This space contains links to research papers, event sources and useful resources on cybersecurity. For researchers interested in modelling threat and anomaly detection techniques, there are a number of public datasets available.
Threat Taxonomy
- Denial of Service (DoS) – an attempt to render a service unavailable, either by flooding it with a high volume of traffic (a volumetric attack such as a TCP SYN flood) or by gradually exhausting the resources of the service (resource starvation, e.g. holding many connections open while sending data very slowly). Volumetric attacks are usually easier to detect and classify because the traffic rate and packet mix stand out; resource starvation attacks can be much stealthier, since their flow features look like those of legitimate slow clients.
- Distributed Denial of Service (DDoS) – a DDoS attack is essentially a DoS attack mounted simultaneously from many networked systems (often a botnet of compromised machines), which makes it both larger and harder to filter by source. Such attacks typically generate huge volumes of traffic, with the potential to take down corporate networks, gaming servers, or even substantial parts of the Internet.
- Botnet – a botnet is a cluster of networked devices that have been compromised by an attacker and whose resources and/or geographic location are then used to perform various malicious actions, such as mounting a DDoS attack, stealing sensitive content, sending spam, performing Man-in-the-Middle (MitM) attacks, or eavesdropping on sensitive traffic or video feeds.
- Advanced Persistent Threat (APT) – a set of stealthy and continuous intrusion processes, often orchestrated by a well-organised group (possibly state sponsored) against a specific organisation or entity. APTs usually target private organisations, but the scope can extend to entire states, usually for business or political motives. They rely on a high degree of covertness, maintaining access over a long period of time rather than causing immediate, visible damage.
- Brute Force Attack – a popular method for discovering authentication credentials and, by extension, hidden content or pages on web servers. Credential brute forcing iterates through many guesses (a word list or the full key space) against a login interface such as SSH, FTP or a web form; the same approach applied to URLs enumerates hidden directories and files and ‘walks’ a web tree by parsing the returned content for further links. Both variants leave a characteristic trail of many short, failed or repeated requests from one source.
- Web Service Attacks – many organisations today rely almost entirely on the Internet, and the technologies used to build web commerce sites evolve rapidly, leaving them exposed to a broad range of attacks. The objectives can be wide ranging: stealing sensitive content, breaching Personally Identifiable Information (PII), or defacing a service to damage brand reputation. Techniques range from exploiting application vulnerabilities (e.g. SQL Injection, Cross-Site Scripting (XSS)) to brute force attacks against login forms.
- Infiltration Attack – attackers gain privileged access to sensitive internal assets through a range of malware techniques. Such attacks are often preceded by reconnaissance, typically a port scan in which open TCP and UDP ports on vulnerable hosts are discovered with tools such as Nmap (Network Mapper). Software vulnerabilities are then exploited to elevate privileges, and rootkit malware is installed to provide a persistent ‘backdoor’ into the compromised machine. Once an attacker has privileged access they may spend months scanning the network for sensitive assets and executing further malicious acts.
- Masquerade Attack – an attack that uses a forged or stolen identity to gain unauthorised access to networks and systems. It is often performed with stolen user credentials (e.g. obtained via social engineering), by exploiting vulnerabilities in software or protocols, or by bypassing authentication entirely (e.g. using an unlocked computer). Its defining characteristic is that the attacker appears to be a legitimate user, so it can be very difficult to detect from access control alone; detection usually depends on the session behaving differently from that user’s normal activity.
- Malware – malicious software designed specifically to harm a user’s or organisation’s assets or data. Malware comes in different forms, each with distinct features and behaviour:
  - Backdoor – enables unauthorised access to compromised computers.
  - Exploit – uses a software vulnerability to gain unauthorised access or elevate privileges.
  - Virus – a self-replicating or parasitic infector that attaches itself to other files or programs.
  - Worm – self-replicating, stand-alone malware that spreads without a host program.
  - Trojan – non-replicating software with hidden functionality.
  - Rootkit – stealthy software that actively hides itself (and often other malware) from the operating system and its users.
  - Spyware – software that invades user privacy through information gathering.
  - HackTool – exploit, attack, scanning and reconnaissance tools and libraries.
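The DoS, DDoS, brute force and infiltration (port scan) entries above describe behaviours that show up as distinct patterns in per-source flow features, which is how flow-based anomaly detectors trained on the public datasets mentioned at the top of this page typically see them. The following Python block is an added illustration, not code from this page or from any dataset's tooling: it aggregates constructed flow records per source and labels each source with simple rules. The Flow record layout, the sample traffic, every threshold and the label names are assumptions chosen for readability, not tuned values.

```python
"""Per-source flow aggregation and rule-based labelling of the DoS, port scan
and brute force behaviours described in the taxonomy above.

Added example. The Flow layout, the sample traffic and all thresholds are
constructed assumptions, not values from any real dataset.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    flags: str       # TCP flags seen from the client side, e.g. "S" or "PA"
    packets: int     # packets sent by the client
    nbytes: int      # bytes sent by the client
    duration: float  # seconds between first and last packet of the flow


def aggregate(flows):
    """Collapse flows into per-source features, the kind of aggregate a
    flow-based anomaly detector computes over a time window."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    feats = {}
    for src, fl in by_src.items():
        n = len(fl)
        total_dur = sum(f.duration for f in fl)
        feats[src] = {
            "flows": n,
            # flows that never got past the SYN: half-open connections
            "syn_only_ratio": sum(1 for f in fl if f.flags == "S") / n,
            "distinct_dports": len({f.dport for f in fl}),
            "mean_packets": sum(f.packets for f in fl) / n,
            "mean_duration": total_dur / n,
            # client bytes per second of connection time; near zero for
            # "hold the socket open and send almost nothing" starvation
            "bytes_per_sec": sum(f.nbytes for f in fl) / max(total_dur, 1e-9),
        }
    return feats


def label(ft):
    """Assumed rules, evaluated in order; the first match wins."""
    if ft["distinct_dports"] >= 50 and ft["mean_packets"] <= 2:
        return "port_scan"        # many ports probed, one packet each
    if ft["flows"] >= 200 and ft["syn_only_ratio"] >= 0.9:
        return "dos_syn_flood"    # volumetric: a flood of half-open connections
    if ft["flows"] >= 50 and ft["mean_duration"] >= 30 and ft["bytes_per_sec"] < 50:
        return "dos_slow_rate"    # resource starvation: long, near-idle sessions
    if (ft["distinct_dports"] == 1 and ft["flows"] >= 20
            and ft["mean_duration"] < 5 and ft["syn_only_ratio"] < 0.1):
        return "brute_force"      # many short completed sessions to one service
    return "benign"


def detect(flows):
    """Map each source address to its label."""
    return {src: label(ft) for src, ft in aggregate(flows).items()}


def sample_flows():
    """Constructed traffic, not captured data. Addresses are documentation ranges."""
    fl = []
    # ordinary HTTPS client: a handful of normal-sized sessions
    fl += [Flow("10.0.0.5", "10.0.0.80", 443, "PA", 40, 6000, 2.0) for _ in range(5)]
    # SYN flood: hundreds of SYN-only flows to one port
    fl += [Flow("198.51.100.7", "10.0.0.80", 80, "S", 1, 60, 0.0) for _ in range(500)]
    # port scan: one SYN to each of 200 ports
    fl += [Flow("192.0.2.4", "10.0.0.80", p, "S", 1, 60, 0.0) for p in range(1, 201)]
    # slow-rate DoS: 60 sessions kept open for two minutes with almost no data
    fl += [Flow("198.51.100.20", "10.0.0.80", 80, "PA", 6, 300, 120.0) for _ in range(60)]
    # SSH brute force: 80 short completed sessions to port 22
    fl += [Flow("203.0.113.9", "10.0.0.22", 22, "PA", 12, 1500, 1.5) for _ in range(80)]
    return fl


if __name__ == "__main__":
    for src, verdict in detect(sample_flows()).items():
        print(f"{src:15} {verdict}")
```

Two caveats a practitioner would add. Real SYN floods usually spoof their source address and a DDoS spreads the load across many sources, so per-source aggregation will miss them; the same features aggregated per destination (or per destination service) are what you would alert on. And the slow-rate rule is the one most likely to misfire, because long, low-rate sessions are exactly what legitimate slow clients and long-polling connections look like, which is the detection difficulty the DoS entry above refers to.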