We present a novel anomaly-based detection approach capable of detecting botnet Command and Control (C&C) traffic in an enterprise network by estimating the trustworthiness of the traffic destinations. A traffic flow is classified as anomalous if its destination identifier does not originate from one of three sources: human input, prior traffic from a trusted destination, or a defined set of legitimate applications. Because the rule depends on the provenance of the destination rather than on signatures of particular C&C protocols, it allows real-time detection of diverse types of C&C traffic. The detection approach and its accuracy are evaluated by experiments in a controlled environment.
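The three-source rule above can be stated as a small stateful classifier. The block below is an added example, not the paper's implementation: it tracks which destination identifiers have become trusted through human input or through referral from an already trusted destination, treats a fixed set of application names as always allowed, and flags every other outbound flow. The event format (`input`, `referral`, `flow` tuples), the application names and the sample event log are constructed for illustration.

```python
"""Destination-trust classifier for outbound flows.

Added example, not the paper's implementation: it encodes the rule that a flow
is anomalous unless its destination identifier originates from (1) human input,
(2) prior traffic from an already trusted destination, or (3) a defined set of
legitimate applications. Event format, field names and the sample event log
are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class DestinationTrust:
    allowed_apps: frozenset                     # applications allowed to reach any destination
    trusted: set = field(default_factory=set)   # destination identifiers (hostnames or IPs)

    def human_input(self, dest: str) -> None:
        """A destination typed or clicked by a person is trusted by definition."""
        self.trusted.add(dest)

    def referral(self, src: str, dest: str) -> None:
        """A destination referenced by traffic from a trusted destination (e.g. a
        page from src embedding a script hosted at dest) inherits trust. An
        untrusted source propagates nothing, so a C&C server cannot bootstrap
        trust for a fallback server by naming it in a bot command."""
        if src in self.trusted:
            self.trusted.add(dest)

    def classify(self, dest: str, app: str) -> str:
        if app in self.allowed_apps or dest in self.trusted:
            return "benign"
        return "anomalous"


def detect(events, allowed_apps):
    """Replay an ordered event stream and return the (dest, app) pairs judged anomalous.

    Constructed event tuples:
      ("input", dest)          destination entered by a human (URL bar, bookmark)
      ("referral", src, dest)  traffic from src referenced dest (Location/Referer, embedded link)
      ("flow", dest, app)      outbound flow from application app to dest
    """
    tracker = DestinationTrust(frozenset(allowed_apps))
    anomalous = []
    for event in events:
        kind = event[0]
        if kind == "input":
            tracker.human_input(event[1])
        elif kind == "referral":
            tracker.referral(event[1], event[2])
        elif kind == "flow":
            dest, app = event[1], event[2]
            if tracker.classify(dest, app) == "anomalous":
                anomalous.append((dest, app))
        else:
            raise ValueError(f"unknown event type {kind!r}")
    return anomalous


# Constructed sample: a user browsing, an allowed updater, and a bot beaconing.
SAMPLE_EVENTS = [
    ("input", "www.example.com"),                        # user types the address
    ("flow", "www.example.com", "browser"),              # benign: human input
    ("referral", "www.example.com", "cdn.example.net"),  # page embeds a CDN script
    ("flow", "cdn.example.net", "browser"),              # benign: referred by trusted destination
    ("flow", "update.example.org", "updater"),           # benign: allowed application
    ("flow", "203.0.113.7", "svchosts.exe"),             # anomalous: no input, no referral, unknown app
    ("referral", "203.0.113.7", "198.51.100.9"),         # bot command names a fallback server
    ("flow", "198.51.100.9", "svchosts.exe"),            # still anomalous: untrusted source propagates nothing
]
ALLOWED_APPS = {"updater"}


def run_sample():
    return detect(SAMPLE_EVENTS, ALLOWED_APPS)


if __name__ == "__main__":
    for dest, app in run_sample():
        print(f"anomalous flow: {app} -> {dest}")
```

Two design points matter in practice. "Human input" needs real evidence (keyboard or address-bar events bound to the process that then resolves the name), not merely the existence of a DNS query, or malware can satisfy the rule by resolving its server itself. And the referral rule is transitive: whatever a trusted destination references becomes trusted, so trust should expire and the referral evidence (a Referer, a Location header, an embedded link in a page actually fetched) should be checked rather than inferred from timing alone.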
We present a novel architecture for an AI system that allows a priori knowledge to be combined with deep learning. In traditional neural networks, all available data is pooled at the input layer. Our alternative neural network is constructed so that partial representations (invariants) are learned in the intermediate layers, where they can be combined with a priori knowledge or with other predictive analyses of the same data. Because learning is more efficient, smaller training datasets suffice. In addition, because this architecture admits a priori knowledge and interpretable predictive models, the interpretability of the entire system increases while the data can still be used in a black-box neural network. Our system uses networks of neurons rather than single neurons to represent approximations (invariants) of the output.
In case of a major cyber incident, organizations usually rely on external providers of Cyber Incident Response (CIR) services. CIR consultants operate in a dynamic and constantly changing environment in which they must actively engage in information management and problem solving while adapting to complex circumstances. In this challenging environment CIR consultants need to make critical decisions about what to advise clients impacted by a major cyber incident. Despite its relevance, CIR decision making is an understudied topic. The objective of this preliminary investigation is therefore to understand what decision-making strategies experienced CIR consultants use during challenging incidents and to offer suggestions for training and decision aiding. A general understanding of operational decision making under pressure, uncertainty, and high stakes was established by reviewing the body of knowledge known as Naturalistic Decision Making (NDM). The general conclusion of NDM research is that experts usually make adequate decisions based on (fast) recognition of the situation and application of the most obvious (default) response pattern that has worked in similar situations in the past. In exceptional situations, however, this recognition-primed decision making results in suboptimal decisions, because experts are likely to miss conflicting cues once the situation has been quickly recognized under pressure. Understanding the default response pattern, and the rare occasions on which it could be ineffective, is therefore key to improving and aiding cyber incident response decision making. To that end, we interviewed six experienced CIR consultants and used the critical decision method (CDM) to learn how they made decisions under challenging conditions.
The main conclusion is that the default response pattern for CIR consultants during cyber breaches is to reduce uncertainty as much as possible by gathering and investigating data and thus delay decision making about eradication until the investigation is completed. According to the respondents, this strategy usually works well and provides the most assurance that the threat actor can be completely removed from the network. However, the majority of respondents could recall at least one case in which this strategy (in hindsight) resulted in unnecessary theft of data or damage. Interestingly, this finding is strikingly different from other operational decision-making domains such as the military, police and fire service in which there is a general tendency to act rapidly instead of searching for more information. The main advice is that training and decision aiding of (novice) cyber incident responders should be aimed at the following: (a) make cyber incident responders aware of how recognition-primed decision making works; (b) discuss the default response strategy that typically works well in several scenarios; (c) explain the exception and how the exception can be recognized; (d) provide alternative response strategies that work better in exceptional situations.
The security of online assessments is a major concern due to widespread cheating. One common form of cheating is impersonation, where students invite unauthorized persons to take assessments on their behalf. Several techniques exist to handle impersonation. Some researchers recommend the use of an integrity policy, but communicating the policy effectively to the students is a challenge. Others propose authentication methods such as passwords and fingerprints; these offer initial authentication but leave the session unprotected thereafter. Face recognition offers post-login authentication but requires additional hardware. Keystroke Dynamics (KD) has been used to provide post-login authentication without additional hardware, but its use has been limited to subjective (free-text) assessment. In this work, we address impersonation in assessments with Multiple Choice Questions (MCQ). Our approach combines two key strategies: reinforcement of the integrity policy for prevention, and keystroke-based random authentication for detection of impersonation. To the best of our knowledge, this is the first attempt to use keystroke dynamics for post-login authentication in the context of MCQ. We extend an online quiz tool to collect the data we need and use feature engineering to address the challenge of high-dimensional keystroke datasets. Using machine learning classifiers, we identify the best-performing model for authenticating the students. The results indicate that the highest accuracy (83%) is achieved by the Isolation Forest classifier. To validate the results, the approach is also applied to the Carnegie Mellon University (CMU) benchmark dataset, where it achieves an improved accuracy of 94%. We also tried mouse dynamics for authentication, but its subpar performance led us to leave it out of our approach.
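The pipeline the abstract describes (raw key events, timing features, a per-student profile, a challenge at randomly chosen questions, accept/reject) is shown end to end below. This is an added example, not the paper's code: it substitutes a scaled-Manhattan one-class detector for the paper's Isolation Forest so that it runs on the standard library alone, and all key timings, the enrollment samples and both probes are constructed values in milliseconds. The feature set (hold time, down-down latency and up-down latency per key pair) is the usual one for fixed-text keystroke dynamics and is what the CMU benchmark dataset records.

```python
"""Keystroke-dynamics verifier for MCQ assessments.

Added example, not the paper's code. Pipeline: (1) timing features from raw key
events, (2) per-student profile from enrollment samples, (3) scaled-Manhattan
anomaly score for a probe typed at a randomly chosen question, (4) accept or
reject against a threshold derived from enrollment. The scaled-Manhattan
detector stands in for the paper's Isolation Forest; all timings below are
constructed, in milliseconds.
"""
from statistics import mean
import random


def features(events):
    """events: [(key, down_ms, up_ms), ...] in typing order.
    Per key: hold time. Per consecutive pair: down-down latency and up-down
    latency (negative when the next key is pressed before the previous is released)."""
    feats = []
    for i, (_, down, up) in enumerate(events):
        feats.append(up - down)
        if i:
            _, prev_down, prev_up = events[i - 1]
            feats.append(down - prev_down)
            feats.append(down - prev_up)
    return feats


class ScaledManhattan:
    """One-class detector: score = sum_i |x_i - mean_i| / mad_i over the features."""

    def __init__(self, margin=1.5, min_mad=1.0):
        self.margin, self.min_mad = margin, min_mad

    def fit(self, enrollment):
        cols = list(zip(*[features(e) for e in enrollment]))
        self.mean = [mean(c) for c in cols]
        # mean absolute deviation, floored at clock resolution so a constant
        # feature cannot blow the score up through division by ~0
        self.mad = [max(mean(abs(v - m) for v in c), self.min_mad)
                    for c, m in zip(cols, self.mean)]
        # accept anything scoring within `margin` of the worst enrollment sample
        self.threshold = self.margin * max(self.score(e) for e in enrollment)
        return self

    def score(self, events):
        return sum(abs(x - m) / d
                   for x, m, d in zip(features(events), self.mean, self.mad))

    def verify(self, events):
        return self.score(events) <= self.threshold


def challenge_questions(n_questions, n_challenges, rng=None):
    """Question indices at which a keystroke challenge is issued; drawn from a
    CSPRNG so the student cannot predict when the real test-taker must be present."""
    rng = rng or random.SystemRandom()
    return sorted(rng.sample(range(n_questions), n_challenges))


def make_events(text, holds, down_down):
    """Constructed helper: build key events from hold times and down-down latencies."""
    events, down = [], 0
    for i, ch in enumerate(text):
        events.append((ch, down, down + holds[i]))
        if i < len(down_down):
            down += down_down[i]
    return events


WORD = "pass"
# Five enrollment samples from the genuine student (constructed; small jitter around one rhythm).
ENROLLMENT = [make_events(WORD, h, d) for h, d in [
    ([92, 98, 86, 97], [148, 133, 158]),
    ([88, 103, 83, 94], [153, 128, 163]),
    ([91, 100, 88, 92], [147, 131, 159]),
    ([89, 97, 84, 98], [152, 134, 156]),
    ([93, 102, 87, 95], [150, 127, 162]),
]]
GENUINE_PROBE = make_events(WORD, [90, 101, 85, 96], [149, 130, 160])     # same rhythm
IMPOSTOR_PROBE = make_events(WORD, [140, 160, 130, 150], [260, 240, 280])  # slower, longer holds


def run_sample():
    """Returns (genuine accepted?, impostor accepted?)."""
    det = ScaledManhattan().fit(ENROLLMENT)
    return det.verify(GENUINE_PROBE), det.verify(IMPOSTOR_PROBE)


if __name__ == "__main__":
    print("challenge at questions", challenge_questions(20, 3))
    print("genuine accepted, impostor accepted:", run_sample())
```

The threshold is set from the enrollment data itself (a margin above the worst enrollment sample), which is the knob that trades false rejections of nervous students against false acceptances of impostors; with only a handful of enrollment samples the MAD floor matters, because one feature that happens to be constant during enrollment would otherwise dominate the score.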
Worldwide there is a shortage of well-educated and experienced information security specialists. The first step towards addressing this issue is to produce enough people with a well-known and acceptable basic level of information security competences. There is a great deal of information security education and training, but anything but a well-defined outflow level with a known and acceptable basic level of competences. The qualification of information security professionals is chaotic, with a large number of certificates and job titles that are difficult to compare. The field evidently requires uniform qualifications that are internationally recognised. Such qualifications could unambiguously clarify the knowledge and skills of information security professionals, and would give educational institutions a framework that facilitates the development of appropriate information security education and training.
Digitization of activities in hospitals is receiving more attention due to Covid-19 related regulations. The use of e-health to support patient care is increasing, and efficient ways to implement the digitization of processes and other technological equipment are needed. We constructed a protocol for implementation, and in this study we evaluate that protocol on a case: the implementation of a device in the operating room (OR). We used various data sources for the evaluation: semi-structured interviews, questionnaires, and project documents. Based on these findings, the protocol, including the identified implementation activities and implementation instructions, can be used for implementations of other devices. Implementation activities include setting up a project plan, organizational and technological preparation, maintenance, and training. In future research, these activities and instructions need to be evaluated in more complex projects, and a flexible tool needs to be developed to select the relevant activities and instructions for implementations of information systems or devices.
People tend to disclose personally identifiable information (PII) that could be used against them by cybercriminals. Cybercriminals often use persuasion techniques to trick people into disclosing PII. This research investigates whether people can be made less susceptible to persuasion by reciprocation (i.e., making people feel obligated to return a favour) and by authority, and in particular whether information security knowledge and positive affect moderate the relation between susceptibility to persuasion and disclosing PII. Data come from a population-based survey experiment that measured the actual disclosure of PII in an experimental setting (N = 2426). The results demonstrate a persuasion–disclosure link: people disclose more PII when persuaded by reciprocation, but not by authority. Knowledge of information security was also found to relate to disclosure: people disclosed less PII when they possessed more knowledge of information security. Positive affect was not related to the disclosure of PII. And contrary to expectations, no moderating effects of information security knowledge or positive affect on the persuasion–disclosure link were found. Possible explanations are discussed, as well as limitations and future research directions. Published by Sage. APA reference: van der Kleij, R., van ‘t Hoff—De Goede, S., van de Weijer, S., & Leukfeldt, R. (2023). Social engineering and the disclosure of personal identifiable information: Examining the relationship and moderating factors using a population-based survey experiment. Journal of Criminology, 56(2-3), 278-293. https://doi.org/10.1177/26338076231162660
Chapter 2 deals with peer and professional online support for parents in raising children. In total the book contains 31 chapters on social networking, written by dozens of researchers worldwide.
Cybercrime has become a common problem in the Netherlands (CBS, 2022). Dutch municipalities have accordingly adopted cybercrime broadly as a policy priority. Municipalities indicate that they need practical tools to make their residents and businesses more resilient against cybercrime. In the project "Cyberweerbaarheid: Een gemeentelijk offensief ter preventie van slachtofferschap van cybercrime" (Cyber resilience: a municipal offensive to prevent cybercrime victimisation), professionals from twelve municipalities and four regional security networks work together with researchers from De Haagse Hogeschool (The Hague University of Applied Sciences), Hogeschool Saxion and the Nederlands Studiecentrum Criminaliteit en Rechtshandhaving (NSCR) on scientifically founded interventions with which public order and safety officials can increase the cyber resilience of citizens and businesses in their municipality. This report focuses on cybercrime victimisation among small and medium-sized enterprises (SMEs, Dutch: mkb). SMEs fall victim to cybercrime relatively often and suffer considerable damage from it (CBS, 2018; Notté et al., 2019). The rise in ransomware victimisation within SMEs in particular is a worrying development. It is essential that SMEs take measures to prevent a ransomware attack and to limit the damage as much as possible. However, many SMEs deploy protective measures only to a limited extent (Bekkers et al., 2021; CBS, 2021; Notté et al., 2019; Veenstra et al., 2015). The cyber resilience of SMEs (the ability of an organisation to withstand, respond to and recover from cyber incidents so that the organisation remains operational) is therefore too limited. In this report we present the development and evaluation of an intervention called "MKB Cyber Buddy's". The aim of the intervention is to increase the resilience of SMEs against ransomware.
The intervention aims not only to inform SMEs about cybercrime, but also to bring about positive behavioural change through their active participation. In this study, SMEs are defined as businesses with at least one and at most 250 employees. The main question of this report is: Is the intervention "MKB Cyber Buddy's" an effective intervention for Dutch municipalities to promote the cyber resilience of SMEs in their municipality with respect to ransomware? The aim of this report is twofold. On the one hand, it describes the rationale and development of the intervention "MKB Cyber Buddy's". On the other hand, it describes the evaluation of the pilot carried out in 2022, covering the effectiveness, strengths, pitfalls and unforeseen consequences of the intervention. This provides insight into how the intervention can be improved and deployed on a larger scale in the future.
The aim of this research is to investigate under which circumstances and conditions relatively modern modelling techniques such as support vector machines, neural networks and random forests could offer advantages in medical scientific research and in medical practice, compared with more traditional modelling techniques such as linear regression, logistic regression and Cox regression.