Claude Fachkha | New York University

Papers by Claude Fachkha

Strategic Placement of Data Centers for Economic Analysis: An Online Algorithm Approach

Feature Analysis and Classification of Collusive Android App-Pairs Using DBSCAN Clustering Algorithm

A Gamification Architecture to Enhance Phishing Awareness

Feature Engineering Considerations in IoT: A Case Study

Carthago Delenda Est: Co-opetitive Indirect Information Diffusion Model for Influence Operations on Online Social Media

arXiv (Cornell University), Feb 2, 2024

For a state or non-state actor whose credibility is bankrupt, relying on bots to conduct non-attributable, non-accountable, and seemingly-grassroots-but-decentralized-in-actuality influence/information operations (info ops) on social media can help circumvent the issue of trust deficit while advancing its interests. Planning and/or defending against decentralized info ops can be aided by computational simulations in lieu of ethically-fraught live experiments on social media. In this study, we introduce Diluvsion, an agent-based model for contested information propagation efforts on Twitter-like social media. The model emphasizes a user's belief in an opinion (stance) being impacted by the perception of potentially illusory popular support from constant incoming floods of indirect information, floods that can be cooperatively engineered in an uncoordinated manner by bots as they compete to spread their stances. Our model, which has been validated against real-world data, is an advancement over previous models because we account for engagement metrics in influencing stance adoption, non-social tie spreading of information, neutrality as a stance that can be spread, and themes that are analogous to media's framing effect and are symbiotic with respect to stance propagation. The strengths of the Diluvsion model are demonstrated in simulations of orthodox info ops, e.g., maximizing adoption of one stance; creating echo chambers; inducing polarization; and unorthodox info ops, e.g., simultaneous support of multiple stances as a Trojan horse tactic for the dissemination of a theme.

Characterizing Mobile Money Phishing Using Reinforcement Learning

IEEE Access, Dec 31, 2022

Mobile money helps people accumulate, send and receive money using their mobile phones without having a bank account (e.g., in some African countries). Such technology is heavily and efficiently used in many areas where bank services are unavailable and/or in crisis (e.g., during the COVID-19 pandemic) when transportation and services are limited. However, malicious users such as scammers have leveraged social engineering techniques to abuse mobile money services through scams and frauds, among others. Existing countermeasures, which are specific to mobile money security, mostly ignore the dynamic aspect of interactions between the malicious party and the victim. Considering the above insufficiency, this paper proposes a new approach to characterize mobile money phishing attacks based on reinforcement learning (RL) through Q-learning and Markov decision processes (MDP) and on deep reinforcement learning (DRL) through DRL algorithms, namely Deep SARSA, Advantage Actor-Critic (A2C), Deep Deterministic Policy Gradient (DDPG), and Deep Q-learning (DQN). In fact, the proposed approach models the optimal sequences of attacker actions to achieve their goals through reinforcement learning and deep reinforcement learning methods. We experiment on real attack scenarios that have been encountered at Orange and MTN telecoms. Furthermore, we compared reinforcement learning and deep reinforcement learning algorithms to each other and thereby demonstrated the difference between them. This analysis showed a better performance in learning with RL. We also deduced that Q-learning takes less execution time than CDM and therefore its learning quality is better for characterizing mobile money phishing attacks. Finally, we found that some deep reinforcement learning algorithms, such as Deep SARSA and A2C, can improve the characterization of scammer-victim interactions during mobile payments.

How to Tame Pre-Trained Transformers for Authorship Verification

Stability analysis of new generalized mean-square stochastic fractional differential equations and their applications in technology

AIMS Mathematics

Stability theory has significant applications in technology, especially in control systems. On the other hand, the newly defined generalized mean-square stochastic fractional (GMSF) operators are particularly interesting in control theory and systems due to their various controllable parameters. Thus, the combined study of stability theory and GMSF operators becomes crucial. In this research work, we construct a new class of GMSF differential equations and provide a rigorous proof of the existence of their solutions. Furthermore, we investigate the stability of these solutions using the generalized Ulam-Hyers-Rassias stability criterion. Some examples are also provided to demonstrate the effectiveness of the proposed approach in solving fractional differential equations (FDEs) and evaluating their stability. The paper concludes by discussing potential applications of the proposed results in technology and outlining avenues for future research.

Security Monitoring of the Cyber Space

Advances in digital crime, forensics, and cyber terrorism book series, 2015

Billions of users utilize the largest and most complex network of information, namely the Internet. Despite the fact that this IT critical infrastructure provides various communication services, adversaries are abusing Internet security and privacy to execute cyber attacks for various reasons. To cope with these threats, security operators utilize various security tools and techniques to monitor the cyber space. An efficient way to monitor and infer threat activities online is to collect information from trap-based monitoring sensors. This chapter primarily defines the cyberspace trap-based monitoring systems and their taxonomies. Moreover, it presents the state-of-the-art in terms of research contributions and techniques, tools and technologies. Furthermore, it identifies the gaps in terms of science and technology. Additionally, it presents some case studies and practical approaches corresponding to large-scale cyber monitoring systems such as Nicter. In this context, we further present some related security policies and legal issues on network monitoring. In a nutshell, the chapter aims to provide an overview of the Internet monitoring space and provides a guideline for readers to help them understand the concepts of observing, detecting and analyzing cyber attacks through network traps.

Inferring internet-scale infections by correlating malware and probing activities

This paper presents a new approach to infer malware-infected machines by solely analyzing their generated probing activities. Contrary to other adopted methods, the proposed approach does not rely on symptoms of infection to detect compromised machines. This allows the inference of malware infection at very early stages of contamination. The approach aims at detecting whether the machines are infected or not as well as pinpointing the exact malware type/family, if the machines were found to be compromised. The latter insights allow network security operators of diverse organizations, Internet service providers and backbone networks to promptly detect their clients' compromised machines in addition to effectively providing them with tailored anti-malware/patch solutions. To achieve the intended goals, the proposed approach exploits the darknet Internet space and employs statistical methods to infer large-scale probing activities. Subsequently, such activities are correlated with malware samples by leveraging fuzzy hashing and entropy-based techniques. The proposed approach is empirically evaluated using 60 GB of real darknet traffic and 65 thousand real malware samples. The results concur that the rationale of exploiting probing activities for worldwide early malware infection detection is indeed very promising. Further, the results demonstrate that the extracted inferences exhibit noteworthy accuracy and can generate significant cyber security insights that could be used for effective mitigation.

On Inferring and Characterizing Large-Scale Probing and DDoS Campaigns

Springer eBooks, Aug 13, 2017

The explosive growth, complexity, adoption, and dynamism of cyberspace over the last decade have radically altered the globe. A plethora of nations have been at the very forefront of this change, fully embracing the opportunities provided by the advancements in science and technology in order to fortify the economy and to increase the productivity of everyday life. However, the significant dependence on cyberspace has indeed brought new risks that often compromise, exploit, and damage invaluable data and systems. Thus, the capability to proactively infer malicious activities is of paramount importance. In this context, generating cyber threat intelligence related to probing/scanning and Distributed Denial of Service (DDoS) activities is an effective tactic to achieve the latter.

Internet-scale Probing of CPS: Inference, Characterization and Orchestration Analysis

Although the security of Cyber-Physical Systems (CPS) has been recently receiving significant attention from the research community, undoubtedly, there still exists a substantial lack of a comprehensive and holistic understanding of attackers' malicious strategies, aims and intentions. To this end, this paper uniquely exploits passive monitoring and analysis of a newly deployed network telescope IP address space in a first attempt ever to build broad notions of real CPS maliciousness. Specifically, we approach this problem by inferring, investigating, characterizing and reporting large-scale probing activities that specifically target more than 20 diverse, heavily employed CPS protocols. To permit such analysis, we initially devise and evaluate a novel probabilistic model that aims at filtering noise that is embedded in network telescope traffic. Subsequently, we generate amalgamated statistics, inferences and insights characterizing such inferred scanning activities in terms of their probe types, the distribution of their sources and their packets' headers, among numerous others, in addition to examining and visualizing the co-occurrence patterns of such events. Further, we propose and empirically evaluate an innovative hybrid approach rooted in time-series analysis and context triggered piecewise hashing to infer, characterize and cluster orchestrated and well-coordinated probing activities targeting CPS protocols, which are generated from Internet-scale unsolicited sources. Our analysis and evaluations, which draw upon extensive network telescope data observed over a recent one-month period, demonstrate a staggering 33 thousand probes towards a wide range of CPS protocols, the lack of interest in UDP-based CPS services, and the prevalence of probes towards the ICCP and Modbus protocols. Additionally, we infer that a considerable 74% of CPS probes were persistent throughout the entire analyzed period, targeting prominent protocols such as DNP3 and BACnet. Further, we uncover close to 9 thousand large-scale, stealthy, previously undocumented orchestrated probing events targeting a number of such CPS protocols. We validate the various outcomes through cross-validations against publicly available threat repositories. We concur that the devised approaches, techniques, and methods provide a solid first step towards better comprehending real CPS unsolicited objectives and intents.

On the inference and prediction of DDoS campaigns

Wireless Communications and Mobile Computing, Aug 6, 2014

This work proposes a distributed denial-of-service (DDoS) inference and forecasting model that aims at providing insights to organizations, security operators, and emergency response teams during and after a DDoS attack. Specifically, our work strives to predict, within minutes, the attacks' features, namely intensity/rate (packets/second) and size (estimated number of used compromised machines/bots). The goal is to understand the future short-term trend of the ongoing DDoS attack in terms of those features and thus provide the capability to recognize the current as well as future similar situations and hence appropriately respond to the threat. Further, our work aims at investigating DDoS campaigns by proposing a clustering approach to infer various victims targeted by the same campaign and predicting related features. Our analysis employs real darknet data to explore the feasibility of applying the inference and forecasting models on DDoS attacks and evaluate the accuracy of the predictions. To achieve our goal, our proposed approach leverages a number of time series and fluctuation analysis techniques, statistical methods, and forecasting approaches. The extracted inferences from various DDoS case studies exhibit a promising accuracy reaching at some points less than 1% error rate. Further, our approach could lead to a better understanding of the scale, speed, and size of DDoS attacks and generates inferences that could be adopted for immediate response and mitigation. Moreover, the accumulated insights could be used for the purpose of long-term large-scale DDoS analysis.

Cyber Threat Investigation of SCADA Modbus Activities

The inter-connectivity of Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) networks in smart technologies has exposed them to a large variety of security threats. Furthermore, very few investigations are done in this field from the Internet (cyber) perspective. Therefore, this paper investigates unauthorized, malicious and suspicious SCADA activities by leveraging the darknet address space. In particular, this work investigates the Modbus service, which is a de facto standard protocol for communication and the most widely available and used protocol for connecting electronic devices in critical and industrial infrastructures. This study is based on real Internet data collected throughout a one-month period. Among the 8 inferred scanning activities, we find that the TCP distributed portscan is the only non-typical Modbus scan. Furthermore, our analyses fingerprint a large variety of Modbus scanners and uncover 6 other services that tag along with Modbus 74% of the time. Finally, we list case studies related to synchronized and automated SCADA scanning campaigns originating from unknown sources.
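The two darknet analyses that the abstracts above rely on, backscatter-based inference of DDoS victims ("On the inference and prediction of DDoS campaigns") and the co-occurrence of other probed services with Modbus ("Cyber Threat Investigation of SCADA Modbus Activities"), reduce to a small amount of packet triage once one accepts the telescope premise: nobody on an unused prefix initiates traffic, so every packet that arrives is either an unsolicited probe or a reply to a spoofed request. The following is an added example written for this page, not code from any of the papers; the telescope prefix (RFC 5737 documentation space), the packet record format and the capture are constructed for the example, and the papers' own statistical, fingerprinting and forecasting models are not reproduced here.

```python
"""Telescope (darknet) triage: backscatter-based DDoS inference and Modbus scanner profiling.

Added example; the packets below are constructed, not data from the papers above.
"""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

# Hypothetical telescope prefix (RFC 5737 documentation space): an assumption of this example.
TELESCOPE = ipaddress.ip_network("203.0.113.0/24")


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since capture start
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    flags: str = ""  # TCP flags as letters: "S", "SA", "R", "RA"


def classify(pkt: Packet) -> str:
    """Say how a packet could have reached an address nobody uses.

    No host on the telescope ever sends a SYN, so a SYN-ACK or RST landing there
    can only be a victim answering SYNs that were spoofed with telescope addresses
    as sources: backscatter from a SYN flood. A lone SYN or a UDP datagram is an
    unsolicited probe from a scanner.
    """
    if pkt.proto == "tcp":
        if "R" in pkt.flags or ("S" in pkt.flags and "A" in pkt.flags):
            return "backscatter"
        if pkt.flags == "S":
            return "probe"
        return "other"
    if pkt.proto == "udp":
        return "probe"
    return "other"


def _on_telescope(pkts):
    # Anything addressed outside the monitored prefix is not unsolicited by construction.
    return (p for p in pkts if ipaddress.ip_address(p.dst) in TELESCOPE)


def infer_ddos_victims(pkts, min_packets=3):
    """Group backscatter by its sender (the flooded host) and estimate attack features.

    Returns {victim: {"packets", "rate_pps", "spoofed_addrs"}}. rate_pps is the
    backscatter rate seen by the telescope, which is only the share of the flood
    whose spoofed sources fell inside the monitored prefix; spoofed_addrs is the
    number of distinct telescope addresses used as spoofed sources, a spread
    indicator rather than a bot count.
    """
    per_victim = defaultdict(list)
    for p in _on_telescope(pkts):
        if classify(p) == "backscatter":
            per_victim[p.src].append(p)
    result = {}
    for victim, hits in per_victim.items():
        if len(hits) < min_packets:
            continue  # a single stray RST is noise, not a flood
        span = max(h.ts for h in hits) - min(h.ts for h in hits)
        rate = len(hits) / span if span > 0 else float(len(hits))  # one-second window if all hits share a timestamp
        result[victim] = {
            "packets": len(hits),
            "rate_pps": round(rate, 3),
            "spoofed_addrs": len({h.dst for h in hits}),
        }
    return result


def modbus_cooccurrence(pkts, modbus_port=502):
    """Which other TCP ports do Modbus scanners probe, and what share of them do so?

    Returns (number_of_modbus_scanners, {port: fraction_of_modbus_scanners_probing_it}).
    """
    ports_by_src = defaultdict(set)
    for p in _on_telescope(pkts):
        if p.proto == "tcp" and classify(p) == "probe":
            ports_by_src[p.src].add(p.dport)
    scanners = [s for s, ports in ports_by_src.items() if modbus_port in ports]
    tally = Counter()
    for s in scanners:
        tally.update(ports_by_src[s] - {modbus_port})
    fractions = {port: n / len(scanners) for port, n in tally.items()}
    return len(scanners), fractions


# Constructed sample capture (not telescope data from the papers).
SAMPLE = [
    # SYN-ACKs from 198.51.100.10:80 to five telescope addresses: backscatter of a SYN flood on that host
    *[Packet(0.5 * i, "198.51.100.10", f"203.0.113.{10 + i}", "tcp", 80, 40000 + i, "SA") for i in range(5)],
    # one stray RST, below the evidence threshold
    Packet(1.0, "198.51.100.20", "203.0.113.99", "tcp", 443, 51000, "RA"),
    # Modbus scanner that also probes ICCP (102) and DNP3 (20000)
    Packet(2.0, "192.0.2.5", "203.0.113.1", "tcp", 55000, 502, "S"),
    Packet(2.1, "192.0.2.5", "203.0.113.1", "tcp", 55001, 102, "S"),
    Packet(2.2, "192.0.2.5", "203.0.113.2", "tcp", 55002, 20000, "S"),
    # Modbus scanner that adds only ICCP
    Packet(3.0, "192.0.2.6", "203.0.113.7", "tcp", 43000, 502, "S"),
    Packet(3.1, "192.0.2.6", "203.0.113.8", "tcp", 43001, 102, "S"),
    # Telnet-only scanner: not a Modbus scanner, must not be counted
    Packet(4.0, "192.0.2.7", "203.0.113.9", "tcp", 43002, 23, "S"),
    # Modbus SYN to an address outside the telescope: not unsolicited, ignored
    Packet(4.5, "192.0.2.8", "198.51.100.1", "tcp", 43003, 502, "S"),
]

if __name__ == "__main__":
    print(infer_ddos_victims(SAMPLE))
    print(modbus_cooccurrence(SAMPLE))
```

On the sample capture the flooded host 198.51.100.10 is reported with 5 backscatter packets over 2 seconds (2.5 packets/second on the telescope) spread over 5 spoofed addresses, the lone RST is dropped, and ICCP (TCP/102) co-occurs with all Modbus scanners while DNP3 (TCP/20000) co-occurs with half of them. The `min_packets` threshold and the "one-second window" fallback are the two places where a real deployment needs tuning: a telescope that sees only one RST per victim is below any usable evidence level, and rate estimates over a single timestamp are meaningless.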

Towards a Forecasting Model for Distributed Denial of Service Activities

Darknet as a Source of Cyber Intelligence: Survey, Taxonomy, and Characterization

IEEE Communications Surveys and Tutorials, 2016

Today, the Internet security community is largely emphasizing cyberspace monitoring for the purpose of generating cyber intelligence. In this paper, we present a survey on darknet. The latter is an effective approach to observe Internet activities and cyber attacks via passive monitoring. We primarily define and characterize darknet and indicate its alternative names. We further list other trap-based monitoring systems and compare them to darknet. Moreover, in order to provide realistic measures and analysis of darknet information, we report case studies, namely, the Conficker worm in 2008 and 2009, the Sality SIP scan botnet in 2011 and the largest amplification attack in 2014. Finally, we provide a taxonomy in relation to darknet technologies and identify research gaps that are related to three main darknet categories: deployment, traffic analysis, and visualization. Darknet projects are found to monitor various cyber threat activities and are distributed in one third of the global Internet. We further identify that Honeyd is probably the most practical tool to implement darknet sensors, and future deployment of darknet will include mobile-based VoIP technology. In addition, as far as darknet analysis is considered, computer worms and scanning activities are found to be the most common threats that can be investigated through darknet; Code Red and Slammer/Sapphire are the most analyzed worms. Furthermore, our study uncovers various gaps in darknet research. For instance, less than 1% of the contributions tackled Distributed Reflection Denial of Service (DRDoS) amplification investigations and at most 2% of research works pinpointed spoofing activities. Last but not least, our survey identifies specific darknet areas, such as IPv6 darknet, event monitoring and game engine visualization methods, that require a significantly greater amount of attention from the research community.

Darknet as a Source of Cyber Threat Intelligence: Investigating Distributed and Reflection Denial of Service Attacks

Cyberspace has become a massive battlefield between computer criminals and computer security experts. In addition, large-scale cyber attacks have enormously matured and became capable of generating, in a prompt manner, significant interruptions and damage to Internet resources and infrastructure. Denial of Service (DoS) attacks are perhaps the most prominent and severe types of such large-scale cyber attacks. Furthermore, the existence of widely available encryption and anonymity techniques

The Age of Ransomware: A Survey on the Evolution, Taxonomy, and Research Directions

IEEE Access, 2023

The proliferation of ransomware has become a significant threat to cybersecurity in recent years, causing significant financial, reputational, and operational damage to individuals and organizations. This paper aims to provide a comprehensive overview of the evolution of ransomware, its taxonomy, and its state-of-the-art research contributions. We begin by tracing the origins of ransomware and its evolution over time, highlighting the key milestones and major trends. Next, we propose a taxonomy of ransomware that categorizes different types of ransomware based on their characteristics and behavior. Subsequently, we review the existing research over several years in regard to detection, prevention, mitigation, and prediction techniques. Our extensive analysis, based on more than 150 references, has revealed that significant research, specifically 72.8%, has focused on detecting ransomware. However, a lack of emphasis has been placed on predicting ransomware. Additionally, of the studies focused on ransomware detection, a significant portion, 70%, have utilized Machine Learning methods. This study uncovers a range of shortcomings in research pertaining to real-time protection and identifying zero-day ransomware, and two issues specific to Machine Learning models. Adversarial machine learning exploitation and concept drift have been identified as under-researched areas in the field. This survey is a constructive roadmap for researchers interested in ransomware research matters.

Index Terms: Ransomware, malware analysis, machine learning, deep learning, cyber attacks, adversarial machine learning.

ChargePrint: A Framework for Internet-Scale Discovery and Security Analysis of EV Charging Management Systems

Electric Vehicle Charging Management Systems (EVCMS) are a collection of specialized software that allows users to remotely operate Electric Vehicle Charging Stations (EVCS). With the increasing number of deployed EVCS to support the growing global EV fleet, the number of EVCMS is consequently growing, which introduces a new attack surface. In this paper, we propose a novel multi-stage framework, ChargePrint, to discover Internet-connected EVCMS and investigate their security posture. ChargePrint leverages identifiers extracted from a small seed of EVCMS to extend the capabilities of device search engines through iterative fingerprinting and a combination of classification and clustering approaches. Using initial seeds from 1,800 discovered hosts that deployed 9 distinct EVCMS, we identified 27,439 online EVCS instrumented by 44 unique EVCMS. Consequently, our in-depth security analysis highlights the insecurity of the deployed EVCMS by uncovering 120 zero-day vulnerabilities, which shed light on the feasibility of cyber attacks against the EVCS, its users, and the connected power grid. Finally, while we recommend countermeasures to mitigate future threats, we contribute to the security of the EVCS ecosystem by conducting a Coordinated Vulnerability Disclosure (CVD) effort with system developers/vendors, who acknowledged the discovered vulnerabilities and assigned them more than 20 CVE IDs.

Data-Driven Intelligence for Characterizing Internet-Scale IoT Exploitations

While the security issue associated with the Internet-of-Things (IoT) continues to attract significant attention from the research and operational communities, the lack of visibility into IoT security-related data hinders the prompt inference and remediation of IoT maliciousness. In an effort to address the IoT security problem at large, in this work, we extend passive monitoring and measurements by investigating network telescope data to infer and analyze malicious activities generated by compromised IoT devices deployed in various domains. Explicitly, we develop a data-driven approach to pinpoint exploited IoT devices, investigate and differentiate their illicit actions, and examine their hosting environments. More importantly, we conduct discussions with various entities to obtain IP allocation information, which further allows us to attribute IoT exploitations per business sector (e.g., education, financial, manufacturing, etc.). Our analysis draws upon 1.2 TB of darknet data that was collected from a /8 network telescope for a 1 day period. The outcome signifies an alarming number of compromised IoT devices. Notably, around 940 of them fell victim to DDoS attacks, while 55,000 IoT nodes were shown to be compromised, aggressively probing Internet-wide hosts. Additionally, we inferred alarming IoT exploitations in various critical sectors such as the manufacturing, financial and healthcare realms.

Research paper thumbnail of Strategic Placement of Data Centers for Economic Analysis: An Online Algorithm Approach

Research paper thumbnail of Feature Analysis and Classification of Collusive Android App-Pairs Using DBSCAN Clustering Algorithm

Research paper thumbnail of A Gamification Architecture to Enhance Phishing Awareness

Research paper thumbnail of Feature Engineering Considerations in IoT: A Case Study

Research paper thumbnail of Carthago Delenda Est: Co-opetitive Indirect Information Diffusion Model for Influence Operations on Online Social Media

arXiv (Cornell University), Feb 2, 2024

For a state or non-state actor whose credibility is bankrupt, relying on bots to conduct non-attr... more For a state or non-state actor whose credibility is bankrupt, relying on bots to conduct non-attributable, non-accountable, and seemingly-grassroots-but-decentralized-in-actuality influence/information operations (info ops) on social media can help circumvent the issue of trust deficit while advancing its interests. Planning and/or defending against decentralized info ops can be aided by computational simulations in lieu of ethically-fraught live experiments on social media. In this study, we introduce Diluvsion, an agent-based model for contested information propagation efforts on Twitter-like social media. The model emphasizes a user's belief in an opinion (stance) being impacted by the perception of potentially illusory popular support from constant incoming floods of indirect information, floods that can be cooperatively engineered in an uncoordinated manner by bots as they compete to spread their stances. Our model, which has been validated against real-world data, is an advancement over previous models because we account for engagement metrics in influencing stance adoption, non-social tie spreading of information, neutrality as a stance that can be spread, and themes that are analogous to media's framing effect and are symbiotic with respect to stance propagation. The strengths of the Diluvsion model are demonstrated in simulations of orthodox info ops, e.g., maximizing adoption of one stance; creating echo chambers; inducing polarization; and unorthodox info ops, e.g., simultaneous support of multiple stances as a Trojan horse tactic for the dissemination of a theme.

Research paper thumbnail of Characterizing Mobile Money Phishing Using Reinforcement Learning

IEEE Access, Dec 31, 2022

Mobile money helps people accumulate, send and receive money using their mobile phones without ha... more Mobile money helps people accumulate, send and receive money using their mobile phones without having a bank account (i.e., in some African countries). Such technology is heavily and efficiently used in many areas where bank services are unavailable and/or in crisis (i.e., during the Covid-19 pandemic) when transportation and services are limited. However, malicious users such as scammers have leveraged social engineering techniques to abuse mobile money services through scams, and frauds, among others. Existing countermeasures, which are specific to mobile money security, mostly ignore the dynamic aspect of interactions between the malicious party and the victim. Considering the above insufficiency, this paper proposes a new approach to characterize mobile money phishing attacks based on reinforcement learning (RL) through Q−learning and Markov decision processes (MDP) and on deep reinforcement learning (DRL) through DRL algorithms, namely, Deep sarsa, Advantage Actor-Critic (A2C), Deep Deterministic Policy Gradient (DDPG), and Deep Q-learning (DQN). In fact, the proposed approach models the optimal sequences of attacker actions to achieve their goals through reinforcement learning and deep reinforcement methods. We experiment on real attack scenarios that have been encountered at Orange and MTN telecoms. Furthermore, we compared reinforcement learning and deep reinforcement learning algorithms to each other and thereby demonstrated the difference between them. This analysis showed a better performance in learning with RL. We also deduced that Q− learning takes less execution time than CDM and therefore its learning quality is better for characterizing mobile money phishing attacks. Finally, we found that some deep reinforcement algorithms, such as Deep Sarsa and A2C, can improve the characterization of scammervictim interactions during mobile payments.

Research paper thumbnail of How to Tame Pre-Trained Transformers for Authorship Verification

Research paper thumbnail of Stability analysis of new generalized mean-square stochastic fractional differential equations and their applications in technology

AIMS Mathematics

Stability theory has significant applications in technology, especially in control systems. On th... more Stability theory has significant applications in technology, especially in control systems. On the other hand, the newly defined generalized mean-square stochastic fractional (GMSF) operators are particularly interesting in control theory and systems due to their various controllable parameters. Thus, the combined study of stability theory and GMSF operators becomes crucial. In this research work, we construct a new class of GMSF differential equations and provide a rigorous proof of the existence of their solutions. Furthermore, we investigate the stability of these solutions using the generalized Ulam-Hyers-Rassias stability criterion. Some examples are also provided to demonstrate the effectiveness of the proposed approach in solving fractional differential equations (FDEs) and evaluating their stability. The paper concludes by discussing potential applications of the proposed results in technology and outlining avenues for future research.

Research paper thumbnail of Security Monitoring of the Cyber Space

Advances in digital crime, forensics, and cyber terrorism book series, 2015

Billions of users utilize the largest and more complex network of information, namely, the Intern... more Billions of users utilize the largest and more complex network of information, namely, the Internet. Despite the fact that this IT critical infrastructure provides various communication services, adversaries are abusing the Internet security and privacy to execute cyber attacks for various reasons. To cope with these threats, security operators utilize various security tools and techniques to monitor the cyber space. An efficient way to monitor and infer threat activities online is to collect information from trap-based monitoring sensors. This chapter primarily defines the cyberspace trap-based monitoring systems and their taxonomies. Moreover, it presents the state-of-the-art in terms of research contributions and techniques, tools and technologies. Furthermore, it identifies the gaps in terms of science and technology. Additionally, it presents some case studies and practical approaches corresponding to large-scale cyber monitoring systems such as Nicter. In this context, we further present some related security policies and legal issues on network monitoring. In a nutshell, the chapter aims to provide an overview on the Internet monitoring space and provides a guideline for readers to help them understand the concepts of observing, detecting and analyzing cyber attacks through network traps.

Research paper thumbnail of Inferring internet-scale infections by correlating malware and probing activities

This paper presents a new approach to infer malware-infected machines by solely analyzing their generated probing activities. Contrary to other adopted methods, the proposed approach does not rely on symptoms of infection to detect compromised machines. This allows the inference of malware infection at very early stages of contamination. The approach aims at detecting whether the machines are infected or not as well as pinpointing the exact malware type/family, if the machines were found to be compromised. The latter insights allow network security operators of diverse organizations, Internet service providers and backbone networks to promptly detect their clients' compromised machines in addition to effectively providing them with tailored anti-malware/patch solutions. To achieve the intended goals, the proposed approach exploits the darknet Internet space and employs statistical methods to infer large-scale probing activities. Subsequently, such activities are correlated with malware samples by leveraging fuzzy hashing and entropy based techniques. The proposed approach is empirically evaluated using 60 GB of real darknet traffic and 65 thousand real malware samples. The results concur that the rationale of exploiting probing activities for worldwide early malware infection detection is indeed very promising. Further, the results demonstrate that the extracted inferences exhibit noteworthy accuracy and can generate significant cyber security insights that could be used for effective mitigation.

Research paper thumbnail of On Inferring and Characterizing Large-Scale Probing and DDoS Campaigns

Springer eBooks, Aug 13, 2017

The explosive growth, complexity, adoption, and dynamism of cyberspace over the last decade have radically altered the globe. A plethora of nations have been at the very forefront of this change, fully embracing the opportunities provided by the advancements in science and technology in order to fortify the economy and to increase the productivity of everyday life. However, the significant dependence on cyberspace has indeed brought new risks that often compromise, exploit, and damage invaluable data and systems. Thus, the capability to proactively infer malicious activities is of paramount importance. In this context, generating cyber threat intelligence related to probing/scanning and Distributed Denial of Service (DDoS) activities renders an effective tactic to achieve the latter.

Research paper thumbnail of Internet-scale Probing of CPS: Inference, Characterization and Orchestration Analysis

Although the security of Cyber-Physical Systems (CPS) has been recently receiving significant attention from the research community, undoubtedly, there still exists a substantial lack of a comprehensive and holistic understanding of attackers' malicious strategies, aims and intentions. To this end, this paper uniquely exploits passive monitoring and analysis of a newly deployed network telescope IP address space in a first attempt ever to build broad notions of real CPS maliciousness. Specifically, we approach this problem by inferring, investigating, characterizing and reporting large-scale probing activities that specifically target more than 20 diverse, heavily employed CPS protocols. To permit such analysis, we initially devise and evaluate a novel probabilistic model that aims at filtering noise that is embedded in network telescope traffic. Subsequently, we generate amalgamated statistics, inferences and insights characterizing such inferred scanning activities in terms of their probe types, the distribution of their sources and their packets' headers, among numerous others, in addition to examining and visualizing the co-occurrence patterns of such events. Further, we propose and empirically evaluate an innovative hybrid approach rooted in time-series analysis and context triggered piecewise hashing to infer, characterize and cluster orchestrated and well-coordinated probing activities targeting CPS protocols, which are generated from Internet-scale unsolicited sources. Our analysis and evaluations, which draw upon extensive network telescope data observed over a recent one month period, demonstrate a staggering 33 thousand probes towards ample CPS protocols, the lack of interest in UDP-based CPS services, and the prevalence of probes towards the ICCP and Modbus protocols.
Additionally, we infer a considerable 74% of CPS probes that were persistent throughout the entire analyzed period targeting prominent protocols such as DNP3 and BACnet. Further, we uncover close to 9 thousand large-scale, stealthy, previously undocumented orchestrated probing events targeting a number of such CPS protocols. We validate the various outcomes through cross-validations against publicly available threat repositories. We concur that the devised approaches, techniques, and methods provide a solid first step towards better comprehending real CPS unsolicited objectives and intents.

Research paper thumbnail of On the inference and prediction of DDoS campaigns

Wireless Communications and Mobile Computing, Aug 6, 2014

This work proposes a distributed denial-of-service (DDoS) inference and forecasting model that aims at providing insights to organizations, security operators, and emergency response teams during and after a DDoS attack. Specifically, our work strives to predict, within minutes, the attacks' features, namely intensity/rate (packets/second) and size (estimated number of used compromised machines/bots). The goal is to understand the future short-term trend of the ongoing DDoS attack in terms of those features and thus provide the capability to recognize the current as well as future similar situations and hence appropriately respond to the threat. Further, our work aims at investigating DDoS campaigns by proposing a clustering approach to infer various victims targeted by the same campaign and predicting related features. Our analysis employs real darknet data to explore the feasibility of applying the inference and forecasting models on DDoS attacks and evaluate the accuracy of the predictions. To achieve our goal, our proposed approach leverages a number of time series and fluctuation analysis techniques, statistical methods, and forecasting approaches. The extracted inferences from various DDoS case studies exhibit a promising accuracy reaching at some points less than 1% error rate. Further, our approach could lead to a better understanding of the scale, speed, and size of DDoS attacks and generates inferences that could be adopted for immediate response and mitigation. Moreover, the accumulated insights could be used for the purpose of long-term large-scale DDoS analysis.

Research paper thumbnail of Cyber Threat Investigation of SCADA Modbus Activities

The inter-connectivity of Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) networks in smart technologies has exposed them to a large variety of security threats. Furthermore, very few investigations are done in this field from the Internet (cyber) perspective. Therefore, this paper investigates unauthorized, malicious and suspicious SCADA activities by leveraging the darknet address space. In particular, this work investigates the Modbus service, a de facto standard communication protocol that is the most widely available and used to connect electronic devices in critical and industrial infrastructures. This study is based on real Internet data collected throughout a one-month period. Among the 8 various inferred scanning activities, we find that TCP distributed portscan is the only non-typical Modbus scan. Furthermore, our analyses fingerprint a large variety of Modbus scanners and uncover 6 other services that tag along with Modbus 74% of the time. Finally, we list case studies related to synchronized and automated SCADA scanning campaigns originating from unknown sources.

Research paper thumbnail of Towards a Forecasting Model for Distributed Denial of Service Activities

Research paper thumbnail of Darknet as a Source of Cyber Intelligence: Survey, Taxonomy, and Characterization

IEEE Communications Surveys and Tutorials, 2016

Today, the Internet security community largely emphasizes cyberspace monitoring for the purpose of generating cyber intelligence. In this paper, we present a survey on darknet. The latter is an effective approach to observe Internet activities and cyber attacks via passive monitoring. We primarily define and characterize darknet and indicate its alternative names. We further list other trap-based monitoring systems and compare them to darknet. Moreover, in order to provide realistic measures and analysis of darknet information, we report case studies, namely, Conficker worm in 2008 and 2009, Sality SIP scan botnet in 2011 and the largest amplification attack in 2014. Finally, we provide a taxonomy in relation to darknet technologies and identify research gaps that are related to three main darknet categories: deployment, traffic analysis, and visualization. Darknet projects are found to monitor various cyber threat activities and are distributed in one third of the global Internet. We further identify that Honeyd is probably the most practical tool to implement darknet sensors, and future deployment of darknet will include mobile-based VOIP technology. In addition, as far as darknet analysis is considered, computer worms and scanning activities are found to be the most common threats that can be investigated throughout darknet; Code Red and Slammer/Sapphire are the most analyzed worms. Furthermore, our study uncovers various gaps in darknet research. For instance, less than 1% of the contributions tackled Distributed Reflection Denial of Service (DRDoS) amplification investigations and at most 2% of research works pinpointed spoofing activities.
Last but not least, our survey identifies specific darknet areas, such as IPv6 darknet, event monitoring and game engine visualization methods, that require a significantly greater amount of attention from the research community.

Research paper thumbnail of Darknet as a Source of Cyber Threat Intelligence: Investigating Distributed and Reflection Denial of Service Attacks

Cyberspace has become a massive battlefield between computer criminals and computer security experts. In addition, large-scale cyber attacks have enormously matured and became capable of generating, in a prompt manner, significant interruptions and damage to Internet resources and infrastructure. Denial of Service (DoS) attacks are perhaps the most prominent and severe types of such large-scale cyber attacks. Furthermore, the existence of widely available encryption and anonymity techniques

Research paper thumbnail of The Age of Ransomware: A Survey on the Evolution, Taxonomy, and Research Directions

IEEE Access, 2023

The proliferation of ransomware has become a significant threat to cybersecurity in recent years, causing significant financial, reputational, and operational damage to individuals and organizations. This paper aims to provide a comprehensive overview of the evolution of ransomware, its taxonomy, and its state-of-the-art research contributions. We begin by tracing the origins of ransomware and its evolution over time, highlighting the key milestones and major trends. Next, we propose a taxonomy of ransomware that categorizes different types of ransomware based on their characteristics and behavior. Subsequently, we review the existing research over several years in regard to detection, prevention, mitigation, and prediction techniques. Our extensive analysis, based on more than 150 references, has revealed that significant research, specifically 72.8%, has focused on detecting ransomware. However, a lack of emphasis has been placed on predicting ransomware. Additionally, of the studies focused on ransomware detection, a significant portion, 70%, have utilized Machine Learning methods. This study uncovers a range of shortcomings in research pertaining to real-time protection and identifying zero-day ransomware, and two issues specific to Machine Learning models. Adversarial machine learning exploitation and concept drift have been identified as under-researched areas in the field. This survey is a constructive roadmap for researchers interested in ransomware research matters.

INDEX TERMS: Ransomware, malware analysis, machine learning, deep learning, cyber attacks, adversarial machine learning.

Research paper thumbnail of ChargePrint: A Framework for Internet-Scale Discovery and Security Analysis of EV Charging Management Systems

Electric Vehicle Charging Management Systems (EVCMS) are a collection of specialized software that allows users to remotely operate Electric Vehicle Charging Stations (EVCS). With the increasing number of deployed EVCS to support the growing global EV fleet, the number of EVCMS is consequently growing, which introduces a new attack surface. In this paper, we propose a novel multi-stage framework, ChargePrint, to discover Internet-connected EVCMS and investigate their security posture. ChargePrint leverages identifiers extracted from a small seed of EVCMS to extend the capabilities of device search engines through iterative fingerprinting and a combination of classification and clustering approaches. Using initial seeds from 1,800 discovered hosts that deployed 9 distinct EVCMS, we identified 27,439 online EVCS instrumented by 44 unique EVCMS. Consequently, our in-depth security analysis highlights the insecurity of the deployed EVCMS by uncovering 120 0-day vulnerabilities, which shed light on the feasibility of cyber attacks against the EVCS, its users, and the connected power grid. Finally, while we recommend countermeasures to mitigate future threats, we contribute to the security of the EVCS ecosystem by conducting a Coordinated Vulnerability Disclosure (CVD) effort with system developers/vendors who acknowledged the discovered vulnerabilities and assigned them more than 20 CVE-IDs.

Research paper thumbnail of Data-Driven Intelligence for Characterizing Internet-Scale IoT Exploitations

While the security issue associated with the Internet-of-Things (IoT) continues to attract significant attention from the research and operational communities, the limited visibility of IoT security-related data hinders the prompt inference and remediation of IoT maliciousness. In an effort to address the IoT security problem at large, in this work, we extend passive monitoring and measurements by investigating network telescope data to infer and analyze malicious activities generated by compromised IoT devices deployed in various domains. Explicitly, we develop a data-driven approach to pinpoint exploited IoT devices, investigate and differentiate their illicit actions, and examine their hosting environments. More importantly, we conduct discussions with various entities to obtain IP allocation information, which further allows us to attribute IoT exploitations per business sector (i.e., education, financial, manufacturing, etc.). Our analysis draws upon 1.2 TB of darknet data that was collected from a /8 network telescope for a 1 day period. The outcome signifies an alarming number of compromised IoT devices. Notably, around 940 of them fell victim to DDoS attacks, while 55,000 IoT nodes were shown to be compromised, aggressively probing Internet-wide hosts. Additionally, we inferred alarming IoT exploitations in various critical sectors such as the manufacturing, financial and healthcare realms.