Digital Communications and Networking Commons^™

Exploiting The Iot Through Network-Based Covert Channels, Kyle S. Harris

Theses and Dissertations

Information leaks are a top concern to industry and government leaders. The IoT is a technology capable of sensing real-world events. A method for exfiltrating data from these devices is by covert channel. This research designs a novel IoT CTC without the need for inter-packet delays to encode data. Instead, it encodes data within preexisting network information, namely ports or addresses. Additionally, the CTC can be implemented in two different modes: Stealth and Bandwidth. Performance is measured using throughput and detectability. The Stealth methods mimic legitimate traffic captures while the Bandwidth methods forgo this approach for maximum throughput. Detection results …

Stock Markets Performance During A Pandemic: How Contagious Is Covid-19?, Yara Abushahba

Theses and Dissertations

Background and Motivation: The coronavirus (“COVID-19”) pandemic, the subsequent policies and lockdowns have unarguably led to an unprecedented fluid circumstance worldwide. The panic and fluctuations in the stock markets were unparalleled. It is inarguable that real-time availability of news and social media platforms like Twitter played a vital role in driving the investors’ sentiment during such global shock.

Purpose:The purpose of this thesis is to study how the investor sentiment in relation to COVID-19 pandemic influenced stock markets globally and how stock markets globally are integrated and contagious. We analyze COVID-19 sentiment through the Twitter posts and investigate its …

Enumerating And Locating Bluetooth Devices For Casualty Recovery In A First-Responder Environment, Justin M. Durham

Theses and Dissertations

It is difficult for first-responders to quickly locate casualties in an emergency environment such as an explosion or natural disaster. In order to provide another tool to locate individuals, this research attempts to identify and estimate the location of devices that would likely be located on or with a person. A variety of devices, such as phones, smartwatches, and Bluetooth-enabled locks, are tested in multiple environments and at various heights to determine the impact that placement and interference played in locating the devices. The hypothesis is that most Bluetooth devices can be successfully enumerated quickly, but cannot be accurately located …

Long Distance Bluetooth Low Energy Exploitation On A Wireless Attack Platform, Stephanie L. Long

Theses and Dissertations

In the past decade, embedded technology, known as the Internet of Things, has expanded for many uses. The smart home infrastructure has drastically grown to include networked refrigerators, lighting systems, speakers, watches, and more. This increase in the use of wireless protocols provides a larger attack surface for cyber actors than ever before. Wireless loT traffic is susceptible for sniffing by an attacker. The attack platform skypie is upgraded to incorporate Bluetooth Low Energy (BLE) beacon collection for pattern-of-life data, as well as device characteristic enumeration and potential characteristic modification. This platform allows an attacker to mount the skypie to …

Direct Digital Synthesis: A Flexible Architecture For Advanced Signals Research For Future Satellite Navigation Payloads, Pranav R. Patel

Theses and Dissertations

In legacy Global Positioning System (GPS) Satellite Navigation (SatNav) payloads, the architecture does not provide the flexibility to adapt to changing circumstances and environments. GPS SatNav payloads have largely remained unchanged since the system became fully operational in April 1995. Since then, the use of GPS has become ubiquitous in our day-to-day lives. GPS availability is now a basic assumption for distributed infrastructure; it has become inextricably tied to our national power grids, cellular networks, and global financial systems. Emerging advancements of easy to use radio technologies, such as software-defined radios (SDRs), have greatly lowered the difficulty of discovery and …

Joint 1d And 2d Neural Networks For Automatic Modulation Recognition, Luis M. Rosario Morel

Theses and Dissertations

The digital communication and radar community has recently manifested more interest in using data-driven approaches for tasks such as modulation recognition, channel estimation and distortion correction. In this research we seek to apply an object detector for parameter estimation to perform waveform separation in the time and frequency domain prior to classification. This enables the full automation of detecting and classifying simultaneously occurring waveforms. We leverage a lD ResNet implemented by O'Shea et al. in [1] and the YOLO v3 object detector designed by Redmon et al. in [2]. We conducted an in depth study of the performance of these …

Interoperable Ads-B Confidentiality, Brandon C. Burfeind

Theses and Dissertations

The worldwide air traffic infrastructure is in the late stages of transition from legacy transponder systems to Automatic Dependent Surveillance - Broadcast (ADS-B) based systems. ADS-B relies on position information from GNSS and requires aircraft to transmit their identification, state, and position. ADS-B promises the availability of high-fidelity air traffic information; however, position and identification data are not secured via authentication or encryption. This lack of security for ADS-B allows non-participants to observe and collect data on both government and private flight activity. This is a proposal for a lightweight, interoperable ADS-B confidentiality protocol which uses existing format preserving encryption …

Leveraging Peer-To-Peer Energy Sharing For Resource Optimization In Mobile Social Networks, Aashish Dhungana

Theses and Dissertations

Mobile Opportunistic Networks (MSNs) enable the interaction of mobile users in the vicinity through various short-range wireless communication technologies (e.g., Bluetooth, WiFi) and let them discover and exchange information directly or in ad hoc manner. Despite their promise to enable many exciting applications, limited battery capacity of mobile devices has become the biggest impediment to these appli- cations. The recent breakthroughs in the areas of wireless power transfer (WPT) and rechargeable lithium batteries promise the use of peer-to-peer (P2P) energy sharing (i.e., the transfer of energy from the battery of one member of the mobile network to the battery of …

The Trust-Based Interactive Partially Observable Markov Decision Process, Richard S. Seymour

Theses and Dissertations

Cooperative agent and robot systems are designed so that each is working toward the same common good. The problem is that the software systems are extremely complex and can be subverted by an adversary to either break the system or potentially worse, create sneaky agents who are willing to cooperate when the stakes are low and take selfish, greedy actions when the rewards rise. This research focuses on the ability of a group of agents to reason about the trustworthiness of each other and make decisions about whether to cooperate. A trust-based interactive partially observable Markov decision process (TI-POMDP) is …

Confidence Inference In Defensive Cyber Operator Decision Making, Graig S. Ganitano

Theses and Dissertations

Cyber defense analysts face the challenge of validating machine generated alerts regarding network-based security threats. Operations tempo and systematic manpower issues have increased the importance of these individual analyst decisions, since they typically are not reviewed or changed. Analysts may not always be confident in their decisions. If confidence can be accurately assessed, then analyst decisions made under low confidence can be independently reviewed and analysts can be offered decision assistance or additional training. This work investigates the utility of using neurophysiological and behavioral correlates of decision confidence to train machine learning models to infer confidence in analyst decisions. Electroencephalography …

Near Real-Time Rf-Dna Fingerprinting For Zigbee Devices Using Software Defined Radios, Frankie A. Cruz

Theses and Dissertations

Low-Rate Wireless Personal Area Network(s) (LR-WPAN) usage has increased as more consumers embrace Internet of Things (IoT) devices. ZigBee Physical Layer (PHY) is based on the Institute of Electrical and Electronics Engineers (IEEE) 802.15.4 specification designed to provide a low-cost, low-power, and low-complexity solution for Wireless Sensor Network(s) (WSN). The standard’s extended battery life and reliability makes ZigBee WSN a popular choice for home automation, transportation, traffic management, Industrial Control Systems (ICS), and cyber-physical systems. As robust and versatile as the standard is, ZigBee remains vulnerable to a myriad of common network attacks. Previous research involving Radio Frequency-Distinct Native Attribute …

A Blockchain-Based Anomalous Detection System For Internet Of Things Devices, Joshua K. Mosby

Theses and Dissertations

Internet of Things devices are highly susceptible to attack, and owners often fail to realize they have been compromised. This thesis describes an anomalous-based intrusion detection system that operates directly on Internet of Things devices utilizing a custom-built Blockchain. In this approach, an agent on each node compares the node's behavior to that of its peers, generating an alert if they are behaving differently. An experiment is conducted to determine the effectiveness at detecting malware. Three different code samples simulating common malware are deployed against a testbed of 12 Raspberry Pi devices. Increasing numbers are infected until two-thirds of the …

Estimating Defensive Cyber Operator Decision Confidence, Markus M. Borneman

Theses and Dissertations

As technology continues to advance the domain of cyber defense, signature and heuristic detection mechanisms continue to require human operators to make judgements about the correctness of machine decisions. Human cyber defense operators rely on their experience, expertise, and understanding of network security, when conducting cyber-based investigations, in order to detect and respond to cyber alerts. Ever growing quantities of cyber alerts and network traffic, coupled with systemic manpower issues, mean no one has the time to review or change decisions made by operators. Since these cyber alert decisions ultimately do not get reviewed again, an inaccurate decision could cause …

Progressive Network Deployment, Performance, And Control With Software-Defined Networking, Daniel J. Casey

Theses and Dissertations

The inflexible nature of traditional computer networks has led to tightly-integrated systems that are inherently difficult to manage and secure. New designs move low-level network control into software creating software-defined networks (SDN). Augmenting an existing network with these enhancements can be expensive and complex. This research investigates solutions to these problems. It is hypothesized that an add-on device, or "shim" could be used to make a traditional switch behave as an OpenFlow SDN switch while maintaining reasonable performance. A design prototype is found to cause approximately 1.5% reduction in throughput for one ow and less than double increase in latency, …

Quality Of Service Impacts Of A Moving Target Defense With Software-Defined Networking, Samuel A. Mayer

Theses and Dissertations

An analysis of the impact a defensive network technique implemented with software-defined networking has upon quality of service experienced by legitimate users. The research validates previous work conducted at AFIT to verify claims of defensive efficacy and then tests network protocols in common use (FTP, HTTP, IMAP, POP, RTP, SMTP, and SSH) on a network that uses this technique. Metrics that indicate the performance of the protocols under test are reported with respect to data gathered in a control network. The conclusions of these experiments enable network engineers to determine if this defensive technique is appropriate for the quality of …

Consuming Digital Debris In The Plasticene, Stephen R. Parks

Theses and Dissertations

Claims of customization and control by socio-technical industries are altering the role of consumer and producer. These narratives are often misleading attempts to engage consumers with new forms of technology. By addressing capitalist intent, material, and the reproduction limits of 3-D printed objects’, I observe the aspirational promise of becoming a producer of my own belongings through new networks of production. I am interested in gaining a better understanding of the data consumed that perpetuates hyper-consumptive tendencies for new technological apparatuses. My role as a designer focuses on the resolution of not only the surface of the object through 3-D …

Active Response Using Host-Based Intrusion Detection System And Software-Defined Networking, Jonathon S. Goodgion

Theses and Dissertations

This research proposes AHNSR: Active Host-based Network Security Response by utilizing Host-based Intrusion Detection Systems (HIDS) with Software-Defined Networking (SDN) to enhance system security by allowing dynamic active response and reconstruction from a global network topology perspective. Responses include traffic redirection, host quarantining, filtering, and more. A testable SDN-controlled network is constructed with multiple hosts, OpenFlow enabled switches, and a Floodlight controller, all linked to a custom, novel interface for the Open-Source SECurity (OSSEC) HIDS framework. OSSEC is implemented in a server-agent architecture, allowing scalability and OS independence. System effectiveness is evaluated against the following factors: alert density and a …

A Framework For Categorization Of Industrial Control System Cyber Training Environments, Evan G. Plumley

Theses and Dissertations

First responders and professionals in hazardous occupations undergo training and evaluations for the purpose of mitigating risk and damage. For example, helicopter pilots train with multiple categorized simulations that increase in complexity before flying a real aircraft. However in the industrial control cyber incident response domain, where incident response professionals help detect, respond and recover from cyber incidents, no official categorization of training environments exist. To address this gap, this thesis provides a categorization of industrial control training environments based on realism. Four levels of environments are proposed and mapped to Blooms Taxonomy. This categorization will help organizations determine which …

Applying Cyber Threat Intelligence To Industrial Control Systems, Matthew P. Sibiga

Theses and Dissertations

A cybersecurity initiative known as cyber threat intelligence (CTI) has recently been developed and deployed. The overall goal of this new technology is to help protect network infrastructures. Threat intelligence platforms (TIPs) have also been created to help facilitate CTI effectiveness within organizations. There are many benefits that both can achieve within the information technology (IT) sector. The industrial control system (ICS) sector can also benefit from these technologies as most ICS networks are connected to IT networks. CTI and TIPs become resourceful when using indicators of compromise (IOCs) from known ICS malware attacks and an open source intrusion detection …

Applied Hypergame Theory For Network Defense, Alan S. Gibson

Theses and Dissertations

Cyber operations are the most important aspect of military conflicts in the 21st century, but unfortunately they are also among the least understood. The continual battle for network dominance between attackers and defenders is considered to be a complex game. Hypergame theory is an extension of game theory that addresses the kind of games where misperception exists, as is often the case in military engagements. Hypergame theory, like game theory, uses a game model to determine strategy selection, but goes beyond game theory by examining subgames that exist within the full game. The inclusion of misperception and misinformation in the …

Rootkit Detection Using A Cross-View Clean Boot Method, Bridget N. Flatley

Theses and Dissertations

In cyberspace, attackers commonly infect computer systems with malware to gain capabilities such as remote access, keylogging, and stealth. Many malware samples include rootkit functionality to hide attacker activities on the target system. After detection, users can remove the rootkit and associated malware from the system with commercial tools. This research describes, implements, and evaluates a clean boot method using two partitions to detect rootkits on a system. One partition is potentially infected with a rootkit while the other is clean. The method obtains directory listings of the potentially infected operating system from each partition and compares the lists to …

Mobile Network Defense Interface For Cyber Defense And Situational Awareness, James C. Hannan

Theses and Dissertations

Today's computer networks are under constant attack. In order to deal with this constant threat, network administrators rely on intrusion detection and prevention services (IDS) (IPS). Most IDS and IPS implement static rule sets to automatically alert administrators and resolve intrusions. Network administrators face a difficult challenge, identifying attacks against a vast number of benign network transactions. Also after a threat is identified making even the smallest policy change to the security software potentially has far-reaching and unanticipated consequences. Finally, because the administrator is primarily responding to alerts they may lose situational awareness of the network. During this research a …

A Novel Malware Target Recognition Architecture For Enhanced Cyberspace Situation Awareness, Thomas E. Dube

Theses and Dissertations

The rapid transition of critical business processes to computer networks potentially exposes organizations to digital theft or corruption by advanced competitors. One tool used for these tasks is malware, because it circumvents legitimate authentication mechanisms. Malware is an epidemic problem for organizations of all types. This research proposes and evaluates a novel Malware Target Recognition (MaTR) architecture for malware detection and identification of propagation methods and payloads to enhance situation awareness in tactical scenarios using non-instruction-based, static heuristic features. MaTR achieves a 99.92% detection accuracy on known malware with false positive and false negative rates of 8.73e-4 and 8.03e-4 respectively. …

Holistic Network Defense: Fusing Host And Network Features For Attack Classification, Jenny W. Ji

Theses and Dissertations

This work presents a hybrid network-host monitoring strategy, which fuses data from both the network and the host to recognize malware infections. This work focuses on three categories: Normal, Scanning, and Infected. The network-host sensor fusion is accomplished by extracting 248 features from network traffic using the Fullstats Network Feature generator and from the host using text mining, looking at the frequency of the 500 most common strings and analyzing them as word vectors. Improvements to detection performance are made by synergistically fusing network features obtained from IP packet flows and host features, obtained from text mining port, processor, logon …

Malicious And Malfunctioning Node Detection Via Observed Physical Layer Data, Tyler J. Hardy

Theses and Dissertations

There are many mechanisms that can cause inadequate or unreliable information in sensor networks. A user of the network might be interested in detecting and classifying specific sensors nodes causing these problems. Several network layer based trust methods have been developed in previous research to assess these issues; in contrast this work develops a trust protocol based on observations of physical layer data collected by the sensors. Observations of physical layer data are used for decisions and calculations, and are based on just the measurements collected by the sensors. Although this information is packaged and distributed on the network layer, …

A Multi Agent System For Flow-Based Intrusion Detection Using Reputation And Evolutionary Computation, David Hancock

Theses and Dissertations

The rising sophistication of cyber threats as well as the improvement of physical computer network properties present increasing challenges to contemporary Intrusion Detection (ID) techniques. To respond to these challenges, a multi agent system (MAS) coupled with flow-based ID techniques may effectively complement traditional ID systems. This paper develops: 1) a scalable software architecture for a new, self-organized, multi agent, flow-based ID system; and 2) a network simulation environment suitable for evaluating implementations of this MAS architecture and for other research purposes. Self-organization is achieved via 1) a reputation system that influences agent mobility in the search for effective vantage …

Polarimetric Enhancements To Electro-Optical Aided Navigation Techniques, Jeremiah D. Johnson

Theses and Dissertations

Navigation in indoor and urban environments by small unmanned systems is a topic of interest for the Air Force. The Advanced Navigation Technology Center at the Air Force Institute of Technology is continually looking for novel approaches to navigation in GPS deprived environments. Inertial sensors have been coupled with image aided concepts, such as feature tracking, with good results. However, feature density in areas with large, flat, smooth surfaces tends to be low. Polarimetric sensors have been used for surface reconstruction, surface characterization and outdoor navigation. This thesis combines aspects of some of these algorithms along with a realistic, micro-facet …

Spear Phishing Attack Detection, David T. Merritt

Theses and Dissertations

This thesis addresses the problem of identifying email spear phishing attacks, which are indicative of cyber espionage. Spear phishing consists of targeted emails sent to entice a victim to open a malicious file attachment or click on a malicious link that leads to a compromise of their computer. Current detection methods fail to detect emails of this kind consistently. The SPEar phishing Attack Detection system (SPEAD) is developed to analyze all incoming emails on a network for the presence of spear phishing attacks. SPEAD analyzes the following file types: Windows Portable Executable and Common Object File Format (PE/COFF), Adobe Reader, …

Evaluating Information Assurance Control Effectiveness On An Air Force Supervisory Control And Data Acquisition (Scada) System, Jason R. Nielsen

Theses and Dissertations

Supervisory Control and Data Acquisition (SCADA) systems are increasingly being connected to corporate networks which has dramatically expanded their attack surface to remote cyber attack. Adversaries are targeting these systems with increasing frequency and sophistication. This thesis seeks to answer the research question addressing which Information Assurance (IA) controls are most significant for network defenders and SCADA system managers/operators to focus on in order to increase the security of critical infrastructure systems against a Stuxnet-like cyber attack. This research applies the National Institute of Science and Technology (NIST) IA controls to an attack tree modeled on a remote Stuxnet-like cyber …

Hijacking User Uploads To Online Persistent Data Repositories For Covert Data Exfiltration, Curtis P. Barnard

Theses and Dissertations

As malware has evolved over the years, it has gone from harmless programs that copy themselves into other executables to modern day botnets that perform bank fraud and identity theft. Modern malware often has a need to communicate back to the author, or other machines that are also infected. Several techniques for transmitting this data covertly have been developed over the years which vary significantly in their level of sophistication. This research creates a new covert channel technique for stealing information from a network by piggybacking on user-generated network traffic. Specifically, steganography drop boxes and passive covert channels are merged …