor fusion system is integrated with the OSC. The proposed system is designed to improve planning, execution and assessment of demanding maritime operations by adopting newly-designed risk-evaluation tools. Different information from the simulator scene and from the real world can be collected, such as audio, video, bio-metric data from eye trackers, other sensor data and annotations. This integration is the base for research on novel SA assessment methodologies. A training methodology based on the concept of briefing/de-briefing is adopted. By using this methodology, the efficiency of the proposed system is validated in a conceptual case study that considers the training procedure performed by Statoil and partners for the world’s first sub-sea gas compression plant, in Aasgard, Norway.

Roman Graf (1), Florian Skopik (1) and Kenny Whitebloom (2)
(1) AIT Austrian Institute of Technology GmbH, Vienna, Austria
(2) Digital Public Library of America (DPLA)
Title: A Decision Support Model for Situational Awareness in National Cyber Operations Centers
Abstract: Advances in situational awareness technology have led to the creation of increasingly sophisticated tools across different application domains, often involving non-textual, highly dimensional, and multimedia data. Automated tools aim to address a number of situational awareness challenges, such as complex system topology, rapidly changing technologies, high noise to signal ratio, and multi-faceted threats. These factors make real-time situational awareness of cyber operations for the National Cyber Operations Centers very difficult to achieve. Appropriate data analysis techniques, in combination with modern anomaly detection output data and user knowledge, may provide solutions in real-time that could replace human input for many situational awareness analysis tasks.

Philip Legg
Department of Computer Science and Creative Technologies, Faculty of Environment and Technology, University of the West of England, Bristol, UK
Title: Enhancing Cyber Situation Awareness for Non-Expert Users using Visual Analytics
Abstract: Situation awareness is often described as the perception and comprehension of the current situation, and the projection of future status. Whilst this may be understood in an organisational cybersecurity context, there is a strong case to be made for effective cybersecurity situation awareness that is tailored to the needs of the Non-Expert User (NEU). Our online usage habits are rapidly evolving with smartphones and tablets being widely used to access resources online. In order for NEUs to remain safe online, there is a need to enhance awareness and understanding of cybersecurity concerns, such as how devices may be acting online, and what data is being shared between devices.
In this paper, we explore the notion of personal situation awareness for NEUs. We conduct a small-scale study to understand how NEUs perceive cybersecurity. We also propose how visual analytics could be used to help encourage NEUs to actively monitor and observe their activity for greater online awareness. The guidance developed through the course of this work can help practitioners develop tools that could help NEUs better understand their online actions, with the aim to result in safer experiences when acting online.

Xavier Bellekens (1), Preetila Seeam (2), Quentin Franssen (3), Andrew Hamilton (4), Kamila Nieradzinska (4) and Amar Seeam (5)
(1) Division of Computing and Mathematics, Abertay Dundee University
(2) School of Management and Business, Aberystwyth University, (Mauritius Branch Campus), Mauritius
(3) Cyber-Physical Security, Cyber Security Division, IT Risk and Assurance, Financial Service Advisory
(4) Department of Electronic and Electrical Engineering, University of Strathclyde, Glasgow, G1 1XW, UK
(5) School of Science and Technology, Middlesex University, (Mauritius Branch Campus), Vacoas, Mauritius
Title: Pervasive eHealth Services: A Security and Privacy Risk Awareness Survey
Abstract: The human factor is often recognised as a major aspect of cyber-security research. Risk and situational perception are identified as key factors in the decision making process, often playing a lead role in the adoption of security mechanisms. However, risk awareness and perception have been poorly investigated in the field of eHealth wearables. Whilst end-users often have limited understanding of privacy and security of wearables, assessing the perceived risks and consequences will help shape the usability of future security mechanisms. This paper presents a survey of the risks and situational awareness in eHealth services. An analysis of the lack of security and privacy measures in connected health devices is described with recommendations to circumvent critical situations.

Michael Davies and Menisha Patel
Department of Computer Science, University of Oxford, Oxford, England, UK
Title: Are we managing the risk of sharing Cyber Situational Awareness - A UK Public Sector Case Study
Abstract: The development of effective cyber situational awareness is an important goal for organizations across all sectors. The sharing of such information is seen as a key security enabler. This paper considers a case study of a UK Public Sector organization. The aim is to establish if the decision to share cyber situational awareness has been taken from an information risk management perspective, and if the organization is suitably well-placed to manage the consequences of information loss, that has occurred as a result of the sharing process.

Samir Puuska, Matti J. Kortelainen, Viljami Venekoski and Jouko Vankka
Department of Military Technology, National Defence University, Helsinki, Finland
Title: Instant Message Classification in Finnish Cyber Security -Themed Free-Form Discussion
Abstract: Instant messaging enables rapid collaboration between professionals during cyber security incidents. However, monitoring discussion manually becomes challenging as the number of communication channels increases. Failure to identify relevant information from the free-form instant messages may lead to reduced situational awareness. In this paper, the problem was approached by developing a framework for classification of instant message topics of cyber security--themed discussion in Finnish. The program utilizes open source software components in morphological analysis, and subsequently converts the messages into Bag-of-Words representations before classifying them into predetermined incident categories. We compared Support vector machines, multinomial naive Bayes and complement naive Bayes classification methods with five-fold cross-validation. A combination of SVM and CNB achieved classification accuracy of over 85 %, while multiclass SVM achieved 87 % accuracy.
The implemented program recognizes cyber security -related messages in IRC chat rooms and categorizes them accordingly.

Mahesh Bang and Himanshu Saraswat
Cisco Systems, India
Title: Building an effective and efficient continuous web application security program
Abstract: Most of organizations today either have some kind of web application security program or trying to build/enhance. However most of these programs are not getting expected results to organization, neither long lasting nor able to deliver value in continuous and efficient manner and also unable to enhance mind set of developers to build/design secure web applications.

Shruti Kohli
BCRRE, University of Birmingham, Birmingham, Great Britain
Title: Developing Cyber Security Asset Management framework for UK Rail
Abstract: The sophistication and pervasiveness of cyber-attacks are constantly growing, driven partly by technological progress, profitable applications in organized crime and state-sponsored innovation. The modernization of rail control systems has resulted in an increasing reliance on digital technology and increased the potential for security breaches and cyber-attacks. This research track showcases the need for developing the secure reusable scalable framework for enhancing cyber security of rail assets. A Cyber security framework has been proposed that is being developed to detect the tell-tale signs of cyber-attacks against industrial assets. This framework will be based on the concepts of developing protection profiles for railway assets such as point machine and evaluation assurance level in order to certify that chosen asset railway asset meet required security and safety properties. The benefits of the selected framework. Endeavour is to make cyber health assessment of railway assets to prevent cyber-attacks.

Joe Burton
Victoria University of Wellington, New Zealand
Title: Cyber Attacks and Maritime Situational Awareness: Evidence from Japan and Taiwan
Abstract: This paper argues that cyber-attacks are increasingly being seen as a threat to maritime situational awareness in the Asia Pacific region, and highlights how the Japanese and Taiwanese governments have been developing both offensive and defensive cyber operations to ameliorate vulnerabilities in their naval fleets vis a vis their respective relationships with China. The paper begins by exploring traditional understandings of maritime situational awareness and how changes in information communications technology have transformed the maritime strategic environment in recent decades. The paper moves on to explore how Japan and Taiwan are developing new capabilities in this area and new military doctrine to avoid disruptions to maritime operations. This section of the paper also looks at the influence of Chinese and US cyber strategies on Taiwan’s and Japan’s changing cyber doctrine. The final section of the paper presents a forward looking analysis of how cyber-attacks could affect military responses to territorial dispute in the South China Sea in particular, and the normative dangers of cyber militarization in the naval domain. The paper is based on field research conducted in Japan and Taiwan in 2014/15.

Radu-Stefan Pirscoveanu, Matija Stevanovic and Jens Myrup Pedersen
Department of Electronic Systems, Aalborg University, Denmark
Title: Clustering Analysis of Malware Behaviour using Self Organizing Map
Abstract: For the time being, malware behavioural classification is performed by means of Anti-Virus (AV) generated labels. The paper investigates the inconsistencies associated with current practices by evaluating the identified differences between current vendors.
In this paper we rely on Self Organizing Map, an unsupervised machine learning algorithm, for generating clusters that capture the similarities between malware behavior. A data set of approximately 270,000 samples was used to generate the behavioral profile of malicious types in order to compare the outcome of the proposed clustering approach with the labels collected from 57 Antivirus vendors using VirusTotal. Upon evaluating the results, the paper concludes on shortcomings of relying on AV vendors for labelling malware samples. In order to solve the problem, a cluster-based classification is proposed, which should provide more accurate results based on the clusters created by competitive and cooperative algorithms like Self Organizing Map that better describe the behavioural profile of malware.

Mohamed Chahine Ghanem and Deepthi N. Ratnayake
London Metropolitan University, London, UK
Title: Enhancing WPA2-PSK four-way handshaking after re-authentication to deal with deauthentication followed by brute-force attack A novel re-authentication protocol
Abstract: The nature of wireless network transmission and the emerging attacks are continuously creating or exploiting more vulnerabilities. Despite the fact that the security mechanisms and protocols are constantly upgraded and enhanced, the Small Office/Home Office (SOHO) environments that cannot afford a separate authentication system, and generally adopt the IEEE 802.11 WPA2-PSK, are still exposed to some attack categories such as de-authentication attacks that aim to push wireless client to re-authenticate to the Access Point (AP) and try to capture the keys exchanged during the handshake to compromise the network security. This kind of attack is impossible to detect or prevent in spite of having an Intrusion Detection and Prevention System (IDPS) installed on the client or on the AP, especially when the attack is not repetitive and is targeting only one client.
This paper proposes a novel method which can mitigate and eliminate the risk of exposing the PSK to be captured during the re-authentication process by introducing a novel re-authentication protocol relying on an enhanced four-way handshake which does not require any hardware upgrade or heavy-weight cryptography affecting the network flexibility and performances.

Eliana Stavrou (1) and Andreas Pitsillides (2)
(1) Computing Department, UCLan Cyprus, Larnaca, Cyprus
(2) Department of Computer Science, University of Cyprus, Nicosia, Cyprus
Title: Situation aware intrusion recovery policy in WSNs
Abstract: Wireless Sensor Networks (WSNs) have been gaining tremendous research attention the last few years as they support a broad range of applications in the context of the Internet of Things. WSN-driven applications greatly depend on the sensors’ observations to support decision-making and respond accordingly to reported critical events. In case of compromisation, it is vital to recover compromised WSN services and continue to operate as expected. To achieve an effective restoration of compromised WSN services, sensors should be equipped with the logic to take recovery decisions and self-heal. Self-healing is challenging as sensors should be aware of a variety of aspects in order to take effective decisions and maximize the recovery benefits. So far situation awareness has not been actively investigated in an intrusion recovery context. This research work formulates situation aware intrusion recovery policy design guidelines in order to drive the design of new intrusion recovery solutions that are operated by an adaptable policy. An adaptable intrusion recovery policy is presented taking into consideration the proposed design guidelines. The evaluation results demonstrate that the proposed policy can address advanced attack strategies and aid the sensors to recover the network’s operation under different attack situations and intrusion recovery requirements.

Jan Ahrend1, Marina Jirotka1 and Kevin Jones2
1 Department of Computer Science, University of Oxford, Oxford, England, UK
2 Airbus Group Innovations, Newport, England, UK
Title: On the Collaborative Practices of Cyber Threat Intelligence Analysts to Develop and Utilize Tacit Threat and Defence Knowledge
Abstract: While the need for empirical investigations of cybersecurity analysts’ collaborative work practices is widely acknowledged, research efforts are fairly limited. This paper aims to provide empirical evidence to support a deeper consideration for the seemingly intangible collaborative practices that situational awareness in cybersecurity relies on and add to our understanding of what it means to “do” threat intelligence. In particular, it aims to unpack the informal forms of collaboration and coordination at work that build tacit knowledge about threat actors and defenders and that span across time, people and tools to inform the translation of threat information into actionable threat intelligence. In-depth semi-structured interviews and diary studies are conducted at three cyber threat intelligence service providers (N=5) and analyzed using thematic analysis. This paper introduces the concept of Threat and Defence Knowledge, tacit knowledge that analysts within an organization form over time and utilize through informal ways of becoming aware of this knowledge, making it available and correlating it. We find that a lack of accessibility to knowledge about relevant threat and defence factors can reduce analysts’ effectiveness at arriving at actionable threat intelligence and hence reduce the ability to be alerted in advance about cyber threats, to contain damage and obtain situational awareness. Perceived and potential shortcomings of the existing processes and tools are presented, and practices to circumvent the existing systems investigated and implications for design are considered.

Palvi Aggarwal1, Cleotilde Gonzalez2 and Varun Dutt1
1 Applied Cognitive Science Laboratory, Indian Institute of Technology Mandi, India
2 Dynamic Decision Making Laboratory, Carnegie Mellon University, Pittsburgh, USA
Title: Looking from the Hacker’s Perspective: Role of Deceptive Strategies in Cyber Security
Abstract: Cyber-attacks are increasing in the real-world and they cause widespread damage to cyber-infrastructure and loss of information. Deception, i.e., the act of making someone believe something that is not true, could be a way of countering cyber-attacks. In this paper, we propose a deception game, which we used to evaluate the decision-making of a hacker in the presence of deception. In an experiment, using the deception game, we analyzed the effect of two between-subjects factors (N = 100 participants): Amount of deception (high and low) and the timing of deception (early and late). Results revealed that use of early deception made hackers trust the system’s response and get deceived. However, the amount of deception did not influence hacker’s trust on the system’s response. In addition, use of a deceptive strategy, i.e., when hackers moved from deception rounds to non-deception rounds, caused hackers to get deceived and not attack the system.

Zahid Maqbool1, V.S. Chandrasekhar Pammi2 and Varun Dutt1
1 Applied Cognitive Science Laboratory, Indian Institute of Technology, Mandi, India
2 Centre of Behavioral and Cognitive Sciences, University of Allahabad, India
Title: Cybersecurity: Effect of Information Availability in Dynamic Security Games
Abstract: Cyber-attacks, i.e., disruption of normal functioning of computers and loss of information, are becoming widespread. Cyber security may be studied as a non-cooperative game as described by behavioural game theory. However, current game-theoretic approaches have based their conclusions on Nash equilibriums, while disregarding the role of information availability among hackers and analysts.
In this study, we investigated how information availability affected behaviour of analysts and hackers in 2x2 dynamic security games. In an experiment involving dynamic security games, interdependence information available to hackers and analysts was manipulated in two between-subjects conditions: Info and No-info. In Info condition, both players had complete information about each other’s actions and payoffs, while this information was missing in No-Info condition. Results showed that presence of information caused analysts and hackers to increase their proportion of defend and attack actions, respectively. We highlight the relevance of our results to cyber-attacks in the real world.

Social Media 2016 Accepted Papers

Ryan Heartfield and George Loukas
Computing and Information Systems, University of Greenwich, UK
Title: Evaluating the reliability of users as human sensors of social media security threats
Abstract: While the human as a sensor concept has been utilised extensively for the detection of threats to safety and security in physical space, especially in emergency response and crime reporting, the concept is largely unexplored in the area of cyber security. Here, we evaluate the potential of utilising users as human sensors for the detection of cyber threats, specifically on social media. For this, we have conducted an online test and accompanying questionnaire-based survey, which was taken by 4,457 users. The test included eight realistic social media scenarios (four attack and four non-attack) in the form of screenshots, which the participants were asked to categorise as "likely attack" or "likely not attack". We present the overall performance of human sensors in our experiment for each exhibit, and also apply logistic regression to evaluate the feasibility of predicting that performance based on different characteristics of the participants.
Such prediction would be useful where accuracy of human sensors in detecting and reporting social media security threats is important. We identify features that are good predictors of a human sensor's performance and evaluate them in both a theoretical ideal case and two more realistic cases, the latter corresponding to limited access to a user's characteristics.

Paul Baxter and Trevor Wood
Cambridge Consultants
Title: Generating Insight from Data
Abstract: There are many different tools available for web analytics for business intelligence and empowerment. To be useful for a user community, data analytics requires ascertaining the users’ needs to drive a combination of appropriate analytical algorithms and effective visualization. Should any of these three be missing or tackled without regard for the others, data analysis will be carried out without enabling the users to move from data to action. Using the example of the Transport for London (TfL) open data set on tube journeys we provide two examples of the combination of algorithms, visualization and user requirements, one of which is described in detail here, while the other is described at a summary level.

Jennifer Cole, Chris Watkins and Dorothea Kleine
Department of Computer Science, Royal Holloway, University of London, Egham, UK
Title: Internet Discussion Forums: Maximizing Choice in Health-seeking Behaviour During Public Health Emergencies
Abstract: This paper introduces a new approach for assessing how the technology affordances of internet discussion forums may influence health-seeking behaviour. The approach combines theories from computer science, behavioural science and development studies to explore the potential benefits of group decision making and problem solving in online environments and relates these to Computer Science theories of Collective Intelligence developed in particular by Pierre Levy.
The approach seeks to test whether internet discussion forums are able to provide the ‘clever mechanism’ considered necessary to harness the Wisdom of Crowds when the optimal decision making processes are constrained. This will be cross-referenced against Amartya Sen’s Maximization and the Act of Choice to show how discussion forums’ technology affordances may add value to the choices available in sub-optimal conditions, suggesting a public health emergency as a possible case-study.

Cyber Security 2016 Accepted Papers

Muhammad Aminu Ahmad1, Steve Woodhead1 and Diane Gan2
1 Department of Engineering Science
2 Department of Computing and Information system
University of Greenwich, UK
Title: A Countermeasure Mechanism for Fast Scanning Malware
Abstract: This paper presents a cross-layer countermeasure mechanism to detect and contain self-propagating malware. The mechanism uses a detection technique at the network layer and a data-link containment solution to block traffic from an infected host. The concept has been demonstrated using a software prototype. An empirical analysis of network worm propagation has been conducted to test the capabilities of the developed mechanism. The results show that the developed mechanism is effective in containing self-propagating malware with almost no false positives.

Kamile Nur Sevis1 and Ensar Seker2
1 National Common Criteria Evaluation Laboratory, TUBITAK (The Scientific and Technological Research Council of Turkey), Kocaeli, TURKEY
2 Cyber Security Institute, TUBITAK (The Scientific and Technological Research Council of Turkey), Kocaeli, TURKEY
Title: Cyber Warfare: Terms, Issues, Laws and Controversies
Abstract: Recent years have shown us the importance of cybersecurity. Especially, when the matter is national security, it is even more essential and crucial. Increasing cyber-attacks, especially between countries in governmental level, created a new term cyber warfare.
Creating some rules and regulations for this kind of war is necessary therefore international justice systems are working on it continuously. In this paper, we mentioned fundamental terms of cybersecurity, cyber capabilities of some countries, some important cyber attacks in near future, and finally, globally applied cyber warfare law for these attacks.

Tomáš Sochor, Matej Zuzčák and Petr Bujok
Department of Informatics and Computers, University of Ostrava, Ostrava, Czech Republic
Title: Statistical Analysis of Attacking Autonomous Systems
Abstract: The paper is devoted to the analysis of activities attacking against the research honeynet from various autonomous systems (AS) in the Internet. Differences in behavior of attackers from different ASes as well as activities done in the honeynet on individual probes. The probes are distributed across various network types – academic, commercial VPS, ISP – in 2 central European countries, namely Czechia and Slovakia. Advanced statistical methods were applied to extract a closer idea on attackers’ activities.

Thomas Mundt and Peter Wickboldt
Department of Computer Science, University of Rostock, Rostock, Germany
Title: Security in building automation systems - A first analysis
Abstract: The purpose of building automation systems is to support all house functions, such as controlling lighting, air conditioning, heating, shading, access, and hence, increase comfort, save energy and provide easier administration. Those systems are highly complex and ubiquitous as they have interfaces to many other networks and systems in a building. This increases the risk that attackers use security gaps to affect the entire infrastructure. In this paper we report about a security analysis of building automation systems.

Catrin Burrows and Pooneh Bagheri Zadeh
De Montfort University, UK
Title: A Mobile Forensic Investigation into Steganography
Abstract: Mobile devices are becoming a more popular tool to use in day to day life; this means that they can accumulate a sizeable amount of information, which can be used as evidence if the device is involved in a crime. Steganography is one way to conceal data, as it obscures the data as well as concealing that there is hidden content. This paper investigates different steganography techniques, steganography artefacts created and the forensic investigation tools used in detecting and extracting steganography in mobile devices. Steganography techniques are used to generate different artefacts on two main mobile device platforms, Android and Apple devices. Furthermore, forensic investigation tools are employed to detect and possibly reveal the hidden data. Finally a set of mobile forensic investigation policy and guidelines are developed.

Cyril Onwubiko
Cyber Security Intelligence, E-Security Group, Research Series, London, UK
Title: Exploring Web Analytics to enhance Cyber Situational Awareness for the Protection of Online Web Services
Abstract: Web Analytics is a tool for monitoring online interactions to digital services, typically focused on entity profiling and analysis for market campaign, user behaviour, site performance and market intelligence. In this research, web analytics is applied for intelligence-centric data gathering and analysis to enhance cyber situational awareness for monitoring critical online web services. A number of intelligence sources such as web logs, browser fingerprints, mobile and tablet fingerprints and endpoint fingerprint are gathered, fused, analysed in real time for enhanced situational awareness for the protection of online web services.

Mohammed Alzaylaee, Suleiman Yerima and Sakir Sezer
Centre for Secure Information Technologies (CSIT), Queen’s University Belfast, Belfast, Northern Ireland
Title: DynaLog: An automated dynamic analysis framework for characterizing Android applications
Abstract: Android is becoming ubiquitous and currently has the largest share of the mobile OS market with billions of application downloads from the official app market. It has also become the platform most targeted by mobile malware that are becoming more sophisticated to evade state-of-the-art detection approaches. Many Android malware families employ obfuscation techniques in order to avoid detection and this may defeat static analysis based approaches. Dynamic analysis on the other hand may be used to overcome this limitation. Hence in this paper we propose DynaLog, a dynamic analysis based framework for characterizing Android applications. The framework provides the capability to analyse the behaviour of applications based on an extensive number of dynamic features. It provides an automated platform for mass analysis and characterization of apps that is useful for quickly identifying and isolating malicious applications. The DynaLog framework leverages existing open source tools to extract and log high level behaviours, API calls, and critical events that can be used to explore the characteristics of an application, thus providing an extensible dynamic analysis platform for detecting Android malware. DynaLog is evaluated using real malware samples and clean applications demonstrating its capabilities for effective analysis and detection of malicious applications.

Gaofeng Zhang1, Paolo Falcarin1, Elena Gómez-Martínez1, Christophe Tartary1, Shareeful Islam1, Bjorn De Sutter2 and Jerome D’annoville3
1 University of East London, London, UK
2 Ghent University, Ghent, Belgium
3 Gemalto, Meudon, France
Title: Attack Simulation based Software Protection Assessment Method for Protection Optimisation
Abstract: Software protection is an essential aspect of information security to withstand malicious activities on software. In this regard, for developers and software companies, software protection assessment is a key function for preserving their software assets. In this way, the assessment needs to evaluate multiple protection methods together as protection solutions for their optimisation. Due to the complexity of protection solutions, existing protection assessment methods need to be improved. Besides, the uncertain processes of various software attacks are another challenge for existing assessment methods. To solve these issues, we present a novel attack simulation based software protection assessment method to assess various protection solutions for protection optimisation. Specially, relying on Petri Net based attack models, Monte Carlo based attack simulation simulates software attacking processes to deal with the uncertainty. Then, based on this simulation, a novel protection comparison model is proposed to compare different protection solutions with numeric confidences, which provides a convenient approach to assess complicated protection solutions via the previous simulation. Based on this comparison model, our novel protection assessment method is proposed to identify the premier protection solutions from potential protection solutions for protection optimisation in specific software protection situations, which includes various software attacks.
We illustrate this method by means of a software protection assessment process to demonstrate that our method can provide a suitable software protection assessment for developers and software companies.

Egon Kidmose, Matija Stevanovic and Jens Myrup Pedersen
Department of Electronic Systems, Aalborg University, Denmark
Title: Correlating intrusion detection alerts on bot malware infections using neural network
Abstract: Millions of computers are infected with bot malware, form botnets and enable botmaster to perform malicious and criminal activities. Intrusion Detection Systems are deployed to detect infections, but they raise many correlated alerts for each infection, requiring a large manual investigation effort. This paper presents a novel method with a goal of determining which alerts are correlated, by applying Neural Networks and clustering, thus reducing the number of alerts to manually process. The main advantage of the method is that no domain knowledge is required for designing feature extraction or any other part; as such knowledge is inferred by Neural Networks. Evaluation has been performed with traffic traces of real bot binaries executed in a lab setup. The method is trained on labelled Intrusion Detection System alerts and is capable of correctly predicting which of seven incidents an alert pertains, 56.15% of the times. Based on the observed performance it is concluded that the task of understanding Intrusion Detection System alerts can be handled by a Neural Network, showing the potential for reducing the need for manual processing of alerts. Finally, it should be noted that, this is achieved without any feature engineering and with no use of domain specific knowledge.

Reza Montasari1, Pekka Peltola2 and Victoria Carpenter3
1 Computing and Mathematics, University of Derby, Derby, UK
2 Nottingham Geospatial Institute, University of Nottingham, Nottingham, UK
3 Academic Development Directorate, York St John University, York, UK
Title: Gauging the Effectiveness of Computer Misuse Act in Dealing with Cybercrimes
Abstract: Computer and Internet technology has become a vital part of a daily life for many as it has brought many enhancements to the quality of many individuals’ lives. Although advances in computer and Internet technology are utilised by many people for various respectable reasons, at the same time it has become a tool in the hands of cybercriminals for various nefarious reasons. Cybercrime has become a fast-growing type of crime where more and more criminals exploit the speed, convenience and anonymity of the Internet to perpetrate various criminal activities that have no border. This paper examines the phenomenon of cybercrime and the difficulties and challenges that it presents due to the way that it is being regulated in England and Wales. A major focus will be placed on the area of hacking. To this end, the effectiveness of the Computer Misuse Act in dealing with cybercrimes both in the past and in the future will be examined.

Zbigniew Hulicki
Department of Telecommunication, AGH University of Science and Technology, Kraków, Poland
Title: The IM System with a Cryptographic Feature
Abstract: The paper does concern the IM (Instant Messaging) system with a cryptographic feature designed for the portable subscriber appliances working with the Android operating system. Unlike the existing applications with a text messaging function, the proposed system uses XML (Extensible Markup Language) tool to specify the message structure and in order to ensure appropriate confidentiality of talks it does encrypt messages to be transmitted between the end user and server system.
The results of a preliminary performance evaluation of encryption algorithms, used in the proposed system, will be discussed together with possible applications and further modifications of that IM system.

Andrea Cullen and Lorna Armitage
School of Electrical Engineering and Computer Science, University of Bradford, Bradford, UK
Title: The Social Engineering Attack Spiral (SEAS)
Abstract: Cybercrime is on the increase and attacks are becoming ever more sophisticated. Organisations are investing huge sums of money and vast resources in trying to establish effective and timely countermeasures. This is still a game of catch up, where hackers have the upper hand and potential victims are trying to produce secure systems hardened against what feels like are inevitable future attacks. The focus so far has been on technology and not people and the amount of resource allocated to countermeasures and research into cyber security attacks follows the same trend. This paper adds to the growing body of work looking at social engineering attacks and therefore seeks to redress this imbalance to some extent. The objective is to produce a model for social engineering that provides a better understanding of the attack process such that improved and timely countermeasures can be applied and early interventions implemented.

Fara Yahya, Robert Walters and Gary Wills
University of Southampton, United Kingdom
Title: Goal-Based Security Components for Cloud Storage Security Framework: A Preliminary Study
Abstract: There are a variety of ways to ensure the security of data in the cloud depending on the set of anticipated concerns. Many cloud storage secure data either by encrypting data on transfer, or by encrypting data at rest. These security protections seem very different, and currently there are no common goal-based security components for comparing them. In this paper we investigate the security components forming security, which ensures data are securely protected in cloud storage.
We will show security components that were extracted by synthesising existing security frameworks and industry accepted standards to satisfy the concerns for which there is little extant research. The components are also mapped to security concerns happening in the cloud. A triangulation method was applied to investigate the important security components. This exploratory research has been considered by security experts and practitioners who confirmed the proposed framework.

Louai Maghrabi, Eckhard Pfluegel and Senna Fathima Noorji
Faculty of Science, Engineering & Computing, Kingston University, London, UK
Title: Designing Utility Functions for Game-Theoretic Cloud Security Assessment: A Case for Using the Common Vulnerability Scoring System
Abstract: In recent years, cloud computing has emerged as a key computing paradigm because of its ubiquitous, convenient and scalable on-demand access to a shared pool of computing resources. Although the use of the cloud has many advantages, a great number of security threats exist affecting assets that are present in a cloud environment. In order to mitigate these threats, frameworks have been developed to assess the security of an organisation, based on analysing risks to critical assets. However, these frameworks are not yet sufficiently developed to specifically address risks in cloud environments. In this paper, we advocate the use of game theory to improve the security assessment of cloud environments, in particular the risk analysis step in OCTAVE. We extend previous game-theoretic models for security risk assessment within cloud environments by designing cost and benefit functions that are to a large extent informed by the Common Vulnerability Scoring System (CVSS).

Dylan Smyth, Victor Cionca, Sean McSweeney and Donna O'Shea
Nimbus Centre, Cork Institute of Technology, Ireland
Title: Exploiting Pitfalls in Software-Defined Networking Implementation
Abstract: The centralised control provided by Software Defined Networking allows an increase in network security as all the traffic can be vetted before leaving the attachment switch. Nevertheless, as in any complex system, there are implementation and policy compromises which lead to security vulnerabilities. This paper exploits such vulnerabilities to implement a suite of attacks, consisting of ARP cache poisoning, Man in the Middle, a firewall and ACL bypassing port scan called Phantom Host Scan, and a Distributed Denial of Service called Phantom Storm which induces the participation of legitimate hosts. These attacks were successfully implemented in a Floodlight controlled network.

Boojoong Kang, Suleiman Yerima, Kieran Mclaughlin and Sakir Sezer
Queen’s University Belfast, Belfast, Northern Ireland, United Kingdom
Title: N-opcode Analysis for Android Malware Classification and Categorization
Abstract: Malware detection is a growing problem particularly on the Android mobile platform due to its increasing popularity and accessibility to numerous third party app markets. This has also been made worse by the increasingly sophisticated detection avoidance techniques employed by emerging malware families. This calls for more effective techniques for detection and classification of Android malware. Hence, in this paper we present an n-opcode analysis based approach that utilizes machine learning to classify and categorize Android malware. This approach enables automated feature discovery that eliminates the need for applying expert or domain knowledge to define the needed features. Our experiments on 2520 samples that were performed using up to 10-gram opcode features showed that an f-measure of 98% is achievable using this approach.

Marcelo Fontenele and Lily Sun
School of Systems Engineering, University of Reading, United Kingdom
Title: Knowledge Management of Cyber Security Expertise: an ontological approach to talent discovery
Abstract: Cyber security is a dynamic knowledge environment, where attracting talented people is paramount. However, current initiatives disregard mechanisms able to search for suited individuals. Approaching cyber security as an organisation can help to manage capabilities and improve domain-oriented talent discovery. This paper presents an ontological approach to support talent discovery as a means of improving allocation of expertise for cyber security projects. A case study is conducted among experts in a cyber security community. Our method is capable of selecting, ranking and evaluating experts given a set of criteria specified in a project profile. The approach combines values of quantitative and qualitative nature provided by the profile owner and derived from external appraisals. Moreover, the ontology model delivers a systematic integration of talent practices, which embeds a feedback loop that favours ongoing improvement. The model was successfully experimented and further appraised in terms of acceptance by a board of experts.

Cyber Incident 2016 Accepted Papers

Abdulrahman Alruban, Nathan Clarke, Fudong Li and Steven Furnell
Centre for Security, Communications and Network Research, Plymouth University, Plymouth, UK
Title: Proactive Biometric-Enabled Forensic Imprinting
Abstract: Threats to enterprises have become widespread in the last decade. A major source of such threats originates from insiders who have legitimate access to the organization’s internal systems and databases. Therefore, preventing or responding to such incidents has become a challenging task. Digital forensics has grown into a de facto standard in the examination of electronic evidence; however, a key barrier is often being able to associate an individual to the stolen data.
Stolen credentials and the Trojan defense are two commonly cited arguments used. This paper proposes a model that can more inextricably link the use of information (e.g. documents and emails) to the individual users who use and access them through the use of steganography and transparent biometrics. The initial experimental results of the proposed approach have shown that it is possible to correlate an individual’s biometric feature vector with a digital object such as images and still successfully recover the sample even with significant file modification. In addition, a reconstruction of the feature vector from these unmodified images was possible by using those generated imprints with an accuracy of 100% in some scenarios.

Aisha Abubakar, Pooneh Bagheri Zadeh, Richard Howley and Helge Janicke
De Montfort University, Leicester, UK
Title: Root Cause Analysis (RCA) as a Preliminary Tool into the Investigation of Identity Theft
Abstract: Identity theft is an old phenomenon; offences such as impersonation, falsification and misuse of identity documents have been known for more than a century. However, the advent of technology changed the method used for conducting this crime, whereby through the use of the Internet, personal information is stolen and misused by criminals. The crime has its causes originating from human error and judgement to failure of computing and networking systems that allow unauthorized access to personal information. In order to provide a better tool of investigating this crime, there is the need to explore the causes of the crime thereby providing a better framework for investigating Identity theft crimes. This study uses Root Cause Analysis (RCA) as a preliminary tool that serves to provide a depicted identification of the causes of Identity theft paving the way into investigating the crime and creating incident response plans.

Mary Geddes and Pooneh Bagheri Zadeh
De Montfort University, Leicester, UK
Title: Forensic Analysis of Private Browsing
Abstract: Private browsing is popular for many users who wish to keep the internet usage hidden from other users on the same computer. This research will examine what artefacts are left on the users’ computer using digital forensic tools. The results from this research will allow recommendations for forensic analysts on ways to analyse private browsing artefacts.

Taolue Chen1, Tingting Han2, Florian Kammueller3, Ibrahim Nemli4 and Christian Probst4
1 Middlesex University London, United Kingdom
2 Birkbeck, University of London, United Kingdom
3 Middlesex University London, United Kingdom and TU Berlin
4 Technical University Denmark, Denmark
Title: Model Based Analysis of Insider Threats
Abstract: In order to detect malicious insider attacks it is important to model and analyse infrastructures and policies of organisations and the insiders acting within them. We extend formal approaches that allow modelling such scenarios by quantitative aspects to enable a precise analysis of security designs. Our framework enables evaluating the risks of an insider attack to happen quantitatively. The framework first identifies an insider’s intention to perform an inside attack, using Bayesian networks, and in a second phase computes the probability of success for an inside attack by this actor, using probabilistic model checking. We provide prototype tool support using Matlab for Bayesian networks and PRISM for the analysis of Markov decision processes, and validate the framework with case studies.

Best Paper Awards

Best papers are selected for each conference based on the double or multiple blind peer reviews scores. Scores are computed based on the average score, weighted against reviews by reviewers’ confidence. It is an excellent, very rigorous and transparent process.

Cyber SA 2016 – Joint Best Papers
Paper Titled: Enhancing Cyber Situation Awareness for Non-Expert Users using Visual Analytics
Philip Legg
Department of Computer Science and Creative Technologies, Faculty of Environment and Technology, University of the West of England, Bristol, UK
Paper Titled: Instant Message Classification in Finnish Cyber Security-Themed Free-Form Discussion
Samir Puuska, Matti J. Kortelainen, Viljami Venekoski and Jouko Vankka
Department of Military Technology, National Defence University, Helsinki, Finland

Social Media 2016 – Best Paper
Paper Titled: Evaluating the reliability of users as human sensors of social media security threats
Ryan Heartfield and George Loukas
Computing and Information Systems, University of Greenwich, UK

Cyber Security 2016 – Best Paper
Paper Titled: Attack Simulation based Software Protection Assessment Method for Protection Optimisation
Gaofeng Zhang1, Paolo Falcarin1, Elena Gómez-Martínez1, Christophe Tartary1, Shareeful Islam1, Bjorn De Sutter2 and Jerome D’annoville3
1 University of East London, London, UK
2 Ghent University, Ghent, Belgium
3 Gemalto, Meudon, France

Cyber Incident 2016 – Best Paper
Paper Titled: Proactive Biometric-Enabled Forensic Imprinting
Abdulrahman Alruban, Nathan Clarke, Fudong Li and Steven Furnell
Centre for Security, Communications and Network Research, Plymouth University, Plymouth, UK

Conference Presentation Programme

2016 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA 2016)
In conjunction with
International Conference on Social Media, Wearable and Web Analytics (Social Media 2016)
International Conference on Cyber Security and Protection of Digital Services (Cyber Security 2016)
International Conference on Cyber Incident Response, Coordination, Containment & Control (Cyber Incident 2016)
Mayfair, London, United Kingdom.
June 13 – 14, 2016

Monday, June 13, 2016 (Day 1)

08:00 – 09:00 Registration, Networking and Refreshments in the Stratton Suite
09:00 – 09:05 Opening: Welcome Session
    Dr Cyril Onwubiko – Chair, Cyber Security Intelligence, Research Series, London, UK
09:05 – 09:10 Announcements & Introduction
    Xavier Bellekens – Conference Chair
09:10 – 09:15 Keynote Introduction: IEEE UK&RI
    Professor Ali Hessami – Chair, IEEE UK&RI and Director of R&D and Innovation at Vega Systems, London, UK
09:15 – 09:35 Keynote: Cyber Science: Fact or Fiction?
    Professor Frank Wang – Professor of Future Computing & Head of School of Computing, University of Kent, Canterbury, UK & IEEE Computer Society Chair
09:35 – 09:50 Keynote: Cyber Security in SCADA, Utility, Energy and Critical Networks
    Dr Janne Hagen – Norwegian Water Resources and Energy Directorate (NVE), Oslo, Norway
09:50 – 10:00 Coffee Break & Social Networking
10:00 – 10:20 Keynote: Systems Integration and Security for Internet of Things (IoT)
    Dr Nick Savage – Head School of Computing, University of Portsmouth, Portsmouth, UK
10:20 – 10:40 Keynote: Trust and Verification in National Security: Can Electronic Equipment from Untrusted Vendors be Verified?
    Professor Olav Lysne – Director and founder of the Center for Resilient Networks and Applications (CRNA) at Simula research laboratory, Oslo, Norway
10:40 – 10:50 Coffee Break & Social Networking

CyberSA 2016
Track 1: Situation Awareness for Intelligence & Analytics
10:50 – 11:30
    Enhancing Cyber Situation Awareness for Non-Expert Users using Visual Analytics
        Philip Legg
    On the Collaborative Practices of Cyber Threat Intelligence Analysts to Develop and Utilize Tacit Threat and Defence Knowledge
        Jan Ahrend, Marina Jirotka and Kevin Jones
    A Multi-Sensor System for Enhancing Situational Awareness in Offshore Training
        Filippo Sanfilippo
    A Decision Support Model for Situational Awareness in National Cyber Operations Centers
        Roman Graf, Florian Skopik and Kenny Whitebloom
11:30 – 11:40 Panel Session Questions
11:40 – 11:50 Coffee Break & Social Networking

Social Media 2016
Track 1: Social Media for Enhanced Health Informatics and Health Situation Awareness
11:50 – 12:20
    Evaluating the Reliability of Users as Human Sensors of Social Media Security Threats
        Ryan Heartfield and George Loukas
    Internet Discussion Forums: Maximizing Choice in Health-seeking Behaviour During Public Health Emergencies
        Jennifer Cole, Chris Watkins and Dorothea Kleine
    Generating Insight from Data
        Paul Baxter and Trevor Wood
12:20 – 12:30 Panel Session Questions
12:30 – 13:30 Lunch

Cyber Security 2016
Track 1: Cyber Security Applications
13:30 – 14:30
    Security in building automation systems - A first analysis
        Thomas Mundt and Peter Wickboldt
    DynaLog: An automated dynamic analysis framework for characterizing Android applications
        Mohammed Alzaylaee, Suleiman Yerima and Sakir Sezer
    Goal-Based Security Components for Cloud Storage Security Framework: A Preliminary Study
        Fara Yahya, Robert Walters and Gary Wills
    The IM System with a Cryptographic Feature
        Zbigniew Hulicki
    A Mobile Forensic Investigation into Steganography [Abstract / WIP]
        Catrin Burrows and Pooneh Bagheri Zadeh
14:30 – 14:40 Panel Session Questions
14:40 – 14:50 Coffee Break & Social Networking

Cyber Incident 2016
Track 1: Digital Forensics & Biometrics
14:50 – 15:10
    Proactive Biometric-Enabled Forensic Imprinting
        Abdulrahman Alruban, Nathan Clarke, Fudong Li and Steven Furnell
    Forensic Analysis of Private Browsing
        Mary Geddes and Pooneh Bagheri Zadeh
15:10 – 15:20 Panel Session Questions

Cyber Security 2016
Track 2: Cyber Security Threats and Threat Intelligence
15:20 – 15:50
    N-opcode Analysis for Android Malware Classification and Categorization
        Boojoong Kang, Suleiman Yerima, Kieran Mclaughlin and Sakir Sezer
    Correlating Intrusion Detection Alerts on Bot Malware Infections using Neural Network
        Egon Kidmose, Matija Stevanovic and Jens Myrup Pedersen
    A Countermeasure Mechanism for Fast Scanning Malware
        Muhammad Aminu Ahmad, Steve Woodhead and Diane Gan
15:50 – 16:00 Panel Session Questions
16:00 – 16:10 Coffee Break & Social Networking

CyberSA 2016
Track 2: Situation Awareness Applications for Wireless Security
16:10 – 16:40
    Situation aware intrusion recovery policy in WSNs
        Eliana Stavrou and Andreas Pitsillides
    Enhancing WPA2-PSK four-way handshaking after re-authentication to deal with deauthentication followed by brute-force attack A novel re-authentication protocol
        Mohamed Chahine Ghanem and Deepthi N. Ratnayake
    Building an effective and efficient continuous web application security program
        Mahesh Bang and Himanshu Saraswat
16:40 – 16:50 Panel Session Questions
16:50 – 17:00 Coffee Break & Social Networking

CyberSA 2016
Track 3: Situation Awareness Tools & Techniques
17:00 – 17:30
    Looking from the Hacker’s Perspective: Role of Deceptive Strategies in Cyber Security
        Palvi Aggarwal, Cleotilde Gonzalez and Varun Dutt
    Clustering Analysis of Malware Behavior using Self Organizing Map
        Radu-Stefan Pirscoveanu, Matija Stevanovic and Jens Myrup Pedersen
    Cybersecurity: Effect of Information Availability in Dynamic Security Games
        Zahid Maqbool, V.S. Chandrasekhar Pammi and Varun Dutt
17:30 – 17:40 Panel Session Questions
17:40 – 17:50 Coffee Break & Social Networking
17:50 Social Event: Drinks, Chat and Social Networking

Tuesday, June 14, 2016 (Day 2)

08:00 – 09:00 Coffee/Tea, Networking and Refreshments in the Kensington & Chelsea Suite
09:00 – 09:10 Day 2 Opening & Welcome Session, Announcements & Introduction
    Xavier Bellekens – Conference Chair
09:10 – 09:30 Keynote: Cyber Operations (CyberOps) Capability for the Mission
    Dr Cyril Onwubiko – Chair, Cyber Security Intelligence, E-Security Group, Research Series, London, UK
09:30 – 09:50 Keynote: Community Situation Awareness for Emerging Networks
    Dr Thomas Owens – Director of Quality (ECE) & Senior Lecturer in Communications, Brunel University London, London, UK
09:50 – 10:00 Coffee Break & Social Networking
10:00 – 10:20 Keynote: Situational Awareness for CERTs
    Dr Andrew Lenaghan – OxCERT, Oxford University, Oxford, UK
10:20 – 10:40 Keynote: Role of Digital Forensics in the Emerging Dimensions of Cybercrime Investigations
    Dr Syed Naqvi – Senior Lecturer Cyber Security and Forensics, Birmingham City University, Birmingham, UK
10:40 – 10:50 Coffee Break & Social Networking

CyberSA 2016
Track 4: Cyber Situational in Cyber Risk & Crisis Management
10:50 – 11:20
    Cyber Crisis Management, Survival or Extinction?
        Yoram Golandsky
    Are we managing the risk of sharing Cyber Situational Awareness - A UK Public Sector Case Study [Abstract / WIP]
        Michael Davies and Menisha Patel
    Pervasive eHealth Services A Security and Privacy Risk Awareness Survey
        Xavier Bellekens, Preetila Seeam, Quentin Franssen, Andrew Hamilton, Kamila Nieradzinska and Amar Seeam
11:20 – 11:30 Panel Session Questions
11:30 – 11:40 Coffee Break & Social Networking

Cyber Security 2016
Track 3: Cyber Security Theories, Laws and Policies
11:40 – 12:20
    Statistical Analysis of Attacking Autonomous Systems
        Tomáš Sochor, Matej Zuzčák and Petr Bujok
    Gauging the Effectiveness of Computer Misuse Act in Dealing with Cybercrimes
        Reza Montasari, Pekka Peltola and Victoria Carpenter
    The Social Engineering Attack Spiral (SEAS)
        Andrea Cullen and Lorna Armitage
    Cyber Warfare: Terms, Issues, Laws and Controversies
        Kamile Nur Sevis and Ensar Seker
12:20 – 12:30 Panel Session Questions
12:30 – 13:30 Lunch

Cyber Incident 2016
Track 2: Controls and Countermeasures to Cyber Threats (C3T)
13:30 – 13:50
    Root Cause Analysis (RCA) as a Preliminary Tool into the Investigation of Identity Theft
        Aisha Abubakar, Pooneh Bagheri Zadeh, Richard Howley and Helge Janicke
    Model Based Analysis of Insider Threats [Abstract / WIP]
        Taolue Chen, Tingting Han, Florian Kammueller, Ibrahim Nemli and Christian Probst
13:50 – 14:00 Panel Session Questions

CyberSA 2016
Track 5: National Cyber Situation Awareness
14:00 – 14:30
    Instant Message Classification in Finnish Cyber Security -Themed Free-Form Discussion
        Samir Puuska, Matti J. Kortelainen, Viljami Venekoski and Jouko Vankka
    Cyber Attacks and Maritime Situational Awareness: Evidence from Japan and Taiwan
        Joe Burton
    Developing Cyber Security Asset Management framework for UK Rail
        Shruti Kohli
14:30 – 14:40 Panel Session Questions
14:40 – 14:50 Coffee Break & Social Networking

Cyber Security 2016
Track 4: Cyber Security Applications, Tools and Techniques
14:50 – 15:20
    Designing Utility Functions for Game-Theoretic Cloud Security Assessment: A Case for Using the Common Vulnerability Scoring System
        Louai Maghrabi, Eckhard Pfluegel and Senna Fathima Noorji
    Attack Simulation based Software Protection Assessment Method for Protection Optimisation
        Gaofeng Zhang, Paolo Falcarin, Elena Gómez-Martínez, Christophe Tartary, Shareeful Islam, Bjorn De Sutter and Jerome D’annoville
    Exploiting Pitfalls in Software-Defined Networking Implementation
        Dylan Smyth, Victor Cionca, Sean McSweeney and Donna O'Shea
15:20 – 15:30 Panel Session Questions

Track 5: Cyber Security for Web Analytics, Business Intelligence & Knowledge Management
15:30 – 15:50
    Knowledge Management of Cyber Security Expertise: an ontological approach to talent discovery
        Marcelo Fontenele and Lily Sun
    Exploring Web Analytics to enhance Cyber Situational Awareness for the Protection of Online Web Services
        Cyril Onwubiko
15:50 – 16:00 Panel Session Questions
16:00 Thanks & Closing Remarks: Dr Cyril Onwubiko on behalf of Centre for Multidisciplinary Research, Innovation & Collaboration (C-MRiC.ORG) & IEEE TCS
16:00 Best Paper Awards & Group Conference Photographs

International Journal on Cyber Situational Awareness (IJCSA)
ISSN: (Print) 2057-2182 ISSN: (Online) 2057-2182
The International Journal on Cyber Situational Awareness (IJCSA) is a comprehensive reference journal, dedicated to disseminating the most innovative, systematic, topical and emerging theory, methods and applications on Situational Awareness (SA) across Cyber Systems, Cyber Security, Cyber Physical Systems, Computer Network
Defence, Enterprise Internet of Things (EIoT), Security Analytics and Intelligence to students, scholars, and academia, as well as industry practitioners, engineers and professionals.
http://www.c-mric.com/journals-ijcsa
Editor-in-Chief: Dr Cyril Onwubiko
Associate Editors:
Professor Frank Wang
Dr Thomas Owens

Upcoming Conferences

Joint and Co-located Conferences: Cyber Science 2016, June 13-14, London, UK
Cyber SA 2016: International Conference on Cyber Situational Awareness, Data Analytics and Assessment (Cyber SA 2016)
Social Media 2016: International Conference on Social Media, Wearable and Web Analytics (Social Media 2016)
Cyber Security 2016: International Conference on Cyber Security and Protection of Digital Services (Cyber Security 2016)
Cyber Incident 2016: International Conference on Cyber Incident Response, Coordination, Containment & Control (Cyber Incident 2016)

Joint and Co-located Conferences: Cyber Policy 2016, Oxford, UK
Business Intelligence 2016: International Conference on ICT and Business Information Systems for Business Intelligence (Business Intelligence 2016)
e-Policy 2016: International Conference on Digital Society, Border Control and Cyber Policy (e-Policy 2016)
GRC 2016: International Conference on Governance, Risk Management, Compliance (GRC 2016)
Privacy 2016: International Conference on Privacy, Data Protection and Information Assurance (Privacy 2016)

Joint and Co-located Conferences: Counter Fraud 2016, Oxford, UK
Fraud-Detect 2016: International Conference on Web Fraud Detection, Financial and Fraud Analysis (Fraud-Detect 2016)
Geo-IP 2016: International Conference on Geolocation and CyberTravel for Law Enforcement and Fraud Control (Geo-IP 2016)
Digital Forensics 2016: International Conference on Digital Forensics, Readiness and Investigation (Digital Forensics 2016)
Mobile AppSecurity 2016: International Conference on Web and Mobile Application Security (Mobile AppSecurity 2016)

Joint and Co-located Conferences: Security Management 2016, London, UK
Tools 2016: International Conference on Tools for Analytics, Visualisation and Data Mining (Tools 2016)
SOC 2016: International Conference on Security Operation Centres, Automation, Remediation and Optimisation (SOC 2016)
Telecom 2016: International Conference on Telecommunications, Computer Science and Information Systems (Telecom 2016)

Joint and Co-located Conferences: Health Informatics 2016, London, UK
HealthCare 2016: International Conference on ICT in HealthCare Management (HealthCare 2016)
Cloud-Ability 2016: International Conference on Cloud-Based Computing Architectures, Security and Reliability (Cloud-Ability 2016)
Health IT 2016: International Conference on Health Informatics and Computer Assisted Medicine (Health IT 2016)
e-Learning 2016: International Conference on Web-Based Learning, Interaction and Accessibility (e-Learning 2016)

Other Services
Innovation, Research & Development ranging from national cyber security programmes, enterprise security management, information assurance, protection strategy & consultancy
Training and technology-inspired programmes, and undertake independent bespoke technology-based & survey-based research engagements.
Security Testing and Lab Experimentations
Conference Organisation
Printing and Publications
Consultancy

Organiser / Contact Us
Centre for Multidisciplinary Research, Innovation and Collaboration (C-MRiC.ORG)
Centre for Multidisciplinary Research, Innovation and Collaboration (C-MRiC) is a nonprofit non-governmental organisation. The aim is to participate, encourage and promote collaborative scientific, industrial and academic inter-workings among individual researchers, practitioners, members of existing associations, academia, standardisation bodies, and including government departments and agencies. The purpose is to build bridges between academia and industry, and to encourage interplay of different cultures.
C-MRiC is committed to outstanding research and innovation through collaboration, and to disseminate scientific and industrial contributions through seminars and publications. Its products range from conferences on advanced and emerging aspects of societal issues, ranging from Cyber security to environmental pollution, and from Health IT to Wearable, with the best of breeds of such contributions featuring in our journal publications.

C-MRiC is reliant on individual and corporate voluntary and free memberships to support its activities such as peer reviews, editorials, participating, organising and promoting conference and journal publications. We collaborate with academia, industries and government departments and agencies in a number of initiatives, ranging from national cyber security, enterprise security, information assurance, protection strategy, climate control to health and life sciences. We participate in academic and industrial initiatives, national and international collaborative technology-inspired programmes, and undertake independent bespoke technology-based & survey-based research engagements.

C-MRiC is free membership to both individuals and corporate entities; it is voluntary, open and professional. Membership to C-MRiC entitles you free access to our publications, early sightings to research and innovations, and allows you to submit, request and pioneer research, conference or journal project through us. Members are selected based on expertise to support some of our activities on a voluntary basis, such as peer reviews, editorials, participating, organising and promoting conference and journal publications.

Address: 1 Meadway, Woodford Green, Essex, IG8 7RF, UK
Email: [email protected]
Twitter:
Web: http://www.c-mric.org