Identifying and Modelling Victim, Business, Regulatory and Malware Behaviours in a Changing Cyberthreat Landscape

Lead Research Organisation: Cardiff University
Department Name: Computer Science

Abstract

HM Cabinet Office and Detica reported in 2011 that the annual cost to the UK economy from cybercrime was £27 billion. Regardless of the accuracy of this estimate, the British Crime Survey and the Eurostat ICT survey show that cybercrime is now the typical volume property crime in the UK, affecting more of the public than traditional acquisitive crimes such as burglary and car theft. Because of its global nature, similar estimates of the prevalence and losses of cybercrime are found in most other countries. However, whilst most politicians, police and business leaders agree that cybercrime is one of the greatest crime challenges of modern times, few seem to fully understand what causes it, how best to predict its occurrence, or how to limit its impact upon the UK economy and society.

This project aims to address these uncertainties using methods and concepts from a range of disciplines including criminology, psychology, economics, mathematics and computer science. The key objectives of the project are to identify, understand and predict:

1. The behaviour of malware and human cyber perpetrators within and outside of Cloud environments;
2. Business risk assessment practices, threat awareness levels, and adaptive behaviours as related to cybercrime;
3. The response of criminal justice agencies to cybercrime and business trust in the regulatory system;
4. Business and criminal justice cyber security practices (e.g. information sharing) in relation to issues of privacy, accountability and civil liberties.

The project will develop a computational tool that will assist in the prediction of business-related cyber attacks. For the first time, both technical (e.g. malware behaviour, network vulnerabilities) and human/organisational (level of cooperation, perception of risk, threat assessment, costs, criminal justice response) measures will be combined in this predictive process. It is envisaged that this tool will assist both policy makers and practitioners in the field of cyber security and crime. It will identify which businesses (by sector, size, level of cooperation etc.) are most vulnerable to attack, allowing policy, codes of practice and advice to be tailored and targeted. The tool also has the potential to provide digital and human/organisational forms of evidence and other information relevant to investigation and prosecution proceedings. In order to disseminate the tool and the results of the research, we will incorporate an action research element in which we develop a forum (two workshops in years 2 and 3) where initial or draft (but verified) findings are released in stages, through briefing papers to businesses of varying sectors and sizes (particularly SMEs). We will also disseminate results via peer-reviewed journal articles and conferences. Throughout the project, via the advisory group, we will link into other key commercial initiatives (e.g. the Saturn project at BT Labs) and statutory and third sector organisations such as ENISA, the Honeynet Project, Home Office; Cabinet Office Identity Assurance Programme; Office for National Statistics; National Fraud Authority; Serious Fraud Office; Trading Standards; Serious Organised Crime Agency/National Crime Agency; Association of Chief Police Officers; Met Police Central eCrime Unit; NPIA/Police College; EADS; Get Safe Online, Liberty and Wise Kids.

Planned Impact

Governments, critical national infrastructure, and enterprise organisations all suffer from various security breaches and information leakage. A key challenge has always been to determine who is responsible. Detica/Cabinet Office estimated that cybercrime cost £27 billion to UK society and the economy, and though this figure has been strongly critiqued (University of Cambridge, 2012), all parties agree that there is a significant benefit in being able to link such activities to perpetrators. This project will help organisations identify threats such as insider abuse of systems, malicious software activity, industrial espionage and fraud. The following stakeholder groups will benefit from the findings of this research: (i) academics, through advancements in knowledge that result directly from the research; (ii) practitioners (police and private security agencies, but also lawyers and court officials), through advancements in practitioner knowledge that result from the research; (iii) criminal justice policy makers, through advancements in academic and practical knowledge that result from the research; (iv) the public (including organisations), through carefully explained advancements in knowledge that result from the research. The findings will be of interest to those specifically interested in how the cybercrime problem is constructed by the UK Information Assurance (UKIA) community and beyond, and to those interested in robust measures of cybercrime costs and the relative importance of key cyber security factors. Most obviously such users would include police, government departments, private sector regulators, and regulatory groups. Voluntary sector organisations involved in educating the public and business will also benefit from these findings.

The key deliverable of the consortium is a computational tool that will assist in the prediction of business-related cyber attacks. For the first time, both technical (e.g. malware behaviour, network vulnerabilities) and human/organisational (level of cooperation, perception of risk, threat assessment, costs, criminal justice response) measures will be combined in this predictive process. It is envisaged that this tool will assist both policy makers and practitioners in the field of cyber security and crime. It will identify which businesses (by sector, size, level of cooperation etc.) are most vulnerable to attack, allowing policy, codes of practice and advice to be tailored and targeted. The tool also has the potential to provide digital and human/organisational forms of evidence and other information relevant to investigation and prosecution proceedings.

Some of the data sets acquired during this project will also be made available to selected user communities. These will contain pre-processed (or, where necessary, anonymised) data describing attack vectors, attack patterns on distributed systems, and attack demographics. In particular, the data sources will present real-time visualisation feeds of current attack vectors, tailored to the targeted users' systems in the light of attacks on related or similar systems. With access to the data sources we offer, targeted users will be better prepared to deal with security threats and to complement signature-based detection of malicious software in their systems.

These deliverables and research outcomes will contribute to knowledge of how the cybercrime problem is constructed, how the associated risks are assessed and what cybercrime costs. This knowledge will be of use to policy makers, regulators, educators and the business community. Improved knowledge is crucial for understanding the regulation of cybercrimes, especially how the law is being applied. This knowledge will help to bridge the gap between public demands for security and what government, and especially, the police can provide.
 
Description This research work has demonstrated how both technical and social cybersecurity metrics can be combined into a risk model. Technical metrics have primarily been derived from monitoring data acquired from an intrusion detection/prevention system. Social metrics have been derived through a survey. The project has involved collaboration between computer science, social science and mathematics.
Exploitation Route The findings have been used to assess the impact of malware propagation via Twitter (social media) feeds.
Sectors Digital/Communication/Information Technologies (including Software), Financial Services and Management Consultancy, Security and Diplomacy
 
Description Currently, the outcome of this work is being used by our Information Services division (at Cardiff University) to identify network risk. Additional work on this is ongoing and will continue until the end of the project.
First Year Of Impact 2015
Sector Digital/Communication/Information Technologies (including Software)
Impact Types Policy & public services
 
Description Conference 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Industry/Business
Results and Impact Burnap, P. and Williams, M. L. 2015. Plenary: Computational & social security analytics using Big Data. Presented at: International Conference on Computational Social Science, Helsinki, Finland, 8-11 June 2015.
Year(s) Of Engagement Activity 2015
 
Description Invited talk: Cloud Security Engineering 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact This was an international conference, "Frontiers of Information Technology", Islamabad, Pakistan (December 2015). The presentation led to visits to a number of local universities -- primarily NUST (National University of Science & Technology), COMSATS, LUMS (Lahore University of Management Sciences) and ITU (Information Technology University).
Year(s) Of Engagement Activity 2015
URL http://fit.edu.pk/
 
Description University Information Services 
Form Of Engagement Activity A formal working group, expert panel or dialogue
Part Of Official Scheme? Yes
Geographic Reach National
Primary Audience Professional Practitioners
Results and Impact This activity has resulted in Information Services sharing their data with us. We are very pleased with this outcome -- as most projects in the security domain have difficulty sourcing real-world data.

This has resulted in us engaging with other intrusion detection system vendors -- e.g. AlertLogic.
Year(s) Of Engagement Activity 2014