Remote Physical Device Fingerprinting

Abstract

We introduce the area of remote physical device fingerprinting, or fingerprinting a physical device, as opposed to an operating system or class of devices, remotely, and without the fingerprinted device's known cooperation. We accomplish this goal by exploiting small, microscopic deviations in device hardware: clock skews. Our techniques do not require any modification to the fingerprinted devices. Our techniques report consistent measurements when the measurer is thousands of miles, multiple hops, and tens of milliseconds away from the fingerprinted device and when the fingerprinted device is connected to the Internet from different locations and via different access technologies. Further, one can apply our passive and semipassive techniques when the fingerprinted device is behind a NAT or firewall, and also when the device's system time is maintained via NTP or SNTP. One can use our techniques to obtain information about whether two devices on the Internet, possibly shifted in time or IP addresses, are actually the same physical device. Example applications include: computer forensics; tracking, with some probability, a physical device as it connects to the Internet from different public access points; counting the number of devices behind a NAT even when the devices use constant or random IP IDs; remotely probing a block of addresses to determine if the addresses correspond to virtual hosts, e.g., as part of a virtual honeynet; and unanonymizing anonymized network traces.

Similar Papers
  • Conference Article
  • Cite count: 193
  • 10.1109/sp.2005.18
Remote physical device fingerprinting
  • Jan 1, 2005
  • T Kohno + 2 more

We introduce the area of remote physical device fingerprinting, or fingerprinting a physical device, as opposed to an operating system or class of devices, remotely, and without the fingerprinted device's known cooperation. We accomplish this goal by exploiting small, microscopic deviations in device hardware: clock skews. Our techniques do not require any modification to the fingerprinted devices. Our techniques report consistent measurements when the measurer is thousands of miles, multiple hops, and tens of milliseconds away from the fingerprinted device, and when the fingerprinted device is connected to the Internet from different locations and via different access technologies. Further, one can apply our passive and semi-passive techniques when the fingerprinted device is behind a NAT or firewall, and also when the device's system time is maintained via NTP or SNTP. One can use our techniques to obtain information about whether two devices on the Internet, possibly shifted in time or IP addresses, are actually the same physical device. Example applications include: computer forensics; tracking, with some probability, a physical device as it connects to the Internet from different public access points; counting the number of devices behind a NAT even when the devices use constant or random IP ID; remotely probing a block of addresses to determine if the addresses correspond to virtual hosts, e.g., as part of a virtual honeynet; and unanonymizing anonymized network traces.

  • Conference Article
  • Cite count: 12
  • 10.1109/ithings-greencom-cpscom-smartdata.2017.132
Digital Forensics Challenges to Big Data in the Cloud
  • Jun 1, 2017
  • Xiaohua Feng + 1 more

As a new research area, Digital Forensics is a subject in a rapidly developing society. Cyber Security for Big Data in the Cloud is getting more attention than ever. A computing breach requires digital forensics to seize digital evidence to determine who is responsible and what has been done maliciously and the possible further consequences. In particular, for Big Data attack cases, Digital Forensics is facing even more challenges for earlier digital breach investigations. For the PPI (Protection of Personal Information) a GDPR (General Data Protection Regulation) law has been launched to be implemented from the 25th May 2018. This compulsory regulation will have an important impact on healthcare PPI in the cloud (ICO, 2017, Deloitte, 2014). Nowadays, Big Data with the characteristics of three “V”s (Volume, Velocity, and Variety), are either synchronized with the Cloud, or stored in the Cloud, in order to solve the storage capacity and so on problems, which made Digital Forensics investigation even more difficult. The Big Data Digital Forensics issue for the Cloud is difficult. One of them is the need to identify which physical devices have been compromised. Data are distributed in the Cloud, so the customer or digital forensics practitioner cannot have full access control like the traditional investigation does. Smart Cities are making use of ICT (information communications technology) to collect, detect, analyze and integrate the key information data of core systems in running the cities. Meanwhile, the Control Centre is making intelligent responses to different requirements that include daily livelihood, PPI security, environmental protection, public safety, industrial and commercial activities and city services. The Smart City healthcare Big Data are collected and gathered by the IoT (Internet of Things) (Liu, 2014, Qi, 2016) and applying GDPR prevent Cyberstalking and Cybercrimes.
This paper summarises our review on the trends of Digital Forensics used for Big Data. The evidence acquisition challenge is discussed. A case study of a Smart City project with IoT services collecting Big Data which are stored in the Cloud computing environment is represented. The techniques can be generalised to other Big Data in the Cloud environment.

  • Conference Article
  • Cite count: 3
  • 10.1109/issa.2013.6641044
Selection and ranking of remote hosts for digital forensic investigation in a Cloud environment
  • Aug 1, 2013
  • George Sibiya + 2 more

Cloud computing is a new computing paradigm which presents challenges for digital forensic investigators. Digital forensics is a branch of computer security that makes use of electronic evidence to build up a criminal case or for troubleshooting purposes. Advances have been made since the advent of Cloud computing in addressing issues that came with the Cloud including that of security. However, not all aspects of security are advancing. Developments in digital forensics still leave a lot to be desired in terms of standards and appropriate digital forensic tools that are applicable in the Cloud. To achieve that, standards as well as standard tools are required for successful evidence collection, preservation, analysis and conviction in case of a criminal case. This paper contributes towards addressing issues in digital forensics by presenting an algorithm that can be used in the evidence identification phase of a digital forensic process. Data in Cloud environments exist in the Internet or in networked environments and data is always accessed remotely. There is therefore at least one connection to a host that exists in a Cloud environment. In a case of a computer system that hosts a Cloud service, the number of connections from clients can be very large. In such a scenario it is very hard to identify an attacker from both active and recently disconnected connections to a host. This may require an investigator to probe all individual IP addresses connected to the host which can be time consuming and costly. There is therefore a need for a mechanism that can identify and rank remote hosts that are connected to a victim host and that may be associated with a malicious activity. In this paper we present an algorithm that uses probabilities to identify and rank suspicious remote hosts connected to a victim host. 
This algorithm helps minimize the effort required of investigators to probe each IP address that is connected to a victim as connected IP addresses will be prioritized according to their rank.

  • Research Article
  • Cite count: 3
  • 10.1007/s11036-014-0510-2
Mobile Web-Based System for Remote-Controlled Electronic Devices and Smart Objects
  • May 28, 2014
  • Mobile Networks and Applications
  • Jordán Pascual Espada + 5 more

Nowadays there are many intelligent electronic devices in everyday environments: appliances, industrial machinery, devices for service providers in the cities, etc. These electronic devices usually communicate with other devices and people in order to perform tasks or provide services. The most common form of interaction between people and devices is using the device interfaces (buttons, touch screens, etc.). However, there are other ways of interacting such as Smartphones, which are used to communicate users with electronic devices. Normally, the user selects the commands or actions from an application installed on the Smartphone. This application uses the Smartphone communication hardware elements (e.g., Bluetooth, Wi-Fi) to send the selected commands to the electronic device. Native mobile applications are platform-dependent (Android, Symbian, etc.) and, when developed for multiple platforms, usually have high development costs. We present a proposal that allows web applications to access the device communication hardware elements, making possible the communication with physical devices.

  • Research Article
  • Cite count: 8
  • 10.1007/s10586-019-02988-0
Flexible device compositions and dynamic resource sharing in PCIe interconnected clusters using Device Lending
  • Sep 21, 2019
  • Cluster Computing
  • Jonas Markussen + 7 more

Modern workloads often exceed the processing and I/O capabilities provided by resource virtualization, requiring direct access to the physical hardware in order to reduce latency and computing overhead. For computers interconnected in a cluster, access to remote hardware resources often requires facilitation both in hardware and specialized drivers with virtualization support. This limits the availability of resources to specific devices and drivers that are supported by the virtualization technology being used, as well as what the interconnection technology supports. For PCI Express (PCIe) clusters, we have previously proposed Device Lending as a solution for enabling direct low latency access to remote devices. The method has extremely low computing overhead, and does not require any application- or device-specific distribution mechanisms. Any PCIe device, such as network cards, disks, and GPUs, can easily be shared among the connected hosts. In this work, we have extended our solution with support for a virtual machine (VM) hypervisor. Physical remote devices can be “passed through” to VM guests, enabling direct access to physical resources while still retaining the flexibility of virtualization. Additionally, we have also implemented multi-device support, enabling shortest-path peer-to-peer transfers between remote devices residing in different hosts. Our experimental results prove that multiple remote devices can be used, achieving bandwidth and latency close to native PCIe, and without requiring any additional support in device drivers. I/O intensive workloads run seamlessly using both local and remote resources. With our added VM and multi-device support, Device Lending offers highly customizable configurations of remote devices that can be dynamically reassigned and shared to optimize resource utilization, thus enabling a flexible composable I/O infrastructure for VMs as well as bare-metal machines.

  • Conference Article
  • Cite count: 7
  • 10.1109/icc.2016.7511426
Identification of visible industrial control devices at Internet scale
  • May 1, 2016
  • Xuan Feng + 5 more

Nowadays industrial control devices are crucial for infrastructure-critical systems such as factories, power plants, and water treatment facilities. Devices with IP addresses are visible on the Internet and they connect cyber space and physical world. The first step in protecting devices from attackers is a deep understanding of the devices' characteristics in the cyber space. In this paper, we take a first step in this direction by investigating physical devices running one of the two specific protocols that are widely adopted in industrial control systems. In order to detect these devices in real-time, we propose a two-stage discovery mechanism: first filtering out unqualified hosts from 4 billion remote hosts and then identifying physical devices from qualified candidates. We have conducted a real-world experiment to verify the mechanism and identified dozens of thousands of physical devices from the entire Internet. Results show that our method discovers all devices in 20 hours with 89.5% precision and 79.3% recall.

  • Conference Article
  • Cite count: 8
  • 10.1109/indin.2015.7281928
Deployment of industrial agents in heterogeneous automation environments
  • Jul 1, 2015
  • Jose Dias + 2 more

Cyber-physical systems are an emergent paradigm to design complex, adaptive and smart systems, combining computational applications with physical hardware devices. Multi-agent systems play an important role in such systems to provide flexibility, robustness and adaptation, but their alignment will require the integration of agents with physical devices. This process is usually complex and time consuming due to the proprietary protocols provided by the hardware automation devices. This paper describes the deployment of an agent-based system in a small-scale flexible production system composed by a set of heterogeneous automation devices, such as programmable logic controllers and robots.

  • Research Article
  • Cite count: 10
  • 10.15394/jdfsl.2010.1070
Clustering Spam Domains and Destination Websites: Digital Forensics with Data Mining
  • Jan 1, 2010
  • Journal of Digital Forensics, Security and Law
  • Chun Wei + 3 more

Spam related cyber crimes have become a serious threat to society. Current spam research mainly aims to detect spam more effectively. We believe the identification and disruption of the supporting infrastructure used by spammers is a more effective way of stopping spam than filtering. The termination of spam hosts will greatly reduce the profit a spammer can generate and thwart his ability to send more spam. This research proposes an algorithm for clustering spam domains extracted from spam emails based on the hosting IP addresses and tracing the IP addresses over a period of time. The results show that many seemingly unrelated spam campaigns are actually related if the domain names in the URLs are investigated; spammers have a sophisticated mechanism for combating URL blacklisting by registering many new domain names every day and flushing out old domains; the domains are hosted at different IP addresses across several networks, mostly in China where legislation is not as tight as in the United States; old IP addresses are replaced by new ones from time to time, but still show strong correlation among them. This paper demonstrates an effective use of data mining to relate spam emails for the purpose of identifying the supporting infrastructure used for spamming and other cyber criminal activities.

  • Research Article
  • Cite count: 2
  • 10.1016/s1773-2247(14)50045-7
Passive delivery techniques for transcutaneous immunization
  • Jan 1, 2014
  • Journal of Drug Delivery Science and Technology
  • A Juluri + 2 more

  • Research Article
  • 10.9744/informatika.13.1.25-32
Development of a Web- and Android-Based Audience Response System Application (PEMBUATAN APLIKASI AUDIENCE RESPONSE SYSTEM BERBASIS WEB DAN ANDROID)
  • Feb 1, 2016
  • Jurnal Informatika
  • Albert Leonardo Pisa + 2 more

Audience Response Systems are widely used in various events as a media to gather information, to collect data, and to know the opinions of the general public towards particular issues, topics, news. Audience Response System can also be used to find out the client or customer satisfaction to the quality of products or services. Unfortunately most of the audience response systems that exist today are in the form of a physical (or remote) device which is severely limited in use. Along with the development of technology, almost all people have a smartphone to support their daily activities. The physical remote device called a clicker can be replaced with an application or program that can be installed on smartphones, while the polls are created through the website. In this research, the Audience response system was built using Node.js, PhoneGap platform, and the WebSocket Socket.IO as Javascript library to support bi-directional data communications. Based on testing result, this application can run properly all the functionalities that have been mentioned such as login to the system, create a poll, join a poll, and give a vote. The reliability of the system is 93%.

  • Conference Article
  • Cite count: 37
  • 10.1109/glocom.2012.6503213
Clock skew based remote device fingerprinting demystified
  • Dec 1, 2012
  • Fabian Lanze + 3 more

Commonly used identifiers for IEEE 802.11 access points (APs), such as network name (SSID), MAC, or IP address can be easily spoofed. This allows an attacker to fake a real AP and intercept, collect, or alter (potentially even encrypted) data. In this paper, we address the aforementioned problem by studying limits of unique remote physical device identification based on their clock skew - an unavoidable phenomenon that causes clocks to run at marginal but measurably different speed. To this end, we propose an algorithm for passive fingerprinting using timestamps regularly sent by APs in beacon frames. The major advantages of our method are that it is online and that we are able to eliminate the influence of clock skew of the measurement device. Hence, fingerprints performed by different devices become comparable. We calculate the precision of our clock skew measurement algorithm and provide a termination criterion for estimation of the clock skew with arbitrary precision. Moreover, conducting a large scale evaluation, we study the stability and uniqueness of clock skew as a means for remote wireless device identification.

  • Conference Article
  • Cite count: 3
  • 10.1109/eurospw55150.2022.00040
BEERR: Bench of Embedded system Experiments for Reproducible Research
  • Jun 1, 2022
  • Paul Olivier + 2 more

Reproducing experiments is a key component to further research and knowledge. Testbeds provide a controlled and configurable environment in which experiments can be conducted in a repeatable and observable manner. In the field of system security, and binary analysis, several challenges hinder reproducible research, in particular when code is interacting tightly with low level hardware and physical devices. In those conditions, dynamic analysis techniques often require the physical device to correctly complete (hardware-in-the-loop). In recent years many re-hosting techniques have been developed and evaluating their respective performance requires to compare them with a hardware-in-the-loop evaluation. However, it is challenging to share, acquire or maintain the original devices. In this paper, we tackle this problem by proposing a new infrastructure, and online service called “Bench of Embedded system Experiments for Reproducible Research” (BEERR). It aims to both make physical devices available remotely and facilitate the setup and reproduction of published experiments.

  • Book Chapter
  • Cite count: 4
  • 10.1016/b978-0-12-804526-8.00004-6
Chapter 4 - The intersection between social media, crime, and digital forensics: #WhoDunIt?
  • Dec 11, 2015
  • Digital Forensics
  • Kathryn C Seigfried-Spellar + 1 more

  • Research Article
  • Cite count: 22
  • 10.1016/j.diin.2012.09.001
Utilizing data lifetime of TCP buffers in digital forensics: Empirical study
  • Sep 21, 2012
  • Digital Investigation
  • Mohammed I Al-Saleh + 1 more

  • Conference Article
  • 10.1109/apet56294.2022.10072630
Principle and Implementation of Remote Backup Power Automatic throw-in in Serial Power Grid Connection with Multiple-communication Modes
  • Nov 11, 2022
  • Yin Chaoyong + 4 more

In the medium and low voltage power grid, the serial power grid connection is a common operation mode of the power grid. The remote backup power automatic throw-in can effectively solve the power supply reliability of the serial power grid connection, but limited by communication, the remote backup power automatic throw-in is rarely used in the medium and low voltage power grid. This paper provides a principle and implementation of remote backup power automatic throw-in of substation with multiple-communication modes. By setting a wireless router in each remote backup power automatic throw-in device, the router realizes the point-to-point communication of the remote backup power automatic throw-in device by using the generic routing encapsulation (GRE) tap mode, thus realizing the information interaction function of the substation remote backup power automatic throw-in device with multiple-communication modes. The simulation model built in RTDS verifies that the proposed remote backup power automatic throw-in device with multiple communication modes is feasible. This method does not need to change the original software and hardware of remote backup power automatic throw-in device, avoids the problem that the existing technical scheme is easily limited by communication, makes the remote backup power automatic throw-in device more convenient, reliable and simple in structure, and greatly improves the possibility of application in medium and low voltage power grids.
