Ebook: Proceedings of the Singapore Cyber-Security Conference (SG-CRC) 2016

Welcome to the First Singapore-Cybersecurity R&D Conference (SG-CRC 2016)! This inaugural conference brings together researchers from across the globe engaged in advancing the state of the art in the broad area of cyber security. The conference is sponsored by the National Research Foundation (NRF), Singapore, and organised jointly by the Singapore University of Technology and Design and the National University of Singapore.

A total of 22 submissions were received in response to the call for papers. Each submission was reviewed by at least two members of an international programme committee. Based on the reviews, six papers were selected for presentation under the “Regular” paper category and seven in the short paper category. In addition to research paper presentations, leading researchers in cybersecurity have been invited to deliver a keynote address and make special presentations. The conference programme also includes industry tools presentations, panel discussions, and a poster session.

The paper titled “Image Region Forgery Detection: A Deep Learning Approach” focuses on the detection of tempered images. The technique proposed is independent of image format, e.g., JPEG. The proposed technique uses a two-stage deep learning approach to learn complex features of the image, in a variety of formats format. For JPEG images 87.51% tampered region localisation accuracy was obtained while for TIFF images the localisation rate was 81.91%.

Android malware is the focus of “Q-Floid: Android Malware detection with Quantitative Data Flow Graphs.” This paper moves beyond the conventional signature-based malware detection techniques by using a more quantitative data-flow based technique applied to system entities such as processes, files, and sockets. The proposed approach obtained a malware detection rate of 93% for variants of known malware and up to 84% for new malware families.

“Cyber and Physical Access Control in Legacy System Using Passwords” addresses the issue of managing a large number of passwords by humans. A visual cryptography technique is proposed that allows the storage of cipher texts of passwords on mobile phones and decrypt them on demand. The proposed approach allows a simple though effective solution to the problem of access control using passwords.

“Data Driven Physical Modeling For Intrusion Detection In Cyber Physical Systems (CPS)” proposes a machine learning-based technique for intrusion detection. The proposed technique quickly detects attacks at the physical process layer. The technique was applied on a replicated version of a modern water treatment facility and found to be fast, scalable, robust to noise, and exhibiting a low false positive (FP) rate with high precision and recall.

A novel approach for detecting multi-point attacks in a CPS is proposed in “Detecting Multi-Point Attacks in a Water Treatment System Using Intermittent Control Actions.” The technique makes use of control actions that are not part of the standard control algorithms implemented in the controllers. Instead, these control actions are executed on selected components to monitor the system process. The strengths and limitations of the approach were assessed experimentally in an operational water treatment plant.

Challenges in setting up Man-In-The-Middle attacks are the focus of “Attacking Fieldbus Communications in ICS: Applications to the SWaT Testbed.” Attacks were successfully launched on fieldbus communications in a working water treatment plant. In such attacks, the attacker manipulates or replaces sensor data as reported from the field devices to the control components. The efficacy of the proposed framework for launching attacks is demonstrated experimentally where an adversary can intelligently design and launch attacks that remain undetected for a typical bad-data detection mechanism.

Seven short papers focus on the following areas: Directed-Tree-Transitive Signature scheme, large scale collection of information based on Juice-filming attacks, social-engineering attacks based on telephones, privacy and data aggregation, simulation of cyber attacks, steganography in the context of ECG data, and file classification. A student paper explores the idea of identifying hardware via sensor fingerprinting in a CPS. An experiment to evaluate the proposed method for hardware tampering revealed high detection rate when applied to two water level sensors in an operational CPS.

The conference also contains updates from seven projects funded by NRF under the National Cyber-security Research (NCR) program. These projects cover various themes such as software security, cyber-physical system security, mobile security and formal verification.

The success of this conference is due to the participation and contribution of a large number of people. First, we thank the many researchers who spent time in writing and submitting to this inaugural SG-CRC. Thanks to members of the Steering and Programme Committees for assisting and advising on the details of conference planning and completing on time the important task of paper reviews. Thanks to members of the organising committee who exhibited total dedication and commitment to make a successful conference. Last, but not least, our sincere thanks and appreciation to NRF and the staff who originated the idea of SG-CRC and provided constant support at all stages of organising the conference.

With best wishes for a successful conference, yours sincerely,

Aditya Mathur, Conference Co-Chair

Professor, Head of Pillar ISTD, and Centre Director iTrust

Singapore University of Technology and Design

Singapore

Abhik Roychoudhury, Co-Chair

Professor and Vice Dean, School of Computing

National University of Singapore

Singapore

In digital forensics, the detection of the presence of tampered images is of significant importance. The problem with the existing literature is that majority of them identify certain features in images tampered by a specific tampering method (such as copy-move, splicing, etc). This means that the method does not work reliably across various tampering methods. In addition, in terms of tampered region localization, most of the work targets only JPEG images due to the exploitation of double compression artifacts left during the re-compression of the manipulated image. However, in reality, digital forensics tools should not be specific to any image format and should also be able to localize the region of the image that was modified.

In this paper, we propose a two stage deep learning approach to learn features in order to detect tampered images in different image formats. For the first stage, we utilize a Stacked Autoencoder model to learn the complex feature for each individual patch. For the second stage, we integrate the contextual information of each patch so that the detection can be conducted more accurately. In our experiments, we were able to obtain an overall tampered region localization accuracy of 91.09% over both JPEG and TIFF images from CASIA dataset, with a fall-out of 4.31% and a precision of 57.67% respectively. The accuracy over the JPEG tampered images is 87.51%, which outperforms the 40.84% and 79.72% obtained from two state of the art tampering detection approaches.

Due to the rapid proliferation of Android malware, conventional anti-malware signature-based solutions face significant challenges to battle against cybercrime. In this work, we propose to use quantitative data flow profiles between system entities such as processes, files and sockets to detect malicious applications on Android, an approach which has been shown to be promising for detecting Windows malware. Our approach uses features based on graph-theoretical metrics as a basis for the analysis. Those features are trained through multiple machine learning algorithms obtaining malware detection rates of up to 93% for variants of known (trained) families and detection of new families of up to 84%.

Passwords—secret combinations of symbols—play an important role in physical world security (e.g. watchword to prevent unauthorized entry into military forbidden area) from ancient times. With emergence and advance of digital computers and computer network, passwords are also widely adopted in cyber world security protection. In most applications, password protection stands on the frontier of cyber/physical security defense. Compromise of passwords might render the whole system insecure, and make thereafter sophisticated cryptography solution ineffective. However, secure management of a large number of random passwords is a great challenge to human brains. We propose a visual cryptography technique, which allows users to store and manage ciphertexts of randomly chosen passwords in mobile phone and decrypt them manually on demand. The stored passwords remain confidential, even if the mobile phone is infected by spyware (Assume the spyware can capture phone screen, and monitor phone CPU and RAM). We also analyze the security and feasibility of proposed method. Leveraging on this technique, we give a simple access control system based on passwords, which provides a low cost alternative solution for legacy system besides smart card based solution.

Cyber physical systems are critical to the infrastructure of a country. They are becoming more vulnerable to cyber attacks due to their use of off the shelf servers and industrial network protocols. Availability on World Wide Web for monitoring and reporting, has further aggravated their risk of being attacked. Once an attacker breaches the network security, he can affect the operations of the system which may even lead to a catastrophe. Mathematical and formal models try to detect the departure of the system from its expected behaviour but are difficult to build, and are sensitive to noise. Furthermore they take a lot of time to detect the attack. We here propose a behaviour based machine learning intrusion detection approach that quickly detects attacks at the physical process layer. We validate our result on a complete replicate of the physical and control components of a real modern water treatment facility. Our approach is fast, scalable, robust to noise, and exhibits a low false positive (FP) rate with high precision and recall. The model can be easily updated to match the changing behaviour of the system and environment.

A novel technique for detecting multi-point attacks on an Industrial Control System (ICS) is described. The technique, referred to as Intermittent Control Actions (ICA), sends control signals intermittently to selected components to monitor the system using a process invariant. ICA was assessed experimentally for its effectiveness in an operational water treatment testbed. The experiments revealed (a) multi-point attack scenarios where ICA succeeds or fails to detect an attack, (b) issues in the design of key ICS components to ensure that the control actions in ICA do not lead to undesirable process behavior, and (c) constraints on the design of the physical system for safe use of ICA.

The study of cyber-attacks in industrial control systems is of growing interest among the research community. Nevertheless, restricted access to real industrial control systems that can be used to test attacks has limited the study of their implementation and potential impact. In this work, we discuss practical attacks applied to a room-sized water treatment testbed. The testbed includes a complete physical process, industrial communication systems, and supervisory controls. We implement scenarios in which the attacker manipulates or replaces sensor data as reported from the field devices to the control components. As a result, the attacker can change the system state vector as perceived by the controls, which will cause incorrect control decisions and potential catastrophic failures. We discuss practical challenges in setting up Man-In-The-Middle attacks on fieldbus communications in the industrial EtherNet/IP protocol and topologies such as Ethernet rings using the Device-Level-Ring protocol. We show how the attacker can overcome those challenges, and insert herself into the ring. Once established as a Man-in-the-Middle attacker, we launched a range of attacks to modify sensor measurements and manipulate actuators. We show the efficacy of the proposed methodology in two experimental examples, where an adversary can intelligently design attacks that remain undetected for a typical bad-data detection mechanism.

In early 2000's, Rivest [1,2] and Micali [2] introduced the notion of transitive signature, which allows a third party with public key to generate a valid signature for a composed edge (v_i,v_k), from the signatures for two edges (v_i,v_j) and (v_j,v_k). Since then, a number of works, including [2,3,4,5,6], have been devoted on transitive signatures. Most of them address the undirected transitive signature problem, and the directed transitive signature is still an open problem. S. Hohenberger [4] even showed that a directed transitive signature implies a complex mathematical group, whose existence is still unknown. Recently, a few directed transitive signature schemes [7,8] on directed trees are proposed. The drawbacks of these schemes include: the size of composed signature increases linearly with the number of nested applications of composition and the creating history of composed edge is not hidden properly. This paper presents a RSA-Accumulator [9] based scheme DTTS—a Directed-Tree-Transitive Signature scheme, to address these issues. Like previous works [7,8], DTTS is designed only for directed trees, however, it features with constant (composed) signature size and privacy-preserving property. We prove that DTTS is transitively unforgeable under adaptive chosen message attack in the standard model.

Cyber security refers to protecting computers, networks, programs and data from unauthorized access, change or destruction. With the wide adoption of smartphones, a lot of sensitive information can be cleaned from users' interaction with their smartphones and tablets. In our previous effort, we have developed a type of charging attacks called juice filming attacks, which can sniff smartphone users' information when they are interacting with their phones during charging. With the increasing number of public charging stations, we notice that this type of charging attacks may become a big threat to compromise users' privacy. In this work, we propose a framework of collecting smartphone information in large-scale based on juice filming attacks. Then, we show that such charging attacks work well not only on Android phones, but also on the newly released iPhones. Our work points out that the proposed framework is feasible to threaten users' privacy in practice.

The objective of this study is to evaluate the effectiveness of an information campaign to counter a social engineering attack via the telephone. Four different offenders phoned 48 employees and made them believe that their PC was distributing spam emails. Targets were told that this situation could be solved by downloading and executing software from a website (i.e. an untrusted one). A total of 46.15 % of employees not exposed to the intervention followed the instructions of the offender. This was significantly different to those exposed to an intervention 1 week prior to the attack (9.1 %); however there was no effect for those exposed to an intervention 2 weeks prior to the attack (54.6 %). This research suggests that scam awareness-raising campaigns reduce vulnerability only in the short term.

There are several recent research studies on privacy-preserving aggregation of time series data, where an aggregator computes an aggregation of multiple users' data without learning each individual's private input value. However, none of the existing schemes allows the aggregation result to be verified for integrity. In this paper, we present a new data aggregation scheme that protects user privacy as well as integrity of the aggregation. Towards this end, we first propose an aggregate signature scheme in a multi-user setting without using bilinear maps. We then extend the aggregate signature scheme into a solution for privacy-preserving and verifiable data aggregation. The solution allows multiple users to periodically send encrypted data to an untrusted aggregator such that the latter is able to compute the sum of the input data values and verify its integrity, without learning any other information. A formal security analysis shows that the solution is semantically secure and unforgeable.

In this work, we discuss the use of EPANET to simulate the effects of malicious cyber-physical attacks on water distribution systems. EPANET—a standard numerical modeling environment developed by the US Environmental Protection Agency—models hydraulic and water-quality behavior of pressurized pipe networks. EPANET promises to be well suited to show the effects of direct attacks on hydraulic actuators, such as pumps, or the effects of attacks on sensors. Using the C-Town benchmark network, we show that EPANET has some limitations when modeling these attacks, and we report the workarounds needed to overcome these limitations. In particular, we describe attacks that change the control strategies of pumps, and attacks that alter the tank water level reported by sensors.

ECG steganography hides patient data inside their ECG signal to ensure the protection of patient's identity. In this work, an attempt has been made to evaluate ECG Steganography where Quantization Index Modulation (QIM) method is used to embed patient data into the Contourlet transform coefficients of ECG image. Tompkins QRS detection algorithm is used to construct ECG image and which is decomposed into a series of multiscale, local and directional image expansion using contour segments. QIM scheme is applied on the appropriate coefficients of the selected frequency sub-bands. QIM divides the selected frequency sub-bands into non overlapping blocks of matrix size 2×2. Two quantizers are used to embed binary watermark 0 and 1. The reverse Contourlet transform provides the watermarked ECG image from which 1D stego-ECG signal is re-ordered. The proposed scheme retrieves the watermark without the need of cover image. The deterioration due to the modified coefficients are reduced using adaptive selection of a coefficient to hide watermark bit. The efficiency of ECG steganography is measured using imperceptibility of watermark and Bit Error Rate of the retrieved watermark. Similarity metrics such as Peak Signal to Noise ratio, Percentage Residual Difference and Kullback-Leibler distance are used to estimate the imperceptibility of watermark on the stego-ECG signal. It is demonstrated that the proposed approach provides higher imperceptibility and less Bit Error Rate in the retrieved watermark, which is closed to zero. ECG signals obtained from MIT-BIH normal sinus rhythm data base are used to evaluate the performance of the proposed ECG Steganography approach.

Accurate classification of file types carried by network traffic aids in securing a network against various types of malicious activities such as malware infection, data exfiltration, botnet communication, etc. An important challenge here is to accurately classify files without slowing down network traffic. Therefore, the cost of accurate file-type classification has to be known. In this work, we carry out a preliminary but extensive investigation to evaluate different sets of features for file-type classification. The objective is to detect not only file types under normal scenario, but also files that are transferred with obfuscated headers. Our experiments show that the feature vector consisting of unigram frequencies leads to high accuracy; yet, combining this feature set with entropy feature vector leads to improvement in accuracies.