Cyber Threat Intelligence
Adversarial machine learning for building anti-forensics and anti-anti forensics systems:
Machine learning algorithms are developed for stationary environments. However, intelligent and adaptive adversaries can carefully craft input data to always bypass AI-based cyber security systems. Therefore, direct utilisation of machine learning algorithms would provide limited benefit in cyber security domain. In adversarial machine learning we try to first identify potential vulnerabilities of machine learning algorithms during learning and classification and build attacks that correspond to detected vulnerabilities (anti-forensics). Afterwards, we are building countermeasures to improve the security of machine learning algorithms (anti-anti-forensics).
Internet Of Things Security
Internet of Things (IoT) forensics:
With the fast integration of computation and networking in all physical process and development of lots of smart-contexts, the spectrum of devices that can be investigated is extensive. A range of devices and protocols from PDAs and mobile devices to automobiles, sensors, and robots which are interconnected pervasively! The examination of these devices is a crucial component in future legal, governmental, and business investigations. Therefore, we need models and frameworks that for forensically sound collection, preservation, analysis and documentation of evidences in these environments. In this project, we build tools, techniques and procedures for cyber investigation and threat hunting in Internet of Things (IoT), Internet of Battlefield of Things (IoBT), Internet of Medical Things (IoMT), and Internet of Robotic Things (IoRT).
Cyber Threat Hunting
Multi-view and multi-kernel learning systems to achieve a global view of emerging cyber threats:
An increasing number of AI agents are deployed to assist security analysts and forensics investigators in detection and prevention of cyber-attacks. Each of these AI agents may use its own machine learning algorithm and monitor a specific aspect of an attack. Multi-view and multi-kernel learning techniques can be used to merge different views of different machine learning algorithms and achieve a more accurate and global view of emerging threats. Such a global multi-view system would be a precious tool to assist in attack attribution activities.
AI-based decision support systems for cyber threat hunting:
Cyber threat hunting is about detecting remnant of attackers’ activities that bypassed all passive network and data protection mechanisms before they meet their objectives (from Exploitation to Actions on Objectives stage of the Cyber Kill Chain model). Cyber defence and protection mechanisms are only good in thwarting risk of script kiddies and stand-alone hackers but are of little use against funded (i.e. state sponsored) hacking teams. Once an organisation is in the target list of an Advanced Persistent Threat (APT) actor, the APT actor is not giving up until bypassing all layers of passive defence mechanisms. Upon having a foothold in the target network, attackers tend to only use normal administrative tools to install their tools on as many nodes in the target network as possible and setup C2 connections to achieve their objectives. This would make finding attackers who bypassed passive detection and prevention mechanisms significantly difficult. Active AI agents can be used to support threat hunters and forensics investigators in finding remnants of residual adversaries in an enterprise in a timely manner.
Smart cyber-deception systems:
Honeypots, honeynets, and honeytokens have been used for many years by security researchers but their deployment was very marginal in real enterprise networks. An enterprise does not see enough values (in compare with cost) in deploying honeypots especially as detecting a honeypot is not very difficult for an experienced attacker i.e. by looking at the pattern and volume of communications between different nodes in the network. AI can be used in creating honeypots that closely mimic activities of real nodes in a network, making it very difficult for an attacker to detect a honeypot without a direct engagement.