Papers by Michael Goldsmith
Proceedings of the 5th International Conference on Information Systems Security and Privacy, 2019
This paper presents novel attacks on voice-controlled digital assistants using nonsensical word s... more This paper presents novel attacks on voice-controlled digital assistants using nonsensical word sequences. We present the results of a small-scale experiment which demonstrates that it is possible for malicious actors to gain covert access to a voice-controlled system by hiding commands in apparently nonsensical sounds of which the meaning is opaque to humans. Several instances of nonsensical word sequences were identified which triggered a target command in a voice-controlled digital assistant, but which were incomprehensible to humans, as shown in tests with human experimental subjects. Our work confirms the potential for hiding malicious voice commands to voice-controlled digital assistants or other speech-controlled devices in speech sounds which are perceived by humans as nonsensical. This paper also develops a novel attack concept which involves gaining unauthorised access to a voice-controlled system using apparently unrelated utterances. We present the results of a proof-of-concept study showing that it is possible to trigger actions in a voice-controlled digital assistant using utterances which are accepted by the system as a target command despite having a different meaning to the command in terms of human understanding.
Abstract. CSP, Hoare’s Communicating Sequential Processes, [1, 2] is one of the formalisms that u... more Abstract. CSP, Hoare’s Communicating Sequential Processes, [1, 2] is one of the formalisms that underpins the antecedents of CPA, and this year celebrates its Silver Jubilee [3]. Formal Systems ’ own FDR refinement checker [4] is among the most powerful explicit exhaustive finite-state exploration tools, and is tailored specifically to the CSP semantics. The CSPM ASCII form of CSP, in which FDR scripts are expressed, is the de-facto standard for CSP tools. Recent work has experimentally extended the notation to include a probabilistic choice construct, and added functionality into FDR to produce models suitable for analysis by the Birmingham University PRISM tool [5]. 1
Proceedings 2019 Workshop on Usable Security, 2019
Cybercrime investigators face numerous challenges when policing online crimes. Firstly, the metho... more Cybercrime investigators face numerous challenges when policing online crimes. Firstly, the methods and processes they use when dealing with traditional crimes do not necessarily apply in the cyber-world. Additionally, cyber criminals are usually technologically-aware and constantly adapting and developing new tools that allow them to stay ahead of law enforcement investigations. In order to provide adequate support for cybercrime investigators, there needs to be a better understanding of the challenges they face at both technical and sociotechnical levels. In this paper, we investigate this problem through an analysis of current practices and workflows of investigators. We use interviews with experts from government and private sectors who investigate cybercrimes as our main data gathering process. From an analysis of the collected data, we identify several outstanding challenges faced by investigators. These pertain to practical, technical, and social issues such as systems availability, usability, and in computer-supported collaborative work. Importantly, we use our findings to highlight research areas where user-centric workflows and tools are desirable. We also define a set of recommendations that can aid in providing a better foundation for future research in the field and allow more effective combating of cybercrimes.
J. Wirel. Mob. Networks Ubiquitous Comput. Dependable Appl., 2017
The threat that organisations face from within is growing significantly, as it has been widely de... more The threat that organisations face from within is growing significantly, as it has been widely demonstrated by the harm that insiders have caused recently. For many years the security community has invested in barriers and perimeters, of increasing sophistication, designed to keep those with malign intent outside of the organisations’ information infrastructures. But assuming that one can keep the threat out of an organisation is simply not a practical stance to adopt. In our research we are concerning ourselves with how technology might be deployed to help with the detection of insider threats both automatically and in support of human-led mechanisms. This paper describes our recent research into how we might support threat detection when actions taken can be immediately determined as of concern. In particular we capture actions that fall into one of two categories: those that violate a policy which is specifically crafted to describe behaviours that should be avoided; or those tha...
Graphical Models for Security, 2019
The risk from insider threats is rising significantly, yet the majority of organizations are ill-... more The risk from insider threats is rising significantly, yet the majority of organizations are ill-prepared to detect and mitigate them. Research has focused on providing rule-based detection systems or anomaly detection tools which use features indicative of malicious insider activity. In this paper we propose a system complimentary to the aforementioned approaches. Based on theoretical advances in describing attack patterns for insider activity, we design and validate a state-machine system that can effectively combine policies from rule-based systems and alerts from anomaly detection systems to create attack patterns that insiders follow to execute an attack. We validate the system in terms of effectiveness and scalability by applying it on ten synthetic scenarios. Our results show that the proposed system allows analysts to craft novel attack patterns and detect insider activity while requiring minimum computational time and memory.
IEEE Access, 2019
Complex dependencies exist across the technology estate, users and purposes of machines. This can... more Complex dependencies exist across the technology estate, users and purposes of machines. This can make it difficult to efficiently detect attacks. Visualization to date is mainly used to communicate patterns of raw logs, or to visualize the output of detection systems. In this paper we explore a novel approach to presenting cybersecurity-related information to analysts. Specifically, we investigate the feasibility of using visualizations to make analysts become anomaly detectors using Pattern-of-Life Visual Metaphors. Unlike glyph metaphors, the visualizations themselves (rather than any single visual variable on screen) transform complex systems into simpler ones using different mapping strategies. We postulate that such mapping strategies can yield new, meaningful ways to showing anomalies in a manner that can be easily identified by analysts. We present a classification system to describe machine and human activities on a host machine, a strategy to map machine dependencies and activities to a metaphor. We then present two examples, each with three attack scenarios, running data generated from attacks that affect confidentiality, integrity and availability of machines. Finally, we present three in-depth use-case studies to assess feasibility (i.e. can this general approach be used to detect anomalies in systems?), usability and detection abilities of our approach. Our findings suggest that our general approach is easy to use to detect anomalies in complex systems, but the type of metaphor has an impact on user's ability to detect anomalies. Similar to other anomaly-detection techniques, false positives do exist in our general approach as well. Future work will need to investigate optimal mapping strategies, other metaphors, and examine how our approach compares to and can complement existing techniques.
2015 European Intelligence and Security Informatics Conference, 2015
Cybercrime tackling is a major challenge for Law Enforcement Agencies (LEAs). Traditional digital... more Cybercrime tackling is a major challenge for Law Enforcement Agencies (LEAs). Traditional digital forensics and investigation procedures are not coping with the sheer amount of data to analyse, which is stored in multiple devices seized from distinct, possibly-related cases. Moreover, inefficient information representation and exchange hampers evidence recovery and relationship discovery. Aiming at a better balance between human reasoning skills and computer processing capabilities, this paper discusses how semantic technologies could make cybercrime investigation more efficient. It takes the example of online banking fraud to propose an ontology aimed at mapping criminal organisations and identifying malware developers. Although still on early stage of development, it reviews concepts to extend from well-established ontologies and proposes novel abstractions that could enhance relationship discovery. Finally, it suggests inference rules based on empirical knowledge which could better address the needs of the human analyst.
Due to the ever increasing popularity of the Internet, institutions are migrating their services ... more Due to the ever increasing popularity of the Internet, institutions are migrating their services to the digital realm. Banks are among the most representative examples: in order to better meet their clients' requirements, but also to reduce operational costs, online banking platforms were created and their use stimulated. However, the users' mass adoption to this novel technology without proper awareness campaigns resulted in a large increase of online banking fraud occurrence rates. This poses great challenges to Law Enforcement Agencies dedicated to cybercrime investigation: in addition to personnel skills training, there is an urgent need for new approaches correlating the horizontally sparse and concealed evidence resulted from such offence. As semantic technologies enable the more intelligent use of computer resources regarding data from a specific domain, this paper proposes the creation of an online banking malware investigation ontology.
2015 IEEE International Symposium on Technologies for Homeland Security (HST), 2015
2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
The rapid expansion of cyberspace has greatly facilitated the strategic shift of traditional crim... more The rapid expansion of cyberspace has greatly facilitated the strategic shift of traditional crimes to online platforms. This has included malicious actors, such as extremist organisations, making use of online networks to disseminate propaganda and incite violence through radicalising individuals. In this article, we seek to advance current research by exploring how supporters of extremist organisations craft and disseminate their content, and how posts from counter-extremism agencies compare to them. In particular, this study will apply computational techniques to analyse the narratives of various pro-extremist and counter-extremist Twitter accounts, and investigate how the psychological motivation behind the messages compares between pro-ISIS and counter-extremism narratives. Our findings show that pro-extremist accounts often use different strategies to disseminate content (such as the types of hashtags used) when compared to counter-extremist accounts across different types of organisations, including accounts of governments and NGOs. Through this study, we provide unique insights into both extremist and counter-extremist narratives on social media platforms. Furthermore, we define several avenues for discussion regarding the extent to which counter-messaging may be effective at diminishing the online influence of extremist and other criminal organisations.
Cybersecurity in Working from Home: An Exploratory Study
SSRN Electronic Journal, 2021
This paper presents the findings of an exploratory study of the implications of a shift to workin... more This paper presents the findings of an exploratory study of the implications of a shift to working from home (WFH) in the context of the COVID pandemic. The literature and news coverage of this topic focuses on rising concerns over cybersecurity, but exploratory interviews suggest a need to reframe this issue. A focus on the threats or rising security problems tied to WFH is important but too narrow. An equally critical question is whether early experiences with and adaptation to WFH created a cybersecurity infrastructure and practices that have enabled a much greater scale of WFH. In essence, for some kinds of work for some types of individuals, is it possible that advances in cybersecurity have been an enabler of WFH and other remote telework, rather than a barrier? This question provides a basis for expanding research on whether cybersecurity is a barrier or enabler of WFH patterns, including many mixed or hybrid modes of splitting work between the office, home and other remote l...
Process algebras like CSP and CCS inspired the original occam model of communication and process ... more Process algebras like CSP and CCS inspired the original occam model of communication and process encapsulation. Later the π-calculus and various treatments handling mobility in CSP added support for mobility, as realised in practical programming systems such as occam-π, JCSP, CHP and Sufrin’s CSO, which allow a rather abstract notion of motion of processes and channel ends between parents or owners. Milner’s Space and Motion of Communicating Agents on the other hand describes the bigraph framework, which makes location more of a first-class citizen of the calculus and evolves through reaction rules which rewrite both place and link graphs of matching sections of a system state, allowing more dramatic dynamic reconfigurations of a system than simple process spawning or migration. I consider the tractability of the notation, and to what extent the additional flexibility reflects or elicits desirable programming paradigms.
2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 2020
Among the various types of spyware, screenloggers are distinguished by their ability to capture s... more Among the various types of spyware, screenloggers are distinguished by their ability to capture screenshots. This gives them considerable nuisance capacity, giving rise to theft of sensitive data or, failing that, to serious invasions of the privacy of users. Several examples of attacks relying on this screen capture feature have been documented in recent years. However, there is not sufficient empirical and experimental evidence on this topic. Indeed, to the best of our knowledge, there is no dataset dedicated to screenshot-taking malware until today. The lack of datasets or common testbed platforms makes it difficult to analyse and study their behaviour in order to develop effective countermeasures. The screenshot feature is often a smart feature that does not activate automatically once the malware has infected the machine; the activation mechanisms of this function are often more complex. Consequently, a dataset which is completely dedicated to them would make it possible to better understand the subtleties of triggering screenshots and even to learn to distinguish them from the legitimate applications widely present on devices. The main purpose of this paper is to build such a dataset and analyse the behaviour of screenloggers.
Proceedings of the 2017 on Multimedia Privacy and Security, 2017
The version in the Kent Academic Repository may differ from the final published version. Users ar... more The version in the Kent Academic Repository may differ from the final published version. Users are advised to check http://kar.kent.ac.uk for the status of the paper. Users should always cite the published version of record.
PSU Research Review, 2017
Purpose Several attack models attempt to describe behaviours of attacks with the intent to unders... more Purpose Several attack models attempt to describe behaviours of attacks with the intent to understand and combat them better. However, all models are to some degree incomplete. They may lack insight about minor variations about attacks that are observed in the real world (but are not described in the model). This may lead to similar attacks being classified as the same type of attack, or in some cases the same instance of attack. The appropriate solution would be to modify the model or replace it entirely. However, doing so may be undesirable as the model may work well for most cases or time and resource constraints may factor in as well. This paper aims to explore the potential value of adding information about attacks and attackers to existing models. Design/methodology/approach This paper investigates used cases of minor variations in attacks and how it may and may not be appropriate to communicate subtle differences in existing attack models through the use of annotations. In pa...
Policy refinement checking
Property-based compression strategies
… architectures 2004: WoTUG-27: proceedings of …, 2004
CSP, Hoare's Communicating Sequential Processes, [1, 2] is one of the formalisms that underpins t... more CSP, Hoare's Communicating Sequential Processes, [1, 2] is one of the formalisms that underpins the antecedents of CPA, and this year celebrates its Silver Jubilee [3]. Formal Systems' own FDR refinement checker [4] is among the most powerful explicit exhaustive finite-state exploration tools, and is tailored specifically to the CSP semantics. The CSP M ASCII form of CSP, in which FDR scripts are expressed, is the de-facto standard for CSP tools. Recent work has experimentally extended the notation to include a probabilistic choice construct, and added functionality into FDR to produce models suitable for analysis by the Birmingham University PRISM tool [5].
Preface ix properties required of it, into a CSP model of the protocol as described in Chapter 2,... more Preface ix properties required of it, into a CSP model of the protocol as described in Chapter 2, and a number of assertions to be checked. This model can then be analyzed using the model-checker FDR discussed in Chapter 4. Chapter 6 discusses in more detail some of the CSP modelling that is carried out by Casper, particularly how the hostile environment is modelled to allow efficient analysis by the model-checker. Chapter 7 is concerned with direct verification of CSP models of protocols. It introduces the 'rank function' approach to proving protocols correct. This allows proofs to be constructed that verify protocol descriptions of arbitrary size against their requirements. The theorem-proving and bespoke tool support available for this approach is also discussed. Chapter 8 addresses the problem of scale. Real-world protocols are very large and their analysis is difficult because of the volume of detail contained in their description. This chapter is concerned with 'simplifying transformations', which allow extraneous detail to be abstracted away when checking a protocol against a particular property in such a way that verification of the abstract protocol implies correctness of the full protocol. The approach is illustrated with the CyberCash main sequence protocol. Chapter 9 discusses the literature on security protocol verification and its historical context. There are a number of different approaches to the problems addressed in this book, and this chapter covers many of those that have been most influential in the field. Chapter 10 discusses the broader issues, open problems and areas of ongoing research, and gives indications of areas for possible further developments and research. One area of current research discussed in this chapter, of particular importance to the model-checking approach of this book, is the development of techniques based on 'data independence', which allow the results of model-checking to be lifted to protocol models of arbitrary size. There are three appendices. The first covers some background mathematics and cryptography, introducing the RSA and the ElGamal schemes; the second is an example of Casper applied to the Yahalom protocol, containing the input file and the CSP model produced by Casper; and the third contains a verification using rank functions of the simplified CyberCash protocol descriptions produced in Chapter 8. The book has an associated website: www.cs.rhbnc.ac.uk/books /secprot/ This website provides access to all of the tools discussed in this book, and to the protocol examples that are used throughout (as well as others). Readers are recommended to download the tools and experiment with protocol analysis while reading the book. The website also provides exercises (and answers!), as well as a variety of other related material. x Preface the approach. Thanks are also due to Inmos, ONR, DERA and ESPRIT, for funding developments to FDR over the years. Peter Ryan would also like to thank the Department of Computer Science, Royal Holloway, and Microsoft Research, Cambridge, for hospitality during the writing of this book.
Insider Attacks in Cloud Computing
2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, 2012
The computer-security industry is familiar with the concept of a Malicious Insider. However, a ma... more The computer-security industry is familiar with the concept of a Malicious Insider. However, a malicious insider in the cloud might have access to an unprecedented amount of information and on a much greater scale. Given the level of threat posed by insiders, and the rapid growth of the cloud computing ecosystem, we examine here the concept of insider attacks in cloud computing. Specifically, if more of our assets are going to reside in the cloud, and as increasingly our lives, enterprises and prosperity may depend upon cloud, it is imperative that we understand the scope for insider attacks so that we might best prepare defenses. We need to understand whether cloud might expose our assets to increased threat in terms of both actors and attack surface. We present here an assessment of current insider threat definitions and classifications, and their applicability to the cloud. We elucidate the nature of insiders with reference to the cloud ecosystem and close with examples of insider attacks which are specific to cloud environments (and hence hard to detect using current techniques).
Uploads
Papers by Michael Goldsmith