6th European Conference - Academic Conferences

The Proceedings
of the
6th International
Conference on Information
Warfare and Security
The George Washington University,
Washington, DC, USA
17-18 March 2011
Edited by
Leigh Armistead
Edith Cowan University
Programme Chair

Copyright The Authors, 2011. All Rights Reserved.
No reproduction, copy or transmission may be made without written permission from the individual authors.
Papers have been double-blind peer reviewed before final submission to the conference. Initially, paper
abstracts were read and selected by the conference panel for submission as possible papers for the
conference.
Many thanks to the reviewers who helped ensure the quality of the full papers.
These Conference Proceedings have been submitted to Thomson ISI for indexing.
Further copies of this book and previous year’s proceedings can be purchased from http://academicconferences.org/2-proceedings.htm
ISBN:97-1-906638-92-4 Book
Published by Academic Publishing International Limited
Reading
UK
44-118-972-4148
www.academic-publishing.org

Contents
Paper Title Author(s) Page
No.
Preface iii
Biographies of Conference Chairs,
Programme Chair, Keynote Speaker and
Mini-track Chairs
Biographies of contributing authors v
Using the Longest Common Substring on
Dynamic Traces of Malware to Automatically
Identify Common Behaviors
Modeling and Justification of the Store and
Forward Protocol: Covert Channel Analysis
The Evolution of Information Assurance (IA)
and Information Operations (IO) Contracts
across the DoD: Growth Opportunities for
Academic Research – an Update
The Uses and Limits of Game Theory in
Conceptualizing Cyberwarfare
Jaime Acosta 1
Hind Al Falasi and Liren Zhang 8
Edwin Leigh Armistead and Thomas Murphy 14
Merritt Baer 23
Who Needs a Botnet if you Have Google? Ivan Burke and Renier van Heerden 32
Mission Resilience in Cloud Computing: A
Biologically Inspired Approach
Link Analysis and Link Visualization of
Malicious Websites
The Strategies for Critical Cyber
Infrastructure (CCI) Protection by Enhancing
Software Assurance
Building an Improved Taxonomy for IA
Education Resources in PRISM
Using Dynamic Addressing for a Moving
Target Defense
Changing the Face of Cyber Warfare with
International Cyber Defense Collaboration
Cyber Strategy and the Law of Armed
Conflict
eGovernance and Strategic Information
Warfare – non Military Approach
Intelligence-Driven Computer Network
Defense Informed by Analysis of Adversary
Campaigns and Intrusion Kill Chains
The Hidden Grand Narrative of Western
Military Policy: A Linguistic Analysis of
American Strategic Communication
Host-Based Data Exfiltration Detection via
System Call Sequences
Detection of YASS Using Calibration by
Motion Estimation
Marco Carvalho, Dipankar Dasgupta, Michael
Grimaila and Carlos Perez
Manoj Cherukuri and Srinivas Mukkamala 52
Mecealus Cronkrite, John Szydlik and Joon Park 68
Vincent Garramone, Daniel Likarish 76
Stephen Groat, Matthew Dunlop, Randy Marchany
and Joseph Tront
Marthie Grobler, Joey Jansen van Vuuren and
Jannie Zaaiman,
Ulf Haeussler 99
Karim Hamza and Van Dalen 106
Eric Hutchins, Michael Cloppert and Rohan Amin 113
Saara Jantunen and Aki-Mauri Huhtinen 126
Brian Jewell and Justin Beaver 134
Kesav Kancherla and Srinivas Mukkamala 143
i
iv
42
84
92

Paper Title Author(s) Page
No.
Developing a Knowledge System for
Information Operations
CAESMA – An On-Going Proposal of a
Network Forensic Model for VoIP traffic
Secure Proactive Recovery – a Hardware
Based Mission Assurance Scheme
Identifying Cyber Espionage: Towards a
Synthesis Approach
Security Analysis of Webservers of
Prominent Organizations in Pakistan
International Legal Issues and Approaches
Regarding Information Warfare
International Legal Issues and Approaches
Regarding Information Warfare
Louise Leenen, Ronell Alberts, Katarina Britz,
Aurona Gerber and Thomas Meyer
Jose Mas y Rubi, Christian Del Carpio, Javier
Espinoza, and Oscar Nuñez Mori
Ruchika Mehresh, Shambhu Upadhyaya and Kevin
Kwiat
151
160
171
David Merritt and Barry Mullins 180
Muhammad Naveed 188
Alexandru Nitu 200
Cyberwarfare and Anonymity Christopher Perr 207
Catch Me If You Can: Cyber Anonymity David Rohret and Michael Kraft 213
Neutrality in the Context of Cyberwar Julie Ryan and Daniel Ryan 221
Labelling: Security in Information
Management and Sharing
Information Management Security for Inter-
Organisational Business Processes,
Services and Collaboration
Anatomy of Banking Trojans – Zeus
Crimeware (how Similar are its Variants)
Terrorist use of the Internet: Exploitation and
Support Through ICT Infrastructure
Evolving an Information Security Curriculum:
New Content, Innovative Pedagogy and
Flexible Delivery Formats
Harm Schotanus, Tim Hartog, Hiddo Hut and Daniel
Boonstra
Maria Th. Semmelrock-Picej, Alfred Possegger and
Andreas Stopper
228
238
Madhu Shankarapani and Srinivas Mukkamala 252
Namosha Veerasamy and Marthie Grobler 260
Tanya Zlateva, Virginia Greiman, Lou Chitkushev
and Kip Becker
Research in Progress Papers 277
Towards Persistent Control over Shared
Information in a Collaborative Environment
3D Execution Monitor (3D-EM): Using 3D
Circuits to Detect Hardware Malicious
Inclusions in General Purpose Processors
Towards An Intelligent Software Agent
System As Defense Against Botnets
268
Shada Alsalamah, Alex Gray and Jeremy Hilton 279
Michael Bilzor 289
Evan Dembskey and Elmarie Biermann 299
Theoretical Offensive Cyber Militia Models Rain Ottis 308
Work in Progress 315
Large-scale analysis of continuous data in
cyber-warfare threat detection
A System and Method for Designing Secure
Client-Server Communication Protocols
Based on Certificateless PKI
William Acosta 317
Natarajan Vijayarangan 320
ii

Preface
These Proceedings are the work of researchers contributing to the 6th International Conference on
Information Warfare and Security (ICIW 2011), hosted this year by the George Washington University,
Washington DC, USA. The Conference Chair is Dr. Julie Ryan from the George Washington University,
Washington, DC, USA and I am again the Programme Chair.
The opening keynote address this year is given by Matthew A. Stern, General Dynamics Advanced
Information Systems, USA The second day will be opened by Mathew “Pete” Peterson from the Naval
Criminal Investigative Service, USA.
An important benefit of attending this conference is the ability to share ideas and meet the people who hold
them. The range of papers will ensure an interesting and enlightened discussion over the two day schedule.
The topics covered by the papers this year illustrate the depth of the information operations’ research area,
with the subject matter ranging from the highly technical to the more strategic visions of the use and
influence of information.
With an initial submission of 97 abstracts, after the double blind, peer review process there are 38 papers
published in these Conference Proceedings, including contributions from Austria, Bangladesh, Estonia,
Finland, India, Iran, Pakistan, Peru, Romania, South Africa, the Netherlands, United Arab Emirates, United
Kingdom and the United States.
I wish you a most enjoyable conference.
March 2011
Leigh Armistead
Edith Cowan University
Programme Chair
iii

Biographies of Conference Chairs, Programme Chairs and Keynote
Speakers
Conference Chairs
Programme Chairs
Dr. Julie Ryan currently teaches and directs research in Information Assurance at
The George Washington University. Prior to joining academia, she worked in various
positions in industry and government. Her degrees are from the US Air Force
Academy, Eastern Michigan University, and The George Washington University.
Dr Edwin “Leigh” Armistead is the Director of Business Development for Goldbelt
Hawk LLC, the Programme Chair for the International Conference of Information
Warfare and an Adjunct Lecturer for Edith Cowen University in Perth, Australia. He
has written nine books, 18 journal articles, presented 17 academic papers and served
as a Chairman for 16 professional and academic conferences. Formerly a Master
Faculty at the Joint Forces Staff College, Leigh received his PhD from Edith Cowan
University with an emphasis on Information Operations. He also serves as a Co-
Editor for the Journal of International Warfare, and the Editorial Review Board for
European Conference on Information Warfare.
Keynote Speakers
Mathew “Pete” Peterson has served in a variety of positions within US government
agencies since 1989, to include 13 years on active duty in the U.S. Army. He has
experience in a wide range of domains, including information assurance/information
protection, research, development & acquisition (RDA)/research & technology
protection (RTP), cyber analysis issues, critical infrastructure protection, and threat
analysis. He currently serves as Cyber Analysis Division Chief within the Naval
Criminal Investigative Service, while working towards completion of his dissertation in
the Executive Leadership Doctoral Program at George Washington University’s Virginia
Campus.
Matthew Stern is the director of cyber accounts for General Dynamics Advanced Information Systems. He
also provides subject matter expertise in cyber space operations to the company and its customers. Stern
also represents the company on several boards and advisory groups providing thought leadership to the
cyber security community. He spent 22 years in positions of increasing responsibility in the U.S. Army
culminating with command of 2nd Battalion, 1st Information Operations Command and the Army Computer
Emergency Response Team (ACERT). This is the first unit in U.S. Army history dedicated to cyberspace
operations. Stern is an established expert on information technology, network security, information
operations and special information operations. He is also a recognized visionary regarding the military
conduct of cyberspace operations. He has developed his knowledge and expertise through practical
experience leading his command, the U.S. military data communication services in Iraq, support to the
technical architecture of the U.S. Army’s digitized Armored Corps, and the systems integration for the Land
Information Warfare Activity Information Dominance Center. Stern is also a decorated combat veteran of
Operations DESERT SHIELD /STORM and IRAQI FREEDOM. Matt holds a Masters degree in Information
Systems and Computer Resource Management from Webster University and a Bachelor’s of Science degree
in Political Science from Northern Illinois University.
iv

Biographies of contributing authors (in alphabetical order)
Jaime Acosta completed his Ph.D. in Computer Science at the University of Texas at El Paso. Dr. Acosta’s
research has received awards and recognition including the outstanding dissertation award by the University
of Texas at El Paso. Jaime is currently working at the United States Army Research Laboratory conducting
security research.
William Acosta, Ph.D. received his Ph.D. from the University of Notre Dame in 2008 and is currently an
assistant professor at the University of Toledo teaching in the Computer Science and Engineering
Technology Program. His prior work included peer-to-peer search and distributed systems. He is currently
working on experimental data systems research focusing on large-scale data analysis.
Hind Al Falasi, is currently pursuing a PhD in Information Security at the United Arab Emirates University, Al
Ain, UAE. He received a Bachelors of Science in Information Security from the United Arab Emirates
University. Where the main focus is Security of Vehicular Ad hoc Networks.
Rohan Amin is a member of Lockheed Martin's CIRT, who helped grow the team from 5 charter members
with limited responsibilities to an industry-leading entity with global scope. His contributions to the team have
ranged from deeply technical to broadly organizational.
Shada Al-Salamah is a doctoral candidate at the Department of Computer Science & Informatics, Cardiff
University, UK. She received her MSc in Strategic Information Systems with Information Assurance from
Cardiff University and received a BSc in Information Technology from the College of Computer and
Information Sciences, King Saud University, Riyadh, Saudi Arabia.
Merritt Baer is a graduate of Harvard Law School and Harvard College. She has conducted clinical cyberlaw
research at Harvard's Berkman Center for Internet and Society and has published a number of pieces at the
intersection of cybercrime, Constitutional Internet issues and national security. She currently serves as a
judicial clerk at the United States Court of Appeals for the Armed Forces.
Michael Bilzor is a PhD student at the Naval Postgraduate School. He has a B.S. in Computer Science from
the U.S. Naval Academy and an M.S. in Computer Science from Johns Hopkins University. He served in F-
14 and F/A-18 squadrons as a Naval Flight Officer until 2005. His research interest is in hardware security.
Ivan Burke is a Msc student in the department of Computer Science at the University of Pretoria, South
Africa. He also works full time at the Council of Scientific and Industrial Research South Africa in the
department of Defense Peace Safety and Security,where he works within the Command, Control and
Information Warfare research group.
Marco Carvalho is a research Scientist at Florida Institute for Human and Machine Cognition (IHMC). He
received his Ph.D. from Tulane University, New Orleans, following a M.Sc. in Computer Science from
University of West Florida, a M.Sc. in Mechanical Engineering from Federal University of Brasilia (UnB), and
a B.Sc. in Mechanical Engineering, also from UnB. His research interests are primarily in the areas of
biologically inspired security and tactical networks.
Mecealus Cronkrite is studying for a M.S in Information & Security Management at Syracuse University,
School of Information Studies, He is a DHS Career Development Grant fellow, Graduate Engineering
Minority (GEM) fellow. He gained a B.S degree in 2009 in Computer Science, from the State University at
Brockport NY. He has spent 7 years in industry in systems integration programing and analysis, and IT
disaster management roles.
Mike Cloppert is a member of Lockheed Martin's CIRT, who helped grow the team from 5 charter members
with limited responsibilities to an industry-leading entity with global scope. His contributions to the team have
ranged from deeply technical to broadly organizational.
Evan Dembskey is a senior lecturer at UNISA in Pretoria, South Africa. He currently lectures in the area of
computer security. His research interests include IW and technology and science in Ancient Greece and
Rome.
Javier Espinoza was born in Lima, Peru, on August, 1971. He studied Electronic Engineering in Pontificia
Universidad Catolica del Peru. He studied specialization in Cisco Certified Network Associate (CCNA), in
v

Structured Wiring and Information System Security. Javier is studying a Telecommunications Engineering
master at Pontificia Universidad Catolica del Peru in Lima, Peru
Stephen Groat is a PhD student at Virginia Tech in the Bradley Department of Electrical and Computer
Engineering focusing on network security and IPv6. Working in coordination with the Information Technology
Security Office and Lab, Stephen is researching the security implications of IPv6.
Ulf Haeussler is a Legal Advisor in the German Armed Forces and currently seconded to HQ SACT. Prior
to this assignment, Ulf served in multiple German Armed Forces positions as well as at NATO HQ, and was
deployed to NATO operations as a reservist on active duty. Ulf is widely published on international law.
Karim Hamza works as an Academic Researcher at the Maastricht school of Management (Netherlands),
Part Time Professor at the American University (Egypt) and Approved Tutor for Edinburgh Business School
(UK). Additionally, he works as a Business Development Manager in one of the leading information
technology companies specialized in Enterprise Resource Planning applications for governments and private
sectors.
Tim Hartog graduated in 2005 at the Technical University of Twente, in the Netherlands. Since then he has
been active in the field of Information Security. During his work at TNO, the Dutch Organization for Applied
Scientific Research, Tim has been working in the areas of Trusted Computing, Trusted Operating Systems
and Cross Domain Solutions.
Saara Jantunen studies leadership as a doctoral student in the Finnish Defence University. She has studied
English language and culture at the University of Groningen in the Netherlands and English philology in the
University of Helsinki, Finland. Her research interests include language & identity and military discourse.
Jantunen currently works in education.
Brian Jewell is a graduate student with an emphasis on Information Security at Tennessee Technological
University. He received his B.S. in Computer Science from Murray State University. During summer 2010 he
interned at Oak Ridge National Laboratory in the Applied Software Engineering Research group. His
research is in the area of host intrusion detection and response.
Louise Leenen is a Senior Researcher at the South African Council for Scientific and Industrial Research in
the Defence, Peace, Safety and Security (DPSS) unit which focuses on defence related research and
development. She holds a PhD in Computer Science from the University of Wollongong in Australia.
Dan Likarish is a Director of the Center on Information Assurance Studies and faculty at Regis University
School of Information and Computer Science. For many years he has been the advisor for undergraduate
and graduate students with an interest in IS and IT problems. His research interests are in rapid curriculum
development and deployment in conjunction with virtual worlds.
Jose Luis Mas y Rubi studied Systems Engineering at the Instituto Universitario Politecnico Santiago
Mariño in Barcelona, Venezuela. He has a Cisco CCNA certification in networking. He is currently studying
for a Telecommunications Engineering Master degree at Pontificia Universidad Catolica del Peru in Lima,
Peru.
Ruchika Mehresh is a doctoral student of Computer Science and Engineering at the State University of New
York at Buffalo. Her research focuses on reliability and security in fault-tolerant computing. She has worked
on research projects funded by U.S. Air Force Research Laboratory
David Merritt received his B.S. in computer engineering from the U.S. Air Force Academy. He is an
Undergraduate Network Warfare Training graduate, holds CISSP and GSEC certifications, and spent 3 years
on the Air Force Computer Emergency Response Team. David is an active duty officer attending the Air
Force Institute of Technology in Ohio.
Srinivas Mukkamala is a senior research scientist with ICASA (Institute for Complex Additive Systems
Analysis), Adjunct Faculty of Computer Science Department of New Mexico Tech, advisor Cyber Security
Works, and co-founder/managing partner of CAaNES LLC. He received his Ph.D. from New Mexico Tech in
2005. He is a frequent speaker on information assurance in conferences and tutorials across the world.
Muhammad Naveed completed B.Sc degree in Electrical Engineering (with majors in communication),
University of Engineering and Technology (UET), Peshawar, Pakistan 2010. Currently a lecturer at
vi

Department of Computer Science, IQRA University, Peshawar, Pakistan. Research interests include
information security and cryptography.
Alexandru Nitu is a legal counselor at the Romanian Intelligence Service, with nine years of experience in
matters regarding human rights protection. He is involved in legal studies referring to the impact of the
intelligence activities on respecting citizens’ fundamental rights and liberties.
Rain Ottis is a scientist at the Cooperative Cyber Defence Centre of Excellence. He is a graduate of the
United States Military Academy and Tallinn University of Technology (MSc, Informatics). He continues his
studies at a PhD program in Tallinn University of Technology, where he focuses on politically motivated
cyber attack campaigns by non-state actors.
Christopher Perr is currently a PhD candidate at Auburn University studying computer and network security.
He holds a B.S. in Computer Science from the Air Force Academy and a Masters of Software Engineering
from Auburn University.
David Rohret, CSC, Inc. Joint Information Operations Warfare Center (JIOWC). For over fifteen years he
has pursued network security interests to include developing and vetting exploits for use on established red
teams and adversarial research. He holds degrees in Computer Science from the University of Iowa and La
Salle University.
Shambhu Upadhyaya is Professor of Computer Science and Engineering at the State University of New
York at Buffalo. His research interests are computer security, information assurance, fault-tolerant
computing, distributed systems and reliability. His research has been funded by federal agencies such as
National Science Foundation, U.S. Air Force Research Laboratory, DARPA, National Security Agency and
industries such as IBM, Intel, Cisco and Harris Corporation.
Namosha Veerasamy obtained a BSc:IT Computer Science Degree, and both a BSc: Computer Science
(Honours Degree) and MSc: Computer Science with distinction from the University of Pretoria. She is
currently employed as a researcher at the Council for Scientific and Industrial Research (CSIR) in Pretoria.
Namosha is also qualified as a Certified Information System Security Professional (CISSP).
Natarajan Vijayarangan is a senior scientist in TCS. He obtained his Ph.D in Mathematics in 2001 from
RIASM, University of Madras. He received 'Best Research Paper Award' of Ramanujan Mathematical
Society in 2000. He has published patents, papers and books in the field of Information Security. He has
participated in NIST SHA-3 competition and received 'AIP Anchor Award'.
Jannie Zaaiman (B Comm, B Proc, HBA, MBA, PhD) is Deputy Vice Chancellor: Operations at the
University of Venda, and is the former Executive Dean, Faculty of Information and Communication
Technology at the Tshwane University of Technology (TUT). Before joining TUT, Jannie was Group
Company Secretary of Sasol, Managing Executive: Outsourcing and Divestitures at Telkom and Group
Manager at Development Bank of Southern Africa.
Tanya Zlateva completed her doctorate at the Dresden University of Technology, Germany, and
postdoctoral training at the Harvard-MIT Division for Health Sciences and Technology. Her research interests
include application level security, biometrics, and new educational technologies. She currently serves as
director of Boston University's Center for Reliable Information Systems and Cyber Security.
vii

Conference Executive:
Michael Grimaila, Center for Cyberspace Research, WPAFB, Ohio, USA
Dorothy Denning, Naval Postgraduate School, Monterey, CA, USA
Doug Webster, MITRE Corporation - United States Strategic Command's Global Innovation & Strategy
Center
Kevin Streff, Dakota State University, USA
Andy Jones, Security Research Centre, British Telecom, UK and Khalifa University, UAE
William Mahoney University of Nebraska Omaha, Omaha, USA
Dan Kuehl, National Defense University, Washington DC, UK,
Corey Schou, Idaho State University, USA
Committee Members:
The conference programme committee consists of key people in the information systems, information
warfare and information security communities around the world. The following people have confirmed their
participation:
Jim Alves-Voss (University of Idaho, USA); Todd Andel (Air Force Insitute of Technology, USA); Leigh
Armistead (Edith Cowan University, Australia); Johnnes Arreymbi (University of East London, UK); Rusty
Baldwin (Air Force Insitute of Technology, USA); Richard Baskerville (Georgia State University, USA); Allan
Berg (Critical Infrastructure and Cyber Protection Center, Capitol College, USA); Sviatoslav Braynov
(University of Illinois, USA); Blaine Burnham (University of Nebraska, Omaha, USA); Catharina Candolin
(Finnish Defence Forces, Helsinki, Finland); Rodney Clare (EDS and the Open University, UK); Nathan
Clarke (University of Plymouth, UK); Geoffrey Darnton, (University of Bournemouth, UK); Dipankar Dasgupta
(Intelligent Security Systems, USA); Dorothy Denning (Navel Postgraduate School, USA); Glenn Dietrich
(University of Texas, USA); David Fahrenkrug (US Air Force, USA); Kevin Gleason (KMG Consulting, MA,
USA); Sanjay Goel (University at Albany, USA); Michael Grimaila (Air force Institute of Technology, Ohio,
USA); Daniel Grosu (Wayne State University, USA); Drew Hamilton (Auburn University, USA); Dwight
Haworth (University of Nebraska at Omaha, USA); Philip Hippensteel (Penn State University, USA); Jeffrey
Humphries (Air Force Institute of Technology, USA); Bill Hutchinson (Edith Cowan University, Australia);
Berg P Hyacinthe (Assas School of Law, Universite Paris, France); Andy Jones (British Telecom, UK);
James Joshi (University of Pittsburgh, USA); Leonard Kabeya Mukeba (Kigali Institute of Science and
Technology, Rwanda); Prashant Krishnamurthy (University of Pittsburgh, USA); Dan Kuehl (National
Defense Forces, USA); Stuart Kurkowski (Airforce Institute of Technology, USA); Takakazu Kurokawa
(National Defense Acadamy, Japan); Rauno Kuusisto (National Defence College, Finland); Tuija Kuusisto
(Internal Security ICT Agency, Finland); Arun Lakhotia (University of Louisiana Lafayette, USA); Sam Liles
(Purdue University Calumet, USA): Cherie Long (Clayton State University, Decatur, USA); Brian Lopez
(Lawrence Livermore National Laboratory); Juan Lopez (Air Force Institute of Technology, USA); Bin Lu
(West Chester University, USA); Bill Mahoney (University of Nebraska, USA); John McCarthy
(Buckinghamshire and Chiltern University College, UK); J Todd McDonald (Airforce Institute of Technology,
USA); Robert Mills (Air Force Institute of Technology, Ohio, USA); Don Milne (Buckinghamshire and Chiltern
University College, UK); Srinivas Mukkamala (New Mexico Tech, Socorro, USA); Barry Mullins (Air Force
Institute of Technology, USA); Andrea Perego (Università degli Studi dell’Insubria, Italy); Gilbert Patterson
(Air Force Institute of Technology, USA): Richard Raines (Airforce Institute of Technology, USA); Ken Revett
(University of Westminster, UK); Neil Rowe (US Naval Postgraduate School, USA); Julie Ryan (George
Washington University, USA); Corey Schou (Idaho State University, USA); Dan Shoemaker (Univesity of
Detroit Mercy, USA); William Sousan (University of Nebraska, Omaha, USA); Kevin Streff (Dakota State
University, USA); Dennis Strouble (Air Force Institute of Technology, USA); Eric Trias (Air Force Institute of
Technology, USA); Doug Twitchell (Illinois State University, USA); Renier van Heerden (CSIR, Pretoria,
South Africa); Stylianos Vidalis (Newport Business School, UK); Fahad Waseem (Unviersity of Northumbria,
UK); Kenneth Webb, Edith Cowan University, Australia); Douglas Webster (USSTRATCOM Global
Innovation & Strategy Center, USA); Zehai Zhou (Dakota State University, USA).
viii

Using the Longest Common Substring on Dynamic Traces
of Malware to Automatically Identify Common Behaviors
Jaime Acosta
Army Research Laboratory, White Sands, NM, USA
jaime.acosta1@us.army.mil
Abstract: A large amount of research is focused on identifying malware. Once identified, the behavior of the
malware must be analyzed to determine its effects on a system. This can be done by tracing through a malware
binary using a disassembler or logging its dynamic behavior using a sandbox (virtual machines that execute a
binary and log all dynamic events such as network, registry, and file manipulations). However, even with these
tools, analyzing malware behavior is very time consuming for an analyst. In order to alleviate this, recent work
has identified methods to categorize malware into “clusters” or types based on common dynamic behavior. This
allows a human analyst to look at only a fraction of malware instances–those most dissimilar. Still missing are
techniques that identify similar behaviors among malware of different types. Also missing is a way to
automatically identify differences among same-type malware instances to determine whether the differences are
benign or are the key malicious behavior. The research presented here shows that a wide collection of malware
instances have common dynamic behavior regardless of their type. This is a first step toward enabling an analyst
to more efficiently identify malware instances’ effects on systems by reducing the need for redundant analysis
and allowing filtration of common benign behavior. This research uses the publicly available Reference Data Set
that was collected over a period of three years. Malware instances were identified and assigned a type by six
anti-malware scanners. The dataset consists of dynamic trace events of 3131 malware instances generated by
CWSandbox. For this research, the dataset is separated into two sets: small and large. The small set contains
2071 instances of malware that are less than 100 KB in size. The large set contains 1060 instances of malware
that are between 100 KB and 3.4 MB in size. In order to measure the common behavior between the small and
large sets, common sequential event sequences within each malware instance in the small set are identified
using a modified version of the longest common substring algorithm. Once identified, all appearances of these
common event sequences are removed from the large set to determine shared behavior. Most common
sequences are between length 2 and 60 events. Results indicate that when using length 2 event sequences and
higher, on average, the large set instances share 96% of event sequences, with length 6 and higher event
sequences–66%, and with length 12 and higher event sequences–50%. This indicates that an analyst’s workload
can be largely reduced by removing common behavior sequences. Furthermore, it shows that malware instances
may not always fall into exclusive categories. It may be more beneficial to instead identify behaviors and map
them to malware instances, for example, as with the Malware Attribute Enumeration and Characterization
(MAEC). Future efforts may look into attaching semantic labels on long sequences that are common to many
malware instances in order to aid the analyst further.
Keywords: malware, similarity, dynamic, analysis, substring
1. Introduction
As the number of malware instances grows each year, there is a need for automated methods that
can efficiently identify, classify, and reduce the amount of data that an analyst has to review pertaining
to malware. This paper focuses on identifying similarities among known malware instances in order to
reduce an analyst’s workload.
Automatic malware detection has been researched extensively in the past (Vinod et al., 2009). When
malware is identified, it is assigned a type or name. The malware binary behavior is analyzed in detail
in order to provide alerts, recover data, and assess damage among others. Recently, there have been
two main approaches to accomplish this: static and dynamic analysis. In static analysis, the malware
binary is reverse engineered using a disassembler. This method can be very time consuming,
especially due to obfuscation techniques such as polymorphism (Kasina et al., 2010), metamorphism
(Lee et al., 2010), memory packing (Han et al., 2010), and virtualization (Sharif et al., 2009). Dynamic
analysis, on the other hand involves running the malware binary in a controlled environment known as
a sandbox, e.g., Norman (Norman Solutions, 2003), Anubis (Bayer et al., 2006), CWSandbox
(Willems et al., 2007), where every event during the malware’s execution is logged to an event trace.
State-of-the-art sandboxes have the ability to fast-forward time to elicit delayed malware execution
and can even simulate user interaction. Current techniques, e.g., (Rieck et al., 2010), use clustering
methods in order to group similar malware based on their events during runtime, but still require
manual analysis to identify specific similarities and differences.
1

Jaime Acosta
The research presented here uses a dataset that consists of sandbox event traces of 3131 malware
instances. Manual observation of the dataset revealed many behavior patterns that were shared
across many instances such as file replacements (which involve a series of system calls), that at first
glance seem complex and overwhelming, but were made simple by replacing these common
behaviors with short annotations. This paper is a step in automating this process.
The following are the contributions resulting from the work described in this paper.
This research provides a methodology shows how the longest common substring algorithm can
be modified to conduct similarity analysis on malware using dynamic event traces. This similarity
may be due to code reuse, which arises from legitimate third-party libraries and also by reusing
infected or malicious code.
Use of this algorithm shows that in this dataset of malware, even though the instances are of
different types (assigned by anti-virus programs), there are a large number of common behaviors.
This means that it is the case that malware authors reuse code, and that an analyst could use this
to eliminate duplicate processing.
This research shows that the common behaviors identified are not limited to short trivial event
sequences; there are many large sequences. This indicates that it may be possible to replace
semantically rich events with natural language annotations to facilitate analysis.
2. Related work
Because of the large growth of malware instances being introduced each year, there has been a large
amount of work to aid in each stage of the malware analysis workflow.
The first step in analysis is data collection. Tools that aid in this collection include Nepenthes
(Baecher et al., 2006), Amun (Göbel, 2009), and HoneyPots (Provos, 2004). After collection, the
malware instances are analyzed using static (source code) or dynamic (event traces) techniques. In
the past decade there have been a wide variety of techniques used for static and dynamic analysis of
legitimate source code, with the goal of exploiting program semantics in an efficient way (Cornelissen,
2009). Related to malware, there have been many techniques that exploit characteristics unique to
malware, including malicious behavior, small program size, and code reuse among instances.
In both static and dynamic analysis techniques, one method that has had recent attention is using
machine learning to cluster similar malware instances. Clustering methods are useful because they
generalize large sets of malware into categories with limited need for manual human intervention.
Jang and Brumley (2009) perform static analysis by identifying areas of code reuse by clustering
malware binaries. His clustering method uses bloom filters, which identify similarity of malware
instances by applying hashing techniques to fixed size chunks of the malware executable code.
On the other hand, Bayer et al. (2009) use machine learning algorithms to identify similarities in
malware instances by comparing their dynamic event traces, which include system calls, their
dependencies, and network behavior. Next, the malware instances are clustered based on their
dynamic behavior. A limitation of this approach is that the algorithm is trained with a fixed set of
malware. It does not allow retraining with additional malware samples during the clustering phase.
Rieck extends this with his Malheur (Rieck et al., 2010) system by establishing an iterative
mechanism that consists of clustering and then classifying new instances into existing clusters. In his
work, similarity is determined by the presence of shared fixed-length instruction sequences. In
addition, Rieck also uses a dynamic trace representation format called MIST (Trinius et al., 2010) that
allows prioritization of event parameters (e.g., an openfile system call may have the file name, file
type, and the file path as parameters). This is meant to allow more efficient processing for machine
learning algorithms by reducing the input file size by leaving out less-critical parameters. MIST also
provides a common file format to which many of the available sandbox output can be converted.
After the instances are clustered, an analyst may have to conduct deeper investigation, such as exact
differences and similarities in the binaries. It may be the case that malware in different clusters share
common behaviors. This results in redundant analysis by a human analyst. Another issue is that
instances in a cluster are not exactly the same. There may be malicious behavior that is unique to one
instance within a cluster. One way to alleviate these issues is to, instead of determining similarity by
using fixed size sequences as in previous work, develop techniques that are not tied to sequence
length and automatically detect varied sized semantically-representative sequences.
2

Jaime Acosta
Some techniques that use semantic structure for finding similarity are in code-clone detection
research. These techniques have been used to identify redundancy to reduce program size or to
identify plagiarism in legitimate software (Roy and Cody, 2007). The problem with using these
techniques for identifying similarity and differences in malware is that the source code of malware is
not available. Some attempts have been made to analyze the sequences of instructions of
disassembled binaries to determine whether they are malicious. One method compared the
disassembled code against behavior templates that are known to exist in malware. These templates
are able to capture malicious behavior, even if the malware has small variation (Christodorescu et al.,
2005). Another method (Ye et al., 2007) uses the Intelligent Malware Detection System (IMDS), to
identify malware instances by checking if certain sequences of Application Programming Interface
(API) calls exist in a binary Portable Exchange (PE) file. A limitation of both of these examples is that
they assume the binary file is not packed and is not virtualized.
In this paper the longest common substring algorithm is modified and used to identify common event
sequences of varying size among a set of malware. Also, the algorithm works on the dynamic traces
of malware, which are evident even if the malware is packed or virtualized.
3. Dataset
3.1 Sandbox environment
The dataset used for this research was obtained from the Malheur website (http://pi1.informatik.unimannheim.de/malheur/)
and was collected over a period of three years. In particular, the Reference
dataset is used, which consists of the dynamic trace events of 3131 malware instances that are
grouped into 24 types, as assigned by six anti-virus scanners. The dynamic traces of the malware
instances were generated by CWSandbox. The event traces range in size from 700 B to 3.4 MB. The
traces are encoded in the Malheur instruction set (MIST) format and are in sequential order.
Furthermore, the traces are separated by thread behaviors of the executable.
3.2 MIST
The dynamic trace of the malware instances in the dataset are logs of the events that occurred as the
result of the execution of the malware binary. The logs contain details about each event that may be
of different levels of interest to an analyst, or to analysis software. MIST encodes events in a format
that will prioritize log details, e.g., filenames, sleep delay times and memory addresses associated
with each event trace. In total there are 120 system calls that fall into 13 more general categories
(e.g., winsock_op, file_open system calls are both in the winsock category). An extensive description
and examples of MIST are presented in (Trinius et al., 2010).
4. The common substrings algorithm
The algorithm developed to identify shared behaviors in malware instance event traces is a modified
version of the well-known longest common substring algorithm (Cormen et al., 2001). The main
difference is that in the modified version, all common substrings of a minimum length are identified,
instead of only the longest.
There are two main procedures that are executed to find the amount of shared behavior in the
malware instances. Figure 1 is the reduction procedure that calculates the amount of common
behavior in the event traces. In line 2, all common substrings are stored in the commonSubstrings
variable. In order to efficiently process the files, this step was first run on instances that were labeled
in the same malware class, i.e., all event traces within the ALLAPLE malware instances (as assigned
by anti-virus software) were compared first, then all EJIK traces, etc.
In lines 3-4, the commonSubstrings are sorted in descending order and output to a file. This allows
the commonsSubstrings to be used to find commonality with other datasets. In lines 5-9, the
occurrences of all strings in commonSubstrings of at least size min are identified in the largeFileSet.
They are then counted and removed. Removing the occurrences in the largeFileSet allows calculating
the amount of common behavior that exists in these malware instances (line 10).
3

Figure 1: The reduction procedure
Jaime Acosta
The CommonSubstring procedure (Figure 2) starts by reading the event traces from two input files
(lines 1-5). In the case that the next event sequences match in the two files, a temporary string,
currSubstring, keeps track of the matching sequences (lines 12-24). When the event sequence is
dissimilar in the two files, the current common substring, currSubstring, is stored if it is unique (8-10)
and finally cleared (11). For this research, a hash table was used to ensure that only unique instances
are stored. Lastly, all common substrings found are returned to the calling procedure in line 25.
Figure 2: The CommonSubstring procedure
In practice, because the malware instances share a high amount of common behaviors, the storage
space required to save the unique common substrings is small (less than 50 MB using substrings
greater than or equal to 2).
5. Experimental setup
In order to determine whether common behavior exists in the malware instances, the Reference
dataset was separated into two sets: small and large. The small set contained 2071 instances of
malware that are less than 100 KB in size. The large set contained 1060 instances of malware that
were between 100 KB and 4 MB in size. For this research, only the malware size, not the type as
4

Jaime Acosta
assigned by an anti-virus scanner, were used when separating the dataset. For the most part, the
malware types for small and large sets are different. Table 1 shows more details on the dataset and
how it was partitioned.
Table 1: Details on small and large sets
Small Set Large Set
Total # event trace files 2,071 1,060
Total # events 1,217,985 17,400,262
Total size of event trace files 44 MB 490 MB
The smaller dataset was used for capturing the set of common substrings in the hopes that large
complex malware instances may be broken down into behaviors that exist in small malware. For
example, it may be the case that part of a malware instance exhibits the behavior of a trojan to collect
data and may also self-replicate like a worm virus.
The level of detail needed when finding common behavior among malware instances was based on
Rieck et al.’s (2010) work. In their experiment, they found that the best configuration for clustering
malware instances was realized when using MIST level 1. This means that only the event names, not
any other details such as parameters, from the traces were used when searching for common
behaviors. Although his method compared fixed size event q-grams, the methods in this experiment
are similar; therefore MIST level 1 was used.
The Reduction algorithm presented in Figure 1 was first run on the small set. In order to more
efficiently process the data, the input was split into four equal size chunks and was processed
concurrently on four computers. After the common substrings from the small set were captured, the
next step was to determine the common behavior that occurs in the large file set.
6. Results
The results show that there is much common behavior among the malware instances. From an
analyst’s point of view, the preferred case is that longer substrings are prevalent among the malware
because these longer substrings most likely capture more semantically rich behavior blocks. If the
substrings are all too short, the effect would be less interesting because it would take almost the same
amount of effort to analyze event traces.
In order to help investigate what is actually happening in the data, the experiment was run several
times using different allowable minimum lengths to identify common substrings. For example, if the
allowed minimum length is six event sequences, all common substrings less than size six are ignored
and are not removed from the large set. Therefore, the reduction percentage, in this example, would
only be based on substrings size six and greater. Figure 3 shows the results for minimum lengths
ranging from 2 to 100.
The graph shows that when only considering substrings of length at least 12, half of the large dataset
can be accounted for using the common substrings in the small set. This indicates that by starting on
small traces, an analyst can break down a large complex trace by removing common behaviors.
When using a minimum length of 24, it seems the restriction is too great; only 30% is accounted for in
the large set, but this also signifies that the dataset represents a reasonable distribution of dissimilar
malware. If the malware all showed high level of similar behavior with many long sequences, it may
be the case that the collected malware is not a good representation of different types of malware. For
example, when looking at some of the longest common substrings found within the small set, it was
sometimes the case that two malware differed only by a few events. Further investigation revealed
that these two malware instances were of the same type and only differed probably to confuse a
hash-based virus scanner.
When using a minimum size of two, 96% of the large dataset is accounted for, but this is not practical
because most of the shared sequences are short. This is evident because the percentage of shared
behavior drops as the sequence minimum increases.
5

Jaime Acosta
Figure 3: Average percentage of the large set that is accounted for by common substrings of the
small set
7. Conclusions and future work
This paper has provided a technique that can be used for similarity analysis on malware, based on
dynamic behavior that was captured using CWSandbox. The results show that the similarities are not
restricted to small sequences; many large sequences are shared among the malware instances,
which mean that there are in fact many shared behaviors present that could be identified and possibly
labeled using natural language to reduce an analyst’s workload, matching the intentions of Kirillov et
al. (2010).
Future work will test the methods described in this paper with a larger dataset. In addition, instead of
limiting the process to sequential instructions, it may be useful to instead identify templates of
behavior, as Christodorescu et al. (2005) did for static malware analysis. For example, there may be a
trace that contains a sequence of five wait events and another with ten. Semantically, these are
almost equivalent, but the common substring algorithm presented here does not capture this; a
template method could. Tailoring to malware some techniques used in identifying code clones, such
as in (Roy and Cody, 2007) may also prove useful.
The work described here is an initial step for a tool that can be used to semantically label portions of
files to allow for more efficient identification of both redundancy (use of legitimate 3 rd party libraries)
and overlap (reuse of malware code) in malware instances.
Acknowledgments
I would like to thank Victor Mena, Ken Fabela, and Michael Shaughnessy for their valuable comments
and suggestions that led to the maturation of this work. Also, I would like to thank Konrad Rieck and
colleagues for the dataset and feedback.
References
Baecher, P., Koetter, M., Holz, T., Dornseif, M. and Freiling, F. (2006) “The Nepenthes platform: An efficient
approach to collect malware”, Recent Advances in Intrusion Detection, No. 4219, pp 165–184.
Bayer, U., Comparetti, P.M., Hlauschek, C., Kruegel, C. and Kirda, E. (2009) “Scalable, behavior-based malware
clustering”, Network and Distributed System Security Symposium (NDSS).
Bayer, U., Moser, A., Krügel, C. and Kirda, E. (2006) “Dynamic analysis of malicious code”, Journal in Computer
Virology, Vol. 2, No. 1, pp 67–77.
Christodorescu, M., Jha, S., Seshia, S. A., Song, D. and Bryant, R.E. (2005) “Semantics-Aware Malware
Detection”, IEEE Symposium on Security and Privacy, pp 32–46.
6

Jaime Acosta
Cormen, T.H., Leiserson, C.E., Rivest, R.L., Stein, C. (2001) Introduction to Algorithms, The MIT press.
Cornelissen, B. (2009) “Evaluating Dynamic Analysis Techniques for Program Comprehension”, Delft University
of Technology.
Göbel, J. G. (2009) “Amun: Python honeypot”, http://amunhoney.sourceforge.net.
Han, S., Lee, K. and Lee, S. (2010) “Packed PE File Detection for Malware Forensics”, Second International
Conference on Computer Science and its Applications (CSA), pp 1–7.
Jang, J. and Brumley, D. (2009) “BitShred: Fast, Scalable Code Reuse Detection in Binary Code”, CMU-CyLab,
pp 28–37.
Kasina, A., Suthar, A. and Kumar, R. (2010) “Detection of Polymorphic Viruses in Windows Executables”,
Contemporary Computing, pp 120–130.
Kirillov, I., Beck, D., Chase, P., and Martin, R. (2010) “Malware Attribute Enumeration and Characterization”,
http://maec.mitre.org/.
Lee, J., Jeong, K., and Lee, H. (2010) “Detecting metamorphic malwares using code graphs”, ACM Symposium
on Applied Computing, pp 1970–1977.
Norman Solutions (2003), “Norman sandbox whitepaper”
http://download.norman.no/whitepapers/whitepaper_Norman_SandBox.pdf
Provos, N. (2004) “A virtual honeypot framework”, USENIX Security Symposium, Vol. 13, pg 1.
Rieck, K., Trinius, P., Willems, C. and Holz, T. “Automatic Analysis of Malware Behavior using Machine
Learning”, Journal of Computer Security (JCS), to appear 2010.
Roy, C.K. and Cordy, J.R. (2007) “A survey on software clone detection research”, Queen’s School of Computing
TR, Vol. 541, pg 115.
Sharif, M., Lanzi, A., Giffin, J. and Lee, W. (2009) “Automatic reverse engineering of malware emulators”, IEEE
Symposium on Security and Privacy, pp 94–109.
Trinius, P., Willems, C., Holz, T. and Rieck, K. (2010) “A Malware Instruction Set for Behavior-based Analysis”,
Sicherheit 2010, pp 205–216.
Vinod, P., Jaipur, R., Laxmi, V. and Gaur, M.S. (2009) “Survey on malware detection methods”, Hack, pg 74.
Willems, C., Holz, T., Freiling, F. (2007) “Toward automated dynamic malware analysis using CWSandbox”, IEEE
Security and Privacy, Vol. 5, No. 2, pp 32–39.
Ye, Y., Wang, D., Li, T., Ye, D. and Jiang, Q. (2007) “An intelligent PE-malware detection system based on
association mining”, Journal in computer virology, Vol. 4, No. 4, pp 323–334.
7

Modeling and Justification of the Store and Forward
Protocol: Covert Channel Analysis
Hind Al Falasi and Liren Zhang
United Arab Emirates University, Al Ain, United Arab Emirates
hindalfalasi@uaeu.ac.ae
lzhang@uaeu.ac.ae
Abstract: In an environment where two networks with different security levels are allowed to communicate, a
covert channel is created. The paper aims at calculating the probability of establishing a covert channel between
the high security network and the low security network using Markov Chain Model. The communication between
the networks follows the Bell-LaPadula (BLP) security model. The BLP model is a “No read up, No write down”
model where up indicates an entity with a high security level and down indicates an entity with a low security
level. In networking, the only way to enforce the BLP model is to divide a network into separate entities, networks
with a low security level, and others with a high security level. This paper discusses our analysis of the Store and
Forward Protocol that enforces the BLP security model. The Store and Forward Protocol (SAFP) is a gateway
that forwards all data from a low security network to a high security network, and it sends acknowledgments to
the low security network as if they were sent from the high security network; thereby achieving reliability of the
communication in this secure environment. A timing covert channel can be established between the two networks
by using the times of the acknowledgments to signal a message from the high security network to the low
security network. A high security network may send acknowledgments immediately or with some delay where the
time of the acknowledgments arrival is used to convey the message. The covert channel probability is found to be
equal to the blocking probability of the SAFP buffer when analyzing the problem using Markov Chain Model.
Increasing the size of the buffer at the SAFP decreases the covert channel probability. Carefully determining the
size of the buffer of the SAFP ensures minimizing the covert channel probability.
Keywords: covert channel, access model, Markov Chain Model, store and forward protocol
1. Introduction
Covert channels may be introduced to secure networks both intentionally and unintentionally.
Consider a computer system were two networks with different security levels are communicating; the
existence of covert channels can compromise the efforts exerted to prevent access to higher security
level information by a lower security level network. Security procedures should be established to
prevent the lower network from reading the higher network files, and ensure that the higher network
cannot write to the lower network files. We are referring to a multilevel secure setting where different
networks have different security levels. The notion of having rules that state “No read up", and "No
write down” is in accordance with the BLP security model (Bell and LaPadula 1973). The model's
security procedures make it mandatory for information to flow from the low security network to the
high security network only.
In this paper we are interested in one type of covert channel, a timing channel. In timing channels,
information is transmitted by the timings of events (Wray 1991). This channel is established whenever
the higher network is able to hold up the SAFP (Kang and Moskowitz 1995) response time to signal
an input to the lower network. An acknowledgement sent by the SAFP to the lower network without
delay means no message; however, if the acknowledgment is sent with delay, the value of the delay
is translated by the lower network as an alphabet. Therefore, a communication channel is established
between the two networks with the output constructed from the different delay time values. The
medium in which the covert channel exists is the network environment in our channel i.e. network
covert channel (Cabuk et al., 2009). The channel manages to control the timing of legitimate network
traffic to allow the leaking of confidential data. The purpose of the covert channel analysis is to
calculate the best size buffer for the SAFP to minimize the probability of the covert channel
establishment.
2. Background and motivation
Information flow between two networks with different security levels should not only be governed by
the rules of the BLP security model. An integral part of implementing the BLP security model is
ensuring that any weaknesses of the system implementing the model do not defeat the purpose
behind it. Being able to identify the circumstances that lead to establishing a covert channel between
the two communicating networks is the first step towards eliminating the covert channel. The
importance of identifying the existence of covert channels stems from the fact that they are used to
8

Hind Al Falasi and Liren Zhang
transfer information secretly, where the ultimate goal of covert channels is to conceal the very
existence of the communication (Zander et al., 2007).
The capacity of the covert channel was analyzed as a function of buffer size and moving average size
by Kang and Moskowitz (Kang and Moskowitz, 1993; 1995). The analysis was performed on a Pump
that used randomized acknowledgments which are also used to control the input rate of a source. In
addition, several protocols were reviewed and implemented (Kang and Moskowitz, 1993), and the
proposed protocols in their work were designed to reduce the bandwidth of covert channels.
3. Store and Forward Protocol (SAFP)
The Store and Forward protocol is a simple protocol used for reliable communication between two
networks. The protocol effectiveness is limited in minimizing the existence of covert channels.
However, we use it in this paper as a benchmark to calculate the probability of a timing covert channel
as the advantage of the protocol is in its simplicity to analyze.
The idea behind this protocol is simple: There are two networks communicating, one network has a
low security level, and the other has a high security level. There is a gateway between the two
networks. The gateway does the following job: it receives a packet from the low security network,
stores it in a buffer, and then sends an acknowledgment to the low security network indicating the
successful receipt of that packet. The gateway then forwards the packet to the high security network
and waits for an acknowledgment of receipt. If no such acknowledgment is received, the gateway
retransmits the packet to the high security network. Only after the receipt of the acknowledgment
does the gateway delete that packet from its buffer.
All traffic from the high security network is ignored except for the acknowledgments. This notion is in
accordance with the BLP security model which is a “No read up, No write down” model where up
indicates an entity with high security level and down indicates an entity with low security level. The
gateway forwards all data from the low security network to the high security network, and it does not
forward acknowledgments from the high security network to the low security network; however, it
achieves reliability of the communication by sending acknowledgments to the low security network
(Figure 1).
Figure 1: Store and Forward Protocol (SAFP)
3.1 The covert channel
The problem with the store and forward protocol is that it permits covert channels to exist between the
high security network and the low security network through the acknowledgments. A timing covert
channel can be established between the two networks by using the time values of the
acknowledgments to signal a message from the high security network to the low security network. A
high security network may send acknowledgments immediately or with some delay where the value of
the delay is used to convey the message.
3.2 TCP sliding window effect
The SAFP notifies the low security network of the number of bytes it is willing to receive, which then
becomes the low security network send window. On the other side, the high security network notifies
the SAFP of the number of bytes it is willing to receive, which then becomes the SAFP send window.
At first glance, the use of TCP's sliding window appears to reduce the probability of the covert channel
by minimizing the number of acknowledgments. The low security network can send several packets
without waiting for acknowledgments. Similarly, the high security network can acknowledge several
9

Hind Al Falasi and Liren Zhang
packets at once. Therefore, for every sequence of packets sent, only one piece of useful information
is sent via one acknowledgment. However, the high security network can set the size of the sliding
window to one which requires that every packet is acknowledged before the next one is sent, sending
us back to square one.
4. The covert channel analysis
4.1 Notations
The following acronyms are used in the paper: LSN stands for Low Security Network, and HSN
stands for High Security Network.
Table 1: The table contains the notations we will use throughout the paper, and in the illustration
figures
4.2 Assumptions
LSN SAFP: λ 1
SAFP LSN:µ1
LSN SAFP = T1
LSN SAFP = α1
RL: Ack rate from SAFP LSN
Arrival Rate = λ
Service Rate = µ
Packet Size = Ri
Queuing Delay = q
Transmission delay = Tx
Propagation Delay:
Acknowledgement Rate (Ack/sec):
SAFP HSN: λ 2
HSN SAFP: µ2
SAFP HSN = T2
SAFP HSN = α2
RH: Ack rate from HSN SAFP
T1 and T2 of the acknowledgment packets are ignored because the packet size is small. In addition,
the processing (service) time at SAFP is negligible.
4.3 Discussion
In this section, we investigate the time it takes one packet to travel from the low security network to
the high security network. In addition, we investigate the time it takes an acknowledgement of the
packet to reach the SAFP; as well as the time an acknowledgment from the SAFP to low security
network takes to reach its destination. Calculating the time from the SAFP point of view; the i th packet
is received at α1 + T1. Moreover, the i th packet is deleted from the buffer at α1 + T1 + 2α2 + T2 + 1/ µ2,
where α1 represents the propagation delay of the packets sent between the low security network and
the SAFP. Similarly, α2 represents the propagation delay of the packets sent between the SAFP and
the high security network. T1 and T2 represent the transmission delay from the low security network to
the SAFP, and the SAFP and the high security network, respectively. Finally, 1/ µ2 is the service time
at the high security network.
When we take the distance between the SAFP gateway and the high security network into
consideration, the time a packet stays in the SAFP buffer changes. For example, if the distance is
very large, then we can ignore T2 and 1/ µ2. Therefore, the i th packet is deleted from the buffer at α1 +
T1 + 2α2. As a result, the ability of the high security network to control the acknowledgment rates;
10

Hind Al Falasi and Liren Zhang
therefore, creating a covert channel diminishes. The service time at the high security network is the
only factor under the control of the high security network. The other elements are controlled by the
physical environment of the network. On the other hand, if the distance between them is small, we
estimate that the i th packet is deleted from the buffer at α1 + T1 + T2 + 1/ µ2.
Another element to consider is the high security network service time, which affects the SAFP
queuing time. We are considering this element because it leads to the establishment of a timing
covert channel between the high security network and the low security network. A slow service time
eventually leads to a full buffer at the SAFP. In other words, packets from the low security network are
lost; therefore, no acknowledgments are sent from the SAFP to the low security network. From there,
the high security network can control the SAFP buffer; subsequently, it can control the rate of the
acknowledgments from the SAFP to the low security network. Therefore, it can use the delays to
signal messages to the low security network. The SAFP buffer is modeled using the M/M/1/K model
as it has a finite capacity where the maximum number of packets in the buffer is K. A packet enters
the queue if it finds fewer than K packets in the buffer and is lost otherwise. The probability of a full
buffer = blocking probability = probability of a covert channel. An illustration of the above scenario is
presented in Figure 2.
Figure 2: Communication representation between low security network, SAFP and high security
network
5. Analysis of the system using Markov chain model
Using the state transition diagram (see Figure 3), we found the blocking probability of the SAFP buffer
(PK):
Solving the equations in terms of P0:
p
p
p
(
1
2
k
1
2
p
1
0
p
K
1
2
1
2
1
2
2
p
0
2
k
2
) p
1
p
p
k
p
1
p
0
0
K 1
1
p
k 1
k
k
P
K
0
1
2
p
1
2
k 1
K
p
0
k
1
k
0
k
K
K
1
11
(1)
(2)
(3)

Solving for PK:
K
Pk
p0
K
1
k 0 k 0 2
p
k
1
2
k
p
0
k
1
p
p
0
k
Hind Al Falasi and Liren Zhang
k
k
K
K
1
0 2
1
2
1
1
0 2
k
k
k
*Where PK = PB = Probability an arriving packet is turned away due to full buffer = Probability of a
covert channel.
Figure 3: Markov chain model of the SAFP queue
6. Results
Figure 4 provides an overview of the relationship between the blocking probability and the size of the
SAFP buffer. We are assuming the simplest possible scenario, where the arrival rate is twice as fast
as the service rate. Starting with a buffer with size 0, the blocking probability is 1.
Figure 4: Pk vs. K
This is understandable, as at this point the SAFP is turning away every packet, due to lack of storage
place. When the size of the buffer is 2, we calculate a probability of a covert channel which is more
than 50%. While the probability slightly decreases as we increase the size of the buffer, we find that
12
(4)
(5)

Hind Al Falasi and Liren Zhang
the value stabilizes at 0.5 where the change in the blocking probability value is negligible. When the
buffer size exceeds 10, one packet will be serviced and one will be blocked no matter what. As long
as the arrival rate is twice the service rate, whenever a packet from the buffer is accepted to be
serviced, room is made for one packet to enter the buffer. This explains the 0.5 blocking probability.
The blocking probability decreases as the buffer size increases because fewer packets are turned
away, due to a full buffer. When a packet enters the SAFP queue, an acknowledgment of receipt is
sent from the SAFP to the low security network, which means there is no delay that can interpreted as
a message from the high security network. If we desire a blocking probability of 0.5, then we need a
buffer capable of holding at least 10 packets.
7. Conclusion
We examined the SAFP protocol, which is used to provide reliability of communication between two
networks with different security levels. We argued that a timing covert channel can exist between the
two networks, given the possibility that malicious users are able to control the acknowledgments
arrival time. We analyzed the timing of the packets flowing between the two networks and the SAFP,
and the probability of the covert channel between the low security and high security network. The
purpose of our covert channel analysis was to calculate the best size buffer for the SAFP to keep the
probability of the covert channel to minimum which we found dependent on the arrival rate of LSN
packets and the service rate at the HSN. We have created a mathematical model to calculate the
covert channel probability and define the factors that affect the probability with increase or decrease.
One of our future plans includes building a mathematical model for a Data Pump (Kang and
Moskowitz, 1993; 1995).
References
Bell, D. and LaPadula, L. (1973) Secure Computer Systems: Mathematical Foundation. ESD-TR-73- 278, Vol.1,
Mitre Corp.
Bolch, G., Greiner, S., DeMeer, H. and Trivedi, K.S. (2006) Queueing Networks and Markov Chains: Modeling
and Performance Evaluation with Computer Science Applications. Second Edition, Wiley Interscience,
Hoboken, NJ.
Cabuk, S., Brodley, C., and Shields, C. 2009. IP Covert Channel Detection. ACM Transactions on Information
System Security, Volume 12, Issue 4 (Apr. 2009), pp. 129.
Kang, M. and Moskowitz, I. (1995) A Data Pump for Communication. NRL Memo Report 5540-95-7771.
Kang M. and Moskowitz, I. (1993) A Pump for Rapid, Reliable, Secure Communication. Proceedings ACM Conf.
Computer and Comm. Security '93, Fairfax, VA, pp.119-129.
Ogurtsov, N., Orman, H., Schroeppel, R., O’Malley, S., and Spatscheck, O. (1996) Covert Channel Elimination
Protocols. Technical Reports TR96-14. Department of Computer Science, University of Arizona.
Wray, J. C. (1991) An Analysis of Covert Timing Channels. Research in Security and Privacy. Pages 2-7.
Zander S., Armitage, G. and Branch, P. (2007) Covert Channels and Countermeasures in Computer Network
Protocols. Communications Magazine, IEEE. Vol.45. Pages 136-142.
13

The Evolution of Information Assurance (IA) and
Information Operations (IO) Contracts across the DoD:
Growth Opportunities for Academic Research – an Update
Edwin Leigh Armistead 1 and Thomas Murphy 2
1 Goldbelt Hawk LLC and Norwich University, USA
2 NorthLight Technologies, USA
larmistead@gbhawk.com
earmiste@norwich.edu
tmurphy@rochester.rr.com
Abstract: Four years ago, the authors presented a paper at the ICIW conference in Monterey, CA (Armistead &
Murphy, 2007) that outlined opportunities for academics and researchers with regard to IO (Information
Operations), IW (Information Warfare) and IA (Information Assurance) contracts across the Department of
Defense (DoD) and Federal government (USG). The original paper highlighted a differential in contracts available
and the current opportunities were at that time. Specifically, that paper predicted what the future may hold for
further growth in these areas and how growth of IO, IA and IW contract vehicles can benefit universities and
academics from a funding aspect. Finally, the original paper also suggested future areas of research that
academics may be interested in exploring, to best optimize their ability to secure grants and contracts over the
next few years. This paper is not only an update to the original research, to review the original hypothesis and
determine if the predictions from four years ago were correct, but it also mines new data sources to take a fresh
look at current contracts. In this research, the authors analyze the growing new opportunities in cyber warfare,
strategic communications, psychological operations and cyber security. The scope of IO / IA is also expanding
farther into areas of diplomacy, economics, and homeland security, while growing even more central to complex
unconventional and conventional warfare applications. In addition, organizational change is accompanying these
doctrinal and application area changes, which has led to a subsequent revision of the contract opportunities
available. Likewise, new revisions of policy and documentation are also expected to arrive in the foreseeable
future, which could lead to a deeper understanding and appreciation of cultural values and psychological roles
among the multiple political players. In this review, we explore what new and promising opportunities for
collaboration exist for academics, and we hope that this paper can alert researchers to alternate opportunities for
funding in the IO and IA arena that they may not have considered previously.
Keywords: information assurance, information operations, Department of Defense, contracts, proposals
1. Introduction
For many academics, funding is always a constant pursuit. With the current recession, grants and
other non-profit opportunities may have become more limited than in previous time periods. In this era
of fiscal constraint, this paper examines another method of obtaining funds for academics that should
be considered. Specifically, the authors are interested in the opportunities that lay within the realm of
DoD and Federal contracting, where academics can act as consultants to the companies that are
supporting these entities. In some cases, this can be quite a lucrative venture, and if offers other
avenues besides grants and academic scholarships, to offset the financial needs of the tenured
scholar. Therefore, this paper reviews the types of research areas that have experienced the most
growth, as well as areas that will experience future growth. We identify the DoD and Federal
contractors that have the best success in obtaining contracts in the IA and IO areas. We give
extensive details of the global and United States Government (USG) environment, which drive the
security business as well. The authors also discuss how the USG and interagency interactions
influence contracting policies and awards. Understanding all of the forgoing factors and strategies will
allow the academic researcher to formulate targeted business plans to employ in their search for
additional funding.
2. IA and IO business growth areas – players, relationships and influences
The Federal IA segment is characterized by agency management that is policy, doctrine and
reputation motivated.
Civilian agencies IT security directives are driven by the magnitude, not by the quantity of events.
Overriding political priorities mitigate new government-wide IT security legislation. Trade-offs of
efficiency and effectiveness with security-privacy differs with department.
14

Edwin Leigh Armistead and Thomas Murphy
Agency Corporate Information Security Officers struggle with choosing to simply use a
compliance scorecard or going farther to secure their enterprise. It is easier to say you are
compliant than to prove you are secure. Both are necessary to deliver cost effective solutions.
Department level initiatives drive security agendas. Each USG department has separate
initiatives, which in turn drive their emphasis or lack of emphasis on IA.
Trends in security focus following the path of Perimeter security, then Data security and most
recently Coding security. This end-to-end focus on secure design, development and
implementation is becoming common in all market segments.
Information Systems Security Lines of Business is not expected to cannibalize short term vendor
sales
Demand for Integrated Security Services is growing. Standalone (Point) security opportunities are
on the decline.
Federal agencies still separate IT and physical services. Merger of IT and physical security is
impeded by silos of excellence. Successful contract teams will be able to assist in integrating total
security services.
The Commercial IA segment of the security industry is characterized by an upper management that is
litigation and profit motivated. Major trends are similar to the Federal segment. Secondly, there is a
very rapid consolidation of best industry players. Cyber security firms are motivated to rapidly develop
and offer full suites of integrated and managed services to meet the demand for full services. Large IT
and network organizations can successfully merge with smaller IA firms if the ingenuity of the “pureplay”
or point (individual security component supplier) IA firm is not lost. This is a particularly
advantageous route to speed up the number and scope of offerings and to acquire experienced IA
and Information Security (InfoSec) personnel who are in short supply. It is reasonable to expect
similar motivation and actions in the Federal IA market for the same reasons. Thirdly, there are
external factors, including a continuing rise in cybercrime, which follows the earlier increase in
terrorism. Significant increases (greater than 200%) in cyber crimes occurred over the last two years.
Over 100 million data records have been lost or stolen. The average cost of each data record loss is
about $180/record giving a total estimate of $18 Billion lost over the period of two years, high
motivation to client and criminal alike. There is also a modest trend toward offering cyber and physical
security in packages of offerings.
Agencies and firms increasingly outsource more security activities each year. They determine that
they can achieve cost savings or a higher level of security at the same cost and tend to increase their
outsourcing budgets over time. The firms that do outsource all or part of their IT security activities will
see an increase in their level of security per dollar of investment. Surprisingly, although they don’t
realize it, agencies and firms that outsource Security Services are also likely to benefit from each
other’s decisions to outsource. IT security outsourcing has been shown to result in a reduction in the
firms production costs and a freeing up of other resources. (Outsourcing refers to the relationship
between a firm and another firm it pays to conduct security activities on its behalf). However, without
careful planning and due diligence, the clients return on investment in outsourcing IT security could be
reduced or become negative as a result of a variety of potential costs including both strategic risks
(e.g., principal-agent problems), interoperability issues and other transactions costs.
There are several emerging areas involving the “social” and risk management aspects of IA/IO.
Clearly, “social” is used here to mean relationships among groups of agents, individual or
organizations that involve proprietary information. At the firm level, there is a need to assure individual
firms that their partners, suppliers, or any organization they communicate with over the Internet are
trustworthy to a defined level acceptable to upper management. The economic benefit of securing all
members of the business group is significant. At the individual level there is growing demand to
secure interpersonal communications involving proprietary information (marketing, strategy and
planning, budgets or financial), email, data and image exchanges, instant messaging, etc. This is also
an area of vital national interest to DoD and other Federal agencies.
In addition, the global environment influencing customers as well as the Federal and Commercial IA
segments is characterized by significant stress. Negative pressure from the environment that Federal
and Commercial organizations must perform under has increased significantly since 2007. The United
States government (USG) and the global international community, nation states, state-sponsored
nongovernment organizations (NGOs), organizations, groups, and individuals have rapidly moved into
15

Edwin Leigh Armistead and Thomas Murphy
a new and more unstable situation. The Diplomatic, Intelligence, Military, Economic, Cultural/Social
and Environmental factors (includes medical, earthquake, fire, wind and flood, etc) [DIMES-E] are
considerably more powerful. That transition from a relatively steady state into an economically harsh
state is bad enough. A new, transient and poorly understood unsteady state makes prediction of
expected local and global situations uncertain and thus even more stressful. Together, the DIMES-E
factors above mean three things for the future:
Bad actors can be expected to act even worse and previously good actors may act badly
Predicting the actor’s actions and timing will be too complex and uncertain to analyze in
adequate, precise and satisfactory detail
Better analysis and planning for steadily moving to a more stable and less uncertain future is of
paramount importance.
Consistent with this global situation, a shift towards IA and Cyber security is evident in the contracts
data. Defending and assuring ones data, information and knowledge is the first basic step to
managing both the DIMES-E transitions and the bad actors that resulting social stress a rapid
transition brings out.
IO, IW and IA are sometimes also grouped as network and information components of “Cyber War”
(Carr, 2009). Like IO and IA, Cyber War is a term, which includes threats from:
Cyber Attacks,
Cyber Crime,
Cyber Espionage,
Informatized War,
Information War, and
Computer Network Operations
Defending against these threats can potentially save billions of dollars to the USG, business and
international organizations and thus serve to greatly reduce the stresses forcing the three dire
expectations above. The bad actors involved are State, State-sponsored, and Non-State actors who
use the Internet to attack and disrupt both military and civilian organizations. These actors: commit
acts of espionage against Department of Defense and DoD contractor networks. This accelerates
other nation states’ race to achieve parity or near-parity with superior U.S. military technology. They
commit acts of network intrusion into U.S. critical infrastructure, remaining dormant until needed to
delay or stop an imminent U.S. military action against an adversary state. They further commit
espionage against U.S. corporations stealing millions in intellectual property. They also disrupt
national economies and rob banks on an unprecedented scale.
3. Analysis of IO, IW, IA and cyber contracts
As part of this research, the authors conducted a series of searches on a commercial Federal and
DoD business database known as INPUT (INPUT, 2010,) http://www.input.com. This tool is useful in
that it stores all opportunities – past, present and future in archival form and one can search in both a
functional (using multiple keywords) manner as well as an organizational one (across the federal
government). In total, for this paper, searches for types of contracts were made using 13 key words. A
general search on all keywords and separate searches on each individual keyword were run.
Keywords included:
Information Operations (IO)
Information Warfare (IW)
Information Assurance (IA)
Perception Management
Strategic Communications
Psychological Operations (PSYOPS)
Public Diplomacy
Electronic Warfare (EW)
16

Deception
Operations Security (OPSEC)
Cyber Security
Cyber Operations
Cyber Warfare
Edwin Leigh Armistead and Thomas Murphy
In addition, five different contract status categories were reviewed to include the following:
Forecast Pre-RFP (Forecast Pre-Request for Proposal)
Pre-RFP
Post-RFP
Source Selection
Award (contract awarded)
The data was pulled twice at a 12-month period – first in September 2009 and then again in
September 2010, as shown in Tables 1 and 2. These numbers represent the contracts in the INPUT
database either in process (in one of the pre-award states) or already awarded as of the date given in
the table heading.
Table 1: Status of all contracts by contract category as of september 2009
September 2009 Forecast Pre-RFP Post-RFP Source Selection Award Total
Information Operations 58 35 11 15 216 335
Information Warfare 15 16 3 7
100 141
Information Assurance 79 143 22 45 399 688
Perception Management
2 2
Strategic Communications 15 19 1 2 48 85
Psychological Operations 6 2 3 3
37 51
Public Diplomacy 2 1 12 15
Electronic Warfare 52 58 22 39 333 504
Deception 5 7 6 7 46 71
Operations Security 12 4 2 10
48 76
Cyber Security
10 13 1 1 43 68
Cyber Operations 2 2 5 9
Cyber Warfare 1 2 2 5
254 300 75 130 1291 2050
Table 2: Status of all contracts by contract type as of september 2010
September 2010 Forecast Pre-RFP Post-RFP Source Selection Award Total
Information Operations 16 15 3 6 76 116
Information Warfare 4 5 1 5
41 56
Information Assurance 46 70 7 30 290 443
Perception Management
1 1
Strategic Communications 15 10 1 5 61 92
Psychological Operations 8 4 2 3
41 58
Public Diplomacy 3 13 16
Electronic Warfare 13 12 8 9 138 180
Deception 5 7 5 6 56 79
Operations Security 8 13 4 6
62 93
Cyber Security
11 15 3 4 53 86
Cyber Operations 1 1 11 13
Cyber Warfare 1 3 3 5 12
131 151 38 77 848 1245
17

Edwin Leigh Armistead and Thomas Murphy
From the 2010 set of data, we sorted by company name and counted the number of contracts in the
award state (awarded) to each company. Table 3 shows that only 29 out of 341 companies won more
than two awards, and only eight companies won more than 10 awards out of the data reviewed in this
research.
Table 3: Frequency of awarded number of contracts as of september 2010
Awards 1 2 3 4 5 6 8 ≥ 10
# of Companies 242 49 7 7 4 2 1 8
Success of the Awardees could be measured several ways, total number of contracts awarded, total
dollar value of contracts awarded, award $$ per employee, etc. We use a simple measure important
to academic researchers, the total number of contracts, since it is a straightforward measure of their
best sources of opportunities. Using the data on awarded contracts from the INPUT database we
found that the eight corporations that won 10 or greater IO contracts in Table 3 included the following:
Northrop Grumman Corporation 41
Science Applications International Corporation (SAIC) 40
General Dynamics Corporation 20
BAE Systems PLC 19
Lockheed Martin Corporation 19
Booz Allen Hamilton 15
CACI International Inc 15
L-3 Communications Inc 10
This information shows that as IA and IO have matured in the Federal and DoD marketplace, the
competition appears to be centering more and more on the same key players. Knowing the players
who have won the most contracts suggests strategies for entering the fray.
4. Strategies for entering the fray
The academic researcher must deliver at least best practice and more importantly, unique or worldclass
theories, models, products or services to the contract team in order to be successful. This
applies to individual contributions as well as for the products and services they are developing. After
satisfying these basic requirements for success, there are several key strategies for entering the fray
and selecting what aspect of IO, IW or Cyber to work on. Key strategies laid out in our previous paper
in 2007, centered on the following strategies:
Allying Oneself with the Leading Contenders
Developing a Front Runner
Striking out on your Own
In light of the updated contract information and current international situation, in the author’s opinion,
the new key strategies are as follows:
Develop strong relationships with key individuals of those corporations that are consistently
winning IO and IW contracts
Focus on IO/IW areas that have the most contracts (IA and Cyber Security)
Stay aligned with growing areas of interest in the community (e.g. Strategic Communications)
4.1 Developing strong relationships
The eight companies listed earlier have won about 25% of the total IO and IW contracts from our
research data, and there is a good reason for that. IO and IW, like any endeavor, require a certain
amount of expertise in the form of personnel, capabilities and past performance. Government
contracting officers and their technical representatives are, in general, conservative and will often go
with the “tried and true” company that has performed these duties in the past. A good example is
Northrop Grumman who ran the IO Center of Excellence for the Army at Ft Belvoir for an extended
period and were recently also awarded the contract to run the IO Center for the US Marine Corps.
18

Edwin Leigh Armistead and Thomas Murphy
Clearly, a strong relationship with a company which wins numerous contracts offers more
opportunities for teaming on those contracts.
Academics, like the contracting company, should plan to review and update their strategies at least
once a year, and must be ready to adapt to changes in the acquisition requirements (FAR), market
dynamics and technological innovations. The academic can thus align their contributions to the
company’s contracted requirements. The academic team member can assist the company in
establishing and enhancing service offerings, building corporate values, establishing infrastructure to
support corporate vision, and providing synergy by leveraging corporate resource bases.
4.2 Focus on IA and cyber security
Out of all of the areas of IO and IW, it is IA and Computer Security that hold the most promise,
potential and by our research – the reality of income for academic research. Every business and
military organization needs protection for their computer systems. We see a serious present need to
fix a significant Defensive shortfall in the US cyber position, particularly the commercial and civilian
infrastructure areas. Armistead and Clarke (Armistead, 2010; Clarke & Knake, 2010) emphasize the
central and crucial importance of improving Defensive Cyber capability, and of having open debate on
Cyber strategy/planning/policy – similar to the process carried out for nuclear weapons when that
technology emerged 50 years ago.
4.3 Watch Strategic Communications
Strategic Communications (SC) is an area of continuing interest in the USG, in particular to the DoS
and DoD (Armistead L., 2010). SC should also be watched as a candidate for future contract growth.
SC is important because it addresses a much broader, more informed view of the very demanding
DIMES-E world situation the USG faces today. Because the academic community will find a number
of areas in SC to which they can contribute, we include the following background details. As
discussed in our previous paper (Armistead & Murphy, 2007) and by Paul (Paul, 2010), Strategic
Communications refers to five areas with differing but related meanings:
Enterprise level strategic communication
Strategic communication planning, integration, and synchronization processes
Communication strategies and themes
Communication, information, and influence capabilities
Knowledge of human dynamics and analysis or assessment capabilities.
Paul points out that “these five specifications connect to each other logically. Within the broader
strategic communication enterprise, national or campaign level goals and objectives constitute the
inputs to the strategic communication planning, integration, and synchronization processes. Based on
knowledge of human dynamics and analysis or assessment capabilities, these processes transform
and incorporate the communication strategies and themes and provide them to commanders who
employ the various available communication, information, and influence capabilities in pursuit of
desired objectives. The planning, integration, and synchronization processes and knowledge,
analysis, and assessment capabilities continue to be useful to force elements as they broadcast or
disseminate their themes and messages or otherwise engage and appraise the impact of these
activities”. The reader is referred to (Paul, 2010) for details of the following SC elements.
Enterprise level strategic communication is a commonly shared but general understanding of SC;
it refers to a broad range of USG enterprise level activities and their coordination for internal,
national, international or global strategic goals. Enterprise level strategic communication is
therefore too broad to be very meaningful.
Strategic communication planning, integration, and synchronization processes are the set of
processes included under the overly general USG enterprise level use of “Strategic
communication”.
“Communication strategies and themes are strategic communication elements that involve
content and both the inputs and outputs from the strategic communication planning, integration,
and synchronization processes”. This includes national or campaign goals or objectives (inputs)
that planning processes will translate into communication goals and themes (outputs) and
incorporate into plans. However, there is a multilevel application of these elements. The focus on
19

Edwin Leigh Armistead and Thomas Murphy
these elements of strategic communication can be on levels at, above or below the USG
enterprise level. They could involve higher-level international strategic goals and the implied
communication. Alternatively, they could consider objectives and themes in lower level
operational organizations to be coordinated with and communicated by various communication,
information, and influence assets.
Communication, information, and influence capabilities are broadcast, dissemination, and
engagement elements of SC. Communication, information, and influence capabilities include
public affairs, perception management, psychological operations (PSYOP now MISO), defense
support to public diplomacy (DoD to DoS), and civil affairs. These capabilities are thus very broad.
They can be combined with elements of force, such as maneuver conducting civil-military
operations or military police. They might include the interactions of any element of the USG
military, diplomatic or other forces with foreign populations or the prevalence of language and
cultural awareness training across the force. They might include any action or comment by every
deployed diplomatic or military service member.
Knowledge of human dynamics and analysis or assessment capabilities are the fundamental
bases for all the preceding specified activities. In contrast to processes, knowledge, analysis and
assessment are the bases of accurate models for planning effective, efficient, and successful
actions. Knowledge is obtained via media monitoring, media use pattern research, target
audience analysis, and social, historical, cultural, and language expertise, along with other
relevant analytic and assessment capabilities. “Cultural knowledge and audience analysis are
critical for translating broad strategic goals into information and influence goals. Understanding
audiences specifically and human dynamics generally is critical to identifying themes, messages,
and engagement approaches that will lead to desired outcomes. Data collection and assessment
contribute the feedback that allows two-way communication and engagement (rather than just
broadcast) and that also makes it possible to demonstrate and report impact or effect from
communication activities.” (Paul, 2010)
Thus, the academic researcher could contribute SC applications of Business Marketing, Psychology,
Narratives, Political Science, Economics, and many other disciplines.
5. Future areas of research
Several assumptions must be made when determining IA/ IO needs over the next five years. The first
is that the U.S. economy will continue to rebound from the great recession. The second is that the
U.S. will fund continuing IA efforts in the Federal budget. The third assumption is that information
operations will continue to a growth market, thus the continuing need to bolster IA needs,
requirements and solutions. Continued introduction of unique discriminating Security offerings, such
as an integrated set of IO services, will be vital to keeping revenue up in the contracted companies. IA
services price elasticity is based on the demand from the customer base and costs for having
qualified, trained and certified personnel. These personnel allow the contract team to reach critical
mass in Knowledge Management, create a good reputation, and built consistent security teams to
provide IA functions to customers. Given these assumptions, the customer base will remain high and
that their IA needs and requirements, as well as their budgets, will continue to grow. Acquiring and
maintaining personnel to support IA/IO contract teams will continue to be a challenge to employers
and an opportunity for academics.
How will current capabilities and technologies develop and evolve over the next five years? We can
expect the introduction of a host of new technologies presenting opportunities for IT security vendors.
Many of these will be wireless devices, particularly nomadic devices for home and business users.
The expectation is the continued increased blending of technologies, such as is just beginning to
occur in Internet and cable TV technologies. Increasingly, users of computing devices will have
access to a combination of web-based technologies, including traditional HTTP/IP communications,
streaming video, voice over IP (VOIP), global positioning systems and database applications. Users
will be able to seamlessly move between these technologies via increasingly sophisticated user
interfaces and input/output devices. The blending of technologies, along with increased use of
service-oriented architecture (SOA), will increase the need for multi-level and cross-domain security
capabilities. Cross-domain security requirements will increase significantly, as the ability to share data
across SOAs will increase the need for securing privacy and classified data extracted from databases
for use in other applications. Likewise, the DoD trend towards employing SOAs to support net centric
operations will make C&A increasingly difficult. Biometric identification and access control
technologies will be a growth industry, particularly in the area of identity verification technologies for
20

Edwin Leigh Armistead and Thomas Murphy
use by home PC users in eCommerce. Identity theft protection needs will continue to increase, as
criminals develop increasingly sophisticated means of stealing electronic identity data. The need for
technologies to detect spoofing in emails and on websites will continue to grow. Finally, the capability
to perform software verification and validation (V&V) to determine the inherent security of software
code will become an area of increasing significance.
We argued in the Strategies to Entering the Fray section, based on our analysis of current and
expected contracts, that IA and Cyber Defense will receive increasing attention. Armistead and Clarke
(Armistead, 2010; Clarke & Knake, 2010) also emphasizes the central and crucial importance of
improving Defensive Cyber capability, and of having open debate on Cyber strategy/planning/policy –
similar to the process carried out for nuclear weapons when that technology emerged 50 years ago.
We appreciate the need for coverage and analysis of Defensive and Offensive Cyber strategy,
operations and tactics. More importantly, we also see a serious need to fix a significant Defensive
shortfall in the US cyber position. Because there is no agency with responsibility for Defense of
civilian banking, commercial, industrial systems, and because the DoD and the USG partially depend
on the commercial internet, a monumental vulnerability exists. Engaging in conflicts with a good
offense but without a good defense will fail. The nation as a whole now finds itself in that situation.
These factors define additional reasons the authors switched to the Defensive current focus in our
Strategies for Entering the Fray section. Both Armistead and Clarke (Armistead L., 2010; Clarke &
Knake, 2010) outline a process to establish a well-founded strategy-policy-plan and minimize risk of
uncontrolled Cyber-Kinetic War. These analyses suggest several topics, simulations and desktop
exercises, which would be useful to USG contract work. A well-founded analysis must address our
overall Strategy and Political situation, with military and cyber strategy as a component of national
strategy.
A difficult area needing both theoretical and practical development is formulating Measures of
Performance [MOP] and Measures of Efficiency [MOE] (Tokar, 2010). This is a focus area of military
effects based (EB) planning. Roughly, when carrying out missions involving the application of
components of IO, IW, Cyber, etc., we need to measure if we are “doing the right things” to effectively
achieve our desired goals [MOP] and if we are efficiently “doing things right” [MOE] to not waste time,
$, equipment and people. A related concept in the business world, which will be increasingly
importance as USG and DoD budgets narrow, is Return on Security Investment [ROSI]. The difficulty
with these ideas is in measuring the impact of one component alone when multiple different initiatives
are brought to bear. How one separates the effects of one from the combination of all is directly
related to the model of the complex DIMES-E processes being used.
Finally, the need for new and improved models of complex, DIMES-E systems is the most
fundamental barrier to achieving success, performance and efficiency. The benefits from such
insightful theory and models will be similar to the leap forward in physical sciences resulting from
Newton’s or Kepler’s Laws. If we are to more simply and accurately understand, predict and act to
bring about a desired future, and if we are to be able to tease out the effects of one factor (e.g. SC,
MISO, etc.) from the effects of many, then we must discover and apply much more insightful theories
and mathematical models to DIMES-E systems. Such models can clarify the attribution of who and
what is really at work and how to anticipate and adjust to the situation. This will allow everyone,
leaders and members of governments and organizations alike, to move beyond simply knowing they
are in serious hardship or risk, to appreciate what is being done right and what is not, and act to bring
about a more desirable future rather than an expected undesirable future.
6. Summary
Our overall goal has been to provide both the sources of funding opportunity for academic
researchers as well as sufficient background to understand the strategies for acquiring funding from
those sources. We first described the intuition and insight into the motivation of players, relationships
and integrated influences in the IA and IO business growth areas. In particular, we noted the
important influence of stress from external conditions and global DIMES-E situations. The ability to
understand and address these integrated problem areas is fundamental to an academic’s funding
success. Based on an analysis of contracts up to September 2010, we noted a current focus on IA
and Cyber security. We concluded that IA and Cyber Security are areas that should and will continue
to receive contract funding. Next, we further analyzed current and historical IO, IW, IA and Cyber
contracts and identified which companies have been awarded more contracts to date and are thus
“opportunity targets” for academic consulting. We provided details of strategies to enter the contract
21

Edwin Leigh Armistead and Thomas Murphy
fray, suggesting that understanding the contract, the contractor and developing strong relationships
with contractors is essential. We give substantial details on how and why one develops strong
relationships. We call attention to the area of Strategic Communications as a possible future area of
opportunity given the broader scope of integration and application of security contract focus. Finally,
we mention several future areas of research, giving the assumptions made as well as details of
selected difficult but very important technical, complex predictive modeling and MOE/MOP areas that
need to be solved.
References
Armistead, E., & Murphy, T. (2007). The Evolution of Information Assurance and Information Operations
Contracts across the DoD: Growth Opportunities for Academic Research. ICIW Conference. Monterey, CA.
Armistead, L. (2010). Information Operations Matters - Best Practices. Washington, D.C.: Potomac Books, Inc.
Carr, J. (2009). Inside Cyber Warfare. O'Reilly.
Clarke, R. A., & Knake, R. K. (2010). Cyber War - The Next Threat to National Security and What to do About It.
New York, NY: HarperCollins.
INPUT. (2010). INPUT database, INPUT. Retrieved 2010, from "The Authority on Government Business"
[Online]: http://www.input.com
Paul, C. ( 2010). “ Strategic Communication” Is Vague, Say What You Mean. Joint Forces Quarterly, Issue 56 .
Tokar, J. (2010). Assessing Operations:MOP and MOE Development. IO Journal, Vol. 2, Issue 3 , 25-28.
22

The Uses and Limits of Game Theory in Conceptualizing
Cyberwarfare
Merritt Baer
Harvard Law School, Cambridge, USA
mbaer@post.harvard.edu
Abstract: In cyberwarfare, there are obstacles to reaching minimax stasis: unlike in checkers, game theory
cannot follow each decision path to its conclusion and then trace the right decisions back. However, I contend
that because the rational predictability of game theory will continue to drive decisions and seek out patterns in
them, game theory may identify (and intelligently weight) nodes of a decision tree that are not immediately
recognizable to or favored by human decision-makers. While we can‟t create a network that is maximally
resistant to random faults and maximally resistant to targeted faults, we can take into account the particular
weaknesses and likelihoods of attack so that the weaknesses overlap in resistant ways-- ways that correspond to
risk preferences and security priorities. Moreover, using game theory to make a security strategy that is a
calculated derivative of mapped potential outcomes will help us to avoid human biases and to respond to threats
proportionately/economically. Rather than a process of continual growth, cyber evolution, like biological evolution,
seems more aptly characterized as punctuated equilibrium—periods of relative stasis followed by quick, drastic
periods of breakthrough. Reaching Nash equilibrium is unlikely in the cyberwar context because under unstable
conditions, evolutionarily stable strategies don‟t run a typical course. While there may be no set of moves that is a
“solution” in cyberwar strategy, game theory allows human decisionmakers to intelligently identify and weight
decision paths to transcend cognitive biases. This paper seeks to change the way of thinking about cyberwar--
from one of stockpiling weapons, to one of looking for patterns-- thinking about the problem of cyber insecurity
more holistically. The paper challenges some of the myopia in thinking about cyber in existing "warfare" terms
and proposes that organic models‟ tendency toward game theoretic equilibrium may help us conceive of the
cyberwar decisionmaking landscape more effectively.
Keywords: cyberwarfare, game theory, layered defense, Nash equilibrium
1. Introduction
In this paper I explore the applications and limitations of game theory to cyberwarfare at a conceptual,
not case study, level. My focus is on federal strategy—especially the United States Department of
Defense (DoD)—so I do not focus on addressing cybercrime or cyberattack that has as its purpose
money or a local, ideological message, or even those with cyber -terrorist or -anarchist goals. My
focus is on large-scale acts of war aimed at military, governmental or infrastructural targets that
currently only certain nation-states are likely to be able to execute, thus the other “players” in the
game are nation-state-level actors.
I recognize that cyberwarfare is among the rarer forms of online violence in comparison with other
forms of cybercrime, but its high stakes and opportunities for more contained strategic study attracted
my focus. For the purposes of this paper, I assume we have available all existing sophisticated game
theoreticians, human or computerized.
I find that game theory is useful to the extent that it allows us to transcend some of our systemspecific
biases (based on established or institutional ways of approaching problems) and threatspecific
biases (rooted in evolutionarily-derived disproportionate reactions to certain threats). Game
theory can allow us to weigh the nodes of the decision tree more accurately; it is not a solution as
such, but a tool for holistic cyberwarfare strategy.
2. Background: Nash equilibrium and complications to game-theoretical
stasis in the cyber context
Game theory scholars have written, though not extensively, on the application of game theory to
information warfare. (See, e.g., Hamilton et al, “The Role of Game Theory in Information Warfare” and
“Challenges to Applying Game Theory to Information Warfare”). The US Cyber Consequences Unit
(US-CCU) claims it primarily employs an analytic method called “Value Creation Analysis” that
“draws…broadly on cooperative game theory.” (See US-CCU website, "http://www.usccu.us/"
http://www.usccu.us/).
Two-player stochastic games may be useful in the escalation context (deciding whether to launch a
preemptive attack or responding to an attack could be a two-player interaction). A study by SPIE has
23

Merritt Baer
refined the metrics for estimating impact and intent of cyberattack, and applies Markov game theory, a
stochastic approach. (Shen et al. 2007) However the two-player stochastic model is not valid any time
when more than one player is involved, and this is the more likely scenario— as in the case of a
generalized security model that would account for more than one player as a potential threat, or a
model that includes potential alliances.
The minimax solution in zero-sum games is Nash equilibrium (where each player is at her optimal
level, taking into account the other players' strategy). There exists “at least one Nash equilibrium,
possibly involving mixed strategies, for any normal- form static game with a finite number of players
and strategies” (Jamakka, 2005:14). However, in cyberwarfare, there are obstacles to reaching
minimax stasis: there is no assumption that it is a zero-sum game (power may exist relative to others
but in cyber there can be emerging forms of power and there may be no clear endpoint that signifies
“winning”); there may be more than two players; players may make simultaneous and overlapping
moves (instead of taking turns like in chess); and there is no valid assumption of perfect information
(one‟s minimax strategy may depend on knowing the capabilities of the other players).
Moreover, the possibility of alliances disrupts Nash equilibrium because if players can agree on
strategies different from minimax, they may achieve higher payouts. The classic example of this is a
cartel manipulating the market; in the cyber realm, it could take the form of inter- national or even nonnationstate
collaboration among players. U.S. vulnerability to alliance-making by other players is
accentuated by the fact that we have more to lose— our government and our private-sector cyber
capabilities/ data are overall more valuable than other countries' (Hathaway, 2009:16).
Some, including former Department of Homeland Security Secretary Michael Chertoff (in Espiner
2010) compare nuclear strategy to cyber strategy. However, cyber weapons defy nuclear game
theoretic strategy because cyber weapons are amorphous and can be pinpointed— used as a scalpel
instead of, or as well as, a hammer. Even cyber weapons that are clearly war-oriented, like Stuxnet,
can be more controlled and monitored in use than nuclear weapons, may take time to detect and may
cover the executor‟s tracks. Unlike the nuclear arena, in which even those with capabilities have so far
resisted employing nuclear weapons, cyberwar weapons have been and will continue to actually
come into use—but in nuanced and creative ways that elude traditional definitions of use of force,
weapons, or war.
For all these reasons, it seems likely that we cannot use game theory in the traditional method of
modeling the game‟s endpoints and then reversing the moves that would lead to stasis, because we
may never reach equilibrium. This is another way of saying that the game may have multiple Nash
equilibria-- “Game theory cannot necessarily predict the outcome of a game if there are more than
one Nash equilibriums [sic] for the game. Especially when a game has multiple Nash equilibriums [sic]
with conflicting payoffs...” (Jamakka et al., 2005: 14). If the parties do not reach stasis then by
definition the game will continue because players have an incentive to change their decision--it is only
at equilibrium that (optimal payout exists and therefore) there is no incentive to change decisions.
Accordingly, this paper‟s analysis begins from an acknowledgment that in cyberwar, there may be no
“solution.” In cyberwar, unlike in checkers, game theory cannot follow each decision path to its
conclusion and then trace the right decisions back. The “right decisions” may evolve and the endpoint,
if there is one, is unknown. However, game theory continues to be useful in cyberwar strategy
because the rational predictability of game theory will continue to drive decisions and seek out
patterns in them, and because game theory may identify and intelligently weight nodes of a decision
tree that are not immediately recognizable or historically favored by human decision-makers.
The paper begins by acknowledging a number of ways in which cyberwar defies traditional game
theory models. It describes why a biological model is the most useful analogy, including the
epidemiological response to invasion and the evolutionary tendency toward equilibrium. Then it
explores the benefits of game theory, describing ways in which it is a uniquely useful tool for
cyberwarfare strategy as an ongoing set of decisions in a changing set of conditions.
24

3. Limits to using game theory
3.1 The economics of cyber insecurity
Merritt Baer
Game theoretical explorations assume perfect rationality, but economically, there are a number of
ways in which the current cybersecurity system lacks the incentives to operate at what might be
termed “rational” full strength. One is the problem of externalities-- like air pollution, most individuals
underinvest in their own security out of a perception that the problem (and its solution) does not target
them directly. (Anderson and Moore 2006). This emerges in many contexts where vulnerabilities are
not clearly attributable to the responsible actor; Daniel Geer, Chief Information Security Officer of the
Central Intelligence Agency‟s venture capital fund In-Q-Tel, (2010) struck a comparison to the
evolution of laws that would enforce responsibility for cleaning up a toxic waste spill and dealing with
those affected by it. Personal underinvestment in security means vulnerability to botnet appropriation
of computers, as well as facilitation of anonymity-inducing programs like Tor, which allow a hacker to
stage a virtually untraceable attack. (See, e.g., Wilson 2008). Computers under remote botnet control
are growing at an average of 378% each year, according to grassroots security monitoring
organization Project Honey Pot; this translates to ease of launching denial-of-service (DDoS) attacks
and decreased likelihood of tracing an attack. The DDoS attacks—both against Wikileaks (Carney
2010) and against its detractors (Reuters 2010) --made use of those who passively or voluntarily
submitted their computers to botnet control.
Internet founder Vint Cerf (in Schofield, 2008) made the Hobbesian observation that “[i]t seems every
machine has to defend itself. The Internet was designed that way. It‟s every man for himself.” The
Internet may require individuals to self-protect, but it wasn‟t “designed” for individuals to take the reins
in security—it was simply not designed for security. It is designed, to the extent that one can say it
was designed, for openness. Security may fall to individuals but the current structure doesn‟t provide
the necessary incentives for them to make that investment. Game theoretical assumptions about
rationality are thrown off by the human tendency to underinvest when there are externalities. As
software engineer Brad Shapcott famously said, “The Internet isn‟t free. It just has an economy that
makes no sense to capitalism.”
Re-aligning incentives to prioritize an optimal level of individual cybersecurity investment is an
economics task, but no one has ownership of the problem or the impetus to even get robust
information about it. As Jonathan Zittrain (Harvard Law 2010) stated, “Because no one owns this
problem, no one is paying for monitoring software to get the picture they need, to be accurate.”
Contrastingly, in the private sector economic objectives often reward security—such as the case study
of the US banking industry compared with the UK banking industry. In US bank security, credit card
fraud has been the responsibility of the bank. UK banks initially refused responsibility for ATM error,
and it created a “moral hazard” incentive for bank employees to act carelessly. (Anderson and Moore
2006: 610-613).
On a higher level of abstraction, there are externalities because of government reliance on private
sector cybersecurity technology. When this reliance couples with any tolerance for inefficiency, such
as those that result from revolving door corruption or transparency concerns, it constricts the
competitiveness of government contract assignment. This produces high-level inefficiencies. (See
Baram 2009). According to a study by the Center for Public Integrity, only about one-third of Pentagon
contracts were awarded following competition between two or more bidders. (Calbreath 2005). The
cost premium of outsourcing defense contracts to private sector providers is only justified by the
innovation push that the private sector is assumed to have; if government-to-company contracts are
instead funneled through sole-source contracts, this innovation advantage assumption may not be
valid, and the price premium may not be justified. (See Arnold, S. A. et al., 2009: 25). Small levels of
distorted investment can produce large results in absolute terms because the numbers are so large--
the total investment in research, development, test and evaluation (RDT&E) and procurement funds
for the DoD major defense acquisitions portfolio is a staggering $1.6 trillion yearly (GAO Report 2009).
3.2 Imperfect competition and the investment-to-security payout
Companies are moved by (and have a legal fiduciary duty to prioritize) their own bottom line; there is
no independent incentive to collaborate toward producing high-quality security products. Thus at the
federal level, great dependency on private contractors in the cyber weapons arena can distort cost
efficiency calculations in game theory. Our investment in security may not lead linearly to a higher-
25

Merritt Baer
security end-result, as is presumed by security-investment-level calculations. See, e.g., Schavland,
Chan and Raines (2009:629): “Our model places a dollar valuation on the insurance we are willing to
purchase for information security." Yet the assumption of a linear connection between investment and
security is generally inaccurate. Karen Evans, Administrator for Electric Government and Information
Technology, Office of Management and Budget (2007), emphasized in a statement to a congressional
subcommittee that when it comes to e-security, neither high spending nor high regulatory compliance
translate directly to actual higher security.
Because of the private sector‟s lack of incentives to collaborate, coupled with private companies‟
incentives not to divulge information about breaches (See, e.g., Gal-Or and Ghose 2004), there is an
opaqueness about cybersecurity vulnerabilities which can produce misinformation. For instance, there
has been a longstanding assumption that cyberattackers are exploiting unpatched computers after the
patch has been released-- Internet security expert Eric Rescorla (2004) has even argued against
disclosure and frequent patching for this reason. However, the latest Verizon data breach report does
not support this: "In the past we have discussed a decreasing number of attacks that exploit software
or system vulnerabilities versus those that exploit configuration weaknesses or functionality…[This
year] there wasn‟t a single confirmed intrusion that exploited a patchable vulnerability” (2010: 29). In
other words, as Verizon‟s 2009 Report stated, "vulnerabilities are certainly a problem contributing to
data breaches but patching faster is not the solution” (2009:18).
There is another concrete instance of misinformation in the “60 Minutes” video (2009) that claimed
that the Brazilian powergrid was taken down by hackers. While the video met wide acceptance and
generated apocalyptic fears, Bob Giesler, Vice President for Cyber Programs at SAIC, soon avowed
the video to be “part of the dialogue that is absolutely wrong. The Brazilian powergrid dropped
because of poor and faulty maintenance.” Giesler was corroborated when Wired Magazine (2009)
reported that there was an investigation, and the blackout was “actually the result of a utility
company‟s negligent maintenance of high voltage insulators on two transmission lines.”
Misinformation about our cyber nemeses obscures analysis of policy needs and threat prioritization.
Game theory cannot apply efficiently when we miscalculate or fail to identify those against whom we
are playing.
4. Moving from a linear to a biological model
High reliance on private sector for cyber development means the DoD must use a customer-driven
intelligence model, identifying needs and contracting for them. Yet competition for contracts does not
occur in a perfectly competitive environment, and reliance upon it incorrectly presumes that the
government has perfect information about their own needs and the risks of disclosing them. Umehara
and Ohta (2009: 323) model transparency as a zero-sum game, and “assume that when a
government agency makes a decision it knows the total amount of the potential damage." We may
need to reevaluate the customer-driven intelligence model to find ways to harness more of the
brainpower that exists not only in the private sector but also within the nonprofit, academic, and
government domains—such as the working group that came together to face the Conficker virus
challenge (See Moscaritolo 2009).
Similarly, there are “weapons” confronting the DoD in the cyber arena that do not come from
traditional or foreign enemies, such as the Wikileaks disclosures. As Giesler (2009) phrased it, “The
challenge to the government is: how do you harness that decentralized, netcentric organism? How do
you enable the ecosystem's antibodies to react to these things as opposed to regulating and breaking
it down? How do you nurture that reaction?” This decentralized power emerged in the response to
Pakistan blocking Youtube-- as Jonathan Zittrain (2009) reminds, this was a crisis to which NANOG,
“an informal network of nerds, some of whom work for various ISPs,” promptly responded.
Cyberwar strategy requires us to think outside of a linear security-investment frame of mind toward
weapons development. The most accurate model of cyber threat appears to one that is biological—
specifically, one that is epidemiological— in its response to invasion. In the case of the Estonian
cyberattacks, Giesler (2009) offers as example, “it was the banking sector, it was the tellco sector that
responded,” and “I started to think „Maybe that's the right model. This stuff is so decentralized, the
problem is so pervasive and so fast…how you organize around a problem will dictate how you solve it
and it requires a lot more dialogue.” The Department of Defense has recognized this interweaving of
capabilities and data, and released the more oblique statement, “We are in the Age of
Interdependence, out of the Information Age” (DoD 2009 Vision Conference).
26

Merritt Baer
Effective cyberintrusion defenses analog the epidemiological model for responding to an invader.
Some have warned of a “cyber pearl harbor”; this seems too kinetic-world to form an accurate
description of the threat. As Giesler asserts, we ought to be talking about cyber-destruction like a
cancer—“you already have it, it‟s hard to detect, it may be fatal but it‟s also treatable.” It may be that
the best responses to cyberwar are not found by studying war—at least not the ones in our history
books involving cannons or tanks.
Similarly, rather than a process of continual growth, cyber evolution, like biological evolution, seems
more aptly characterized as punctuated equilibrium—fairly long periods of relative stasis followed by
quick, drastic periods of breakthrough. (An example of a breakthrough in the cyber context could be
the advent of cloud computing.) Correspondingly, one of the reasons why reaching Nash equilibrium
is unlikely in the cyberwar context is that it under unstable conditions, evolutionarily stable strategies
don‟t run a typical course. As evolutionary biologist Klaus Rohde (2005: Appendix 3) writes, “frequent
and drastic abiotic and biotic changes in the environment which affect the fitness (reproductive
success) of potential contestants in evolutionary „games,‟ will make it more difficult to establish
evolutionary stable strategies, because the establishment of an ESS cannot keep up with the
changes.” Because cyber evolution is not linear but organic, it forces us to treat it according to the
economics of biology. The DNI‟s “Vision 2015” report addresses the deliverables aspect of this: “We
cannot evolve into the next technology „S curve‟ incrementally; we need a revolutionary approach.
Breakthrough innovation, disruptive technologies, and rapid transition to end-users will be required…”
Applying game theory to cyberwarfare strategy allows us to make predictions that transcend lockstep
models, that change based on resources, and that take into account other players‟ strategies and
environmental conditions. Thus, while there is no solution nor even an accurate map of potential
moves in game theory, it seems yet to be our best tool for transcending the perpetual reactiveness
that has characterized cyber- information security efforts.
5. Uses of game theory
5.1 Layered defense
While cyberwar strategy is a game of imperfect information, there are always choices available, and
the vulnerabilities associated with each choice are not random but are often knowable or predictable,
at least to some extent. We know that the risks of using open-source materials are in its lack of
restriction; we know that the weakness that comes from use of highly classified, air-gapped (or in
Zittrain-speak, “tethered”), networks come from a loss of functionality and “generativity.” Diversity and
interoperability are tradeoffs, as are embrittlement and toughening. These are zero-sum games; but
the overall strategy is not. While one can not create a network that is maximally resistant to random
faults and maximally resistant to targeted faults, one can take into account the particular weaknesses
and likelihoods of attack so that the weaknesses overlap in resistant ways-- ways that correspond to
risk preferences and security priorities. As the banking and credit card systems have worked to create
overall robustness through non-overlapping weaknesses, other providers (including infrastructural)
should be able to create calculated layers of defense if there were coordination and appropriate
budgeting.
5.2 Identifying nodes robustly
In game theory, the identification of possible choices is termed alpha-beta pruning—there is not an
unlimited number of desirable outcomes therefore there is not an unlimited number of choices. One
can prune down the number of nodes evaluated in the search tree. Alpha-beta pruning represents the
fact that as soon as one move can be proven less desirable than another, it need not be further
evaluated. One‟s search can then steer toward the more promising subtree(s), creating an optimal
search path.
To do this effectively first requires diversity and creativity—that is, the ability to identify many possible
nodes. Defense Secretary Robert Gates stated that the Pentagon is “desperately short of people who
have capabilities (defensive and offensive cybersecurity war skills) in all the services and we have to
address it.” (Booz Allen 2009: 1). The key human-side aspect of cyberwar strategy is to effectively
uncover all possible decision paths, which requires foundationally that the Department of Defense do
a more effective job of recruiting and retaining diverse talent.
27

Merritt Baer
Identifying new nodes also requires a model that takes into account the creative possibilities that exist
in the cyber world (which do not exist as concretely in, for example, the nuclear world) for moves that
serve what biological models call “posturing”— flexing muscles to show capability rather than to enact
any immediate goal. Species which posture rather than fight tend to compete via a “war of attrition.”
Applying this to international security reveals that there are more available cyberwar decision paths
than those which enact straightforward violence. As Rohde (2010) stated, taking into account
posturing is useful because it accounts for different forms of power on the changing landscape in
which the competition occurs. Rohde explains, “Climate change, for example, may have unforeseen
consequences for how nations behave: a war of attrition may become more aggressive.” This game
cannot be modeled linearly based on how many canons or bombs a country has stockpiled; actual
capabilities may be less or more than those the country chooses to posture. (See, e.g., Woodward
2010 on the “speculative” possibility that Stuxnet was an Israeli attack on an Iranian target.) Cyberwar
posturing requires a model more nuanced than M.A.D. To fully exploit the potential for modeling game
theoretical strategies, we must recruit diverse minds to think up new possible nodes, and validate
different forms of power to determine what strategies serve the end goal.
5.3 Weighting nodes intelligently
Once one isolates the problem and defines the corresponding set of goals in a given situation, one
must evaluate the other players‟ likely moves. Game theory can play an important role at this stage
because it is well-established that human cognition tends not to react to threats in a fully rational way,
or as economics would dictate. Jonathan Renshon and Nobel Prize winner Daniel Kahneman have
written on these human cognitive obstacles to economically-optimal decisions. According to
Kahneman and Renshon (2006), “humans cannot make the rational calculations required by
conventional economics. They rather tend to take mental shortcuts that may lead to erroneous
predictions, i.e., they are biased.” Using game theory to make a security strategy that is a calculated
derivative of mapped potential outcomes allows decisionmakers to lessen those biases and respond
to threats proportionately/economically.
The fact that there are limited existing examples of cyberwarfare interactions complicates this stage of
analysis—successful programming in games like chess and Othello have relied upon finite patterns of
previous actions: “A hill climbing algorithm can… be used based on a function of the number of
correct opponent move predictions taken from a list of previous opponent moves or games.” (Hamilton
et al., 2002: 4). Lack of behavioral precedent models will increase the margin of error—if one could
use a killer heuristic (prioritizing moves that have been shown to produce cutoff in other situations),
the pruning would be more successful. (Winands 2004). It is possible that red-teaming could provide
some approximations of history—indeed, one of the recommendations in the Report of the Defense
Science Board (2010: viii) is to “establish red teaming as the norm instead of the exception.” And all
players must play on the board of limited empirical history.
In an intersecting sense, the uses of game theory in assigning weight neutrally to nodes of a decision
tree may be especially useful in the cyber context because our reactions seem to derive from
evolutionary strategies, and cyber may activate those uniquely. Having a "face" to the threat is crucial
to our reaction, according to psychologist Daniel Gilbert (2007) who offers as example that global
warming does not push our buttons like terrorism and other threats "with a mustache" do (think of the
resources we devote to deaths by terrorism, compared to deaths by cancer or hunger). Cyberwar has
a degree of sanitation to it—unlike bombs and tanks, it does not necessitate face-to-face
confrontation with the effects of one‟s decisions. (See Baer 2010b).
6. Avoiding cyberwar: Could we have cyber disarmarment?
The economic inefficiencies of an offensive cyber arms race (not to mention the danger of allowing
the US and others to stockpile a cyber arsenal) have led some to propose solutions to avoid this
altogether. Harvard Professor Jack Goldsmith (2010) has proposed something akin to an international
negotiating architecture to preempt cyberwar and the costs of cyberdefense. Certainly, the U.S. would
benefit from having red lines drawn. But even if we could have the prescience to create a sense of
rules that would anticipate the new ways in which the Internet will be useful for attack (which is
unlikely given the range of possibilities, many of which might not be directly violent— “the range of
possible options is very large, so that cyberattack-based operations might be set in motion to
influence an election, instigate conflict between political factions, harass disfavored leaders or entities,
or divert money.”-- National Research Council Committee on Offensive Information Warfare Section
28

Merritt Baer
1.5), there seems to be no way to guarantee China‟s (or North Korea‟s or Russia‟s) compliance
unless there are some enforcement machineries, and some remedies in instances of transgression.
Cheating seems almost assured considering that, for instance, North Korea continually reneges on its
nuclear negotiations, and cyber disarmament would be pragmatically much easier to cheat.
Even if we could get a global cyber-enforcement organization in place, cyber attribution problems
would allow for rogue states (let alone non-nation-state actors which have no real duty to comply and
are harder to retaliate against) to act outside of the red tape. Defectors could get a comparative
advantage by cheating (think to the classic prisoners‟ dilemma, in which defecting is always the
optimal strategy even though it doesn‟t produce optimal outcome overall), and could do it remotely
through US computers, as in the Estonia attack. For a disarmament agreement to be enforceable
would require a change in the Internet architecture in the sense of decreasing anonymity or some
other sea change to incentivize compliance. One could impose sanctions on nations that allow attacks
to happen-- but this strict liability regime would confront practical problems: finding accurate attribution
is difficult and in fact, the latest numbers reflect more botnet-appropriated computers in the U.S. than
anywhere else (Prince 2010). Establishing cyber rules and then not being able to enforce them
because of attribution problems could be embarrassing.
Moreover, like nuclear war game theory, cyberwar game theory decision paths are complicated by the
fact that there are differences in risk tolerance among players. Thus, while “the usual assumption is
that an opponent evaluation function uses a subset of the heuristics in our own evaluation function,
with different weights” (Hamilton et al. 2002: 4), the heuristics of cyber players may vary dramatically,
especially in interactions between countries with generally greater risk tolerance regimes in
government. Since “players' decisions are optimally based not only on their own cost functions (which
each knows) but also on their opponent's cost structure (which is known only in probability)”
(McCormick and Owen 2006), we cannot assume that our incentives for desiring disarmament match
other players‟.
Larger values-based issues require us to evaluate what kind of behavior we find acceptable online
and what is a violation of international ethics or human rights. This is part of a dialogue that needs to
occur before a legal framework can enforce it. As I have written, we all have a stake in this
determination (Baer 2010a). The purpose of this paper, however, was the strategic possibilities and
not the broader development of a code of human rights online.
7. Conclusions
Game theory is not a panacea. As I have described, cyberwarfare defies a number of common game
theoretic assumptions. However, it is worth exploring game theory‟s applications to cyberwarfare
strategy because game theory lends itself to viewing larger patterns, and approaching problems
holistically. In cyber, the lines between fighting and research melt away, and the computer scientists
mobilizing the tools to wage cyberwar look more like Mozart or Einstein than Napoleon. Following the
symmetries that occur in the natural world, the responses of epidemiology and the growth patterns of
evolutionary biology, game theory allows us to gauge efficacy in a non-linear dimension. Many
experts have compared cyberwar strategy to kinetic-world models, from nuclear strategy (Chertoff, in
Espiner 2010) to air warfare strategy (Baker 2010). I find that kinetic-world models of warfare fall short
of describing the problem of cyberwarfare or its possible treatments. There is no real winning in
cyberwar; there is continual reorientation.
Game theory, worked upon a biological model, holds promise for cyberwar strategy because it
transcends linear models that assume aspects of the landscape to be fixed. Cyberwarfare is delicate
but not haphazard, and game theory can lead decisions that address true threats by avoiding human
bias. If we maintain a robust workforce, game theory can also allow decisionmakers to identify
emerging nodes on the decision tree. In an occam‟s razor sense, it may be that to anticipate the curve
in the cyberwarfare game, we ought to return to the simple beauty of early programming, when the
Internet was unmolded, an organic cell of potential energy. Cyber development eludes kinetic-world
models because it is not just about harnessing power, it is about creating new pockets of utility and
exploiting them in creative ways.
Acknowledgements
Thanks to Professor Jack Goldsmith for the opportunity to write a first version of this research in
seminar and for the exposure to many of cyberwarfare‟s leading minds.
29

References
Merritt Baer
Anderson, R. and Moore, T. (2006) “The Economics of Information Security,” Science Vol. 314 No. 5799, pp.
610-613.
Arnold, S. A., et al. (2009) "Can Profit Policy and Contract Incentives Improve Defense Contract Outcomes?"
Institute for Defense Analyses, Washington, DC.
Baer, M. (2010a) “Cyberstalking, and the Internet Landscape We Have Constructed.” Virginia Journal of Law and
Technology 154 Vol. 15, No. 2.
-- (2010b) “Cyber Attacks & the Ethical Dimension of the Google China Episode,” [online], Global Comment,
http://globalcomment.com/2010/cyber-attacks-the-ethical-dimension-of-the-google-china-episode/
Baker, S. (2010) “Cyberwar: What is it Good For?” ABA 20 th Annual Review of the Field of National Security Law,
Washington, DC.
Baram, M. (2009) “Wasteful Spending by Private Contractors in Afghanistan Climbs to $1 Billion, as their
Numbers Multiply,” Huffington Post.
Booz Allen Hamilton (2009) “Cyber In-Security: Strengthening the Federal Cybersecurity Workforce,” [online],
http://www.ourpublicservice.org/OPS/publications/viewcontentdetails.php?id=135
Calbreath, D. (2005) "MZM Scandal Illuminates Defense Contract Tactics," [online], Sign on San Diego,
http://archives.signonsandiego.com/news/politics/cunningham/20050821-87-mzmscand.html
Carney, J. (2010) “The War Against Wikileaks is Worse than Wikileaks,” [online], CNBC,
http://www.cnbc.com/id/40551046/
CBS News (2009) “Cyber War: Sabotaging the System” 60 Minutes,
http://www.cbsnews.com/stories/2009/11/06/60minutes/main5555565_page1.shtml?tag=contentMain;conte
ntBody
Charney, S. (2009) “Reviewing the Federal Cybersecurity Mission,” Testimony Before the U.S. House Committee
on Homeland Security Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology,
Washington, DC.
Clockbackward (2009) “Does Beauty Equal Truth in Physics and Math?” [online], Clockbackward Essays,
http://www.clockbackward.com/2009/03/11/does-beauty-equal-truth-in-physics-and-math/
DoD 45 th Annual Federal Forecast (2009) Department of Defense Special Topic Cyber Security: TechAmerica
2009 Vision Conference, Washington, DC.
Director of National Intelligence, “Vision 2015: A Globally Networked and Integrated Intelligence Enterprise,”
[online], HYPERLINKhttp://www.dni.gov/Vision_2015.pdf
Espiner, T. (2010) “Chertoff Advances Cyber Cold War,” [online], ZDNet UK
http://www.zdnet.co.uk/news/security-threats/2010/10/14/chertoff-advocates-cyber-cold-war-40090538/
Gal-Or, E. and Ghose, A. (2004), “The Economic Consequences of Sharing Security Information,” Economics of
Information Security, Vol. 12, pp. 95-104.
GAO Report to Congressional Committees (2009) "Defense Acquisitions: Assessments of Selected Weapons
Plans," [online], http://www.gao.gov/new.items/d09326sp.pdf
Geer, D., Jr., Sc.D. (2010) “Cybersecurity and National Policy,” Harvard National Security Journal, Vol. 1.
Giesler, R. (2009) personal conversation with the author.
Gilbert, D. (2007) “If Only Gay Sex Caused Global Warming,” Huffington Post.
Goldsmith, J. (2010) “Can We Stop the Global Cyber Arms Race?” Washington Post.
Hathaway, M. (2009) “Strategic Advantage: Why America Should Care About Cybersecurity,” Harvard Kennedy
School, Cambridge, MA.
Hamilton, S.N., Miller, W.L., Ott, A., and Saydjari, O.S. (2002) The Role of Game Theory in Information Warfare,
and Challenges in Applying Game Theory to the Domain of Information Warfare, Fourth Information
Survivability Workshop ISW-2001/2002, Vancouver, BC Canada
Winands, M.H.M. (2004) “Informed Search in Complex Games,” Datawyse b.v., Maastricht, The Netherlands.
Jamakka, J. and Mölsä, J.V.E. (2005) “Modeling Information Warfare as a Game,” Journal of Information Warfare
Vol. 4, No. 2, pp. 12-25.
Kahneman, D. and Renshon, J. (2006) “Why Hawks Win.” Foreign Policy.
http://www.foreignpolicy.com/articles/2006/12/27/why_hawks_win
Libicki, M. (1995) What is Information Warfare? National Defense University, Washington, DC.
McCormick, G. H. and Owen, G. (2006) "A Game Model of Counterproliferation, with Multiple Entrants,"
International Game Theory Review, Vol. 8, No. 3, pp. 339-353.
Moscaritolo, A. (2009) “Industry Collaboration: Drumming Up Defenses,” SC Magazine.
MSNBC (2007) “Defense Dept. warns about Canadian spy coins,” [online],
http://www.msnbc.msn.com/id/16572783/
National Research Council Committee on Offensive Information Warfare (2009) “Technology, Policy, Law and
Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities,” The National Academies Press,
Washington, DC.
http://www.abanet.org/natsecurity/cybersecurity_readings/1final_report_cyberattack_nasnae.pdf
Prince, B. (2010) “Microsoft: U.S. Home to Most Botnet PCs,” eWeek [online]
http://www.eweek.com/c/a/Security/Microsoft-US-Home-to-Most-Botnet-PCs-216614/
Project Honey Pot, (2009) “Our 1 Billionth Spam Message” [online]
http://www.projecthoneypot.org/1_billionth_spam_message_stats.php
30

Merritt Baer
Report of the Defense Science Board (2010), “Capability Surprise,” [online],
http://www.acq.osd.mil/dsb/reports/ADA506396.pdf
Rescorla, E. (2004) “Is Finding Security Holes a Good Idea?” Third Workshop on the Economics of Information
Security, Minneapolis, MN.
Reuters (2010) “Wikileaks Battle: A New Amateur Face of Cyber War?” CNBC
Rhode, Klaus (2005) Nonequilibrium Ecology. Cambridge University Press, Cambridge, MA.
-- [online] “Games Theory (Nash Equilibria) in International Conflicts,” http://knol.google.com/k/games-theorynash-equilibria-in-international-conflicts#
Saydjari, O.S. (2004) “Cyber Defense: Art to Science,” Communications of the ACM Vol. 47, No. 3 pp. 52-57.
Schavland, J., Chan, Y., and Raines, R.A. (2009), “Information Security: Designing a Stochastic-Network for
Throughput and Reliability.” Naval Research Logistics Vol. 56, No. 7, pp. 625-641.
Shapcott, Brad “Economics Proverbs,” [online], CEO Magazine
http://ceomagazine.biz/hrmproverbs/economicsproverbs.htm
Shen, D., Chen, G., Haynes, L.S., Cruz, J.B., Kruger, M. and Blasch, E. (2007) “A Markov Game Approach to
Cyber Security,” [online], SPIE Newsroom, "https://spie.org/x15400.xml?ArticleID=x15400"
https://spie.org/x15400.xml?ArticleID=x15400
Shofield, J. (2008) “It‟s Every Man for Himself,” The Guardian.
Sills, M. (2009) “ULL gets Air Force contract: Researchers to develop preemptive cyber security strategies,” The
Advocate [online] http://www.2theadvocate.com/news/79589152.html?c=1287843989513
Soares, M. (2009) “Brazilian Blackout Traced to Sooty Insulators, Not Hackers,” Wired Magazine.
Spring, B. “Nuclear Games: A Tool for Examining Nuclear Stability in a Proliferated Setting,” [online],
http://www.heritage.org/Research/nationalSecurity/upload/hl_1066.pdf
Umehara, E. and Ohta, T. (2009) “Using Game Theory to Investigate Risk Information Disclosure by Government
Agencies and Satisfying the Public—the Role of the Guardian Agent," Systems, Man and Cybernetics, Part
A: IEEE Transactions on Systems and Humans Vol. 39, No. 2, pp. 321-330.
Verizon 2009 Data Breach Investigations Report, [online], Verizon Business Security Solutions,
http://securityblog.verizonbusiness.com/2009/04/15/2009-dbir/
Verizon 2010 Data Breach Investigations Report, [online], Verizon Business Security Solutions,
http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf
Wilson, C. (2008) “Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress”
Congressional Research Service Order Code RL32114, Washington, DC.
Woodward, P. (2010) “Stuxnet: the Trinity Test of Cyberwarfare,” War in Context [online]
http://warincontext.org/2010/09/23/stuxnet-the-trinity-test-of-cyberwarfare/
Zittrain, J., Lord, Lt. Gen. W., Geer, D., (2010) Cybercrime and Cyberwarfare class, Harvard Law School.
Zittrain, J. (2008) The Future of the Internet—and How to Stop It. Yale University Press, New Haven, CT.
-- (2009) “The Web as Random Acts of Kindness” [online video]
http://www.ted.com/talks/jonathan_zittrain_the_web_is_a_random_act_of_kindness.html
31

Who Needs a Botnet if you Have Google?
Ivan Burke and Renier van Heerden
Council for Scientific and Industrial Research, Pretoria South Africa
IBurke@csir.co.za
RvHeerden@csir.co.za
Abstract: Botnets have become a growing threat to networked operations in recent years. They disrupt services
and communications of vital systems. This paper, gives an overview of the basic anatomy of a Botnet and its
modus operandi. In this paper, we present a Proof of Concept of how Google gadgets may be exploited to
achieve these basic components of a Botnet. We do not provide a full fledged Botnet implementation but merely
to mimic its functionality through Google Gadget API. Our goal was to have Google act as proxy agent to mask
our attack sources, establish Command and Control structure between Bots and Botherders, launch attacks and
gather info while at the same time maintaining some degree of stealth as to not be detected by users.
Keywords: Botnet; Google Gadget; Command and Control; DDoS
1. Introduction
A Botnet is a collection of compromised computers or agents that are infected by malware. These
agents use sophisticated command and control techniques to execute complex and distributed
network attacks. Agents are usually unaware that they have been compromised and are partaking in
these attacks. They are often controlled by an external agent known as Botherders or master agents
(Banks 2007, Vamosi 2008).
According to Steward (in Vamosi, 2008), the techniques used by large Botnets such as Storm are
available online, but a Botnet is more than the sum of its parts. What makes a Botnet successful is
combining all these components into a coherent structure.
Stracener states in (Stracener, 2008), that future malware will run on the internet instead of
standalone computers. His premise is that, as the modern computer infrastructure moves closer to a
networked cluster or cloud so too will the threats to these infrastructures. He warns of his concerns
about malicious gadget and key vulnerabilities related to gadgets. A study conducted by WorkLight
Inc. (in MacManus, 2008), found that 48% of internet bank users, ages 18-34, would use secure thirdparty
Web 2.0 gadgets for their personal banking, if their banks did not provide them with such
functionality. This would imply the users would be able to make a informed decision about what it
means to identify a Web 2.0 gadget as being secure.
Stracener's concerns are mimicked by The Cloud Security Alliance in their paper (Hubbard et al.,
2010). They identify seven key threats to Cloud computing security:
Abuse and nefarious use of cloud computing
Insecure interfaces and APIs
Malicious insiders
Shared technology issues
Data loss or leakage
Count or service hijacking
Unknown risk profile
In this paper we demonstrate a rudimentary Botnet construct by exploiting Google services to host our
Botnet. We investigate the core components of a Botnet and then attempt to mimic the components
using Google Gadget API. It is not the goal of this paper to illustrate the weaknesses in a specific API
but rather to illustrate the danger of user generated content on the World Wide Web. Our aim is to
proof that online services can be organized into a botnet like structure.
Google Gadgets API is design for rapid development of small web based utility applications such as:
calendars, currency converters and news feed readers (Peterson, 2009). By including Open Social
API to a Google gadget, one can enhance shared gadget interaction and extend one’s gadget to the
Social Media domain.
32

Ivan Burke and Renier van Heerden
Flaws in Google Gadgets have been demonstrated by Barth et al. (2009). They noted that JavaScript
can lead to exploitation. These vulnerabilities include session sharing vulnerabilities which enable
Cross-Site Scripting (XSS) and malicious redirects to Man-in-the-middle attacks. Google has been
reluctant to fix some of these vulnerabilities since 2004. (Robert 2008)
In Section 2, we investigate the composition of a basic Botnet. In Section 3, we describe our attempt
at mimicking these components. In Section 4, we discuss our Botnet model. In Section 5, we propose
possible future application of this work. In Section 6, we discuss our conclusion and possible means
of stopping these types of Botnets.
2. Anatomy of a botnet
Botnets tend to share communalities in their structure and design. In this Section, we describe the
common components of a Botnet as well as their role within the Botnet.
Figure 1: Anatomy of a Botnet
2.1 Command and control component
A large part of a Botnet’s success can be attributed to its ability to execute large, synchronized,
distributed attacks. This would require sophisticated command and control (C2) structures to coordinate
these attacks (Banks 2007, Ollmann, 2009).
Communication channels usually relay herder instructions, such as commands to execute on remote
PC. Bots use channels to send back retrieved data such as key logger information or command
response information. These communications need to be covert in order to hide the Botnet activities.
Over the years several covert channels have been used to communicate commands between Bot and
Botherder such as Twitter, Internet Relay Chat (IRC) and Instant Messages. Several advance C2
techniques such as steganography or social media sites to hide Botnet communication in plain sight.
Next we look at the types of attacks that could be executed by Botnots (Ollmann, 2009)
33

2.2 Attack vector
Ivan Burke and Renier van Heerden
Botnets are usually goal orientated. For the most part their goal is either profit or service disruption.
There are several means of achieving these goals using botnets. In this Section, we discuss some
attacks commonly used by Botnets.
2.2.1 Distributed denial of service attack
Due to Botnet size and the distributed nature of Botnets, Distributed Denial of Service attacks (DDoS)
are a popular form of attack (Felix et al., 2005). In this attack the Botherders issue a command to all
its subordinate Bots to connect to a targeted system at the same time. The targeted system can
usually not handle the sudden influx of requests and which cause system services to be temporarily
disrupted. Botherder rent out these services to competitors to disrupt competitor services (Kiefer,
2004).
2.2.2 Spam relay
The first generation of Botnets where reliant on email to spread and infect various hosts. Botnets
would open a SOCKS v4/v5 proxy on compromised machines, allowing it to send spam at the request
of the Botherder. Botnets also harvested email addresses from infected hosts to add to its spam lists.
(Engate, 2009)
2.2.3 Data harvesting
Botnets report back valuable system information to Botherders. This information can include key
stroke logs, system vulnerabilities, service availability on host machine, open port data and network
traffic. Botherders collect and collate this data to retrieve data such as user names and passwords
which could be used for mass identity theft. Botnets scan for system weakness that could possibly be
exploited at a later stage if Botnet functionality is compromised in future. By sniffing network traffic
Botnets could become aware of rival Botnets infecting host PCs and disrupt these rival Botnet
functionality.
2.2.4 Ad serve abuse
Botnets can be utilized for monetary gain. Botnets can be used to exploit the Pay Per Click or
Impression Based internet advertising models. By forcing infected machines onto ad serve sites or
using iFrames to fool users into clicking on advertisements, Botherdes can generate revenue from
marketing companies.
Botherders infect host PC with browser add-ons, Browser Helper Objects (BHO), or browser
extensions which changes user browser interaction to relay them to ad serve sites or simply generate
brows requests to ad serve sites automatically. These Add-ons can serve a dual purpose, as it can
collect user data from browser and relay it to Botherder.
2.3 Viral capability
One of the great strengths of a Botnet is its sheer size. This also makes Botnets so tough to take
down. Hence it is essential for a Botnet to spread fast and to vastly distributed systems.
The first generation of Botnets where primarily reliant on email and malicious page redirects to
spread. Modern Botnets such as Asprox, Koobface, Zhelatin and Kreios C2 spread via social media
(Denis, 2008) (Eston, 2010). The Botnet posts users content on social networks sites which infect any
user that follows the malicious links. Some Botnets have been known to hide within popular trusted
applications. Trojans drop malicious code in trusted address spaces and exploits weaknesses in
hosts PC to compromise it and make it part of Botnet network.
2.4 Stealth component
Botnets are only useful as long as they are not detected. Hence stealth is a fundamental requirement
for all Botnets.
It is the opinion of the researchers that stealth is required in each of the components previously
identified in this section. If communications are noisy, infected host might become aware of malicious
34

Ivan Burke and Renier van Heerden
activity and firewalls or intrusion detection systems might block communications. If attack is disruptive,
anti-virus companies will detect and block the attack. Mechanisms used to spread Botnets must seem
organic and natural for it to be affective. It is the combination of these requirements that make Botnets
so difficult to construct and maintain.
In the next section we our attempt at constructing these components using Google Gadgets API.
3. Attempt at constricting a botnet
In this Section, we will discuss our attempt to create a proof of concept Botnet; At first we look at
cloud computing as a whole and then more specifically using Google Gadgets API we investigate the
possibility of using Cloud computing to mimic the attack components of a Botnet, as presented in
Section 2. It is important to note that, this paper is not just specifically targeted towards exposing
Google API weaknesses but to illustrate the dangers of user generated content and cloud computing
on the World Wide Web.
According to Garner (Garner, 2008), cloud computing can be defined as style of computing whereby
IT-related capabilities are provided as a service using Internet technologies to connect to multiple
customers. Botnets have already been found using popular cloud such as Amazon's EC2 as a
Command and Control unit (Goodin, 2009). In a report compiled by The Cloud Security Alliance,
seven types of security threats where identified (Hubbard et al., 2010). Of these seven, we focused on
two main attack factors Abuse and nefarious use of cloud computing as well as Insecure interfaces
and APIs.
3.1 Establishing denial of service attack capability
Figure 2: Google Gadget makeRequest() function
The Google Gadget API provides users the capability to load remote content into gadgets by calling,
makeRequest() (Google Gadgets API, 2009). This function is asynchronous and can be called
independent from other JavaScript calls. This is a fairly useful capability as this allows users to easily
create gadget versions of their websites and extend their market reach. This function instructs one of
the servers residing on the Google Gadget Domain to perform an HTTP request on behalf of the
gadget user, as illustrated in Figure 3: makeRequest() HTTP request flow. This implies that the request
source is obfuscated and that only the Google Gadget Server IP address will appear in the remote
server logs. By exploiting this communication structure one can use Google Gadget Servers as Bots
for a Botnet. For the purpose of this Proof of Concept we used Goolge’s makeRequest() function to
send and interpret all command and control messages sent between bots and botherder.
Figure 3: makeRequest() HTTP request flow
According to Google Webmaster Central (2010), Google uses a Feedfetcher user-agent to retrieve
remote content. Google’s Feedfetcher user-agent does not follow the Robots Exclusion Protocol. This
protocol is not mandatory but is meant to protect certain pages from being viewed by web spiders and
crawlers. When asked why Google’s Feedfetch agent does not obey robots.txt, the Google
representative states that the Feedfetcher request is the result of an explicit action by a human user,
and not from automatic crawlers, hence Feedfetcher does not follow robots.txt guidelines. This
response would imply it is not possible to generate fetch requests automatically, yet seeing as Google
gadgets are coded in JavaScript it is a trivial task to automate the fetch requests.
35

Ivan Burke and Renier van Heerden
According to (Google Gadgets API, 2009), Google’s makeRequest() function does not validate the
existence of a page prior to sending the HTTP request to remote server. This would mean malicious
coders can use Google Gadgets to probe websites for config, admin or script files stored in un-listable
directories of web pages. This could also be used to create a large amount of traffic towards the web
server by generating makeRequest() calls for none-existent pages on the server. This type of probing
and traffic generation could also be created by pure JavaScript without the use of Google Gadget’s
makeRequest() function, but the benefit of using Google Gadget API is that the remote server logs will
only contain the IP address of Google Gadget application servers, as illustrated by Figure 4: Remote
server log.
Figure 4: Remote server log
Google provides a cache features for all its gadgets to reduce server loads (Google Gadgets API,
2009). This cache server saves a copy of the remote content on a local server for faster retrieval. By
default Google gadgets get cached for approximately one hour. Due to the requirement of some
gadget developers to have shortened cache timing due to dynamic nature of their gadgets, Google
provided developers with the capability to set the cache interval. According to Google Gadgets API
(2009), it is possible to set the interval to zero seconds. Google Gadget API does not prevent
developers from setting cache interval to zero but warns against setting cache interval to zero as it
might overload remote server.
Thus we have discovered two means of disrupting remote server. Either by generating near infinite
fictitious web pages from a server, or by fetching the same page recursively and setting the refresh
interval to zero seconds.
3.2 Retrieving user data
Clients using the Cloud uses API calls to communicated and execute commands on the Cloud,
through its Service-Orientated Architecture (SOA). In general, cloud computing units are heavily
compartmentalized to insure no data can be leaked between clients. Unfortunately the components
that makeup the Cloud infrastructure, such as CPU, Ram and GPU, where not specifically designed
for isolation. (Hubbard et al., 2010) Techniques to exploit this weakness have been demonstrated by
Joanna Rutkowska (Rutkowska, 2008) and Kostya Kortchinsky (Kortchinsky, 2009). In our specific
case we do not target data on the Cloud specifically we merely use the Cloud as a channel to pass
and receive message.
Google gadget API is a collection of JavaScript libraries; as such they require JavaScript to be
enabled to utilize its capability. JavaScript can be used to determine user browser history and browser
information. Cabri (2007), created a simplistic JavaScript to determine if a page have been visited
before. Figure 5: Sites visited script, contains the script he used. By using this script to look up
banking sites or social media sites one can determine which banking and social media services the
user have visited.
By combining this script with Google gadget makeRequest(), one can determine if the user has auto
login enabled for certain social media sites. For example: to test if the user has auto-logon enabled on
Facebook one can request http://www.facebook.com/home.php. If the content is the home page it
would mean the browser automatically logged the user in or the user has an active Facebook session.
If the login page is returned it would mean the user’s session has expired or that auto-logon is
disabled. Keep in mind that makeRequest() does not display the page, it merely returns its contents to
the callback function specified by the makeRequest() call. This means that the user does not need to
get any visual cues of gadget activity. The Botnet designer can choose whether to scrape the
resulting homepage for more data or to crawl the social network site for more data or to just report the
information back to Botherder for future use.
36

Ivan Burke and Renier van Heerden
Figure 5: Sites visited script
Hashemian (2005), created a PHP script that can be accessed via JavaScript to perform IP resolution
and reverse DNS lookups for visitors to sites. This provides more info on the location and domain
usage of gadget user. Google’s makeRequest() function is also capable of performing a POST
request. By combining these JavaScript information gathering techniques and posting capability of
Google’s makeRequest() one can report back gathered information to Botherder. This is just some of
the data that can be gathered using JavaScript and by no means covers all the data that can be
harvested by JavaScript but for the purposes of this Proof of Concept they are sufficient.
3.3 Adsense abuse
Advertising companies offering website designers money for serving up adverts on their sites. By
requesting pages using makeRequest() one can fool most Impression Based advertising models into
counting the page fetch as an impression hence generating revenue for the website designer. Unique
IP addresses have a higher weight on Advanced Impression Based advertising sites. Because
Google Gadget Application servers make the request, only a select few IP addresses will in effect be
displayed in advertising company logs. Hence, Adsense abuse is not really effective with Google
Gadget API but it does guarantees a steady and constant number of visits to a site.
3.4 Obfuscating source of attack
Thus far it has already been stated that if the Google Feedfetcher is used to fetch remote data only
the Google Gadget Domain Server's IP will be logged in the remote servers access logs. This is
already an attempt to obfuscate the source of the attack. Unfortunately for Google gadgets to work
and to be published Google needs to be able to access the gadget source code. This means that
anyone wishing to add the gadget would also be able to fetch the source code and could possibly
deduce that it executes malicious commands. A simple way of overcoming this obstacle is obfuscate
the source code. By encoding the JavaScript source code in base64. Wang, (2009) developed a web
tool specifically designed to obfuscate JavaScript. Figure 6 illustrates the result of obfuscating the
hasLinkBeenVisited() function.
37

Figure 6: JavaScript obfuscation
3.5 Spreading of botnet
Ivan Burke and Renier van Heerden
Thus far we have illustrated two layers of attack. The DDoS attacks and Adsense abuse described in
previous subsections are targeted towards remote servers or Impression Based advertising
companies, these attacks are in effect performed by the gadget users on behalf of the botherder. The
second layer of attack is the data gathering performed on the actual gadget user.
Attacks on remote server, actually require few gadget users. A botherder can automate mass
amounts of requests from a single gadget user. FeedFetcher was designed distributed on several
machines to improve performance and to cut down on bandwidth Google attempts to make the fetch
request on a machine situated near target remote site. This would mean that the IP would constantly
change and that the physical location of fetching machines can also be varied.
The second layer of attack is more reliant on the gadget itself to spread among users. For the
purpose of this research we merely created several Google accounts and used Google Gadget
sharing capabilities to distribute the gadgets. We will now briefly discuss some of the options available
for spreading of gadgets.
Google Gadget API provides users with the capability of sharing gadgets among a user’s Google
contact list or by sending out emails containing an invite to install the gadget. Google also provide the
capability of publishing the gadget on their Application servers. Published applications can be ranked
and browsed by all iGoogle users. By manipulating the Google ranking system one can increase the
probability of your gadget being added by other users.
Google Gadget API is fully integrated with OpenSocial API. OpenSocial API is a web framework for
developing social applications which are capable of communicating across multiple social media sites.
Peterson (2009), provides some basic steps than can be taken to increase gadget spread.
In the next Section, we will discuss our final Botnet model. We discuss how we mapped all the
techniques described in this Section into our final Proof of Concept model.
4. Botnet gadget
Figure 7: Botnet Gadget illustrates the basic structure of our Botnet gadget. The Botherder acts as a
Gadget developer and uses Google’s services to update the Gadget and by extension update the
Botnet. By doing this the Botherder can have a single point of access to all Bots at the same time.
Updates might include new JavaScript attacks or even new targets for DDoS attack. The Botnet hides
in plain sight as a normal gadget. It could either use a command from the Botherder or a temporal
event to trigger a remote attack and while the Botnet is waiting to commence the next attack the
Gadgets can gather information on Gadgets users and possibly identify other means of
communications or vulnerabilities on Gadget user’s PC.
38

Ivan Burke and Renier van Heerden
Figure 7: Botnet Gadget
In the remainder of this Section we discuss the attacks we added to our PoC Botnet Gadget and we
discuss some of the information obtained by our Botnet Gadget.
We used the JavaScript function provided by Cabri (2007) to extract user history information such
which Social network site the gadget user has visited and which bank he or she uses. Cabri’s (2007)
script can only determine if a site has been visited hence it is an exaustive search, hence we scanned
though a targeted list of URLs for information we were interested in. We used JSON IP Adress
recovery script provided by (Bullock, 2010), to determin gadget user IP Time zone and general
geographical location using the retrieved IP.
Figure 8: Sample of JSON IP recovery script
To determine if the gadget user has auto login for social network sites we create hidden iFrames to try
and access logged in content of social media sites. We queried the iFrame content to determine
whether the iFrame was redirected to Login page or whether it could access the content. This data
along with IP and history data was posted back to our own remote server using Google’s
makeRequest() function.
For a denial of service attack we used one of our own servers and requested fictitious pages from it
using makeRequest() function. We placed fetch request in a n endless loop that generated
39

Ivan Burke and Renier van Heerden
randomized page requests to our server. This approach was not successful as it lead to gadget user
PC to run out of memory. Upon investigation we realized this was caused by Google’s AdSense
triggering upon each remote request. We realized that by slowing the request time one could
effectively use this technique for AdSense abuse but as this was not our goal with this PoC we
deactivated AdSense tracking.
We ran the DDoS attack ten times on our own server. We used a single Google Gadget machine.
Table 1: DDoS results shows that on average 638 requests were executed per second. According to
server logs, eight unique Google domain servers were used to make the remote requests. Based on
this data and data pertaining to a specific target server one can determine the number of Gadget
users required to effectively take down a remote server. Unfortunately there is no fixed number of
Gadget users that is required to disrupt a service. The number required is dependent on server
architecture, request routing and data transferred per request. This PoC just determined the rough
number of request that are possible using Google gadgets.
Table 1: DDoS results
Experiment Time per 1000 requests Requests per second
1 1.376 726.744
2 1.884 530.786
3 1.232 811.688
4 1.473 678.887
5 1.661 602.047
6 1.573 635.768
7 1.589 629.406
8 1.605 623.169
9 1.621 617.055
10 1.637 611.060
Average 1.56495 638.998
5. Future work
This paper, merely wishes to illustrate the ease of generating a potential Botnet using services
provided by Google Gadgets. In actuality the only true exploit was the fact that Google allows users to
use Google servers to fetch remote content. The fact that Google gadgets require JavaScript in order
to run, just facilitate the process of automating the attack.
The whole spectrum of attacks on JavaScript can be used with Google’s services. The ability to
execute code from Google’s computers can lead to other misdirection attacks. Google is not the only
commercial player in the internet cloud space. Similar attacks may be possible from Microsoft, Yahoo
or Amazon services. We aim to investigate this in future research.
In this paper we did not investigate the possibility of AdSense revenue generation. By registering a
impression based advertising mechanism, such as Adgator, one can generate revenue simply by
delaying repetitive fetch requests a Botherder. More complex techniques are proposed by Hansen
(2008) to add Clickthrough or Pay-Per-Click advertising schemes.
The Botnet Gadget suffers from several critical weaknesses. Because the Botnet Gadget relies on
Google Feedfetch agent to make remote requests it can easily be stopped by blocking all requests
from this agent. But this will influence other legitimate FeedFetch agent request from Google reader.
Another potential weakness is that Google gadget source code needs to accessible by Google
Gadget Servers hence if a malicious gadget is detected Google could easily remove the Gadget and
the Botherder would lose all its Bots.
6. Conclusion
In this paper we reiterated the views of Stracener (2008) and Hubbard et al. (2010) that as the
computer user base moves towards cloud computing so to will the security threats. We used
Hubbard’s seven key threat indicators to try and identify possible routes of attack for our research.
40

Ivan Burke and Renier van Heerden
First, we defined the four key components of a Botnet. We then provided examples of how these
components can be mimicked by Cloud services and specifically by Google’s gadget API and how
they match the Cloud security threats identified by Hubbard. The API was capable of reproducing
each of the components functionality, to a limited degree with very little alteration of freely available
web resources.
We combined these components to form a simple but working botnet. Although limited in scope, a
simple DDoS attack was achieved by using Google servers as the attacking computers. The current
botnets concentrate on using personal and corporate computers, but as they are moving into the
cloud computing, the botnets will follow.
We identified several weak points in our current design and identified some possible areas for future
development of Cloud botnet research. This is still a rather new field and as such this paper hopes to
serve as a possible point of reference for future work.
References
Banks, S. & Strytz, M., 2007. Bot armies: an introduction. [Online] SPIE Available at:
http://spie.org/x15000.xml?ArticleID=x15000 [Accessed 10 October 2010].
Bullock, D., 2010. IP Address Geolocation JSON API. [Online] Available at:
http://ipinfodb.com/ip_location_api_json.php [Accessed 8 October 2010].
Cabri, R., 2007. Spyjax - Your browser history is not private! [Online] Available at:
http://www.techtalkz.com/news/Security/Spyjax-Your-browser-history-is-not-private.html [Accessed 7
October 2010].
Denis, B., 2008. Anatomy of the Asprox Botnet. [Online] VeriSign Available at:
http://xylibox.free.fr/AnatomyOfTheASPROXBotnet.pdf [Accessed 30 September 2010].
Engate, 2009. Defending your network from Botnet threat. [Online] Engate Available at:
http://ns1.happynet.com/images/datasheets/Engate_whitepaper.pdf [Accessed 9 October 2010].
Eston, T., 2010. DigiNinja. [Online] Available at: http://www.digininja.org/ [Accessed 5 October 2010].
Felix, F.C., Thorsten, H. & Wicherski, G., 2005. Botnet Tracking: Exploring a Root-Cause Methodology to Prevent
Distributed Denial-of-Service Attacks. Computer Security – ESORICS 2005, 3679, pp.319-15.
Garner, 2008. Gartner Says Cloud Computing Will Be As Influential As E-business. Garner Inc. Stamfort: Garner
Inc.
Google Gadgets API, 2009. Working with Remote Content. [Online] Google Available at:
http://code.google.com/apis/gadgets/docs/remote-content.html [Accessed 7 October 2010].
Google Webmaster Central, 2010. Feedfetcher. [Online] Google Available at: "
http://www.google.com/support/webmasters/bin/answer.py?hl=en&answer=178852 [Accessed 3 October
2010].
Hansen, R. & Stracener, T., 2008. Xploiting Google Gadgets: Gmalware and beyond. [Online] Available at:
http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-stracener-hansen.pdf [Accessed 3
October 2010].
Hashemian, R.V., 2005. JavaScript Visitor IP Address and Host Name. [Online] Available at: I:\JavaScript Visitor
IP Address and Host Name.mht [Accessed 3 October 2010].
Hubbard, D. et al., 2010. Top Threats to Cloud Computing V1.0. Cloud Security Alliance.
Kiefer, K.P., 2004. Background on Operation Web Snare. [Online] Available at:
http://www.justice.gov/criminal/fraud/documents/reports/2004/websnare.pdf [Accessed 3 December 2010].
Kortchinsky, K., 2009. Black Hat. [Online] Immunity, Inc. Available at: http://www.blackhat.com/presentations/bhusa-09/KORTCHINSKY/BHUSA09-Kortchinsky-Cloudburst-SLIDES.pdf
[Accessed 16 November 2010].
MacManus, R., 2008. Read Write Web. [Online] Available at:
http://www.readwriteweb.com/archives/survey_48_of_bank_customers_wa.php [Accessed 6 October 2010].
Ollmann, G., 2009. A Botnet by Any Other Name. [Online] Available at:
http://www.securityfocus.com/columnists/501 [Accessed 11 October 2010].
Peterson, V., 2009. Social Design Best Practices. [Online] Available at:
http://wiki.opensocial.org/index.php?title=Social_Design_Best_Practices [Accessed 3 October 2010].
Rutkowska, J., 2008. Black Hat. [Online] Coseinc Available at: http://www.blackhat.com/presentations/bh-usa-
06/BH-US-06-Rutkowska.pdf [Accessed 16 November 2010].
Stracene, T., 2008. Securing Widgets and Gadgets in the Web 2.0 World. [Online] Available at:
http://blog.cenzic.com/public/blog/208285 [Accessed 6 October 2010].
Vamosi, R., 2008. CNET News. [Online] Available at: http://news.cnet.com/8301-10789_3-10040669-57.html
[Accessed 2 October 2010].
Wang, A., 2009. Javascript Obfuscator . [Online] Available at: http://www.javascriptobfuscator.com/Default.aspx
[Accessed 12 October 2010].
41

Mission Resilience in Cloud Computing: A Biologically
Inspired Approach
Marco Carvalho 1 , Dipankar Dasgupta 2 , Michael Grimaila 3 and Carlos Perez 1
1
Florida Institute for Human and Machine Cognition, Pensacola, USA
2
University of Memphis, USA
3
Air Force Institute of Technology, Wright-Patterson AFB, USA
mcarvalho@ihmc.us
ddasgupt@memphis.edu
michael.grimaila@afit.edu
cperez@ihmc.us
Abstract: With the continuously improving capabilities enabling distributed computing, redundancy and diversity
of services, Cloud environments are becoming increasingly more attractive for missioncritical and military
operations. In such environments, mission assurance and survivability are key enabling factors for deployment,
and must be provided as an intrinsic capability of the environment. Mission-critical frameworks must be safe and
resistant to localized service failures and compromises. Furthermore, they must be able to autonomously learn
and adapt to the environmental challenges and mission requirements. In this paper, we present a biologically
inspired approach to mission survivability in cloud computing environments. Our approach introduces a multilayer
infrastructure that implements threat detection and service failure coupled with distributed assessments of
mission risks, automated re-organization, and re-planning capabilities. Our approach leverages some insights
from developmental biology at the service orchestration level, and takes failures and risk estimations as
weighting functions for resource allocation. The paper first introduces and formulates the proposed concept for a
simple single mission environment. We then propose a simulated scenario for proof-of concept demonstration
and preliminary evaluation, and conclude paper with a brief discussion of
results and future work.
Keywords: mission assurance, cloud computing, mission survivability, biologically-inspired
resilience
1. Introduction
Mission survivability is recognized as the capacity to maintain the execution, and ensure successful
completion of mission-critical systems, even under localized failures and attacks. In
resourceconstrained environments, mission survivability includes the prioritization of services and
capabilities to maintain mission goals. Previous research efforts on Mission Assurance have focused
on the estimation of effects caused by localized failures (or attacks) to the mission and the design of
robust plans for impact minimization. These are challenging and important capabilities that rely on a
mapping of mission tasks to associated components and their corresponding interdependencies.
They generally provide mechanism for the online evaluation of mission impact, for human
intervention. There is a need to combine these capabilities with self-managing and resilient mission
critical frameworks. In the context of this work, a resilient mission-critical infrastructure is defined as a
computational and communications infrastructure capable to maintain a successful mission execution
(mission survivability) and to remain mission capable under localized disruptions, which normally
requires the capacity to detect, identify, and recover from previous attacks.
More generally, an idealized resilient infrastructure must be able to seamlessly absorb local failures or
attacks with no immediate impact to the mission, while also isolating and recovering from the problem
in order to maintain its capacity to effectively execute subsequent missions. They are expected to be
robust and adaptive infrastructures, capable to learn from experience, and improve their own
performance and survivability.
The challenge is that most mission-critical systems have been traditionally designed for cost efficiency
and performance, with little room from component redundancy and diversity (Cohen,
2005).Furthermore, they generally rely on fixed architectures and configurations, favoring
predictability and control, often in lieu of self-management and run-time adaptability. However, in the
recent years, the computational landscape for mission critical systems has changed significantly with
the increasing acceptance of service oriented architectures as a new design paradigm for systems
design, and the introduction of cloud computational environments to provide large scale, low-cost and
agile commodity computing and storage capabilities. The prospect of highly redundant and adaptive
42

Marco Carvalho et al.
systems starts to become reality, as new adopters begin to leverage the capabilities of these
combined technologies for high-end systems development.
Following several industry initiatives, the United States (US) Government begins to consider the new
landscape. For example the Central Intelligence Agency (CIA) has recently reported it is investing in
cloud analytics, cloud widgets and services, cloud security-as-a-service, cloud enterprise data
management and cloud infrastructure, using commercial IT technologies to analyze multi-lingual data,
audio, Twitter tweets, video and text messages that add layers of complexity to intelligence gathering
(Yasin, 2010).
When properly managed and coordinated, the new environment provides the means and tools for
large-scale distributed systems development, including on-demand resource allocation, dynamic
resource management, diversity in services and capabilities, intrinsic replication for data recovery and
several other capabilities. The challenge, however, is to coordinate all these powerful features in
order to enable resilient mission-critical systems.
In this paper we introduce an organic approach to mission resilience in large-scale and adaptive
computational environments. In particular, we focus on the issues of mission continuity and
survivability in response to attacks, as well as runtime system management and adaptation. In section
2 we briefly discuss the proposed challenges and requirements of mission critical systems for SOA
and cloud environments, as well as some background discussions on service discovery and
orchestration. In section 3 we introduce our biologically-inspired approach on organic resilience for
mission-critical systems, followed by some preliminary discussions on the proposed ideas, and
conclusions.
2. Mission critical systems in the cloud
As previously defined, the goal of resilient mission critical systems is to ensure the successful
execution and completion of the mission while remaining mission-capable in response to localized
failures and attacks. In the context of this work we are primarily concerned with the availability and
integrity aspects of the problem. While data exfiltration and privacy are important and challenging
issues in the cloud environments, they are not considered in the scope of this work. We are primarily
concerned with attacks or failures that may directly disrupt the mission. While there are multiple ways
to describe and represent a mission we will consider that a mission can be represented as a set of
workflows, or a set of strictly ordered sequences of tasks, as illustrated in Figure 1.
In this example, a mission is composed as a set of workflows. Each workflow is composed by a set of
ordered tasks and may represent, for instance, a set of image processing steps to be performed on
imagery collected by surveillance aerial vehicles. Each processing step, represented by the task (A,
F, G, and A) must be performed in strict order, and services 1, 4 and 7 have been tasked to jointly
execute the workflow. It is important to note that service selection in this example may refer to the
orchestration of services provided by a supporting Service Oriented Architecture (SOA) in the cloud.
Figure 1: Distributed execution of a mission represented as a set of workflows
43

Marco Carvalho et al.
In Figure 1, mission success requires a minimum rate of images being successfully processed by the
system. Failures or delays of any of the services engaged in the allocation will likely disrupt the
execution of a workflow (i.e. the processing of one image, in this example) and eventually
compromise the mission.
One of the main benefits provided by a cloud-computing environment (and supporting serviceoriented
capabilities) is the availability of resources that can be quickly engaged for service execution and
released when no longer needed. They also enable the availability of multiple configurations and
implementations for the same type of service (diversity) potentially provided by supporting Service
Oriented Architectures or Software-as-a-Service (SaaS) architectures is also critically important for
resilient mission execution. Combined, these capabilities can be leveraged to:
Enable a dynamic, elastic and automated computing framework for mission execution. This
capability enables mission-critical systems to dynamically balance resource allocation based on
operational context and mission requirements, without building massive amounts of idle
overcapacity.
They enable the parallel execution of critical tasks on demand, over heterogeneous software (and
emulated hardware) systems.
The process of identifying and organizing the services for the task execution (services 1, 4 and 7) is
our example requires a discovery mechanism and an orchestration process, which may be centralized
or distributed. In most cases, the discovery and orchestration of services are based on protocols
defined for Service Oriented Architectures operating over cloud computing environments. They often
take place before mission execution, and remains fixed until a failure is detected or the mission is
completed. In the following items, we will provide a brief review of conventional discovery and
orchestration protocols often used in SOAs.
2.1 Service discovery in cloud environments
There are two aspects involved in service discovery on cloud-enabled frameworks: the identification
of services capable to accomplish a given task, and the identification of computational resources for
executing the service. The first problem is often addressed by conventional service discovery
algorithms for service oriented architectures or software-as-a-service (SaaS) running on cloud
environments. The second part of the problem is generally provided as part of the cloud infrastructure
itself.
The discovery of cloud resources enables load dynamic load balancing and scalability by dynamically
moving services and processes running in the cloud. Most cloud resource allocation services offer
either a centralized or hierarchical approach to this problem, but some authors have also propose
P2P strategies based on Distributed Hash Tables for resource management (Ranjan, 2010). As for
service discovery, service developers often rely on different types of SOA service discovery,
recognizing that some SOA-based services rely on capabilities (e.g. multicast-based discovery) not
necessarily supported by some environments.
One of the earliest service discovery mechanisms available in web service environments was the
Universal Description, Discovery and Integration (UDDI) (Oasis, 2002). UDDI provided a
registrybased approach to service discovery. The approach didn’t gain strong adoption from Industry
as IBM, Microsoft, and SAP closed their public UDDI registries, and Microsoft moved UDDI services
from Windows Server to their services orchestration product called Biztalk. It is possible that UDDI
might still be used inside organizations to dynamically find services within smaller domains, but the
workgroup defining the standard completed their work in 2007. WS-Discovery (Oasis, 2009) provides
an alternative way to service discovery. WS-Discovery is a multicast discovery protocol reducing the
need for a centralized registry. The communication is mainly done using SOAP over UDP. WS-
Discovery has found a niche amongst the network device builders. But its adoption in cloud
environments is limited due to constraints in multicast traffic often imposed in cloud environments.
Another discovery method that has been gaining attention is the DNS-based discovery. Zeroconf, the
protocol implemented by Apple's Bonjour for service discovery, uses DNS and multicast DNS for
service discovery.
One of the next challenges in service discovery is to enable semantic queries (Papazoglou, 2008),
which involves adding semantic annotations and descriptions of QoS characteristics (Klusch, 2006;
44

Marco Carvalho et al.
Benatallah, 2003; Lord, 2005). In 2007, the W3C published a recommendation for Semantic
Annotations for WSDL (W3C, 2007) with limited adoption so far.
2.2 Service orchestration in cloud environments
Service Orchestration generally refers to the composition of modular services to execute a task. The
selection of a service is generally based on interface and capability descriptions. A lot of effort in
service orchestration is focused on tools and languages for service and interface descriptions such as
the Business Process Execution Language (BPEL) and its web-services variation (WS-BPEL). In
most cases, service orchestration is provided by centralized services such as Microsoft’s BizTalk
(Microsoft, 2010) amongst others. There are, however, some research efforts to enable peer-to-peer
orchestration (Bradley, 2004). While centralized approaches to service orchestration are generally
more effective to create complex service structure, they represent a single point of failure in the
process which is undesirable for mission-critical systems. They also require an external correction to
localized failures, which implies that service wide disruptions must be perceived to trigger a
reconfiguration of the service composition. A decentralized strategy for service orchestration, on the
other hand, enables a more robust and emergent approach to the problem. They are generally unable
to provide the same determinism and time guarantees of centralized approaches but if properly
implemented they are better suited to address localized failures and disruptions.
3. Organic computing for mission resilience
In this paper we propose a multi-layer approach to system resilience that builds upon peer-to-peer
discovery and orchestration strategies for mission management. Our approach builds upon previous
research on resilient tactical infrastructures (Carvalho, 2010). It is biologically inspired in the sense
that we combine insights from developmental biology, diversity and immunology, including
inflammatory and immunization systems. In our formulation these biological traits are desirable
capabilities that can be implemented in multiple ways by leveraging services and features enabled by
cloud computing and our own support services. An illustrative view of the proposed architecture is
shown in Figure 2. The service and resource management capabilities illustrated in the lower part of
the figure are provided by the cloud computing and SOA (or SaaS) support services. The organic
defense framework is implemented as the three upper layers in the system.
Figure 2: Proposed multi-layer defense architecture
For the purposes of the organic defense framework, the resource management and service
management capabilities provide the mechanisms necessary for service response and adaptation.
The organic defense infrastructure builds upon three supporting capabilities:
Nodes and services are capable to identify a localized failure or attack. This assumption is based
on the fact that nodes engaged in mission-critical applications are frequently interacting with their
45

Marco Carvalho et al.
neighbors, which allows them to either self-evaluate and identify a failure or a degradation in
performance, or to be notified by its peers of a performance problem.
The defense infrastructure must be able to re-allocate mission critical services to other
(functionally equivalent) services and resources in the system. This capability enables a quick
response to local disruptions and attacks, mitigating their immediate impact to the mission.
The defense layer must be able to replace a service (i.e. shutdown a compromised service and
instantiate a new one) with a copy that is functionally equivalent but with different implementation,
this capability enables the system recover recently lost capabilities, and to diversify its
configuration in order to develop resiliency and eventually immunity against the attack.
Combined, these capabilities enable the multi-layer response infrastructure illustrated in Figure 2. The
first (lower) layer manages the dynamic allocation of resources for mission execution. The second
layer is responsible for the identification, response and potential immunization to localized damages
(i.e. failures or attacks) detected and reported by the first layer. The identification process consists on
correlating the damage with the characteristics and configuration of the effected node. The response
mechanism may include the quarantine, termination or re-initialization of the affected node. The
immunization mechanism provided by the second layer includes the creation of functionally similar
nodes with different software configurations (diversity).
In parallel, the third (and higher) layer coordinates the sharing of information about the attack,
ensuring that a collective response (if appropriate) can be enforced, and that nodes that are
functionally similar to the victim can be reconfigured to prevent a similar attack. A collective response
to an attack may include, for instance, modifications in routing weights to disfavor the use of nodes
that may have been compromised. While simultaneously supported and coordinated, the proposed
defense infrastructure must be loosely couple to prevent a cascade failure in the event that one of the
components becomes temporarily impaired or permanently compromised. As conceived, the
coordinated operation of all three components is necessary to enable a comprehensive response and
system resilience, each component will also operate independently with limited performance gains,
ensuring a graceful degradation of the survivability infrastructure itself.
3.1 Damage detection
One of the assumptions of our approach is that individual services are capable to monitor their own
sensors and performance to detect local damages. In practice, damage detection may be
implemented in multiple ways. In the context of mission continuity, damage is directly related to the
inability of a service to execute its tasks, or a significant degradation in task execution performance
(below acceptable QoS requirements). From that perspective, there is no distictions from damage
caused by localized failures or malicious acts. The effects of both events will be similar, as well as the
way in which the system will respond.
Other approaches for damage detection have also included statistical and biologically inspired
techniques based on Danger Theory (Yuan, 2009), and Artificial Immune Systems (Dasgupta, 2002;
Liang, 2006) amongst others. In most cases damage is based on negative signature matching or
anomaly detections associated with misbehavior s or performance degradations. Upon damage
detection the system will immediately notify the upper layers (for resource management and
response/immunization), while in parallel trying to identify correlated features that could be linked
(maybe causally) to the event. Previous research efforts have been proposed for that, including the
application of Hidden Markov Models (Cho and Park, 2003; Ourston, Matzner, Stump and Hopkins,
2003), decision trees (Li and Ye, 2001; Abbes, Bouhoula, and Rusinowitch, 2004), and others.
3.2 Resource management for mission continuity
Automatic resource and service re-allocation in response to localized failures is common practice in
Grid environments, and has also been previously proposed for enterprise (Lardieri et al, 2007) and
tactical (Carvalho et al, 2005) environments. However, in general, a change in allocation strategy
happens only when degradation (or failure) has taken place and the impact on the mission has been
noted, there's generally no predictive re-allocation based on increased risk of an attack or failure,
learned at runtime from novel attacks.
Our proposed approach leverages and extends such dynamic allocation strategies to enable the
proactive task reallocation, based on online risk estimations. For our current proof-of-concept mission
46

Marco Carvalho et al.
management layer implementation, we have adopted a greedy distributed coordination algorithm
using a generalized cost metric per node for resource management. When a workflow is received,
each node makes a local decision about task execution based on current local cost estimations. If
local costs become less attractive than neighbor’s estimated costs then the workflow is forwarded to
the node with the lowest estimated cost. Cost information is shared between nodes involved in a joint
mission as part of workflow exchange messages.
Attacks and failures may be detected indirectly, through their effects on the mission (see 3.1). To
simplify our model, we currently consider the degradation of a task as causing direct impact in the
mission performance. There are, however, related research efforts on mission mapping (Musman et
al., 2010; Sorrel et al., 2008; Grimaila, 2008) that can provide a better assessment of the impact of
localized failures to the overall mission.
In general, the approach for detection may rely on a number of sources that include performance
monitoring, anomaly detection, or resource utilization monitoring. These are all metrics that may be
used to detect violations in resource utilization policies, or deviations from pre-defined (or learned, in
the case of anomaly) QoS requirements for task execution.
Dynamic resource management for mission continuity focuses on isolating the area (i.e. node, or
services) associated with the damage to minimize the impact on mission execution. The re-allocation
of resources and re-organization of tasks is coordinated through distributed, self-organizing
algorithms and may take place at different scales – that is, from very localized modification involving a
single service that has reported damage, to larger scale changes involving multiple services. An
analog to this approach can be found in developmental biology, where cells (and other structures at
different hierarchical levels) signal each other to induce a differentiation that will enable a needed
capability. In our approach, mission-aware services will perceive the lack of damaged capability and
will signal other services (as part of a distributed orchestration mechanism) to engage the new
capabilities.
3.3 Response and immunization
The response and immunization mechanisms are responsible for both a short-term response to the
reported damage and a longer-term mitigation strategy to future attacks of the same type. The
intuitive response to a damaged component that can be replaced by alternative services in the
environment is to immediately terminate the affected service. However, depending on the type of
attack, the response and immunization layer may benefit from maintaining a potentially compromised
node in operation. The goal is to identify the potential causes of the effects perceived as damage, and
possibly correlate those events with the configuration of the node. This rudimentary approach to
vulnerability estimation is useful in providing a hint to other services in the system that may be equally
vulnerable to the same types of attacks. In our proposed infrastructure, the response and
immunization mechanism work together to allow some time for the system to build such correlations
before shutting down the node as a response to the damage. In order to do that without affecting the
mission, a duplicate of workflows (which have been re-allocated to alternative nodes in response to
the damage) is still sent to the damage node for processing, but it is also tagged to be ignored by
subsequent processing services. This allows for the damaged component to remain ‘active’ for the
characterization and immunization tasks.
4. Preliminary experimental results
A first proof of concept of the proposed approach was implemented and tested in a simulated
networked environment using NS3. Simulated scenarios allow for larger scale experiments, and
controlled attack conditions, facilitating the evaluation and analysis of the proposed algorithm. For the
purposes of our first tests we considered a single service running on each node of our conceptual
network, so the terms ‘service’ and ‘node’ are used interchangeably in our discussions. We also
disregarded the complexities associated with service descriptions and interfaces. We focused, instead
on the survivability and resilience aspects of the proposed approach. In our simulated scenario, each
workflow is composed of 3 tasks, and a mission is composed of 400 workflows. There are 5 nodes (or
services) executing independent parallel missions. In addition to those there are other 9 nodes
available to be engaged for task execution, and 6 additional nodes playing the role of
attackers.
47

Marco Carvalho et al.
Each node has a short sequence of bits (arbitrarily chosen to be a 4-bit string in our simulations) that
represents its configuration. For example, the sequence 0000 could indicate a Linux-based host
running the Apache Web Server of a given version, with other specific libraries and configurations. A
different sequence of bits would represent an alternative configuration for the same service capability.
The execution of each task in the workflow takes between 1 and 2 seconds under normal operational
conditions. The simulation runs for 1200 seconds, and the attacking nodes become active only after
200 seconds of simulation. At that point, each attacking node starts to launch attacks to a randomly
selected victim every 6 seconds. Every task-processing node that receives an attack packet will
match that attack against its own configuration (4-bit string). If at least a 75% match is found, the node
accepts the attack and progressively degrades its performance.
The scenario was executed with 20 different seeds and the results were averaged out across those
runs. The metric of interest for comparing results is the percentage of completed workflows at any
given moment of the simulation. Two baselines representing the upper and lower operational
boundaries of the system were computed. The first baseline, identified in the chart as “Clean
Baseline” (Figure 3), represents the performance of the system when there are no attacks during the
whole simulation. The second baseline, identified in the chart as “Attack Baseline” (Figure 3),
represents the performance of the system under attack but without any corrective measures. As
previously discussed, an organic response to the degrading attacks should include both a recovery
and adaptation component. The first strategy tested was a simple recovery strategy, consisting on
restarting the compromised node to a previous safe image. This strategy was designed to simply
mitigate the short-term effects of the problem. Figure 3 shows the performance of this strategy,
identified as “Simple Reset” in the chart.
Figure 3: Mission performance in different operation conditions
A second strategy that was tested included in addition to a short-term response, an adaptation
strategy to enhance the resilience of the system to subsequent attacks. The adaptation strategy can
have multiple approaches. One approach can consist on randomizing the configuration of
reinstantiated services and nodes. A second approach is to provide an immunization capability that
will drive mutations of re-instantiated services to become resistant to previous attacks. In our
experiments we have opted for the immunization strategy. The figure also shows the performance for
this strategy, identified as “Immunization” in the chart.
48

Marco Carvalho et al.
Figure 4: Statistical significance of the performance gains due to the immunization strategy
In the “Simple Reset” strategy, nodes detect and identify the attack and then reboot from a previously
known safe state. The attack detecting happens indirectly (through the effects of the attack) and the
identification happens by correlating the detection with the current state of the node. This process
takes some time, during which the services of the node are degraded. In the “Immunization” strategy,
the nodes additionally identify a “mutation” strategy that is likely to make it less vulnerable to the same
attack. For our simulated scenario, the state of the node is represented by a 4-bit string and defines
how vulnerable a node is to a given attack. The immunization process additionally involves
announcing the 4-bit string to other nodes, which will drive “similar” nodes to mutate in order to
become resistant to the attack. In the scenario illustrated in Figure 3, the “Immunization” starts with
results close to the “Simple Reset” strategy, but then it improves getting close to the upper operational
boundaries of the system (“Clean Baseline”). Figure Y shows how the p-value changes across time
for a t-test of difference in percentage of completed missions for the “Immunization” and “Simple
Reset” strategies. Approximately after 300 seconds in the simulation, the difference in performance
between the “Immunization” and “Simple Reset” strategies becomes statistically significant. While
very simplified at this point, our initial seems to indicate that an immunization-based strategy is more
effective than a reactive approach based on simple node reset. Under the simplifying assumption that
immunization has a fixed cost, fast recovery to continuous attacks will eventually be less effective
than longer, but more permanent recovery to the same kinds of attacks.
5. Conclusions
In this paper we have described a three-layer concept for system resilience in distributed
computational environments such as those found in cloud computing and service oriented
architectures. Our proposal is based on the notions of self-organization and self-maintenance,
leveraging distributed coordination algorithms for mission continuity. After a brief discussion on the
capabilities enabled by cloud computing, service oriented architectures and some of their core
services, we introduce our organic resilience approach. We define a threelayer defense infrastructure
responsible for detecting damage (i.e. failures or attacks), maintaining mission execution, and
identifying a short-term response and an immunization path for the problem. We also defined a very
simplified scenario to illustrate the basic concepts of the proposed approach. In our simulations,
services are equated to computational nodes in a distributed environment to simplify the simulations
and allow for the use of network simulator as basis for test and evaluation. Our goal with these initial
experiments was to illustrate the proposed concept, rather than making any quantitative claims. As
part of our future work in this project we plan to more rigorously define the adaptation and
diversification algorithms, and to better evaluate the agility, as well as the overhead and the
effectiveness of the proposed approach.
49

Acknowledgments
Marco Carvalho et al.
This material is partially based upon work supported by the Department of Energy National Energy
Technology Laboratory under Award Number(s) DE-OE0000511.
Disclaimer: Parts of this paper were prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor any agency thereof, nor any of
their employees, makes any warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or
process disclosed, or represents that its use would not infringe privately owned rights. Reference
herein to any specific commercial product, process, or service by trade name, trademark,
manufacturer, or otherwise does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or any agency thereof. The views and
opinions of authors expressed herein do not necessarily state or reflect those of the United States
Government or any agency thereof."
References
Abbes, T., Bouhoula, A., and Rusinowitch, M. (2004) “Protocol analysis in intrusion de- tection using decision
tree,” in Information Technology: Coding and Computing, 2004. Proc. ITCC 2004. Intl. Conference on, vol.
1.
Benatallah, B., Hacid, M., Rey, C. and Toumani, F. (2003), “Semantic reasoning for web services discovery,” in
Proc. of Workshop on E-Services and the Semantic Web at WWW 2003.
Bradley, W. B., and Maher, D. P. (2004). The NEMO P2P Service Orchestration Framework. In Proceedings of
the Proceedings of the 37th Annual Hawaii International Conference on System Sciences (HICSS'04) -
Track 9 - Volume 9 (HICSS '04), Vol. 9. IEEE Computer Society, Washington, DC, USA, 90290.3-.
Carvalho, M., Lamkin, T., Perez, C. (2010) Organic Resilience for Tactical Environments. 5 th International ICST
Confernece on Bio-Inspired Models of Network, Information, and Computing Systems (Bionetics). Boston,
MA, December, 2010.
Carvalho, M. M., Pechoucek, M., and Suri, N. (2005) “A mobile agent-based middleware for opportunistic
resource allocation and communications,” in DAMAS, pp. 121–134.
Cho, S. and Park, H. (2003), “Efficient anomaly detection by modeling privilege flows using hidden Markov
model,” Computers & Security, vol. 22, no. 1, pp. 45–55.
Cohen, F. (1995), Protection and Security on the Information Superhighway, Wiley and Sons, 1995.
Dasgupta, D. and Fabio Gonzalez, (2002), An immunity-based technique to characterize intrusions in computer
networks, IEEE Trans. Evolutionary Comp. 6 (3), pp. 281–291, June 2002.
Grimaila, M.R., “Improving the Cyber Incident Mission Impact Assessment Process,” Cyber Security and
Information Intelligence Research Workshop (CSIIRW 2008), Oak Ridge National Laboratory, Oak Ridge,
TN, May 12-14, 2008.
Klusch, M., Fries, B., and Sycara, K. (2006) “Automated semantic web service discovery with OWLSMX,” in
Proceedings of the fifth international joint conference on Autonomous agents and multiagent systems, pp.
915–922, ACM.
Lardieri, P., Balasubramanian, J., Schmidt, D. C., Thaker, G., Gokhale, A., and Damiano, T. (2007) “A multilayered
resource management framework for dynamic re- source management in enterprise dre systems,”
J. Syst. Softw., vol. 80, no. 7, pp. 984–996.
Liang, Gang. (2006) An Immunity-Based Dynamic Multilayer Intrusion Detection System, Lecture Notes In
Computer Science. Heidelberg: Springer Berlin 2006.
Li, X., and Ye, N. (2001) “Decision tree classifiers for computer intrusion detection,” Jour- nal of Parallel and
Distributed Computing Practices, vol. 4, no. 2, pp. 179–190.
Lord, P., Alper, P., Wroe, C., and Goble, C. (2005) “Feta: A light-weight architecture for user oriented semantic
service discovery,” The Semantic Web: Research and Applications, pp. 17–31.
Microsoft (2010) “BizTalk Server”, http://www.microsoft.com/biztalk/en/us/host-integration.aspx
Musman, S., Temin, A., Tanner, M., Fox, D. and Pridemore, B. (2010) “Evaluating the impact of cyber attacks on
missions,” in 5th International Conference on Information Warfare and Security. Wright-
OASIS, (2002) “UDDI Specifications.” http://www.oasis-open.org/committees/uddi-spec/doc/ tcspecs.htm.
OASIS, (2009) “Web Services Dynamic Discovery (WS-Discovery).” Available online at: http://docs.oasisopen.org/ws-dd/discovery/1.1/wsdd-discovery-1.1-spec.html.
Ourston, D., Matzner, S., Stump, W., and Hopkins, B. (2003) “Applications of hidden markov models to detecting
multi-stage network attacks,” Proceedings of the 36th Annual Hawaii International Conference on System
Sciences, p. 10.
Papazoglou, M., Traverso, P., Dustdar, S., and Leymann, F. (2008) “Service-oriented computing: A research
roadmap,” Intl. Journal of Cooperative Information Systems, vol. 17, no. 2, pp. 223–255.
Patterson AFB, Ohio, USA: Air Force Institute of Technology, April 8-9, pp. 446–456.
Ranjan, R., Zhao, L., Wu, X., Liu, A., Quiroz, A., and Parashar, M. (2010) “Peer-to-Peer Cloud Provisioning:
Service Discovery and Load-Balancing,” Cloud Computing, pp. 195–217.
50

Marco Carvalho et al.
Sorrels, D., Grimaila, M.R., Fortson, L.W., and Mills, R.F., (2008) “An Architecture for Cyber Incident Mission
Impact Assessment (CIMIA),” Proceedings of the 2008 International Conference on
Information Warfare and Security (ICIW 2008), Peter Kiewit Institute, University of Nebraska Omaha, 24-25 April
2008.
Tran, D. T., Hoang, N. H., and Choi, E. (2007) The WORKGLOW System in P2P-based Web Service
Orchestration. In Proceedings of the 2007 International Conference on Convergence Information
Technology (ICCIT '07). IEEE Computer Society, Washington, DC, USA, 2312-2317.
DOI=10.1109/ICCIT.2007.377 http://dx.doi.org/10.1109/ICCIT.2007.377
W3C (2007), “Semantic Annotations for WSDL (SAWSDL).” http://www.w3.org/2002/ws/sawsdl/.
Yuan, S.; Chen, Q.; Li, P., (2009) Design of a four-layer IDS model based on immune danger theory,
Proceedings of the 5th International Conference on Wireless Communications, Networking and Mobile
Computing, WiCOM 2009
Yasin, R. (2010) GCN, http://gcn.com/articles/2010/10/27/cia-hunt-cloud-computing.aspx
51

Link Analysis and Link Visualization of Malicious Websites
Manoj Cherukuri and Srinivas Mukkamala
(ICASA)/CAaNES)/New Mexico Institute of Mining and Technology, USA
manoj@cs.nmt.edu
srinivas@cs.nmt.edu
Abstract: In this paper we present web crawling, Meta searches, geo location tools, and computational intelligent
techniques to assess the characteristics of a cyber-incident to determine if an incident is likely to be caused by a
certain group, geographical location of the source, intent of the attack, and useful behavioral aspects of the
attack. The malicious websites extracted from the identified sources acted as seeds for our crawler and were
crawled up to two hops traversing through all the hyperlinks emerging out from these pages. After crawling, all
the websites were translated to their geographic locations based on the location of the server on which the
website is hosted using the Internet Protocol (IP) address to the geographical location mapping databases. We
applied social networking analysis techniques to the link structure of the malicious websites to put forward the
properties of the malicious websites and compared them with that of the legitimate websites. We identified the
potential sources or websites that publish malicious websites using the meta-searches. Our approach revealed
that the behavior of the malicious websites with respect to their indegrees, outdegrees and the clustering
coefficient differ from that of the legitimate websites and some malicious websites acted as promoters for other
malicious websites. The link visualization showed that the links traversing across the malicious websites are not
confined to the region where the website was hosted.
Keywords: link analysis, link visualization, malicious websites, social networking analysis techniques
1. Introduction
The increase in the number of internet users and bandwidth resulted in the proliferation of the
websites. World Internet Usage and Population Statistics (2010) stated that, as of June 2010, there
are about 2 billion internet users throughout the world with a growth rate of about 440% over a
decade. December 2009 Web Server Survey (2009) affirmed that there are about 240 million
websites hosted all over the world. The prospective growth rate of the internet users and their huge
number created a new means of making revenue for the attackers, people who contribute to the
malicious activities on the web. This huge market being exploited by the attackers is often referred to
as the Underground Economy. Cheng (2008) listed that, as of 2008, the market for the underground
economy was about US$276 million with a potential of billions of dollars. Luvender (2010) stated that,
as of April 2010, United States alone is facing a loss of about $200 billion per year.
A malicious website is a website which hosts malicious code to attack the client’s machine or spoofs
the client by building up a look alike. The malicious script on the webpage is executed on loading the
webpage and malicious script or file is installed without the users consent by exploiting the
vulnerability of an application or by other possible means. The installed program reports the user
sensitive data to the attacker. The underground economy has its own hierarchy of an organization
with different sets of people (based on their roles) working collaboratively to exploit the potential of the
underground economy. Important roles contributing to the hierarchy of the underground economies
suggested by Zhuge et al. (2007) are Virus Writers, Website Masters, Envelope Stealers, Virtual
Asset Stealers and Virtual Asset Sellers. Virus writers are responsible for writing up the malicious
code. Website masters build up the websites and attract the traffic to their hosted websites using the
approaches like search engine optimizations, blogging, spam etc. The terms website masters and
traffic sellers are used interchangeably in this document. Envelope stealer purchases the malicious
code and web traffic from the virus writers and website masters respectively. Envelope stealers
capture the raw data from the victim’s machine and sell it out to the virtual asset stealers. Virtual asset
stealers extract the useful information from the raw data purchased to convert it into a virtual asset.
Virtual asset stealer sells the virtual assets to the Virtual asset sellers. Virtual asset sellers sell the
virtual assets to the clients based on the type of the asset.
Figure 1 obtained from Google Online Security blog shows an increase in number of malicious
websites (Provos, 2010). The increase in the number of users of the internet had made the web a
promising means for spreading the malware. The exponential growth of the websites on the World
Wide Web has made the traditional crawling an infeasible option for detecting the malicious websites.
The crawling mechanism must be associated with intelligence to get an optimal detection rate, often
referred to as intelligent crawling. Previous works had shown that some of the hosting companies are
52

Manoj Cherukuri and Srinivas Mukkamala
acting as the safe medium for hosting the malicious websites (Kalafut, Shue and Gupta, 2010) and
used code based and host based features for the detection of malicious websites dynamically (Ma et
al., 2009; Cova, Kruegel and Vigna, 2010). In this paper we presented a few interesting heuristics of
these malicious websites that help in enhancing the detection rate of the malicious websites.
Figure 1: Growth of the number of entries on the Google Safe Browsing Malware List
This paper is organized as follows: in section 2, we discuss the technical terms that help in
understanding our results. In section 3, we discuss the processes involved in our study. In section 4,
we describe our dataset. In section 5, we discuss about the analysis of the dataset. In section 6, we
discuss about the link visualization. In section 7, we conclude with the results.
2. Related technical terms
2.1 Indegree
Indegree of a node is defined as the number of edges pointing towards a node. For example, the
indegree of node A in Figure 2 is 3 since there are three edges from nodes B, C, D pointing towards
node A.
Figure 2: Graph demonstrating node A with indegree 3
53

2.2 Outdegree
Manoj Cherukuri and Srinivas Mukkamala
Outdegree of a node is defined as the number of edges pointing out from a node. For example, the
outdegree of node A in Figure 3 is 3 since there are three edges emerging from A pointing towards
nodes B, C, D.
Figure 3: Graph demonstrating node A with outdegree 3
2.3 Clustering coefficient
Clustering coefficient is the measure of degree of closeness among the nodes of a graph (Clustering
Coefficient, 2010). Chakrabarti and Faloutsos (2006) stated that the clustering coefficient represents
the clumpiness of the graph. Clustering coefficient of a node is computed as the ratio of number of
links among the linked nodes of a node to the number of possible links among the linked nodes of a
node. The clustering coefficient of the nodes with 0 or 1 neighbors is 0.
Clustering coefficient of all the nodes are computed and averaged to get the clustering coefficient of
the network. For example, consider the graph shown in the Figure 4.
Node A has three neighbors namely, B, C and D. BC is the only link among the neighbors of A.
Number of possible links among the neighbors of A are 3 (i.e. 3 C2). Therefore, the clustering
coefficient of A is 0.33.
Node B has two neighbors and there is one link among the neighbors of B. Therefore, the
clustering coefficient of B is 1.
Node C has two neighbors and there is one link among the neighbors of C. Therefore, the
clustering coefficient of C is 1.
Node D has two neighbors and there is no link among the neighbors of D. Therefore, the
clustering coefficient of D is 0.
Node E has one neighbor and there is one link among the neighbors of E. Therefore, the
clustering coefficient of E is 0.
Figure 4: Graph used for explaining clustering coefficient
The clustering coefficient of a graph is computed using the following formula,
54

Manoj Cherukuri and Srinivas Mukkamala
1
where ‘C’ represents the clustering coefficient of the graph, Ci represents the clustering coefficient of
the node ‘i’ and ‘n’ is the total number of nodes in the graph (Clustering Coefficient, 2010). The
clustering coefficient of the graph in the figure above is 0.466 (i.e.1/5(0.33+1+1+0+0).
3. Processes
Construction of our dataset is composed of three processes.
The first process deals with the collection of malicious websites from multiple sources
The second process deals with the construction of link structure for the malicious domains
obtained in the previous process
The third process deals with computing the geographical location of the websites based on the IP
address to geographical location mapping
3.1 Collection of malicious websites
The process of collecting the malicious websites is initialized by identifying the potential sources using
the meta-search engines. These sources publish the websites with different sets of associated
attributes. Some of the attributes associated with these domains are date, type of attack, executable
name and IP address. A custom parser was used for each website source to retrieve the domain
name and the IP address if available. All the malicious websites collected from these sources are
stored in the database.
3.2 Construction of link structure for malicious websites
Crawling is performed on the malicious websites obtained from the previous process using a custom
program. The malicious websites are crawled till the second hop. The flowchart for the process of
building the link structure is shown in the figure 6. All the malicious domains retrieved from various
sources are loaded which act as the seeds for the crawling process and ‘n’ is the total number of
malicious websites. A custom crawler was built to retrieve the content of the malicious websites and
parse all the anchor tags from the content. The parsing of the anchor tags from the website content is
done using the BeautifulSoup (Beautiful Soup, 2010), widely used html parser. All the links originating
from respective malicious websites are stored in the database. The domain is parsed from each such
link and is stored in the tuple corresponding to that link. If the link URL is not listed in the malicious
websites then it is added to a list called as LinkWebsites to avoid duplicate URLs. Once all the
malicious domains are crawled and their corresponding links are stored, the LinkWebsites list is
loaded into MaliciousWebsites list to crawl all the new websites obtained in the first hop from the
malicious websites. Again the process of crawling, parsing anchor tags and storing the links is
performed. Thus, all the links within the first two hops emerging from the malicious websites are
obtained.
3.3 Computing geographical location of websites
The location of the server on which the website is hosted was determined using the IP address to
geographic location mapping. All the distinct domains that are stored during the link analysis phase
are translated to their corresponding IP addresses using the Domain Name Servers (DNS). A custom
script is used to perform the domain name to IP address translation using the ‘nslookup’ command.
The IP address to location mapping is done using the open source database. All the IP addresses for
which the location is not identified are mapped to latitude and longitude values 0 and 0 respectively.
4. Dataset
For our experiments, all the potential sources for the malicious websites were identified using the
meta-search engines. Such identified sources used for the study were PhishTank, Malware Domain
Blocklist, abuse.ch, MalwarePatrol, joewein.de LLC. and Malware Domain List.
55

Manoj Cherukuri and Srinivas Mukkamala
Figure 5: Flowchart for the process of malicious websites collection.
All the malicious websites listed in these sources were collected and stored in the database. Crawling
was performed on the collected malicious websites up to the third hop as described in the section 4.2
to build the link structure for all the malicious websites.
Finally, the domains obtained during the first two processes of the data collection were translated to
their geographical location using the process described in the section 4.3. To perform a comparative
analysis of the malicious websites against the legitimate websites, the top 1500 webistes were
downloaded from Alexa (Top Sites, 2010), a source for top websites and were crawled upto the
second hop. This domain is reffered as a set of legitimate or non-malicious websites in the remaining
part of this paper.
Around 350,000 distinct malicious websites were collected from the previously mentioned sources.
Since these domains were detected and flagged as malicious, major portion of them were down at the
time of the analysis. Only about 20,000 distinct URLs were alive at the time of our analysis. About
only 5.7% of the malicious websites collected were alive for our analysis. Link analysis was performed
on about 19,000 malicious websites of the 20,000 live malicious websites. Remaining websites did
not have any text to perform link analysis as they were pointing out to files like executables, jars,
binaries etc.
Around 600,000 Uniform Resource Locators (URLs) were crawled during the collection of our dataset.
The URLs were crawled at the rate 50 URLs per minute. Of the live malicious websites, 14,970
domains were hosted in United States. The top five countries contributed 83% of the total malicious
websites of our dataset.
56

Manoj Cherukuri and Srinivas Mukkamala
Figure 6: Process of construction of link structure up to two hops originating from malicious websites
57

Manoj Cherukuri and Srinivas Mukkamala
Figure 7: Overview of the process for the construction of the dataset
Table 1: Top five countries by the number of malicious websites hosted in our dataset
5. Link analysis
Country Number of malicious websites
United States 14790
Philippines 1086
Canada 432
Germany 183
United Kingdom 143
5.1 Outdegree and indegree of malicious websites
The indegree and the outdegree of the malicious websites within the dataset were computed and
plotted two graphs representing the count of the malicious domains versus the indegree and the
outdegree. For computing the indegree and the outdegree of the websites, we considered only the
links among different domains as most of the links within the same domain were identified to be
navigational links. The count versus the indegree and the outdegree graphs are shown in Figure 8.
The outdegree and the indegree of the malicious websites did not satisfy the power law in contrast to
the World Wide Web graph (Watts and Strogatz, 1998).
In an attempt to identify an equation that suites the indegrees and oudegrees of malicious websites,
we identified that the malicious websites satisfy the power law with an exponential cutoff. The Lambda
and the Gamma values of the power law with exponential cutoff equation for the indegree and the
outdegree of malicious websites were identified to be 12.32, 0.9 and 8.32, 1.02 respectively.
Correlation coefficient was measured to verify the fit of these equations. The correlation coefficient
was 0.98 and 0.99 for the indegree and the outdegree respectively signifying a good fit.
.
Where
is the exponential cutoff and is the power law term (Clustering Coefficient, 2010)
58

Manoj Cherukuri and Srinivas Mukkamala
. . .
. . .
Figure 8: Count of malicious websites versus indegree (left) and outdegree on the log-log scale (right)
The average indegree of the malicious websites was 4.1 and the average outdegree of the malicious
websites was 3.9. The standard deviation of the indegree and the outdegree of the malicious
websites was 9.3 and 6.04 respectively. The average indegree was greater than the average
outdegree of the malicious websites, even though the indegree computation is limited to the crawled
dataset. This indicates that the malicious websites tend to have higher indegree over their outdegree.
Series1 represents count versus indegree and count versus outdegree in the left and the right graphs
respectively. The outdegree of the malicious websites was compared to the outdegree of the
legitimate websites. We avoided the indegree in this study as the indegrees are limited to the links
existing within the dataset. graph plotted with the outdegrees of the malicious and the legitimate
websites is shown in Figure 9.
59

Manoj Cherukuri and Srinivas Mukkamala
Figure 9: Count of malicious websites versus outdegree on the log-log scale for the malicious and the
non-malicious websites
The average outdegree of the malicious websites was 3.9 with a standard deviation of 6.04. The
average outdegree of the non-malicious websites was 39.17 with a standard deviation of 30.64. The
standard deviation of the non-malicious websites was very high compared to the malicious websites.
The standard deviation of the outdegree of the malicious websites and the non-malicious websites
about the mean signify that the major portion of the non-malicious websites have an outdegree
greater than 10 and the major portion of the malicious websites have an outdegree less than10. The
spike in the series of malicious websites at the outdegree of 89 was due to a cluster of websites
(about 35 websites) which had links to each other randomly.
5.2 Malicious websites linked through a non-malicious website
For this analysis, a graph G (V, E) was constructed, where V is the set of vertices and E is the set of
edges. All the distinct domains obtained during the construction of the link structure were considered
as the vertices of graph G. Based on the links obtained during the construction of link structure, the
vertices were connected with directional edges.
All the malicious websites that were part of the link structure were loaded into set S. In order to
identify the non-malicious websites facilitating malicious websites, all the vertices which were not in S
and had a minimum of one edge pointing towards them from a vertex in S and minimum of one edge
emerging from them towards another vertex in S were selected.
In our study of link analysis, it was observed that around 5000 malicious websites were linked through
950 non-malicious websites. In this analysis, we tried to identify the domains which were not malicious
but had links to malicious websites.
In order to make the study effective, some of these non-malicious domains were visited manually to
get a better knowledge about how the links to malicious domains were being placed in the nonmalicious
domains. The main reason for this sort of linking was that the traffic sellers have built up
websites with high pagerank that drives traffic towards the malicious websites which are short lived
and according to Stevens (2010), the traffic sellers are paid based on the number of clicks or number
of victims.
As most of the traffic towards the non-popular domains is obtained through search engines, the traffic
sellers are using these non-malicious domains as the means of driving towards the newly built
malicious websites. The distribution of the outdegrees of the facilitating websites is shown in Figure
10. Figures 11, 12 and 13 show screenshots of websites promoting malicious websites in different
ways.
60

Manoj Cherukuri and Srinivas Mukkamala
Figure 10: Number of facilitating websites against their respective outdegrees on the log-log scale
The mean of the facilitating websites was identified to be 50.12 with a standard deviation of 30.13.
The mean outdegree of the facilitating websites is high compared to the mean outdegree of the
malicious and the legitimate websites. The facilitating websites are having high outdegree mimicking
the behavior of the legitimate websites in contrast to that of the malicious websites.
Figure 11: Figure shows a screenshot of beautfulwallpapers.com
The website in Figure 11 is non-malicious but has links to other malicious websites on the top left
corner (marked in box) deceiving the users as all of them belong to the same website.
Figure 12: Figure shows a screenshot of bizar.com
The website in Figure 12 is non-malicious but promotes links to malicious websites with relevant
content at the bottom of the page (marked in box).
61

Manoj Cherukuri and Srinivas Mukkamala
This website in Figure 13 is not malicious but has links to other malicious websites on the right column
(marked in box) with the heading as “TRY MORE”. Similarity among the products on the right column
with the product of the main website draws the user’s attention towards them.
5.3 Malicious websites linked to other malicious websites
For this analysis, a graph G (V, E) was constructed, where V is the set of vertices and E is the set of
edges. All the malicious websites that participated in the construction of the link structure were
considered as the vertices of graph G. Based on the links obtained during the construction of the link
structure, the vertices were connected with directional edges. In order to identify the malicious
websites linked to other malicious websites, all the vertices which had links to another vertex were
selected.
Figure 13: Figure shows the screenshot of cddvdcopy.net
In our study of link analysis, it was observed that around 1000 malicious websites were linked directly
to another malicious website. Manual analysis was done on these sites to have a better knowledge
about the linking mechanism. The reason for having such links might be that many malicious domains
are under the control of a single envelope stealer trying to host multiple types of attacks on different
domains. In such a case the envelope stealers would prefer to have links among the malicious
domains under their control. The domains encountered under this category were less compared to the
previous category. The main reason might be the restriction for the traffic sellers from the envelope
stealers as the victims become common among the different envelope stealers. However, to come to
a conclusion on this point, a detailed analysis on the coding style and the type of attack used needs to
be figured out which is out of scope for this study. Figures 14, 15 and 16 show screenshots of the
examples of malicious websites under this category.
62

Manoj Cherukuri and Srinivas Mukkamala
Figure 14: Screenshot of the website legalizationofmarijuana.com
Figure 15: Screenshot of the website howtogrowmarijuanablog.com
The Figures 14, 15 and 16 are screenshots of malicious websites linking to other malicious websites.
All these three sites are malicious and have links to each other under the section links on the left
column of the page (marked in box).
5.4 Clustering coefficient of malicious websites
Clustering coefficient was computed among the malicious websites to identify the closeness among
the malicious websites and compared it with the clustering coefficient of the legitimate websites to
understand the differences in the linking mechanism. The clustering coefficient of the malicious
websites was identified to be 0.18 and a significant portion of this value is contributed by the
facilitating websites. On the other side, the clustering coefficient of the legitimate websites was
identified to be 0.59, which is more than three times the clustering coefficient of the malicious
websites. This shows that the links among the malicious websites are low in number.
63

Manoj Cherukuri and Srinivas Mukkamala
Figure 16: Screenshot of the website medicalmarijuanablog.com
6. Link visualization
Links were visualized on the Google maps using the Google maps application programming interface
(API). The pre-computed geographic locations of the websites using the IP address to location
database were used to plot them on to the Google maps. Link visualization provides an interactive
means for analyzing the patterns followed by the links among different websites. The interactive map
helps in zooming and displays the name of the website on clicking the marker.
In Figure 17, the malicious websites and the facilitating websites are marked with red and blue
markers respectively. The red lines represent the bidirectional links, the green lines represent the
incoming link with respect to the facilitating website and the blue lines represent the outgoing link with
respect to the facilitating website. The lines going out from one extreme are connected through the
other extreme. From the above two images it is evident that the links are traversing among the
malicious domains across different countries presenting the fact that the attackers are not limiting the
hosting of their malicious websites either to a hosting service or to a country.
In Figure 18, the red lines represent the bi-directional links and the green lines represent the
unidirectional links. In Figure 19, on selecting a domain all the links associated with malicious
domains are depicted on the map. The green line represents an incoming link with respect to the
selected domain, the red line represents a bidirectional link and the blue line represents the outgoing
link with respect to the selected domain.
7. Conclusion
In this work we presented some interesting heuristics of the malicious websites that help in enhancing
the mechanisms used for the detection of malicious websites.
We identified the behavior of the malicious websites with respect to their indegrees and outdegrees.
We defined an equation that fits to the behavior of the indegree and the outdegree of the malicious
websites, which followed the power law with exponential cutoff.
Compared the outdegree of the malicious websites with that of the legitimate websites and concluded
that the malicious websites tend to have low outdegree compared to the legitimate websites.
We computed the clustering coefficient of the malicious websites and compared to that of the
legitimate websites and showed that the linking among the malicious websites is low compared to that
of the legitimate websites.
Our results during the analysis showed that the attackers are using legitimate websites with high
Google page rank as the means for directing traffic towards the malicious websites.
64

Manoj Cherukuri and Srinivas Mukkamala
We presented a new way of visualizing the links on the map using their geographical locations and
showed the fact that the attackers are not limiting the hosting of their malicious websites to a country
or a hosting service but are spread all over.
Figure 17: Visualization of malicious websites connected through the facilitating websites
Figure 18: Visualization of malicious domains linked to other malicious domains
65

Manoj Cherukuri and Srinivas Mukkamala
Figure 19: Shows customized link visualization where domains exist in the left pane
8. Future work
We are planning to perform similarity analysis among different malicious websites to identify clusters
of malicious sites under one control. This helps in understanding the behavior and the characteristics
of the groups of attackers. We are also planning to extend this study using content analysis of the
malicious webpages.
Acknowledgements
We would like to thank our data sources PhishTank, Malware Domain Blocklist, MalwarePatrol,
Malware Domain List, joewein.de LLC. and abuse.ch.
References
“Beautiful Soup.” (2010), Crummy [Online], 09 Apr, Available: http://www.crummy.com/software/BeautifulSoup
[01 Jun 2010].
Chakrabarti, D. and Faloutsos, C. (2006) “Graph Mining: Laws, Generators and Algorithms”, ACM Computing
Survey, vol. 38, no. 1.
Cheng, J. (2008) "Symantec: Underground Cybercrime Economy Booming.", Ars Technica [Online], 25 Nov,
Available: http://arstechnica.com/security/news/2008/11/symantec-underground-cybercrime-economybooming.ars
[10 Aug 2010].
“Clustering Coefficient.” (2010), Wikipedia Foundation [Online], 29 Jul, Available:
http://en.wikipedia.org/wiki/Clustering_coefficient#Global_clustering_coefficient [07 Aug 2010].
Cova, M., Kruegel, C., and Vigna, G. (2010) “Detection and Analysis of Drive-by Download Attacks and Malicious
JavaScript Code”, WWW 2010 - 19th International World Wide Web Conference, North Carolina (USA).
“December 2009 Web Server Survey.” (2009), Netcraft [Online], 24 Dec, Available:
http://news.netcraft.com/archives/2009/12/24/december_2009_web_server_survey.html [10 Aug 2010].
Kalafut, A.J., Shue, C.A. and Gupta, M. (2010) “Malicious Hubs: Detecting Abnormally Malicious Autonomous
Systems”, IEEE Infocom Mini-Conference, California (USA).
Luvender, R.V. (2010) “Fraud Trends in 2010: Top threats from a growing underground economy.”, A First Data
White Paper.
Ma, J., Saul, L.K., Savage, S., and Voelker, M.G. (2009) “Beyond Blacklists: Learning to Detect Malicious Web
Sites from Suspicious URLs”, Knowledge Discovery and Data Mining, Paris.
Provos, N. (2010) “Malware Statistics Update.”, Google Online Security Blog [Online], 25 Aug, Available:
http://googleonlinesecurity.blogspot.com/2009/08/malware-statistics-update.html [10 Aug 2010].
Stevens, K. (2010) “The Underground Economy of Pay-Per-Install Business”, Black Hat Technical Security
Conference, Las Vegas (USA).
“Top Sites.” (2010), Alexa Internet Inc. [Online], 10 Jul, Available: http://www.alexa.com/topsites [10 Jul 2010].
Watts, D.J. and Strogatz, S.H. (1998), “Collective dynamics of ‘small-world’ networks”, NATURE, Vol 393, pp
440-443.
66

Manoj Cherukuri and Srinivas Mukkamala
“World Internet Usage and Population Statistics.” (2010), www.internetworldstats.com [Online], Available:
http://www.internetworldstats.com/stats.htm [10 Aug 2010].
Zhuge, J., Holz, T., Song, C., Guo, J., Han, X. and Zou, W. (2007) “Studying Malicious Websites and the
Underground Economy on the Chinese Web”, Workshop on Economics of Information Security,
Pennsylvania (USA).
67

The Strategies for Critical Cyber Infrastructure (CCI) Protection
by Enhancing Software Assurance
Mecealus Cronkrite, John Szydlik and Joon Park
Syracuse University, USA
micronkr@syr.edu
jaszydli@syr.edu
jspark@syr.edu
Abstract: Modern organizations are becoming more reliant on complex, interdependent, integrated information
systems. Key national industries are the critical infrastructure (CI) and include telecommunications, energy,
healthcare, agriculture, and transportation. These CI industries are becoming more dependent on a critical cyber
infrastructure (CCI) of computer information systems and networks, which are vital to the continuity of the economy.
Organized attackers are increasing in number and power with more powerful computing resources that increasingly
threaten CCI software systems. The motivations for attacks range from terrorism, fraud, identity theft,
espionage, and political activism. Government and industry research have found that most cyber attacks exploited
known vulnerabilities and common software programming errors. Software publisher vendors have been
unable to agree or implement a secure coding standard for two main reasons. The on-technical consumer is ill
informed to demand secure quality products. These current conditions perpetuate preventable risk. As a result,
software vendors do not implement security unless specifically required by the customer, leaving many systems
full of gaps. Since most of exploited vulnerabilities are preventable, the implementation of a minimum level of
software quality is one of the key countermeasures for protecting the critical information infrastructure. Government
and industry can improve the resilience of the CI in an increasingly interdependent network of information
systems by protecting the CCI with stronger software assurance practices and policies and strengthening product
liability laws and fines for non-compliance. In this paper we discuss the increasing software and market risks to
CCI and address the strategies to protect the CCI through enhancing software assurance practices and policies.
Keywords: critical cyber infrastructure, secure programming quality, software assurance
1. Introduction
The first major Internet attack in 1988 by the Morris worm was a bad prank gone awry, but made it
clear, that for the first time, cyber security threats could escape physical boundaries. Cyber threats
could now spread rapidly through the Internet and impact different organizations and countries simultaneously.
In 2001, Code Red and Nimda were the first attacks to operate disrupt the commercial
internet affecting many business and ecommerce sites. (Gelbstien & Kamal, 2002) Next, the 2003
SQL Slammer worm caused major disruption of commercial and banking systems this attack used a
weakness that already had a solved by patch but had not been applied to enough of the consumer
base to cause damage to other companies because of internet slowdown. In 2003, the Sobig virus
temporarily shut down 23,000 miles of a railway system, arguably the first successful CI attack,
(McGuinn, 2004). However, the 2010 Stuxnet SCADA attack was undoubtedly the first of its kind to
disrupt CI operations. Its entry point was ultimately attributable to a hard coded SQL administrative
password (Falliere, et. al. 2010), a well-known bad development practice. In the twenty-two years
since Morris, damage from cyber security incidents have grown in frequency and impact.
Over the past ten years, especially, the numbers of successful CCI attacks have been increasing. The
profile of the creators of malware programs have changed since the days of the Morris worm. Today
malware is being developed and used primarily by criminal actors for financial gain and potentially by
other actors seeking to cause market instability and economic damage.
In the past computing attacks required access to high-end computing which was limited to wellfunded,
established entities that could support large data centres and computer clusters. However,
the introduction of the botnet has created a black-market for spam sending, decryption large-scale
brute force cracking activities, and Distributed Denial of Service (DDoS) attacks for hire for very cheap
prices scaled according to the target size. (OCED, 2008)
A “botnet” is criminal network of distributed computing, created by compromising victim devices, usually
through malware that exploits existing software weaknesses, and makes them a slave or “zombie”
to the larger criminal computer network called a “botnet.” As the computing power of non-secured
internet-connected devices increases so does the collective computing power of botnets. It is typical
68

Mecealus Cronkrite et al.
to see botnets with over ten thousand nodes or hosts at their command. (US-CERT, 2005) Very large
botnets such as Conflicker or Mariposa controlled millions of nodes.
Botnets can also do any distributed application criminals can imagine these are “Criminal Clouds” already
active and operational years ahead of industry. These rouge ad-hoc botnets have greatly
strengthened the computing arsenal of non-state criminal and terrorist organizations. (Council of
Europe Counterterrorism Task Force, 2007) Motivated attackers now have access to cheap, large
scale “stolen” computing grids. As a result, all the baseline security presumptions associated with securing
or encrypting data and the securing the data’s availability over the internet has greatly weakened.
2. Background
2.1 The relationship between the CI and the CCI
Figure 1: CCI IS stack by security control and influence
The US Department of Homeland Security Presidential Directive-7 (HSPD-7) defines the critical infrastructure
(CI) by the importance of an industry to society and the economy, e.g. transportation, agriculture,
energy, healthcare, telecommunications, and emergency services. The critical cyber infrastructure
(CCI) represents the information systems that support the operation of these key needs.
DHS’ National Cyber Command Division (NCCD) is responsible for protecting the CCI in the US, and
focuses on helping the CI industries, “conduct vulnerability assessments, develop training, and educate
the control systems community on cyber risks and mitigation solutions.” (Mcurk Testimony, 2010)
We can layer the components that intersect in a malware attack by their ability to control or influence
security processes, as in Figure 1. Developer knowledge and skill are the final arbiters of quality code
with the influence of the software publisher’s development methodology supervising those decisions.
Therefore, the ability to control and change the behaviour of security depends on the quality practices
of the software publisher and their developers. (Wang, et. al, 2008) The responsibility for security
software rests with the company that publishes software code, and the developers that participated in
IS system development because their knowledge of the system exceeds other spheres of influence.
2.2 The increasing risk to Critical Cyber Infrastructure (CCI)
Losses attributable to coding defects or weak configuration have increased in all industry sectors. The
impact from cyber attacks grows as the dependence on CCI systems designed with poor practices
continues. Up until the 2010, Stuxnet attack critical infrastructure systems were ‘siloed’ or separated
69

Mecealus Cronkrite et al.
from possible internet damage. Stuxnet thwarted this final defence and achieved an attack through a
series of weaknesses in software practices. (Falliere, et. al. 2010)
Malware can get into vulnerable systems without detection from anti-virus measures because it exploits
trusted software. Bad programming practices result in most of the preventable malware attack.
(Goertzel et. al.2007) The Software Engineering Institute estimates that 90 percent of reported security
incidents result from exploits against defects in the design or code of software. (Mead, et. al,
2009) The defects exploited, stemmed from a relatively small number of known programming errors
such as failing to check data input before adding it to a database, hard-coding, or developing applications
dependent on over privileged accounts to run. (MITRE & SANS, 2010)
Malware has this additional hidden impact cost to the economy because the true costs of the “zeroday”
malware effect are extremely difficult to measure since they are undetectable. When software
with vulnerabilities releases on its “zero-day,” during this time attackers activities cannot be blocked or
detected. The delay between the developer knowing and making a fix available to when administrators
install it on all affected systems can lag for years. Even with patches available, the zero-day risk
is still a threat to CI when organizations or consumers are unaware of the risk or patch. Patching is a
failed program of reactive repairs.
3. Software risks to the Critical Cyber Infrastructure (CCI) and proposed mitigations
To assess potential damage caused by cyber threats, and find ways to strengthen the resilience and
defence of the CCI. “Stuxnet demands that we look not just to the security community but also to the
system designers, planners, engineers, and operators of our essential technology and physical infrastructures.”
(Assante, 2010)
One of the first rules of defence is deterrence, so approaches for enhancing the current level of CCI
defence are going to be through fixing the preventable errors. Software assurance is a way of deterrence
because it is the practice of providing high levels of software quality free of known defects.
(Wang, et. al, 2008) Techniques such as coding standards can improve deterrence by making simple
attacks fail and increase the resources needed for successful attacks.
3.1 Mitigation: Developer non-repudiation
By requiring CI software developers and publishers module code signing creates an accountability
process. To implement code signing a system similar to the web domain registration system, with a
‘WhoIS’ style lookup, could be combined with a Public Key Infrastructure (PKI) like the SSL registration
systems. Developers can start to sign all code modules or apps to an individual developer and
publisher. Major popular IDE can also support a PKI plug-in system to support code-signing development.
Certificates for code signing are already a plug-in in many IDEs.
Developer abstraction can be handled at a level similar to engineering, for example, if the senior developer
signs the code, then they are accountable for security issues later, just like an architect or
engineer is. The company management should sign the final code again so they also have tangible
accountability for the software quality. Similar to the US Sarbanes-Oxley (SOX) law requires the
CEO/CFO to sign off on the accuracy public financial records
Customer systems could be configured to disallow anonymous code to run. By forcing all software to
present credentials to run we can start to establish a trace for code that is working or failing.
3.2 Mitigation: Create development tools to assist and automate security
The government and major Integrated Development Environment IDE developers should collaborate
to create security test suites to identify common errors automatically, even to the complier level. IDEs
should check code similar to how W3C validation engines corrected for common HTML errors. This
will help programmers improve without additional cost. IDE automated test tools will transition legitimate
developers and publishers to comply with that new level of quality. With free tools for checking
code, code compliance becomes easier at all layers of development, the success of this approach
being W3C, and the rare occurrence today of unreadable HTML pages. HTML code validation is now
70

Mecealus Cronkrite et al.
trivial. Today most web code is generated in content management frameworks so the workload has
switched from the individual developer to the tools.
3.3 Mitigation: Professionally license CCI software developers and publishers
Many vital economic sectors in the physical world have accredited professionals to create a culture of
quality and security. Electricians, architects, and engineering professionals are certified and accredited
to practice because their quality of work affects public safety and infrastructure. However, unlike
other CI professions there are no legally recognized accreditation processes for IT. Anyone can develop
software without liability for the behaviour of that software. IT workers design, construct, and
manage applications, databases, and network systems for all types of public trust transactions. They
do this all without the professional support systems.
We can relate the safe and security measures used in other professions as a model for software assurance.
Like these conventional professions, IT professions are also responsible for major portions
of the critical infrastructure in the cyber world. “[IT] practitioners can produce results as inconvenient
or dangerous as any medical or legal mishap, without their having the amount of regulation or informed
public scrutiny which both those areas command.” (Wikes, 1997: 88) By leveraging the existing
professional frameworks that supports other CI professions such as accounting, engineering, and
medicine, we can adopt policies and technologies that support improved public safety. Existing technology
systems can create accountability for the software industry and transparency for its customers.
While academic training and apprenticeship still provides the basis of disseminating knowledge of
good models and best practices, the professional boards and licenses should support these practices
with ethics. Certification and licensing options have the potential of legitimizing IT as a profession by
improving the quality of output. (Wilkes, 1997) These certifications still face implementation challenges
as there are numerous standards and organization bodies in the software industry, none of
them have any enforcement capability that makes adoption of any minimum standard extremely difficult.
Key industry organizations such as ACM and IEEE, and others that lead the professionalism of
the industry only have voluntary membership status which makes their effectiveness challenging.
Any application that supports the CI should have certified developers and publishers licensed to code
for the CCI systems. By differentiating, then the consumer will get security accountability built into
systems. The market will begin to shift to demand the same levels of quality in other industries, which
will encourage software developers to distinguish themselves in the marketplace. This would also
raise the barriers to entry on the software development market and ease the pressure on existing
competitors who are able to adopt assurance practices, which will benefit both the software industry
and the consumer.
4. Market risks preventing software quality and security and proposed mitigations
The current highly competitive commercial software marketplace does not have the incentives or repercussions
to implement standards. In many situations, security is always an optional add-on. A
common business argument to the developer is to ‘worry about security later’. However, this would
not occur if a mechanic had reported that a vehicle was unsafe. There is widespread lack of individual
autonomy; IT workers feel that they cannot prioritize quality and safety ahead of production speed and
‘agility’ within their organization due to business pressures. With government supported licensing, the
individual practitioner will be able to gain autonomy and legitimacy for security driven efforts as a matter
of compliance.
The customer is at a disadvantage in market knowledge. Consumers expect that reasonable security
measures but there is no such assurance. Typically, the customer has to require specifically in their
contract specific security measures. If security is not explicitly in the requirements, it is a burden on
the development company to implement it. All estimates for the true cost of security in the system are
wrong from the first unsecured prototype that delivered to the client. The customer is left to learn
about security by taking a risk acceptance posture by default. By accepting unsecure software, they
incorrectly feeding the market an acceptance signal. Without security forced to be “built-in” to the
process, the uninformed consumer does not know to discriminate between secure and non-secure
technologies and demand them accordingly to signal more supply.
71

Mecealus Cronkrite et al.
The “industry knows best” approach for cyber-security is inefficient and a market failure. (Assante,
2010) The public’s level demand for cyber-security is higher than most firms’ individual demand. This
is because the private costs resulting from a cyber-incident are often less than the public’s cost. As an
example, when electronically stored customer credit card information is stolen from a store the financial
institutions are often responsible for the loss not the store that had badly configured security.
4.1 Vulnerability: Cyber incident data is inconsistent
Most industries have no mandatory cyber incident reporting which makes estimating the true impact
of cyber crime difficult to measure. Regular studies performed by the FBI (CSI, 2009), Secret Service,
Verizon (Baker et. al, 2010) and Microsoft (Microsoft SIR, 2010) all use voluntary surveys and data
gathering. However, there are differences in the change in malware rates. The FBI, Microsoft and
Verizon security reports agree that malware attacks are on the risk. However, according to Microsoft’s
SIR report, “Software vulnerabilities…have been on the decline since the second half of 2006,” The
report ascribed this progress to better development quality practices (Microsoft, SIR, 2010) This disparity
is the result of two vastly different data sets that Microsoft and Verizon have used the voluntary
nature of cyber incident responses contributes to these differences. However, all three reports agree
that data is inconsistent due to the lack of a mandatory reporting system.
4.2 Mitigation: Mandate cyber incident reporting
According to a Computer Security Institute survey only a small fraction of organizations that experience
a cyber attack, report it to law enforcement. (CSI, 2009) Firms generally do not favour expanded
mandatory reporting because they do not want bad press, or the public to have a negative perception.
The reluctance is even greater when the firm does not suffer any immediate financial loss. Reporting
these intrusions (crimes) is in the greater interest of society because authorities stand a better chance
of stopping them if they have more information about the threat in general and can learn from emerging
patterns.
To address privacy concerns a reporting system that is similar to U.S. Treasury FINCEN Suspicious
Activity Report (SAR) could be used. Currently, most financial institutions are mandated to report certain
types of suspicious activity using SARs. SARs are kept secret and have tight dissemination standards
and an effective tool in fighting financial crime. A similar reporting system for cyber-attacks
would be equally beneficial. “Disclosure laws” could force software publishers and their customers
that support critical infrastructure to report cyber-attacks and data breaches to DHS. (DHS NIAC,
2009). By mandating reporting, there will be a more accurate picture regarding cyber threats. (Goertzel
et. al.2007) This will help researchers identify weakness, and aid in the apprehension of attackers.
The data collected will help inform actuary tables for insurance firms, and to develop risk analyses.
Cyber crime incident reporting should be required by all CI industries first to gain better knowledge
about the threat malware poses and educate business owners and managers about the financial
and legal implications of improper software assurance processes.
4.3 Vulnerability: Demand for cyber security
Rational firms should use IT risk management to manage cyber security, but, firms often lack the
knowledge and expertise to implement and it is difficult for firms to measure the effectiveness of investments
into cyber security. (Mead, et. al, 2009) This makes it hard to justify expenditures and results
in the general lack of secure programming investment. The public is left with the costs of a cyber-security
incident such as firms that were the target of the cyber incident as well as its clients,
banks or others who feel its negative effects, and include taxpayers if the government responds.
Since the overall damage of a cyber-incident is generally higher for the public, they would rationally
choose to have a higher investment in cyber-security. Unfortunately, the public has little say in what
investment an individual firm decides to make in cyber-security leading to underinvestment in the
eyes of the public. In economic terms, the aggregate private firm’s demand for cyber security is less
than the public’s demand. This is a market failure, which invites regulation or some form of market
correction to rectify this externality.
Figure 2 illustrates a private firm’s efficient level of investment at q1 where there firms demand for
security “D” equals the marginal cost “MC” for each additional investment. . The marginal social benefit
is the public’s demand which equals q* when it crosses the marginal cost line. “q*” represents the
72

Mecealus Cronkrite et al.
socially efficient level of cyber security which is greater than the private level The graph in Figure 2,
shows the public’s demand for security is greater than individual firms.
Figure 2: Demand vs. Investment in cyber security
4.4 Mitigation: Create information systems cyber security insurance market
Data breeches usually have no consequences or fines for the company that lost the customer data,
and even fewer for the development team that wrote the software or configured the servers. A cyber
security insurance market can create an economic incentive for firms to implement better security
standards. To establish the market governments would have to create laws placing partial liability for
cyber attacks on software publishers and operating firms if they negligent by failing to implement sufficient
security standards and practices. (Baer and Parkinson, 2007:50 – 56)
With better cyber incident, reporting research and insurance communities can find common risky behaviour
patterns. Since private insurance companies use actuary tables and measure risk they would
be able to establish scalable cyber security requirements. In exchange for coverage and premium
discounts, insurance companies can require private firms to take reasonable steps to protect their
systems, within a risk management system. Premiums can assign a higher risk to IT security
breaches stemming from programming errors and failure to adopt best practice standards in cyber
security.
Market forces will generate an insurance market that accommodates different sizes of firms. A major
difficulty regarding this policy implementation is to ensure premiums are not too costly for firms to afford.
As a result, it may be necessary for government to cap the amount of damages that a firm may
pay. The government can help establish the cyber insurance market by facilitating reinsurance
through indemnifying catastrophic losses.
4.5 Mitigation: Compliance in U.S Federal IT acquisition security standards (fines)
Government IT acquisition and procurement decisions are unlike private corporations. In private concerns,
shareholder value should ultimately control spending so the implementation of security is profit
goal driven. The US Federal Government has complex goals for the public good, accountability, fairness,
and transparency. However, the majority of CCI is located within the private sector so to encourage
effective standards government has to rely on market forces and voluntary partnerships with
industry. (Golumbic, 2008)
Governments and (CI) systems increasingly dependent on commercially developed software in doing
so they have transferred security risk upstream to the developers. As a result, the US government has
created many of its own models for secure IT acquisition and procurement that either impact system
development processes. For example, NIST Special Publication 800 series, the DOD standard
DIACAP, and Federal Information Security Management Act (FISMA) all are US regulations to deal
73

Mecealus Cronkrite et al.
with security requirements for government information systems. Security rests with the acquisition
policy and contract, vendor management controls that they defined, a non-standard approach.
However, the GAO has found that the federal government overall has major deficiencies information
security. Mainly due to the lack of technical acquisition expertise needed to interpret and apply security
requirements to contracts and the rigor and sustaining efforts required to keep validating vendor
quality. (GAO-09-661T, 2009) Therefore increasing the federal IT workforce and capabilities, DHS
NCCD can start to upgrade and improve the performance of security within the US government. Security
requirements should be equally valued and balanced as e-government requirements in order to
improve CI defence from disasters and attacks. Moreover, adding vendor non-compliance fines in the
government IT acquisition process should increase the attention paid to CI systems.
5. Conclusions and future work
There is a growing relationship between preventable software assurance failures and exposed critical
cyber infrastructure risk. Preventable software defects remain unresolved at the peril of all software
consumers and endanger the cyber infrastructure on which we all rely. The software consumer is uninformed
and cannot self assure that the outsource software they order meets an acceptable standard.
Making the security case clear enough to the public to understand is harder than making the
case to the developer and the business manager through market forces.
The growing black market economy of malware is exploiting the existing known defects in widely distributed
commercial software. Targeting known common software defects is a primary vector to enter
trusted networks and systems. Preventable programming errors make “zombie” slave computers accessories
to organized crimes. The growing criminalisation of cyber attacks is driving the need for
new controls in the previously unregulated software development culture.
Without support, the business will tend to favour of profits over safety. It is the nature of profit motivation.
Firms on their own will not decide to invest the socially optimal amount in cyber security because
it conflicts with their own rational decision making criteria. However, by supported standards it enables
the developer and publisher to mitigate preventable risk.
Improving software assurance practices is one of the key countermeasures for protecting critical infrastructure.
The industry needs to be motivated to encourage accountability and liability on behalf of
the public good by avoiding common errors. This would also raise the barriers to entry on the software
development market and ease the pressure on existing competitors who are able to adopt assurance
practices, while legitimatizing IT as a new profession responsible for entrusted with the public good
defending the critical cyber infrastructure.
The proposed approaches examined a framework of increasing government and private controls on
software quality and software assurance outcomes.
Mandate Cyber Incident Reporting for CI industries to increase transparency and research ability.
Enforce (Fines) for Federal IT Security development Non-Compliance to create better vendor
compliance.
Create better IDE tools that check for common programming errors, to help prevent the programmer
from making common errors, and increase the resilience of the software infrastructure.
Encourage professional licensing and non-repudiation for CCI Developers and Publishers to help
to increase accountability and transparency in the publisher and developer community.
The software industry will not be able to negotiate the safety standards process alone, without some
government assistance. There is a need for standards based software professional accreditation to
ensure the consistent application of basic security programming techniques and data privacy. However,
the industry should not wait for legislation. Software publishers have the ability to seize the momentum
of media awareness and establish accountability for code security within their corps.
Acknowledgements
This work is an extended study of our final team project of IST623 (Introduction to Information Security),
taught by Prof. Joon S. Park, in the School of Information Studies at Syracuse University in
Spring 2010. We would like to thank the class for valuable feedback, insight, and encouragement as
we researched and developed this project during the semester.
74

Mecealus Cronkrite et al.
The views expressed herein are those of the authors and do not necessarily reflect the views of, and
should not be attributed to, the Department of Homeland Security or any of its agencies.
References
Assante, M.J. 2010, November 17. Testimony of Michael J. Assante, President and Chief Executive Officer National
Board of Information Security Examiners of the United States Inc. Before the Senate Committee on
Homeland Security and Governmental Affairs US Senate Hearing on Securing Critical Infrastructure in the
Age of Stuxnet. Washington D.C.
Baer, W.S. & Parkinson, A. 2007, "Cyberinsurance in IT Security Management,” IEEE Security & Privacy, vol. 5,
no. 3, pp. 50-56.
Baker, W., Goudie, M., Hutton, A., Hylender, c.D., Niemantsverdriet, J., Novak, c., Ostertag, D., Porter, c.,
Rosen, M., Sartin, B. & Tippett, P.,United States Secret Service 2010, July 28-last update, 2010 Data
Breach Investigations Report [Homepage of Verizon], [Online]. Available:
http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf [2010, 10/20]
Council of Europe Counterterrorism Task Force 2007, Cyberterrorism-the use of the internet for terrorist purposes.
Council of Europe Publishing, Strasbourg Cedex, France
CSI, “14th Annual 2009 CSI Computer Crime and Security Survey” December, 2009, Computer Security Institute
Falliere, N., Murchu, L.O. & Chien, E. 2010, October-last update, w32 Stuxnet Dossier [Homepage of Symantec],
[Online]. Available:
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dos
sier.pdf [2010, 10/20]
GAO May 5, 2009, GAO-09-661T: Testimony before the Subcommittee on Government Management, Organization,
and Procurement; House Committee on Oversight and Government Reform: Cyber Threats and Vulnerabilities
Place Federal Systems at Risk Statement of Gregory C. Wilshusen, Director, Information Security
Issues, GAO, Washington, D.C.
Gelbstein, E. & Kamal, A. 2002, Information insecurity :a survival guide to the uncharted territories of cyberthreats
and cyber-security, 2nd ed, United Nations ICT Task Force and the United Nations Institute for
Training and Research, New York, NY.
Goertzel, K.M., Winograd, T., McKinley, H.L., Oh, L., Colon, M., McGibbon, T., Fedchak, E. & Vienneau, R. 2007,
July 23-last update, Software Security Assurance State-of-the-Art Report (SOAR) [Homepage of Joint endeavour
by IATAC with DACS], [Online]. Available: http://iac.dtic.mil/iatac/download/security.pdf [2010,
10/20].
Golumbic, M.C. 2008, Fighting terror online: the convergence of security, technology, and the law, Springer Verlag,
New York.
McGuinn, M. 2005, October 12-last update, Prioritizing Cyber Vulnerabilities, Final Report and Recommendations
by the Council. [Homepage of DHS-NIAC], [Online]. Available:
http://www.dhs.gov/xlibrary/assets/niac/NIAC_CyberVulnerabilitiesPaper_Feb05.pdf [2010, 10/20] .
Mead, N.R., Allen, J.H., Conklin, A.W., Drommi, A., Harrison, J., Ingalsbe, J., Rainey, J. & Shoemaker, D. 2009,
April-last update, Making the Business Case for Software Assurance [Homepage of Carneige Mellon Software
Engineering Institute], [Online]. Available: http://www.sei.cmu.edu/reports/09sr001.pdf [2010, 10/20].
Microsoft, “Microsoft Security Intelligence Report Volume 9 (Jan 1 2010 - Jun 30 2010)2010”, [Homepage of Microsoft],
[Online]. Available: http://www.microsoft.com/security/sir/default.aspx [2010, 10/20].
McGurk, Sean 2010, Nov.17 Statement for the Record of Seán P. McGurk Acting Director, National Cybersecurity
and Communications Integration Center Office of Cybersecurity and Communications
National Protection and Programs Directorate Department of Homeland Security Before the United States Senate
Homeland Security and Governmental Affairs Committee, Washington, DC November 17, 2010
MITRE & SANS 2010, April 5-last update, CWE/SANS Top 25 Most Dangerous Programming Errors [Homepage
of MITRE], [Online]. Available: http://cwe.mitre.org/top25/ [2010, 10/20].
NIAC, National Infrastructure Advisory Council September 8, 2009, Critical Infrastructure Resilience Final Report
And Recommendations, DHS, Washington, D.C.
OECD, 2008. “Malicious Software (Malware) A Security Threat to the Internet Economy. OECD, Seoul, Korea.
US-CERT, “Build Security In. (n.d.).Key Practices for Mitigating the Most Egregious Exploitable Software Weaknesses.
Software Assurance Pocket Guide Series: Development” Volume II Version 1.3.2009, May 24-last
update [Homepage of DHS-US-CERT], [Online]. Available: https://buildsecurityin.uscert.gov/swa/downloads/KeyPracticesMWV13_02AM091111.pdf
[2010, 10/20].
US-CERT Multi-State Information Sharing and Analysis Center and United States Computer Emergency Readiness
Team (US-CERT) 2005, May 16-last update, Malware Threats and Mitigation Strategies [Homepage of
DHS-US-CERT], [Online]. Available: http://www.us-cert.gov/reading_room/malware-threats-mitigation.pdf
[2010, 10/20]
Wang, Y., Zheng, B. & Huang, H. 2008, "Complying with Coding Standards or Retaining Programming Style: A
Quality Outlook at Source Code Level", Journal of Software Engineering and Applications, vol. 1, no. 1, pp.
88.
Wilkes, J. 1997, "Business Ethics: A European Review, Focus: 'Protecting the Public, Securing the Profession:'
Enforcing Ethical Standards among Software Engineers"
75

Building an Improved Taxonomy for IA Education
Resources in PRISM
Vincent Garramone and Daniel Likarish
Regis University, Denver, USA
garra909@regis.edu
dlikaris@regis.edu
Abstract: To address a perceived lack of availability of educational resources for students and educators in the
field of information assurance, Regis University and the United States Air Force Academy (USAFA) have begun
development of a web portal to store and make available to the public information security-related educational
materials. The portal is named the Public Repository for Information Security Materials (PRISM). In this paper, we
begin with a review of the initial vision for PRISM. We then discuss the development and maintenance of a
deterministic discipline-specific vocabulary, along with the results of mapping curricular content to our initial set of
terms. Out of the eight material descriptions used in our evaluation, five could be clearly mapped to the initial
vocabulary, one could partially be mapped, and three did not contain any clearly mappable terms.
Keywords: PRISM, security education, taxonomy, educational resources
1. Introduction
As more of our lives become increasingly dependent on information technology, educating those who
develop and manage those technologies about information assurance (IA) concepts is crucial to help
reduce the risks of our information being lost, stolen or otherwise compromised. Recent attendance at
national conferences for educators (e.g. ISECON (International Systems Educators Conference),
CISSE (Colloquium for Information Systems Security Education) and AMCIS (Americas Conference
on Information Systems)) provided an opportunity to determine the need for security courses and
materials to support them. The organization and promotion of Security Special Interest Groups
(SecSIG) and increase in the number and variety of security education papers also demonstrates the
increased interest in the field, and the trend has culminated in national recognition that security
education is a national and international concern, (Cooper et al 2010).
Unfortunately, aligning existing educational programs to include a focus on security topics has proven
not to be straightforward. For example, although some institutions report success adding securityspecific
courses to existing curricula, others find this infeasible because of the significant instruction
time and expertise it requires (Null 2004). As an alternative to adding a security-specific course,
relevant lessons can be integrated into existing courses to teach security concepts (Irvine, Chin, and
Frincke 1998). Instructors wishing to add lessons to existing courses must either create or locate
materials that meet their particular curricular needs. Similar to creating and integrating entire courses,
some instructors may not have the time or expertise to develop effective lessons for every topic they
wish to teach. They also recognize the non-uniqueness of lesson materials and see limited utility in
reinvention of materials that they suspect others have developed, (Davis 2010).
To help address these issues and advance the availability of information security education materials,
Regis University and USAFA have initiated a collaborative effort to develop a web portal to store and
make available to the general public information security related educational materials, research,
virtual exercises, and links to security resources. The PRISM web portal will provide an online virtual
space for educators to discuss effective pedagogy, share tools, and collaborate on curriculum
development.
This paper reviews the current vision for the PRISM repository and discusses the development of a
deterministic taxonomy based method of organizing content. The use of deterministic, portal site
analytics is proposed to further improve the forensics content taxonomy and the load process.
2. Vision
The creators of the Public Repository for Information Security Materials (PRISM) web portal intend to
make it a resource for students and educators who are interested in information security education.
Visualization tools, publications, educational materials, links to relevant websites, and research data
are all potential types of material. We envision that individuals, educators and students from K-
Collegiate will contribute to the materials on the site in an ad hoc fashion. The site is a civic commons
76

Vincent Garramone and Daniel Likarish
portal that relies on the goodwill of participants to contribute content. Future versions of the site will
use publication (e.g. blogs, podcasts, articles) to encourage participants to return to the site for
reasons beyond the teaching materials. In addition, the site has the potential to serve as a
collaborative workspace to discuss tools and teaching methods in both synchronous and
asynchronous modes, and to participate in educational games and online activities.
Part of this effort involves determining the most useful way to classify and organize resources
available on the site. Information security is a broad and complex field of study, and one can quickly
become mired in results irrelevant to their interests when conducting keyword searches. Moreover, it
may be difficult to identify terms that will be most useful in locating specific materials within any given
repository (Dicheva and Dichev 2006), especially since many repositories tend to use very general
metadata definitions that lack the specificity required to effectively locate resources (Moisey 2006).
We anticipate an improved method for locating relevant material with carefully crafted taxonomies,
constructed by analyzing vocabulary usage in curricular literature and actual site searches.
3. Background
In early 2010, PRISM was available to the public. For a complete treatment of initial vision,
requirements, and technical execution, see (Garramone and Schweitzer 2010). The web portal was
designed with a high degree of flexibility to allow the project to mold itself to the changing needs of the
community. Ease of use for content seekers and developers, as well as for site moderators and
administrators was given priority when selecting the hardware and software components of PRISM.
An initial set of seven publications and eleven interactive lessons was provided by Dr. Schweitzer and
the US Air Force Academy to showcase the types of resources PRISM was designed to contain. A
handful of materials from other sources were also posted to demonstrate potential content types such
as hyperlink resources and educational simulations. Resources were categorized using a custom set
of vocabularies designed to allow users from heterogeneous backgrounds to access the materials
using familiar terms.
In particular, a subset of the Dublin Core (Weibel et al 2008) provided standard metadata.
Additionally, vocabularies from two prominent IA common bodies of knowledge (CBK) (Theoharidou
and Gritzalis 2007) were implemented to organize resources according to their IA topical content.
Although PRISM is a fully functional repository, several challenges remain. Organizing content based
on static metadata sets proves difficult as usage patterns and industry terminology change.
Furthermore, complex tagging requirements for content makes it difficult for developers to contribute
their content. In their recent IEEE transaction on Learning Technologies, Davis et al. describe the
more general sharing and deposition of education materials by small colleges and university in
common repositories (2010). The failure to develop sustainable material repositories is the result of
poor design decisions, user’s motivation to use them and failure of adoption by communities is related
to difficulty of use, administration and currency of materials.
4. Dynamic taxonomy based content management
Previous attempts to establish education web portals have been less than successful from lack of
participation by resource developers and cumbersome site search strategies to locate interesting
course materials. The upload of resources requires developers to provide metadata descriptors of
their materials based on a fixed taxonomy. Because of the wide variance in resource content, static
taxonomies based on generic structures inherited through the parent portal developer’s best efforts
are not effective. From the resource downloader’s perspective, attempts to retrieve materials are
discouraging because of difficulty in searching for materials described by the same limited taxonomy.
For example, the Merlot educational material repository, the most granular taxonomic term for
information assurance materials is “Security” under the “Information Technology” heading. This
provides no terminology guidance for those submitting or searching for content, and forces users to
resort to keyword searches.
We used the PRISM portal to investigate a simple, deterministic approach to creating a flexible and
stable taxonomic structure that would allow forensics educators to upload resources and search
content in a more easy and useful way. Our approach consisted of generating an initial list of
forensics descriptors that were manually extracted from current forensics literature and ranked
according to what percentage of the documents each term appeared in. The content of a computer
77

Vincent Garramone and Daniel Likarish
forensics course was used to evaluate whether the literature based taxonomy approach would
produce an acceptable description of the material. The result of the evaluation confirmed that a
literature based seeded taxonomy was a good starting point, but that refinement is necessary. The
digital forensics topic was chosen as our initial case because Regis University wanted to make lab
materials from its computer forensics course available on the PRISM site and felt these materials
would be representative of content for a graduate forensics class. The weekly lab materials were
qualitatively evaluated using the list of forensics terms derived from current forensics literature. These
results were then compared to actual terms in the lab topic descriptions given in the course syllabus.
4.1 Granularizing PRISM taxonomies
One of the major goals of PRISM is to make searching for content intuitive and efficient. To achieve
this, content must be tagged in a way that allows keyword and guided searches to return accurate
results. Since IA terminology varies widely among researchers and practitioners, we have tried to
accommodate the broadest possible group of users by developing several taxonomies to tag content.
After a resource has been associated with a particular taxonomy term, it can automatically be
included in guided searches and is reachable with the advanced search function of PRISM. At the
conclusion of the first major development phase, PRISM was equipped with both the International
Information Systems Security Certification Consortium (Theoharidou and Gritzalis 2007) and U.S.
Department of Homeland Security CBK vocabularies (Shoemaker, Drommi, Ingalsbe and Mead
2007). However, in simple use cases existing vocabularies did not offer a sufficient level of specificity.
Rather than create arbitrary lists of terms a researcher might personally want to search for, it was
decided to review the literature and attempt to distill vocabularies that would reflect common usage
among curriculum developers.
The first effort to granularize the PRISM taxonomies was in the area of digital forensics. Digital
forensics is its own discipline within the realm of information security (Berghel 2003). On this basis,
forensics is considered an ideal candidate for a descriptive taxonomy within PRISM. PRISM
researchers analyzed nine recent publications, primarily from curriculum developers, to identify a
common taxonomic structure and current terminology usage. These publications were selected for
their recent contribution and, based on the level of repetition of terms observed, were considered
adequate in number and scope to generate an initial forensics vocabulary for PRISM. The digital
forensics vocabulary currently being used in PRISM contains the most commonly observed digital
forensics terms from these nine papers, and will explicitly specify relationships between synonyms as
they are identified through site analytics. Table 1 shows the initial list of terms implemented within
PRISM (See Appendix 1 for the complete table). To keep the list to a manageable size, only terms
referenced in at least one third of the papers analyzed were included in this initial vocabulary.
Table 1: PRISM’s initial digital forensics vocabulary
Forensics Topics
Reference Count
Legal Process
6
Log Analysis
6
Data Acquisition 5
Data Decryption 5
Deleted Data Recovery 5
Email Forensics 5
Hidden Data Discovery 5
Steganography 5
Documentation 4
Ethics 4
Network Forensics 4
Incident Response 3
Live System Forensics 3
Malware Detection 3
Password Cracking 3
Registry Analysis 3
78

Vincent Garramone and Daniel Likarish
To avoid creating too much predefined structure and possibly over-restricting the way users interact
with the site, a single, flat vocabulary of forensics-related terms was defined, as opposed to a
hierarchical one. This allows accommodation of user variance between how they define and use
terms. Furthermore, terms that refer to conceptual subsets of other terms are included in the
vocabulary because they are apparently often used independently of their parent terms in the
literature. For example, “Steganography” could be conceptually categorized as “hidden data
discovery”, but more than half of the papers examined explicitly mentioned the former term. This is an
example of a deterministic approach: allowing actual usage or terms to dictate taxonomy
development.
4.2 Dealing with added complexity
As the taxonomy structure becomes more complex, a tradeoff between the ease of content searching
and the difficulty of content submission is made. To offset the effects of PRISM’s more complex
taxonomy system, PRISM moderators will categorize content for developers. By offering this service,
content submission difficulty will be reduced, requiring only the submission of a link or the upload of
an archive to be posted.
4.3 A trial of the system
We used Regis University’s Computer Forensics course to evaluate the list of terms derived from the
literature (Table 1) and their ability to describe the computer forensics materials. The premise of the
course is to introduce the student to a wide variety of methods for investigating computer security
incidents. Each student takes on the role of a forensic analyst and each week the student is asked to
apply their skills to the analysis of many different types of data with different scenarios and tools. The
students have to create log entries detailing their findings as they work through the process of
analyzing the data for each scenario. First, we chose terms from the vocabulary that we felt
represented the lab content and learning intent. These lists, given in Table 2, column 2, represent the
values a content creator would assign to their own materials upon upload to the PRISM site. Next
those terms were compared with actual language used to describe the lab content in the course
syllabus, and a rating was given to the level of similarity between the available vocabulary terms and
those explicitly listed in the lab topic descriptions. A “Yes” value suggests that the terminology was
sufficiently similar to allow someone not familiar with the content of the lab to effectively classify data
using only a brief description. A “Partial” value means that one or more, but not all of the vocabulary
terms are reflected in the lab topic description. In this case, a material might not be classified under all
relevant terms, making it difficult to locate on the site. As an example, the lab described in the first row
of Table 2 might only be classified as an “Email Forensics” material since “Documentation” and “Legal
Process” are not explicitly mentioned in the description. Finally, a “No” designation is given if none of
the relevant vocabulary terms are present in the lab topic description.
Table 2: Summary of the weekly lab topics MSIA 680 Computer Forensics course and related PRISM
forensics vocabulary terms
Lab Topics from Syllabus Related PRISM Forensics Terms Match
Email Forensics and the Forensic Template. Also
Email Forensics
Partial
write a preface justifying the forensic approach.
Documentation
Legal Process
Snort alert data and Wireshark packet capture
Network Forensics
No
Network Security Podcast Report
Log Analysis
Live Response, Volatile & Nonvolatile Data, Cache
Dump
Live System Forensics Yes
RAPIER Tool Analysis. End with analysis of the
Log Analysis
No
Strength and Weakness of Forensic Tools and
Hidden Data Discovery
Processes
Documentation
Tool Validation*
Registry Examination and Tool usage Registry Analysis Yes
File Analysis Lab Hidden Data Discovery No
Active Malware Discovery (Trojans) and Memory
Examination
Rootkit Examination and research of additional
risks and methods of detection
79
Malware Detection
Hidden Data Discovery
Malware Detection
Yes
Yes

Vincent Garramone and Daniel Likarish
Note: A positive in the Match column indicates that the seeded taxonomy terms were closely or
exactly reflected in the Regis lab topic.
This rudimentary analysis demonstrated that seeding the forensics vocabulary with terms extracted
from a public literature search might be sufficient to allow a moderator to characterize the uploaded
material without intimate knowledge of its contents. See Appendix 2 for a visual representation of this
mapping in table form for the course MSIA 682, Network Forensics. It is clear, however, that the initial
vocabulary could benefit from adjustments. For example, the lab description in row 2 of Table 2
mentions, “packet capture”. While this is not in the initial vocabulary, it is closely related to “Network
Forensics” and “Packet Analysis”. Network Forensics was included in the initial list and Packet
Analysis, while identified in the literature, was not for reasons described above. To address this, it
might be appropriate to replace “Network Forensics” with “Packet Analysis” in the PRISM vocabulary.
Alternatively, defining the relationship of these terms in PRISM (synonyms, subtopics, etc.) might
create a more inclusive and useful search environment.
4.4 Honing the vocabulary
The artifact constructed through literature review is, as mentioned, a starting point in the development
of an optimized digital forensics vocabulary for PRISM. It remains to be seen if these terms resonate
with other users of the web portal or if different descriptors will be favored. Moreover, terminology
changes over time, and PRISM’s vocabularies should be able to accommodate those changes. The
authors plan to utilize new content and analytics data to identify discrepancies between the
vocabulary defined above, and actual topics and terms utilized by PRISM users. PRISM records all
searches performed on the site and generates reports listing common phrases. Searches are also
tracked by Google Analytics, which provides a more in-depth view of searches executed on the site,
as well as visitor behavior before and after the search. After a particular search is executed, Google
services can be used to determine user’s preferred or selected materials. This capability can provide
insight into how accurate and relevant the taxonomies are at any given time. As long as usage of the
site continues, these tools will help PRISM moderators to maintain relevant IA vocabularies from
which content can be described.
5. Conclusions
IA is a rapidly changing field, and maintaining relevance is a difficult task. We are attempting to keep
PRISM responsive to changes in the IA landscape. PRISM developers will continue to make
adjustments based on the needs of the user community by allowing current literature and actual
usage statistics to guide the development of organizational taxonomies. Explicitly attaching these
relevant descriptors to site content allows administrators to produce intuitive, guided search
functionalities, making it easier for users to locate the materials they need. Results using our own
materials as a test case suggest that taxonomies constructed in this way could be effective for other
users. A more rigorous evaluation will only be possible if site utilization increases and is sustained
over a significant period of time. To this end, PRISM moderators recognize, and are prepared to
absorb, the increased work required to properly organize content on the site as taxonomic complexity
increases. This will hopefully make using the site more attractive to content developers and, in turn, to
those seeking educational resources.
6. Appendix 1: Terminology usage matrix
Forensics Topics Totals
Legal Process [1] [3] [5] [6] [11] [12] 6
Log Analysis [1] [3] [5] [6] [11] [13] 6
Data Acquisition [1] [2] [3] [12] [13] 5
Data Decryption [1] [2] [5] [11] [12] 5
Deleted Data Recovery [1] [3] [6] [11] [12] 5
Email Forensics [2] [3] [5] [6] [13] 5
Hidden Data Discovery [1] [2] [3] [11] [12] 5
Steganography [1] [5] [11] [12] [13] 5
Documentation [1] [2] [5] [13] 4
Ethics [6] [11] [12] [13] 4
80

Vincent Garramone and Daniel Likarish
Forensics Topics Totals
Network Forensics [3] [6] [11] [13] 4
Incident Response [11] [12] [15] 3
Live System Forensics [1] [3] [15] 3
Malware Detection [3] [11] [12] 3
Password Cracking [2] [5] [13] 3
Registry Analysis [3] [6] [13] 3
Hardware Identification [2] [6] 2
Tool Development [3] [11] 2
Web Browser Forensics [6] [13] 2
Baselining [3] 1
Application Analysis [6] 1
Data Reconstruction [6] 1
Forensic Planning 1
Key Loggers [3] 1
Dead System Forensics [15] 1
Packet Analysis [6] 1
Password Auditing [3] 1
RFID Forensics [6] 1
Tool Validation [11] 1
Web Services [6] 1
Evidence Collection and Handling [5] 1
Key Authors Year Country Subject
[1] Bem, D. and Huebner, E. 2008 Australia Curriculum
[2] Berghel, H. 2003 USA Definition
[3] Crowley, E. 2007 USA Curriculum (corporate)
[5] Figg, W. and Zhou, Z. 2007 USA Curriculum
[6] Francia, G. A. 2006 USA Curriculum
[11] Troell, L., Pan, Y., and Stackpole, B. 2003 USA Curriculum
[12] Troell, L., Pan, Y., and Stackpole, B. 2004 USA Curriculum
[13] Wassenaar, D., Woo, D., and Wu, P. 2009 USA Curriculum
[15] Yen, P., Yang, C., and Ahn, T. 2009 Taiwan Process
7. Appendix 2: MSIA 682, Network Forensics course topics and activities
mapped to PRISM forensics vocabulary
Course Topic Activity Description
Introduction to Security
Monitoring
Intro Security packet data
structure based on the
TCP/IP model
81
Example of a granular
Lab Activity
Identify the following
packet structures by
explaining what each
packet is, what ports,
protocols or codes
each one uses using
the static packet
captures
PRISM Forensics
vocabulary
Network forensics

Vincent Garramone and Daniel Likarish
Course Topic Activity Description
Protocol Analysis After understanding packet
data structures. Examine
different types of network
services using standard
sniffing tools
Metadata and Statistical
Analysis
Session Data, Intrusion
Detection and Alert Data
Normal, Suspicious and
Malicious Traffic
References
Decompose packets for
the content: metadata and
other attributes using
packet capture files
Investigate layer three and
four session data using the
Network Security
Management Framework
Examples of normal,
suspicious and malicious
traffic based on pcap files
Example of a granular
Lab Activity
Explain the following
tcpdump flags: -v, -n, -
i, -r, -w, -e, -t, -x, -X, -
s, -D, -q, -L, identity
which flags that can
be used more than
once? Please use
7.pcap file for this
exercise.
Examine the files
1.pcap through 6.pcap
using either Netdude
or Wireshark
explaining what
protocols are in use,
whether they use UDP
or TCP and what ports
are used for each
protocol.
Please review the
nfsen video to review
the capabilities of
nfsen (a web front
end) and nfdump, the
netflow
collector/provider
Please examine pcap
files 1-7 and identify
the type of traffic and
whether or not it would
be normal, suspicious
or malicious.
PRISM Forensics
vocabulary
Network Forensics, Live
Systems Forensics
Log Analysis, Hidden
Data Discovery
Log Analysis, Hidden
Data Discovery
Malware Detection, Live
Systems Forensics,
Hidden Data Discovery
Bem, D. and Huebner, E. (2008) “Computer forensics workshop for undergraduate students”, In Proceedings of
the tenth conference on Australasian computing education, Vol. 78, Simon Hamilton and Margaret Hamilton
(Eds.), Australian Computer Society, Inc., Darlinghurst, Australia, pp 29-33.
Berghel, H. (2003) “The discipline of Internet forensics”, Communications of the ACM, Vol. 46, No. 8, pp 15-20.
DOI= http://doi.acm.org/10.1145/859670.859687
Cooper, S., Nickell, C., Piotrowski, V., Oldfield, B., Abdallah, A., Bishop, M., Caelli, B., Dark, M., Hawthorne, E.,
Hoffman, L., Perez, L., Pfleeger, C., Raines, R., Schou, C., and Brynielsson, J. (2010) “An exploration of the
current state of information assurance education”, SIGCSE Bull, Vol. 41, No. 4, pp 109-125.
DOI=10.1145/1709424.1709457
Crowley, E. (2007) “Corporate forensics class design with open source tools and live CDS”, J. Comput. Small
Coll. Vol. 22, No. 4, pp 170-176.
Davis, H., Carr, L., Hey, J., Howard, Y., Millard, D., Morris, D., and White, S. (2010) “Bootstrapping a culture of
sharing to facilitate open educational resources”, IEEE Transactions on Learning Technologies, Vol. 3, No.
2, pp 96-109.
Dicheva, D. and Dichev, C. (2006) “Tm4l: creating and browsing educational topic maps”, British Journal of
Educational Technology, Vol. 37, No. 3, pp 391-404.
Figg, W. and Zhou, Z. (2007) “A computer forensics minor curriculum proposal”, J. Comput. Small Coll, Vol. 22,
No. 4, pp 32-38.
Francia, G. A. (2006) “Digital forensics laboratory projects”, J. Comput. Small Coll, Vol. 21, No. 5, pp 38-44.
Garramone, V. and Schweitzer, D. (2010) “PRISM: A public repository for information security material”, In
Proceedings from the 14th Annual Colloquium for Information Systems Security Education, Baltimore, MD.
Irvine, C., Chin, S., and Frincke, D. (1998) “Integrating security into the curriculum”, Computer, Vol. 31, No. 12,
pp 25-30.
Moisey, S. Alley, M. & Spencer, B. (2006) “Factors affecting the development and use of learning objects”, The
American Journal of Distance Education, Vol. 20, No. 3, pp 143-161.
Null, L. (2004) “Integrating security across the computer science curriculum”, Journal of Computing Sciences in
Colleges, Vol. 19, No. 5, pp 170-178.
Peisert, S., Bishop, M., and Marzullo, K. (2008) “Computer forensics in forensics”, SIGOPS Oper. Syst. Rev., Vol.
42, No. 3, pp 112-122. DOI= http://doi.acm.org/10.1145/1368506.1368521
82

Vincent Garramone and Daniel Likarish
Schweitzer, D. and Boleng, J. (2009) “Designing web labs for teaching security concepts”, J. Comput. Small Coll.,
Vol. 25, No. 2, pp 39-45.
Shoemaker, D., Drommi, A., Ingalsbe, J.A., and Mead, N.R. (2007) “A comparison of the software assurance
common body of knowledge to common curricular standards”, Software Engineering Education & Training,
2007, pp 149-156.
Theoharidou, M. and Gritzalis, D. (2007) “Common body of knowledge for information security”, Security &
Privacy, IEEE, Vol. 5, No. 2, pp 64-67. DOI=10.1109/MSP.2007.32
Troell, L., Pan, Y., and Stackpole, B. (2003) “Forensic course development”, In Proceedings of the 4th
Conference on information Technology Curriculum, 16-18 October, ACM, New York, NY, pp 265-269.
DOI=http://doi.acm.org/10.1145/947121.947180
Troell, L., Pan, Y., and Stackpole, B. (2004) “Forensic course development: one year later”, In Proceedings of the
5th Conference on information Technology Education, 28-30 October, ACM, New York, NY, pp 50-55.
DOI=http://doi.acm.org/10.1145/1029533.1029547
Wassenaar, D., Woo, D., and Wu, P. (2009) “A certificate program in computer forensics”, J. Comput. Small Coll.,
Vol. 24, No. 4, pp 158-167.
Weibel, S., Kunze, J., Lagoze, C. and Wolf, M. (1998) “Dublin Core Metadata for Resource Discovery”, RFC
Editor. US
Yen, P., Yang, C., and Ahn, T. (2009) “Design and implementation of a live-analysis digital forensic system”, In
Proceedings of the 2009 international Conference on Hybrid information Technology, 27-29 August, Vol.
321, ACM, New York, NY, pp 239-243. DOI=http://doi.acm.org/10.1145/1644993.1645038
83

Using Dynamic Addressing for a Moving Target Defense
Stephen Groat, Matthew Dunlop, Randy Marchany and Joseph Tront
Virginia Polytechnic Institute and State University, Blacksburg, USA
sgroat@vt.edu
dunlop@vt.edu
marchany@vt.edu
jgtront@vt.edu
Abstract: Static network addressing allows for attackers to geographically track hosts and launch network
attacks. While technologies such as DHCP claim dynamic addressing, the majority of network addresses
currently deployed are static for at least a session. Dynamic addresses, changing multiple times within a session,
disassociate a user with a static address. This disassociation is important since a static address can be used to
identify a host and makes targeting the host for attack feasible. We propose using dynamic addressing, in which
hosts’ addresses change multiple times per session, to create a moving target defense. Analyzing the primary
factors which contribute to the security of dynamic addressing, we statistically evaluate the validity of this
technique as a network defense. We then identify the optimal characteristics of a network-layer moving target
defense that uses dynamic addressing.
Keywords: moving target defense, network address security, privacy, dynamic addressing
1. Introduction
As computers and networks become embedded in critical services throughout society, the privacy and
security implications of fixed network addresses expose users to tracking and attack. Specifically, at
the link layer, Media Access Control (MAC) addresses associated with a network interface are
susceptible to flooding and spoofing attacks. At the network layer, Internet Protocol (IP) addresses
are susceptible to spoofing, tracking, and targeting. Both the MAC and IP addresses of servers and
other host machines are usually static to allow for clients to successfully communicate. These static
addresses often leave servers vulnerable to attack because these fixed addresses are easy targets to
locate. If the host is compromised, an attacker can create a denial of service (DoS) attack on the
server which affects all attached clients. Another concern is mobile hosts whose non-changing
network addresses can be geotemporally tracked, compromising user's privacy.
We explore the variables that impact how effectively dynamic IP addressing protects hosts and the
impact these variables have on each other. One variable is the number of dynamic bits in the
address, or bits available to change. The fewer dynamic bits, the more likely an attacker can use brute
force techniques to correlate addresses. Another variable is the frequency of the address change. An
address with fewer dynamic bits needs to change more often to avoid identification. No temporary
address can remain static for too long without risking data correlation. A third variable to consider is
the population density of the address space or subnet. A sparsely populated subnet would make
address identification easier for the attacker since fewer addresses are in use. Alternatively, a densely
populated subnet would make address identification considerably more challenging due to the
additional hosts creating traffic on the network. Although it is easy to simply maximize all the
variables, computational overhead prevents this. Minimizing computational expense is particularly
important for power-constrained devices.
To combat the security and privacy concerns of non-changing addressing, we analyze how dynamic
network addressing would increase security, privacy, and reliability. Dynamic addressing refers to
addresses in which some or all of the address non-deterministically changes, possibly even midsession.
Dynamic addressing prevents would-be attackers from tracking users over time and as they
move through different networks, because the changing addresses cannot be correlated to a single
user. Dynamic addressing also protects against traffic correlation by network sniffing attacks because
of the difficulty of associating a user with a changing address. Dynamic addressing provides
additional security by creating a moving target defense at the network layer that prevents attackers
from targeting specific machines. The increased security offered by dynamic network addressing
protects privacy and data for network users.
To analyze the use of dynamic addresses in creating a moving target defense, the remainder of the
paper is organized as follows. Static addresses and their associated security risks are discussed in
Section 2. Related work is surveyed in Section 3, focused on analyzing the need for address privacy.
84

Stephen Groat et al.
Sections 4 and 5 analyze the different factors which affect the security of a dynamic address and how
these factors affect each other. Section 6 uses statistical simulation results to validate our security
analysis of dynamic addressing factors. In Section 7, we discuss specific security advantages offered
by dynamic addresses. Future work planned to demonstrate a dynamic addressing approach is
discussed in Section 8 and we conclude in Section 9.
2. Problem
Static addresses are necessary to allow users to repeatedly find resources. Without providing a
notification of an address change, users must have a single, static identifier to locate resources. For
example, IP addresses, whether static or dynamic, are often connected with Domain Name System
(DNS) names. DNS names are updated with the current IP address to facilitate location of resources
on the Internet with an easily recognizable value. Without a static value connected to networked
resources, whether DNS names or IP addresses, users would be unable to find the resources. Even
Dynamic Host Configuration Protocol (DHCP) leased addresses, which are widely assumed to be
dynamic, rarely change.
While static addressing is critical to assist users in finding resources, static addresses allow malicious
users to easily locate targets for attack. For example, DNS names and IP addresses are publically
available static addresses. These vectors allow attackers to easily conduct scans to locate target
hosts. Once a target is located, the attacker can focus on the target found and assume that the
target’s static identifier will not change. An attacker is able to make this assumption since identifier
changes would interrupt service for valid users. To ensure the reliability and security of service, critical
services must deploy some sort of moving target defense that changes static identifiers while allowing
continuity of service for trusted users.
3. Related work
The need for an anonymous network address to maintain security and privacy has been explored.
Reiter and Rubin (1999) developed a scheme, called Crowds, to maintain IP address anonymity from
web sites. The protocol uses other computers surfing the web to funnel web requests through. The
effect is to create a crowd of users browsing web servers to hide web requests. Johnson et al. (2007)
identified the need to anonymize addresses and built a trust model into Tor networks called Nymble.
Nymble hides clients' IP addresses from servers. Shields et al. (2000) created another anonymity
protocol named Hordes. Hordes’ focus is on creating a secure system that does not decrease network
performance. All of these approaches focus on hiding the publicly available addresses by using
complex support networks. We analyze the vectors that static address create for tracking and attack
and recommend anonymizing the host address, which none of these three protocols addresses.
Koukis et al. (2006) uses web site signatures and fingerprinting to determine host addresses in
anonymized IP logs. This method is ineffective for tracking dynamic hosts, further demonstrating the
potential security and privacy advantages of dynamic addresses.
A number of researchers have focused on the potential dangers resulting from network address
tracking in the Internet Protocol version 6 (IPv6). Dunlop et al. (2011) identified the dangers posed by
auto-configured addresses in IPv6 and presented a taxonomy of methods to obscure addresses.
Narten, Draves, and Krishnan (2007) also identified a privacy concern with IPv6 addresses and
proposed a potential solution called privacy extensions. Privacy extensions can create new addresses
for users each time they connect to a subnet. Bagnulo and Arkko (2006) also proposed a solution
aimed at protecting IPv6 addresses. Their approach, called Cryptographically Generated Addresses
(CGAs), uses a self-generated public key to obscure an address for each subnet. Neither privacy
extensions nor CGAs dynamically obscure addresses and addresses remain the same until the user
terminates the session. Even though the addresses are obscured, they typically remain static long
enough for a malicious third party to gather information about the user.
While we have discovered no other academic work considering the security and privacy effects of
addressing, two patents attempt to utilize dynamic addressing for security. A technique by Sheymov
(2010) is designed with the goal of dynamic obscuration. Sheymov's objective behind dynamic
obscuration is to provide intrusion protection from certain classes of network attacks. While
Sheymov’s method uses dynamic addressing, it relies on an Intrusion Detection System to trigger
address changes. We analyze consistent dynamic address changes that require no additional
systems to support. Fink et al. (2006) also propose a technique for dynamically obscuring host
addresses called Adaptive Self-Synchronized Dynamic Address Translation (ASD). ASD uses
85

Stephen Groat et al.
symmetric keys established through a handshake process between a trusted sender and receiver
enclave. This technique adds additional overhead due to repetition of the handshake process. A
dynamic addressing technique must minimize overhead to be feasible for implementation. We analyze
the factors that contribute to creating an effective dynamic addressing technique with the goal of
determining the most efficient approach.
4. Analysis of dynamic address factors
There are three factors that contribute to an attacker’s ability to detect a target host on a subnet. The
first factor is the number of dynamic bits in the address, which affects the size of the subnet. In a
small address space, it is trivial for an attacker to check each address. The second factor is how often
a target host’s address changes. If the address remains static, an attacker has as much time as
necessary to locate the host. The third factor is the density of the address space, or the number of
other hosts on an IP subnet. If an attacker does not know the target host’s address on a subnet,
multiple other addresses will make identifying the target more difficult.
For the purpose of our analysis, we investigate an attacker actively scanning an IP subnet with
unicast addresses to identify a single targeted host. There are other methods an attacker can use to
detect target hosts on a network. One such technique is a broadcast ping, allowed by IPv4. Many
gateway devices block broadcast pings. Another method is to passively scan a subnet with a packet
sniffer. This method has scope limitations as the attacker must have a presence on the same subnet
as the target host. A unicast scan is more likely since there are multiple methods of scans that avoid
common security measures implemented on networks.
4.1 Size of address
The larger the address space, the more time it takes an attacker, on average, to locate the target
address on an IP subnet. Table 1 illustrates this by comparing subnets of various sizes. In the table,
we use the three most common Internet Protocol version 4 (IPv4) classful address blocks as
examples. We also compare the typical subnet size used in IPv6. Scanning an entire class C address
space is trivial and can be accomplished in less than a minute while scanning an entire IPv6 subnet is
currently infeasible.
Table 1: Comparison of addresses of various sizes, the scan time is based on a sequential scan with
a 150 millisecond average round trip time for a single packet (GLORIAD 2010)
Address Type Address Size (bits) Address Size (hosts) Scan Time
IPv4 Class C Subnet 8 256 38 sec
IPv4 Class B Subnet 16 65,536 3 hrs
IPv4 Class A Subnet 24 16,777,200 29 days
IPv6 Subnet 64 1.845·10 19
8.77·10 10 yrs
So far we have mentioned the time it takes an attacker to scan the various address types in Table 1,
however, this is the time it takes an attacker to scan the entire address space. The expected amount
of time to locate a host is much less due to a paradox known as the birthday attack (Schneier 1996).
According to the birthday attack, an attacker can expect to locate a target host in attempts where
m is the number of bits in the address. What this means is that an attacker can expect to locate a host
on a class C subnet in 2.4 seconds, a class B subnet in 38 seconds, and a class A subnet in 10
minutes. A host on an IPv6 subnet can still expect to escape detection for over 73,500 years. No IPv4
host that is not defending against active scanning can have any expectation of remaining hidden for a
reasonable amount of time.
4.2 Frequency of address change
The more frequently an address changes, the more difficult it is, on average, for an attacker to
successfully locate and target a specific address. This is particularly true if the address changes more
rapidly than an attacker can scan the subnet. As mentioned in Section 4.1, a larger address space
takes longer to scan. It follows that addresses on a larger subnet need to change less frequently. To
understand the relationship between changing and non-changing addresses, we analyze the number
of attempts it takes an attacker to locate a static address on a subnet. Since the address is static, the
probability of an attacker guessing the address increases with each subsequent guess. This
86

Stephen Groat et al.
probability follows a hypergeometric distribution. In the case of locating specific hosts on a subnet, the
probability can be written as:
where N represents the total possible addresses in the subnet, h represents the target host(s), and r
represents the number of guesses an attacker takes in an attempt to find the target address(es).
The best case for the target host is if its address changes at the same rate that an attacker scans a
single address. To provide the fairest assessment, we assume a scenario where the attacker is aware
of the target host changing his/her address. As a result, the attacker randomizes his/her address
guesses, allowing for repetition of addresses. This is in contrarst to the normal approach where an
attacker exhaustively scans a subnet without repetition. The probability of detecting the target host
using an exhaustive search is slightly lower due to the possibility of a host address changing to a
previously guessed address. In the attacker-aware scenario, the probability of detecting the target
host remains the same with each subsequent guess and follows a cumulative binomial distribution as
shown in Equation 2
where N again represents the total possible addresses in the subnet and r represents the attempt
during which detections occurs. Figure 1 depicts the difference between the probabilities of a static
address versus a changing address that follows a binomial distribution. A subnet of size 256 hosts is
used as an example for this figure.
Figure 1: The probability an attacker has of detecting a target address within r attempts, the solid line
represents the probability given a static address while the dotted line represents the
probability if the address is changed at the same rate it is scanned
87
(1)
(2)

Stephen Groat et al.
It is unlikely, however, that a target address will change at the same rate an attacker scans a subnet.
A target host can decrease the probability of detection compared to a static address by changing its
address more frequently than the time it takes an attacker to scan the entire subnet. In this scenario,
we assume the attacker knows the frequency of the address changes. We make this assumption to
provide the attacker with the highest probability of target detection, and thus demonstrate the worstcase
scenario for the target host. In this scenario, the probability of detecting a target address follows
Equation 1 until the address changes. After the address changes, Equation 1 resets to r=1. If we
classify each address change as a round, the probability of detection on round z can be written as:
Figure 2 also utilizes a subnet of 256 addresses. The plot illustrates the difference between a static
address and addresses that changes after an attacker scans r addresses. The address that changes
every round (r=1) follows a binomial distribution. The figure demonstrates that as the frequency of
change approaches the time it takes an attacker to scan a single address, Equation 3 converges to
Equation 2. Alternatively, as the attacker is able to scan more of the address space between address
changes, Equation 3 converges to Equation 1.
Figure 2: The probability an attacker has of detecting a static target address within 256 attempts
versus the probability of detecting an address that changes after an attacker scans r
addresses over z rounds
4.3 Density of address space
The more sparsely populated the address space is, the more difficult it is for an attacker to pinpoint
the target host. The reason for this is that the attacker does not know the address of the target host. If
the attacker knew the address, he/she would not need to scan the subnet. Assuming the attacker has
no additional information pertaining to the identity of a host (e.g., operating system), a successful
scan reply provides no indication of success.
The probability of detecting a host increases with the number of hosts on a subnet. The probability of
detecting a host can be calculated using Equation 1. In Section 4.2, h=1 to represent a single target
88
(3)

Stephen Groat et al.
host. In this case, h is equal to the number of total hosts on the subnet. As already mentioned,
successful detection does not indicate that the host detected is the target host.
This factor degrades an attacker’s capability of detecting a target host. In the single host scenario
discussed in Section 4.2, locating a target takes time. Once the target is located, though, the attacker
knows he/she has identified the target host because there are no other hosts on the subnet. With
multiple hosts on the subnet, an attacker will get false positives. By false positive, we mean indication
of success is received by the attacker when the located host is not the target. The false positive rate
increases with the number of non-target hosts on the subnet. Unlike a password attack where
success provides an attacker access to a machine, a successful scan reply tells the attacker little
about whether the discovered host is the target host. Even in the case of multiple discovered hosts,
the attacker does not know which host is the target. Of course, with additional information, such as
operating system or protocol, the attacker can filter out hosts not matching a certain profile.
5. Interaction of dynamic address factors
The three factors described in Section 4 are not independent. As certain factors increase, other
factors can decrease while still maintaining the same overall probability of detection. For example,
there is a relationship between address size and frequency of address change. There is also a
relationship between subnet density and frequency of address change.
Increasing the size of the address allows for the frequency of the address change to decrease without
degrading security. As the size of the address increases linearly, the size of the address space
increases exponentially. The increased address space requires more time and resources from an
attacker to exhaustively scan. Beyond a certain address size, an attacker cannot exhaustedly scan
the exponentially growing network quickly. Therefore, it is possible for the host to decrease the
frequency of the address change without increasing the probability it will be detected. Since each
address change requires computation on the part of the host, decreasing the frequency of address
change is desirable. A larger address space can result in less computational requirements with the
same probability of detection as that of a smaller address space with more frequent address changes.
Density of address space also affects frequency of address change. As the density of the address
space increases, the probability of correlating an address with a specific host decreases. The
increased density occurs because more hosts populate the subnet. As mentioned in Section 4.3, a
dense subnet results in a higher probability of an attacker detecting a host that is a false positive.
Therefore, a targeted host can use the dense network to lower the probability of being detected.
Density in the address space also has an inverse correlation to the possibility of address collisions. By
address collision, we mean that a host changes its address to a pre-existing address on the subnet.
Since each host must have a globally unique address to ensure connectivity, address collisions must
be avoided on the subnet. Repeated address collisions could prevent a host from sending or receiving
network traffic, thus decreasing throughput and Quality of Service (QoS). While increased density in
the address space provides a host with a lower probability of detection, address space density must
be balanced with the probability of address collisions to ensure network connectivity.
Address size inversely correlates with the probability of address collisions. It is desirable to have a
subnet populated by multiple hosts to increase the probability of an attacker finding a false positive.
By increasing the address size, the address space increases. A larger address space allows for more
hosts on the subnet without overpopulating the subnet. This means that a larger subnet can be less
densely populated. The result is that a detected host still has the same probability of being a false
positive while a host changing its address has a lower probability of an address collision.
6. Simulation results
To validate our analysis of changing addresses in Section 4.2, we simulated four different rates for
addresses to change. The rates simulated were a static address (never changes) and addresses that
changed after an attacker scanned 64 addresses (r=64), eight addresses (r=8), and one address
(r=1). The simulation results are listed in Table 2. The table highlights four search intervals. The four
intervals are 64, 128, 192, and 256 guesses. For each interval, a simulated attacker attempted to
locate a target host with an 8-bit host address within the specified interval. Each interval was
simulated for 100,000 iterations. The probability displayed is the average over the 100,000 iterations.
The probabilities produced, match the calculated probabilities at each interval depicted in Figure 2.
89

Stephen Groat et al.
Table 2: Probability conducted in simulation of detecting a target host with an 8-bit address within 64,
128, 192, and 256 guesses, each listed probability is the average over 100,000 iterations
Probability of detection within:
64 guesses 128 guesses 192 guesses 256 guesses
Static Address 0.249 0.503 0.748 1
0.248 0.435 0.578 0.682
Changing Address (r64)
Changing Address (r8)
Changing Address (r1)
7. Security through dynamic addressing
0.225 0.398 0.533 0.637
0.222 0.393 0.528 0.632
Establishing a moving target defense is an effective way of protecting users’ privacy and data.
Changing hosts’ addresses, referred to as dynamic addressing, enhances security. If target
addresses continually change, an attacker loses the expectation of narrowing the search space with
successive guesses. If the attacker is able to locate a targeted host, a dynamically changing host
address limits the time an attacker has access to the host. Since the discovered address changes, the
attacker no longer knows the host’s location on the network. Additionally, the nature of dynamic
addressing prevents other types of targeted attacks, which rely on static addressing.
Changing the addresses of hosts allows them to logically move within the address space or subnet.
As illustrated in Figure 2, the more often an address changes, the more difficult it is to locate and
target the host. A changing address, combined with other factors such as address size and subnet
density, creates a moving target defense. A large address space supporting many hosts is sparsely
populated making it difficult for an attacker to pinpoint a specific target host. Other network hosts
result in false positives for an attacker while unoccupied address spaces reduces the possibility of
address collisions. The incorporation of dynamic addressing considerably reduces the probability of
detecting a target host while still maintaining connectivity.
Dynamic addressing also protects against certain classes of network attacks. For example, an
attacker attempting a targeted DoS attack first has to find the target host on the subnet. Even if the
attacker finds the host, the attack is limited by the interval between address changes. Other targeted
network attacks, such as session hijacking and man-in-the-middle, are constrained by the same
limitations as DoS attacks. To attack dynamically addressed hosts, an attacker must be able to either
quickly find the host after an address change or predict the address change. If a sufficiently
randomized dynamic address obscuration algorithm is utilized, targeting hosts in a large address
space should not be possible.
Providing security at the network layer also provides transitive security against attacks and exploits at
layers above the network layer since many other attacks rely on network transmissions. The majority
of application layer security flaws are exploited by either taking control of a system or transferring
sensitive information back to an attacker. By securing the network layer, even if an attacker is able to
identify a valid vector of attack on an application, the window for attack is limited by the frequency of
the address change. Once the address changes, the attacker loses any existing vector to control the
remote host. The attacker must then locate the host to reestablish the connection.
8. Future work
The next phase of our research works to develop a sufficiently randomized algorithm for dynamically
obscuring IP addresses. Our goal is to produce an approach that dynamically changes IP addresses
multiple times within a single session. By changing addresses multiple times within a single session,
an attacker will have more difficulty locating target hosts. Even if an attacker locates the host,
90

Stephen Groat et al.
changing addresses multiple times within a session prevents the attacker from capturing enough
network traffic to correlate the nature of a communication between two hosts.
Our particular approach leverages IPv6. As eluded to in Section 4.1, current methods for locating a
target address in an IPv6 subnet are infeasible in a reasonable amount of time. The immense IPv6
address space will also likely be sparsely populated. As discussed in Section 4.3, locating any host in
a sparsely populated address space is probabilistically difficult. In addition to the difficulty of locating
hosts in a sparsely populated subnet, hosts using a dynamic addressing scheme can reasonably
expect not to collide with occupied addresses when rotating their addresses. In order to achieve a
reasonable dynamic addressing algorithm in IPv4, hosts would have to draw from a pool of unused
addresses. Reserving pools of addresses are more difficult with the depletion of the IPv4 address
space (NRO 2010). Additionally, an IPv4 pool of addresses, regardless of how large, would be almost
trivial for an attacker to scan. To achieve a sufficiently randomized dynamic addressing algorithm, we
plan to repeatedly use a cryptographic hash function to obscure the 64-bit interface identifier that
makes up the subnet portion of an IPv6 address. By using a cryptographic hash function, malicious
hosts cannot feasibly predict the dynamic address (Schneier 1996). Since hosts in IPv6 can generate
and advertise their own addresses (Thomson, Narten & Jinmei 2007), obscuration is kept local.
Localizing obscuration reduces the possibility of a malicious host performing any type of address
hijacking or man-in-the-middle attack. It also reduced the computational overhead that address
generation servers would incur.
9. Conclusion
As users exchange more personally identifiable information over the Internet, it is increasingly
important to protect users’ security and privacy. One of the best ways to accomplish this is through
the use of a moving target defense. At the network layer, this can be achieved by dynamically
changing host IP addresses. Frequently changing addresses are probabilistically more difficult to
detect than static addresses. Dynamic addresses also provide an additional layer of security for hosts
that are detected by an attacker. An attacker is unable to compromise hosts for a significant period of
time since the hosts’ network address changes. Dynamically changing addresses provide security and
privacy by creating a moving target solution implementable as low as the network layer of the protocol
stack.
References
Bagnulo, M., & Arkko, J. October 2006. Cryptographically Generated Addresses (CGA) Extension Field Format.
RFC 4581 (Proposed Standard).
Dunlop, M., Groat, S., Marchany, R., & Tront, J., 23-28 January 2011. ‘IPv6: Now You See Me, Now You Don't’,
Proceedings of the Tenth International Conference on Networks (ICN 2011), St. Maarten, The Netherlands
Antilles.
Fink, R. A., Brannigan, M. A., Evans, S. A., Almeida, A. M., & Ferguson, S. A. 9 May 2006. Method and
Apparatus for Providing Adaptive Self-Synchronized Dynamic Address Translation, United States Patent
No. US 7,043,633 B1.
GLORIAD. 2010. GLORIAD Average Round Trip Time - Last Week. [Online] Available
http://www.gloriad.org/gloriad/monitor/stats/avg_round_trip_time.week.html. [11 October, 2010].
Johnson, P. C., Kapadia, A., Tsang, P. P., & Smith, S. W. 2007. ‘Nymble: Anonymous IP-Address Blocking’,
Privacy Enhancing Technologies Symposium (PET '07), Ottawa, Canada, pp.113-133.
Koukis, D., Antonatos, S., & Anagnostakis, K. 2006. On the Privacy Risks of Publishing Anonymized IP Network
Traces. Communications and Multimedia Security, 4237: 22-32.
Narten T., Draves, R., & Krishnan, S. September 2007. Privacy Extensions for Stateless Address
Autoconfiguration in IPv6. RFC 4941 (Draft Standard).
NRO. 2010. Remaining IPv4 address space drops below 5%. [Online] Available http://www.nro.net/
media/remaining-ipv4-address-below-5.html, [7 November, 2010].
Reiter, M., & Rubin, A. ‘Anonymous Web Transactions with Crowds’, Communications of the ACM, vol. 42, no. 2,
pp. 32-48.
Schneier, B. 1996. Applied Cryptography: Protocols, Algorithms, and Source Code in C. (2 nd Edition. New York:
Wiley.
Sheymov, V. I. 18 February, 2010. Method and Communications and Communication Network Intrusion
Protection Methods and Intrusion Attempt Detection System, United States Patent No. US 2010/0042513
A1.
Shields, C., & Levine, B. N. 2000. ‘A protocol for anonymous communication over the Internet’, Proceedings of
the 7th ACM conference on Computer and communications security, Athens, Greece, pp. 33-42.
Thomson, S., Narten T., & Jinmei, T. September 2007. IPv6 Stateless Address Autoconfiguration. RFC 4862
(Draft Standard).
91

Changing the Face of Cyber Warfare with International
Cyber Defense Collaboration
Marthie Grobler 1 , Joey Jansen van Vuuren 1 and Jannie Zaaiman 2
1
Council for Scientific and Industrial Research, Pretoria, South Africa
2
University of Venda, South Africa
mgrobler1@csir.co.za
jjvvuuren@csir.co.za
jannie.zaaiman@univen.ac.za
Abstract: The international scope of the internet and global reach of technological usage requires the South
African legislative system to address issues related to the application and implementation of international
legislation. However, legislation in cyberspace is rather complex since the technological revolution and dynamic
technological innovations are often not well suited to any legal system. A further complication is the lack of
comprehensive international cyber defense cooperation treaties. The result is that many countries are not
properly prepared, nor adequately protected by legislation, in the event of a cyber attack on a national level. This
article will address the international cyber defense collaboration problem by looking at the impact of technological
revolution on warfare. Thereafter, the article will evaluate the South African legal system with regard to
international cyber defense collaboration. It will also look at the influence of cyber defense on the international
position of the Government, as well as cyber security and cyber warfare acts and the command and control
aspects thereof. The research presented is largely theoretical in nature, focusing on recent events in the public
international domain.
Keywords: collaboration, cyber defense, legislation, government responsibility
1. Introduction
The international scope of the internet and global reach of technological usage requires the South
African legislative system to address issues related to the application and implementation of
international legislation. However, the complexities of cyberspace and the dynamic nature of
technology innovations requires a cyber defense framework that is not well suited to any current legal
system. A further complication is the lack of comprehensive international cyber defense cooperation
treaties, resulting in many countries not being properly prepared, or adequately protected by
legislation, in the event of a cyber attack on a national level.
For the purpose of this article, cyber warfare is defined as the use of exploits in cyber space as a way
to intentionally cause harm to people, assets or economies (Owen 2008). It can further be defined as
the use and management of information in pursuit of a competitive advantage over an opponent,
involving "the collection of tactical information, assurance that one’s own information is valid,
spreading of propaganda or disinformation among the enemy, undermining the quality of opposing
force information and denial of service or of information collection opportunities to opposing forces"
(Williams & Arreymbi 2007).
The article will address some of the aspects related to changing the face of cyber warfare, focusing
specifically on international cyber defense collaboration. It will look at some international technological
revolutions that had an impact on the international legal scope and briefly evaluate the South African
legal system with regard to international cyber defense collaboration. The article will also address
international cyber warfare and the influence of cyber defense on the international position of the
Government. The article will conclude with recommendations on working towards international cyber
defense collaboration.
2. Technological revolutions' impact on warfare
Modern society created both a direct and indirect dependence on information technology, with a
strong reliance on immediacy, access and connections (Williams & Arreymbi 2007). As a result, a
compromise of the confidentiality, availability or integrity of the technological systems could have
dramatic consequences regardless of whether it is the temporary interruption of connectivity, or a
longer-term disruption caused by a cyber attack (Warren 2008).
Battlespace, as implied by military use and warfare, is becoming increasingly difficult to define since
advances in technology revolutionized the act of war. "Today, cyber attacks can target political
92

Marthie Grobler et al.
leadership, military systems, and average citizens anywhere in the world, during peacetime or war,
with the added benefit of attacker anonymity. The nature of a national security threat has not
changed, but the Internet has provided a new delivery mechanism that can increase the speed,
diffusion, and power of an attack." (Geers ND). Although the physical destruction of the internet
infrastructure as a result of cyber warfare is unlikely, a number of technological exploits can be
employed as part of a cyber warfare attack aimed at financial loss. These exploits include:
Probes - an attempt to gain access to a system;
Scans - many probes done using an automated tool;
Account compromise - hacking, or the unauthorized use of a computer account;
Root compromise - compromise of an account with system administration privileges;
Packet sniffing - capturing data from information as it travels over a network;
Denial of service (DoS) attacks - deliberate consuming of system resources to deny; and
Malicious programs and malware - hidden programs that causes unexpected, undesired results
on a system (Owen 2008).
Technological revolutions in computers and electronics make major advances in weapons and
warfare possible. It also extends to areas such as information processing and networks,
communications, robotics and advanced munitions (O'Hanlon 2000). Technological revolutions enable
countries to prepare offensive and defensive strategies in cyber space.
3. Evaluating the South African legal system with regard to international cyber
defense collaboration
From recent activity, it is clear that both the South African Government, the defense environment and
the business environment are becoming increasingly aware of the threats and implications enabled by
the use of the cyber environment. It is also clear that the threats are becoming more sophisticated
and advanced when used as an element of cyber warfare and cyber crime.
The internet is increasingly becoming more volatile and insecure. In fact, cyber terrorists have the
capability to shut down South Africa’s power, disrupt financial transactions, and commit crimes to
finance their physical operations. Organized crime is also increasingly making use of the internet as a
means of communication and financial gain. Therefore, South Africa needs a national cyber defense
system to which everybody must obey.
3.1 The South African legal system
Over the past decade, South Africa has taken the first steps to protect its information. It has passed
legislation starting with the South African Constitution of 1996, which protects privacy, and the ECT
(Electronic Communications and Transactions) Act of 2002, which provides for the facilitation and
regulation of electronic communications and transactions (ECT 2002).
In 2000, the PAIA (Promotion of Access to Information Act) No 2 as amended, was passed to give
effect to Section 32 of the Constitution, subject to justifiable limitations (PAIA Act 2000). These
limitations are aimed at the reasonable protection of privacy, commercial confidentiality and good
governance in a manner that balances the right of access to information with any other rights,
including the rights in the Bill of Rights in Chapter 2 of the Constitution (SA Constitution 1996). Linked
to this Act is the PAIA Reg 187 Regulations regarding the promotion of information of access to
information (Government Gazette 2003).
In 2002, the RIC (Regulation of Interception of Communications and Provision of Communicationrelated
information) Act was passed to regulate the interception of certain communications, the
monitoring of certain signals and radio frequency spectrums and the provision of certain
communication-related information. This Act also regulates the making of applications for, and the
issuing of, directions authorizing the interception of communications and the provision of
communication-related information under certain circumstances (RIC Act 2002).
Towards the end of 2009, the South African Government passed two bills, namely the:
93

Marthie Grobler et al.
PPI (Protection of Personal Information) Bill that introduces brand new legislation to ensure that
the personal information of individuals is protected, regardless of whether it is processed by public
or private bodies (Giles 2010).
Information Bill that is meant to replace an existing piece of legislation, the Protection of
Information Act of 1982. It deals with the protection of State information and empowers the
government to classify certain information in order to protect the national interest from suspected
espionage and other hostile activities (Republic of South Africa 2010).
Playing an important role in the South African legal system is international standards. ISO/IEC 27002
is an information security standard published by the International Organization for Standardization
(ISO) and the International Electrotechnical Commission (IEC), originally published as ISO/IEC
17799:2005. It is entitled Information technology - Security techniques - Code of practice for
information security management. This standard has been accepted by and adopted in South Africa
(International Standards Organization 2008).
South Africa has also adopted the Council of Europe Cyber Crime Treaty in Budapest in 2001 but has
not ratified it yet. The treaty contains important provisions to assist law enforcement in their fight
against transborder cyber crime. Therefore, it is imperative that South Africa ratifies the cyber crime
treaty to avoid becoming an easy target for international cyber crime. The ratification will hopefully be
done soon, although the South African government seems to be presently focused on basic service
delivery and more traditional crimes given the current local crime situation. However, steps to
establish the Computer Security Incident Response Team (CSIRT) indicate that the aim to tackle
cybercrime is gathering momentum.
3.2 The South African position on international cyber defense collaboration
In February 2010, South Africa published a draft Cyber security policy that would set a framework for
the creation of relevant structures, boost international cooperation, build national capacity and
promote compliance with appropriate cyber crime standards. Over the last five years, South Africa
focused on modernizing and expanding information technology equipment, applications, and
centralized hosting capabilities and network infrastructure. This was done as part of its strategy to
fully modernize and integrate the national criminal justice system to the maximum benefit of society
and at minimum cost to crime prevention agencies. This policy has not been adopted, but provides a
first step from South Africa towards international cyber defense collaboration.
During a more recent attempt to international cyber defense collaboration, South Africa participated in
the 12 th United Nations Congress on Crime Prevention and Criminal Justice in Salvador, Brazil during
April 2010. During this congress, delegates considered the best possible responses to cyber crime as
the Congress Committee took up the dark side of advances in Information Technology. While
advances in information technology held many benefits for society, its dark underside (computerbased
fraud and forgery, illegal interception of private communications, interference with data and
misuse of electronic devices) requires States to develop an organized, international response.
Speakers at the congress remained undecided about the nature of the required response, with
supporters of the Council of Europe’s Budapest Convention on crime suggesting an expansion of the
treaty, and others suggestion new multilateral negotiations (UN Information Officer 2010).
In general, governments are having a tough time keeping pace, and their responses to cyber crime is
sadly lacking. In many countries, cyber crime damage economies and State credibility and further
impede national development. Cooperation in stamping cyber crime and protecting countries against
cyber warfare is vital at all levels of defense, law enforcement, the judiciary and the private sector.
According to Markoff (2010), a group of cyber security specialists and diplomats, representing 15
countries (including South Africa) has agreed on a set of recommendations to the United Nations'
Secretary General for negotiations on an international computer security treaty. In recent years, an
explosion in cyber crime has been accompanied by an arms race in cyber weapons, as dozens of
nations have begun to view computer networks as arenas for espionage and warfare. The
recommendations to the United Nations from the specialists and diplomats reflect an effort to find
ways to address the dangers of the anonymous nature of the Internet, as in the case of the object of a
cyber attack misconstruing the identity of the attacker. Among the troubling issues is the existence of
proxies. The report also suggests that “the same laws that apply to the use of kinetic weapons should
94

Marthie Grobler et al.
apply to state behavior in cyber space.” (Markoff 2010). The report recommends five steps to improve
international cyber cooperation and security:
Having more discussions about the ways different nations view and protect their computer
networks, including the Internet;
Discussing the use of computer and communications technologies during warfare;
Sharing national approaches on legislation about computer security;
Finding ways to improve the Internet capacity of less developed countries; and
Negotiating to establish common terminology to improve the communications about computer
networks (Markoff 2010).
The signers of the report are major cyber powers and of other nations: the United States, Belarus,
Brazil, Britain, China, Estonia, France, Germany, India, Israel, Italy, Qatar, Russia, South Africa and
South Korea. From a legal perspective, a number of concerns can be identified, such as:
Lack of collaboration between industry and the defense environment;
Capacity of the legal fraternity to comprehend the complexity of the cyber environment and to
deliver a verdict based on a thorough understanding of the facts;
Collaboration between countries and the agreements on protocols;
Lack of collaboration between State Departments on cyber warfare and cyber crime;
Lack of collaboration between municipalities, districts, regions and provinces; and
Lack of collaboration between urban and tribal authorities.
Networked computers now control everything, including bank accounts, stock exchanges, power
grids, the defence, the justice system and government. Networked computers also control all health
records and crucial personal data. From a single computer an entire nation can be brought down. The
authors are of the opinion that a series of regional conferences with all stakeholders involved and
sponsored by private sector should be conducted. Significant progress has been made in South
Africa, but commitments are required to draft a comprehensive Charter for South Africa and its unique
situation.
4. International cyber warfare
The North Atlantic Treaty Organization (NATO) is only just beginning to recognize that the Internet
has become a new battleground that also requires a military strategy. To counter such threats, a
group of NATO members established a cyber defense centre in Tallinn. The 30 staffers at the
Cooperative Cyber Defense Centre of Excellence analyze emerging viruses and other threats and
pass on alerts to sponsoring NATO governments. Experts on military, technology, law and science
are wrestling with such questions as: what qualifies as a cyber attack on a NATO member, and so
triggers the obligation of alliance members to rush to its defense; how can the alliance defend itself in
cyber space? Answers to these questions are strikingly different: Washington creates new funds for
cyber defenses; Estonia is aiming to create a nation of citizens alert and wise to online threats (NATO
ND).
The choice of Estonia as the home to NATO’s new cyber war brain trust is not accidental. In 2007,
Estonia suddenly found itself in the midst of cyber attacks. The fact that this happened in Estonia, a
proud digital society, was eye opening. Back in 2007, Estonia’s minister of defense stated that the
attacks cannot be treated as hooliganism, but as an attack against the State. Nevertheless, no troops
crossed Estonia’s borders, and there was nothing that could be regarded as a conventional conflict.
The United States clearly wants to take a military strategy approach. Estonia, on the other hand,
prefers to demilitarize the issue by educating citizens on how to identify risks and promote a culture of
cyber security, starting with schoolchildren. The Estonians have the right idea. A society of savvy
citizens is the best defense (Geers ND).
In response to the cyber attacks on Estonia in 2007 and Georgia, NATO set up a coordinated cyber
defense policy with a quick-reaction cyber team on permanent standby. This, however, has not
stopped the constant attack on NATO computers (Gardner 2009).
95

Marthie Grobler et al.
5. Influence of cyber defense on the international position of Governments
The opinion of international Department of Defense (DOD) officials is that cyber space is a domain
available for warfare, similar to air, space, land, and sea (Wilson 2007). As a result, any cyber attacks
can have either a direct or an indirect influence on the DOD. Accordingly, the DOD needs to consider
the potential effects of an emerging military-technological revolution that will have profound effects on
the way wars are fought. Growing evidence exists that over the next several decades, the military
systems and operations will be superseded by new, far more capable means and methods of warfare
by new or greatly modified military organizations (Krepinevich 2003).
The DOD views information itself as both a weapon and a target in warfare. In addition, it provides the
ability to disseminate persuasive information rapidly in order to directly influence the decision making
of diverse audiences. By incorporating the cyber domain in the cyber defense structure, a number of
new aspects come into play that may have an influence on the manner in which the DOD reacts to
cyber attacks:
New national security policy issues;
Consideration of psychological operations used to affect friendly nations or domestic audiences;
and
Possible accusations against the State of war crimes if offensive military computer operations or
electronic warfare tools severely disrupt critical civilian computer systems, or the systems of noncombatant
nations (Wilson 2007).
An example of the last bullet point: if wrongful acts are committed inside a country, the State can be
held responsible for these acts, since the State is obliged to fulfill the interest of the entire
international community. If a representative of a State organ or a private person acting on the State's
behalf committed an act, the act may be attributed to the State (Article 3 ILC Draft Articles). The
physical location of a computer or hardware used in a cyber attack does not (and should not) allow for
attributing that cyber attack to a particular State. Such an assumption would be greatly unjustified,
since a State does not carry the responsibility for actions of its residents operating hardware located
within its territory.
The State, however, can be held responsible in the light of existing international law doctrine, for a
breach of an international obligation. This obligation relates not to actions but to omissions, i.e. for not
preventing that attack to take place. This interpretation is derived from the wording of Article 14(3) of
the International Law Commission (ILC) Draft Articles, which provides that a State may be held
responsible for the conduct of organs of an insurrectional movement, if such an attribution is
legitimate under international law. The State has therefore an obligation to show best efforts, and to
take all “reasonable and necessary” measures in order to prevent a given incident to happen. The
occurrence of this obligation was best reflected in the International Court of Justice (ICJ) case
concerning the United States diplomatic and consular staff in Teheran. In its decision, the ICJ found
that the overriding of the United States embassy in Teheran does not free Iran from the responsibility
for that incident, although it also cannot be attributed to Iran (Kulesza 2010).
The State is also responsible for providing sufficient international protection from cyber attacks
conducted by its residents from its territory. It is the duty of any State from whose territory an
internationally wrongful act is conducted to cooperate with the victim’s State and to prevent future
similar harmful deeds. If the State itself is not capable of protecting the interests of another sovereign,
it may also not allow for private persons acting from within its territory to inflict damage or create
danger to that the other State while they are protected by its immunity. Under such an interpretation,
Russia’s denial to persecute the perpetrators of the attack against Estonia would constitute an
internationally wrongful act, while Israeli involvement and punishment of the actors behind the Solar
Sunrise attack on United States Airforce databases using the Texas internet provider exonerates
them from any international responsibility (Kulesza 2010).
In this light, it is therefore the obligation of the South African government to launch and support
awareness projects to prevent these attacks from inside its borders. This also includes the
establishment of a CSIRT, as proposed in the draft South African Cyber security policy. Currently,
South Africa is one of only a handful of countries that does not have a running CSIRT, putting South
Africa in a disadvantaged position with regard to cyber attack and defense (FIRST 2009).
96

Marthie Grobler et al.
6. Working towards international cyber defense collaboration
Cyber warfare is an emerging form of warfare not explicitly addressed by existing international law.
While most agree that legal restrictions should apply to cyber warfare, the international community
has yet to reach consensus on how international humanitarian law (IHL) applies to this new form of
conflict (Kelsey 2008). In particular, there is a need for an international consensus on the due
diligence criteria which have to be fulfilled by a State in order to avoid international responsibility for
failing to protecting other sovereigns from cyber attacks conducted from its territory.
Another crucial issue would be to establish the standards for releasing a State from any international
responsibility for not providing due diligence: would the adoption of specific provisions in national
criminal laws be sufficient or would State authorities need to initiate a criminal investigation
effectively? It should also be clarified whether a due diligence standard can be set post factum – after
an attack had already taken place (Kulesza 2010). In South Africa, this is not possible.
A suggested approach to create Nation State responsibility in building a credible cyber system
involves the following steps:
Developing a national strategy and making sure all agencies and major stakeholders follow it;
Establishing a national endorsement body for cyber security;
National coordination mechanism;
Inclusion of all professional communities and private sector, and others in national cyber security
effort; and
Providing necessary resources and institutional changes (Tiirmaa-Klaar 2010).
If all the States internationally can implement their own credible cyber system, cooperation on an
international cyber defense level will be easier to realize. As an initial attempt to enable a more
uniform cyber defense system, the European Commission is planning to impose harsher penalties for
cyber crimes. Large-scale attacks in Estonia and Lithuania in recent years have highlighted the need
for a stronger stance on cyber crime. Estonia, Lithuania, France and the United Kingdom also have
longer sentences for such crime, and the European Commission is looking to harmonize practice
across the member states. United States president Barack Obama has declared cyber crime to be a
priority. In addition to stronger laws, the European Union is looking to set up a system through which
member states can contact each other quickly to notify one another of attacks. That would help to
build a picture of the scope of cyber crime (Geers ND).
7. Conclusion
The Internet has changed almost all aspects of human life, also including the nature of warfare. Every
political and military conflict now has a cyber dimension, whose size and impact are difficult to predict.
"The ubiquitous nature and amplifying power of the Internet mean that future victories in cyber space
could translate into victories on the ground. National critical infrastructures, as they are increasingly
connected to the Internet, will be natural targets during times of war. Therefore, nation-states will
likely feel compelled to invest in cyber warfare as a means of defending their homeland and as a way
to project national power" (Geers ND).
The international scope of the internet and wide reach of technological usage has a tremendous
impact on the nature of war and crimes globally. This article showed the impact of technological
revolutions on warfare, the South African legislative system affecting warfare and cyber war, and the
need for international cyber defense collaboration.
References
ECT Act (Electronic Communications and Transactions Act No 25 of 2002). (2002). Available from:
http://www.acts.co.za/ect_act/ (Accessed 10 October 2010).
FIRST. (2009). FIRST: Teams around the world. Available from: http://www.first.org/members/map/ (Accessed 14
October 2010).
Gardner, F. (2009). Nato's cyber defence warriors. BBC News. Available from: http://news.bbc.co.uk/
2/hi/europe/7851292.stm (Accessed 22 September 2010).
Geers, K. (ND). Cyber Defence. Available from: http://www.vm.ee/?q=en/taxonomy/term/214 (Accessed 22
September 2010).
97

Marthie Grobler et al.
Giles, J. (2010). How will the PPI Bill affect you? Available from: http://www.michalsonsattorneys.com/ how-willthe-ppi-bill-affect-you/2586?gclid=COXtlKz6yKQCFcbD7QodHzHJDg
(Accessed 10 October 2010).
Government Gazette. (2003). Vol. 451 Cape Town 15 January 2003 No. 24250. No. 54 of 2002: Promotion of
Access to Information Amendment Act, 2002.
International Standards Organization. (2008). ISO/IEC 27005: 2005. Information security risk management.
Available from: http://www.iso.org/iso/catalogue_detail?csnumber=50297 (Accessed 10 October 2010).
Kelsey, JTG. (2008). Hacking into International Humanitarian Law: The Principles of Distinction and Neutrality in
the Age of Cyber Warfare. P1427. Available from: http://heinonline.org/HOL/Landing
Page?collection=journals&handle=hein.journals/mlr106&div=64&id=&page= (Accessed 22 September
2010).
Krepinevich, AF. (2003). Keeping pace with the military-technological revolution. Available from:
http://www.issues.org/19.4/updated/krepinevich.pdf (Accessed 22 September 2010).
Kulesza, J. (2010). State responsibility for acts of cyber-terrorism. 5 th GigaNet symposium Vilnius, Lithuania.
Markoff, J. (2010). Step Taken to End Impasse Over Cybersecurity Talks. Available from: http://www.
nytimes.com/2010/07/17/world/17cyber.html?_r=1 (Accessed 8 October 2010).
NATO. (ND). Defending against cyber attacks. Available from: http://www.nato.int/cps/en/natolive/
topics_49193.htm (Accessed 22 September 2010).
O'Hanlon, ME. (2000). Technological change and the future of warfare. Brookings Institution Press: Washington.
Owen, RS. (2008). Infrastructures of Cyber Warfare. Chapter V. In: Janczewski, L. & Colarik, AM. Cyber warfare
and cyber terrorism. Information Science Reference: London.
PAIA Act (Promotion of Access to Information Act No 2 of 2000 as amended). (2000). Available from:
http://www.dfa.gov.za/department/accessinfo_act.pdf (Accessed 10 October 2010).
Republic of South Africa. (2010). Protection of Personal Information Bill. Available from:
http://www.justice.gov.za/legislation/bills/B9-2009_ProtectionOfPersonalInformation.pdf (Accessed 10
October 2010).
RIC Act (Regulation of Interception of Communications and Provision of Communication-related information Act.
(2002). Available from: http://www.acts.co.za/ric_act/whnjs.htm. (Accessed 10 October 2010).
SA Constitution. (1996). Available from: http://www.info.gov.za/documents/constitution/index.htm (Accessed 10
October 2010).
Tiirmaa-Klaar, H. (2010). International Cooperation in Cyber Security: Actors, Levels and Challenges. Cyber
security 2010, Brussels, 22 September 2010 (Conference).
UN Information Officer. (2010). Delegates Consider Best Response to Cybercrime as Congress Committee -
Takes Up Dark Side of Advances in Information Technology. Available from:
http://www.un.org/News/Press/docs/2010/soccp349.doc.htm (Accessed 10 October 2010).
Warren, MJ. (2008). Terrorism and the internet. Chapter VI. In: Janczewski, L. & Colarik, AM. Cyber warfare and
cyber terrorism. Information Science Reference: London.
Williams, G. & Arreymbi, J. (2007). Is cyber tribalism winning online information warfare? ISSE/ SECURE 2007
Securing Electronic Business Processes (2007): 65-72, January 01, 2007.
Wilson, C. (2007). Information Operations, Electronic Warfare and Cyberwar: Capabilities and related policy
issues. CRS report for congress. Available from: www.fas.org/sgp/crs/natsec/ RL31787.pdf (Accessed 17
September 2010).
98

Cyber Strategy and the Law of Armed Conflict
Ulf Haeussler
National Defense University, Washington, USA
ulf.haeussler@ndu.edu
Abstract: At the time of writing, the author was Assistant Legal Advisor Operational Law, Headquarters,
Supreme Allied Commander Transformation (NATO HQ SACT). The views expressed herein are the author's
own and to not necessarily reflect the official position or policy of NATO and/or HQ SACT. Abstract: At its Lisbon
Summit (November 2010), NATO has adopted its Strategic Concept. The U.S. may soon adopt its Cyberstrategy
3.0 (originally expected for December 2010). Both strategy documents will contribute to a growing policy
consensus regarding cyber security and defence as well as provide better policy insights regarding cyber offence.
In doing so, they will contribute to a better understanding of how NATO and the U.S. want to prepare for, and
conduct cyber warfare in a manner congruent with the law of armed conflict. In addition, they will determine to
what extent this branch of the law needs to be better understood, developed, or reformed. Accordingly, this paper
indicates how the existing legal and policy frameworks intersect with practical aspects of cyber warfare and
associated intelligence activities, analyses how the new strategy documents develop and change the existing
policy framework, and what repercussions this may have for the interpretation and application of the law of armed
conflict. It also demonstrates how the new strategy documents inform the policy and legal discourse and hence
help confirm that NATO and U.S. as well as other NATO Nations' cyber activities are, and will continue to be,
lawful and legitimate.
Keywords: NATO Strategic Concept 2010, U.S. Cyberstrategy 3.0, Law of Armed Conflict, collective security,
collective defence
1. Introduction
Cyberspace is increasingly referred to as one of the global commons and as the fifth domain in which
warfare may occur (Lynn 2010, 101). Activities in cyberspace as well as involving the use of cyber
capabilities to create, or contribute to the creation of, effects in any one of the other commons, or
domains, have attracted significant discussion and analysis among technical experts, policymakers,
and legal scholars. The ensuing efforts to develop frameworks for cyberspace and the use of
associated capabilities (hereinafter collectively referred to as 'cyberspace') bring various perspectives
to bear. Cyberspace is multifunctional; it equally attracts private activities (with a strong business
component) and governments' official conduct as well as associated competing, if not conflicting,
interests. Not surprisingly, cyberspace has its unarguable dark side – on both its non-governmental
and its governmental end. The range of challenges and threats associated with the dark side of
cyberspace comprises, but is not limited to, privacy intrusions, financial loss, damage and destruction
in the physical domains, the potential of injury or even death, and (other) adverse effects on the
effectiveness of government. These challenges and threats reflects the large extent to which
computers and other information and communication technology devices can be leveraged as
weapons by non-governmental actors. Further challenges may arise out of policy positions adopted
by some non-governmental actors. For instance, the so-called 'internet pirates' endorse the notion of
a cyberspace beyond any government control whatsoever – a desire which, were it to come true,
might exacerbate all other challenges and threats referred to above.
Attempts to characterise cyber challenges and threats have usually used references to challenges
and threats in the physical domains, to which the word 'cyber' is added as a qualifier, enabling the
creation of catchwords such as cyber crime, cyber terrorism, and cyber attack. The terminology
developed using this method is attractive because it triggers analogies with known phenomena.
However, it is also prone to carrying misleading connotations since such analogies may easily fuel
misconceptions. For instance, the terms 'cyber crime' and 'cyber terrorism' do not capture the whole
range of non-governmental actors' malicious activities; moreover, they do not even attempt to address
possible links between non-governmental actors and their potential governmental sponsors. By
contrast, the term 'cyber attack' is too broad. Thus, information gathering activities may be referred to
as cyber attacks, though they might not necessarily or directly cause tangible damage. The
undifferentiated use of the notion of 'attack' may foster arguments by which a nation's inherent right of
self-defence is considered relevant to cyber activities or actions which neither has nor causes
potential or actual adverse effects. These examples may be indicative of a gap between technological
realities and the terminology used in policymaking as well as legal interpretation.
99

Ulf Haeussler
Following the cyber incident Estonia sustained in 2007 and the probable integration of a cyber line of
operation in the Russian campaign against Georgia in 2008, the discussion and analysis regarding
cyber challenges and threats has gathered new momentum. The recent Stuxnet incident might have
taken this discussion and analysis to a turning point, for many observed that the Rubicon has been
crossed regarding the development of real 'cyber weapons'. NATO's 2010 Strategic Concept and the
expected U.S. Cyberstrategy 3.0 (will) represent a sophisticated approach towards cyber challenges
and threats. As far as collective security and defence are concerned, they (will) confirm that the dark
side of cyber involves more than just economic crime, and that most of its emanations can be
effectively addressed: through the existing mechanisms designed to maintain and restore
international peace and security as well as the principles and rules governing the conduct of
hostilities, on the one hand and the protection of civilians and other individuals in the course of armed
conflict on the other hand. At the same time, they (will) indicate why and how these existing
frameworks support preventive measures and hence enhance the full spectrum of collective cyber
security and defence. As a result, they (will) inform the interpretation and application of both branches
of the law of armed conflict, that is, the legal framework informing decision-making processes on
whether as well as how to use force in international relations or against non-governmental actors.
2. Developing cyber policy consensus regarding collective defence
Like any other legal source, international law, including the law of armed conflict, is rooted in policy
consensus. For the challenges and threats associated with the dark side of the cyberspace to be
captured by the law of armed conflict they must be an integral part of the policy consensus regarding
the relevant international agreements and customary rules. Two basic concepts used by the law of
armed conflict stand out in this respect: the notion of 'armed attack' (cf. Article 51 of the UN Charter,
Article 5 of the North Atlantic Treaty, and Article 7 of the Rio Treaty), triggering the right of individual
and collective self-defence; and the notion of 'attack' (cf. Article 49 of the First Additional Protocol to
the Geneva Conventions), guiding many aspects of the conduct of hostilities within an armed conflict.
These terms of art also reflect the fundamental differentiation within the law of armed conflict between
the principles and rules that govern the legality of the use of force in international relations (jus ad
bellum) and the conduct of hostilities (jus in bello).
Political and military strategies have an important role to play in the process of consensus-building
regarding international law. They reflect how States individually and collectively assess their scope of
action – assuming for this purpose that no State has a genuine desire to consider acting, or to actually
act, deliberately illegal. If this assumption is accepted, then NATO's Strategic Concept 2010 indicates
more than that cyber incidents may trigger its collective security and defence mechanisms. It also
confirms, as a matter of policy consensus, that cyber incidents are capable of amounting to an armed
attack within the coordinates of the law of armed conflict. Likewise, the U.S. Department of Defense's
readiness to coordinate its cyber defence effort across the government, with allies, and with partners
in the commercial sector (cf. Lynn 2010, 103) does not only leverage collective security and defence
as one aspect of the U.S. response to cyber threats. It also indicates that nothing in the law of armed
conflict is considered an obstacle to utilising these mechanisms.
Since an effort at developing consensus among 28 sovereign States will yield a different result than
policy determinations within one sovereign State's government, the development of NATO cyber
defence policy until 2010 will be analysed to identify the Euro-Atlantic common denominator,
denominator which – one would expect – the drafters of U.S. Cyberstrategy 3.0 are fully aware of.
NATO's consensus-building process regarding cyber defence policy started with its Strategic Concept
1999. In this document, NATO observed that 'state and non-state adversaries may try to exploit the
Alliance's growing reliance on information systems through information operations designed to disrupt
such systems' (NATO 1999, paragraph 23). However, only after Estonia had sustained the wellknown
cyber incident did NATO actually adopt a cyber defence policy and started developing
structures and authorities to carry it out (NATO 2008, paragraph 47). Roughly two years after the
cyber incident sustained by Estonia and nearly a year after Russia had possibly integrated a cyber
line of operation in its campaign against Georgia (cf. Gates 2009, 5; Ilves 2010; but see also
Independent International Fact-Finding Mission 2010, Vol II, 217sqq), NATO still conceded that
despite the establishment of its Cyber Defence Management Authority and improvements of the
existing NATO Computer Incident Response Capability (NCIRC), its cyber defence capabilities yet
had to achieve full readiness (NATO 2009, paragraph 49). That notwithstanding, since 2008 NATO
policy couples the notions of protecting key information and communication systems on which the
100

Ulf Haeussler
Alliance and Allies rely with countering – later rephrased as responding to – cyber attacks using its
own cyber defence capabilities as well as leveraging linkages between NATO and national authorities
(NATO 2008, paragraph 47 and NATO 2009, paragraph 49), and – envisaged since 2009 –
appropriate partnerships and cooperation (NATO 2009, ibid.).
NATO policy developed since 1999 is correctly based on the observation that NATO and its Nations
rely significantly on information and communication systems, reliance susceptible to exploitation. It is
worthwhile mentioning that the observation referred to is not a reference to the notion of 'cyber
exploitation' which by definition captures non-destructive information gathering activities which may be
performed by strategic competitors and potential adversaries (Owens et al. 2009, 1). Conversely, in
using the term 'disrupt', NATO’s Strategic Concept 1999 had introduced language which covers both
potential destructive effects of cyber attacks and other adverse effects of the same scale and gravity.
(Note that the term 'to disrupt' is defined as 'to cause disorder in something' (Oxford 1989, 348);
'causing disorder' in ICT is tantamount to causing its losing part or all of its operability.) The language
used at a later stage does not indicate a change of this appraisal of the possible consequences of
cyber attacks. In particular, the notion of countering cyber attacks, used in the Bucharest Summit
Declaration 2008, is sufficiently close to the general doctrinal notion of counterattack to suggest that
its drafters had the idea of counter-offensive in mind. The fact that NATO later substituted the notion
of 'responding' to cyber attacks for the initially used term 'countering' them does not contradict this
assessment since countering cyber attacks is but one possible option for responding to them.
Actually, 'responding' is broader in scope; in addition to counter-offensive measures it also captures a
wide range of other measures including those of a political and diplomatic nature.
Taking the different points of view regarding the legal nature of cyber attacks into account, NATO's
policy documents help consolidating the developing consensus regarding the interpretation of the law
of armed conflict in cyber matters. Fully aware of the unsettled legal nature of cyber attacks, NATO
has agreed to multiple documents which in unison do not rule out that cyber attacks – initially referred
to as information operations – may be considered as destructive, or potentially destructive, in nature.
Now that the capacity to be destructive, or potentially destructive, in nature is a quintessential
characteristic of both armed attacks as defined for the purposes of the jus ad bellum and attacks as
defined for the purposes of the jus in bello, NATO's policy declarations necessarily imply the
Alliance’s tacit endorsement of the view that cyber attacks – at least theoretically – can have the
nature of armed attacks and/or attacks, as the case may be. It is important to note that, depending on
the circumstances, an act opening hostilities may coincidentally be an armed attack from a jus ad
bellum perspective and an attack from a jus in bello perspective. However, this coincidence would be
one of fact rather than an amalgamation of these notions which belong to different branches of
international law and hence warrant separate assessment.
International treaty law often captures new factual developments through subsequent agreement
regarding the interpretation of a treaty or the application of its provisions (cf. Article 31(3)(a) of the
Vienna Convention on the Law of Treaties). Whilst NATO policy does not represent agreement which
would bring all cyber attacks within the ambit of the North Atlantic Treaty and other relevant
international agreements, it does a fortiori not exclude individual cyber attacks from being considered
as an armed attack and/or an attack.
NATO's Strategic Concept 2010 confirms and reinforces earlier policy. Its assessment of the security
environment states that cyber attacks 'can reach a threshold that threatens national and Euro-Atlantic
prosperity, security and stability', and that foreign militaries can be 'the source of such attacks' (NATO
2010a, at paragraph 12). In addressing Article 5 of the North Atlantic Treaty, NATO stresses its
responsibility 'to protect and defend our territory and our population against attack' (id., paragraph 16).
Whilst critical infrastructure is captured by the notion of territorial defence, the reference to the
population should be read as to comprise key elements of statehood such as governability – essential
to human security – and the integrity of democratic decision-making – an essential tenet of
participatory democracy (Häußler 2010). NATO has also expressly embraced the need to further
develop its 'ability to prevent, detect, defend against and recover from cyber-attacks' (NATO 2010a,
paragraph 19) and its aim to 'carry out the necessary … information exchange for assuring our
defence against ... emerging security challenges'. The notion of 'emerging security challenges',
though not expressly defined, is illustrated by the portfolio of the recently established NATO
Headquarters directorate carrying the same name, which comprises challenges arising in and out of
101

Ulf Haeussler
the cyberspace. The Lisbon Summit Declaration further elaborates and reinforces the full integration
of cyber defence in NATO's collective security and defence framework (NATO 2010b, paragraph 47).
3. Leveraging collective defence for collective security through deterrence
Credible deterrence is a complex achievement which traditional strategy used to build on multiple
pillars, involving containment (including through the prospect of retaliation) and arms control (that is,
confidence building and disarmament). NATO and the U.S. use different definitions of deterrence in
military doctrine. These definitions have in common that both are concerned with potential
adversaries' perceptions of the relationship between action and counteraction. However, they
describe the method to influence potential adversaries' mindsets in fairly different manners. NATO
defines the notion of deterrence as '[t]he convincing of a potential aggressor that the consequences of
coercion or armed conflict would outweigh the potential gains'; the definition continues to observe that
'[t]his requires the maintenance of a credible military capability and strategy with the clear political will
to act' (NATO Glossary, 2-D-6). By contrast, the U.S. definition of deterrence is more outspoken about
the method by which to influence potential adversaries' mindsets. It clearly favours containment,
explaining that '[d]eterrence is a state of mind brought about by the existence of a credible threat of
unacceptable counteraction'. On this basis, it is able to describe the nature of the mindset desired on
the part of potential adversaries in capturing the notion of deterrence through a reference to '[t]he
prevention from action by fear of the consequences' (DoD Dictionary, 139).
International security is a product of multiple factors of which deterrence is but one. Resilience
towards potential threats and rules incentivising desired conduct are equally important; they are tools
to prevent differences from growing into disputes, or the pacific settlement of the latter, as the case
may be. However, experience confirms that incentivising tools will not always suffice to avert all
potential threats. Accordingly, cyber deterrence – based on the availability of defence and counteroffence
capabilities as well as the political will to use them, if required – will make a viable contribution
to international security. NATO is ready for cyber deterrence. It is continuously improving relevant
capabilities, and the Strategic Concept 2010 has tied the knot on the evolving integration of cyber
defence in the notion of collective defence.
NATO is not only increasingly well prepared to develop effective deterrence against cyber attacks the
organisation itself or its members may have to face in the future. The Alliance is also able, as a matter
of policy, to deter undesirable usages of cyberspace affecting its operations through a cyber line of
operation, regardless of whether they serve the purpose of collective defence (Article 5 of the North
Atlantic Treaty) or have the character of Non-Article 5 Crisis Response Operations (Häußler 2011,
168).
In light of the foregoing, NATO's policy choice not to exclude cyber attacks from its collective defence
mechanism (Article 5 of the North Atlantic Treaty) has a significant aspect with regard to deterrence.
As long as its collective defence mechanism is a viable option, the Alliance can – a maiore ad minus –
even more convincingly tackle challenges associated with cyberspace through its collective security
mechanism. Whilst the latter primarily relies on consultations as envisaged in Article 4 of the North
Atlantic Treaty, its invocation may result in effective measures short of the use of force. As indicated
by the single reported case of an express invocation of Article 4 by a NATO Nation, consultations
pursuant to this article may lead to the deployment of appropriate capabilities – up to and including
those represented by armed forces – to respond to the aforementioned security threats. In February
2003, Turkey asked for consultations concerning its defence needs arising out of the impending
resumption of hostilities against Iraq (Gallis 2003, 1). The consultations were conducted by NATO's
Defence Planning Committee which requested military advice from NATO's Military Authorities, and,
having obtained the latter, authorised the implementation of defensive measures (NATO DPC 2003).
In a similar manner, in the event of a cyber incident, NCIRC Rapid Reaction Teams (RRTs) may
support national Computer Emergency Response Teams (CERTs) (cf. NCSA 2009). By reinforcing
existing defences, the deployment of RRTs may make an effective contribution to deterring unfriendly
activities whose prospect of success they reduce or deny. Accordingly, consultations may result in
preventive deterrence: provided they are not a means of last resort in a misguided approach focusing
on "talking only" whilst "no action" is allowed to occur.
As indicated above, NATO's cyber security and defence policy is geared towards supporting national
efforts. This approach extends the consolidated practice of cooperation within NATO to the
cyberspace. As illustrated by the response to the 9/11 attack on the U.S. as well as the steps
102

Ulf Haeussler
following the invocation of Article 4 by Turkey, NATO's collective security and defence mechanisms
rely on the assessment of the Nation affected. Though NATO first and foremost provides an umbrella
enabling Allies' mutual support, it may also decide to launch operations led by the Alliance, such as
Operation Active Endeavour following the 9/11 attack. NATO's strategic policy choices regarding
cyber security and defence may in a similar manner serve as an interface for connecting national
security and defence efforts. After its adoption, Cyberstrategy 3.0 may demonstrate what the U.S.
expects as well as what it is prepared to contribute to achieve such 'greater levels of cooperation [as]
needed to stay ahead of the cyberthreat' (Lynn 2010, 105).
4. Cyberstrategy 3.0 – cyber defence as an integral part of national defence
NATO's positive acknowledgement, through its strategic policy consensus, of a nation's sovereign
right to consider cyber defence as an integral part of national security and defence, has clear legal
implications. It is this acknowledgement by which NATO has confirmed that national cyber security
and defence is eligible for support through its collective security and defence mechanisms. That said,
there are two different ways of looking at national cyberstrategy. On the one hand, a national
cyberstrategy is likely to represent the codification of national cyber security and defence concerns
ranging from a description of the situation, own and adversarial, through a survey of the broader
operating environment to the resulting assessment and conclusions. On the other hand, a national
cyberstrategy may also indicate in what situations NATO could theoretically expect to receive
requests for consultation under Article 4, or for collective self-defence under Article 5 of the North
Atlantic Treaty, as well as what capabilities might be available to support collective efforts made under
the auspices of the Alliance.
The description of the situation in cyberspace in which constitutional democracies in general and
NATO Nations in particular are likely to find themselves is comprised in the observation that: 'In less
than a generation, information technology in the military has evolved from an administrative tool for
enhancing office productivity into a national strategic asset in its own right' (id., 98).
Adversaries can easily exploit this situation by leveraging off the shelf technology which is not only
available at comparably low cost but also can be put to use by a limited number of personnel – '[a]
dozen determined computer programmers' (ibid.) – 'if they find a vulnerability to exploit' (ibid.). The
unpleasant reality is that 'today anyone with a computer can engage in some level of cyber
destruction' (Vamosi 2011, quoting the National Defense University's F.D. Kramer). In addition, the
estimates that programming the Stuxnet code may have taken about half a year also indicates that
warning periods regarding a force build-up in the cyberspace are much smaller than regarding a
conventional force build-up. However, there may not be any warning period at all if, like in the case of
Stuxnet, an adversary manages to launch a zero-day attack or leverage a zero-day exploit (Wikipedia,
Zero Day Attack).
That said, it is not surprising that '[i]n cyberspace, the offense has the upper hand', factor requiring a
flexible strategy since '[i]n an offense-dominant environment, a fortress mentality will not work' (Lynn
2010, 99). Accordingly, evolving U.S. cyber strategy is likely to put less emphasis on containment
than traditional strategy as embodied in military doctrine. According to the U.S. Deputy Secretary of
Defense, 'traditional Cold War deterrence models of assured retaliation do not apply to cyberspace,
where it is difficult and time consuming to identify an attack's perpetrator' (ibid.). This observation
does not simply shift the emphasis from containment to arms control. On the contrary, '[t]raditional
arms control regimes would likely fail to deter cyberattacks because of the challenges of attribution,
which make verification of compliance almost impossible.' (id., 100).
In essence, this means that both traditional elements of deterrence seem to be considered
unsatisfactory for the purposes of cyber deterrence. It is hence fairly unlikely that efforts made by
some States to leverage support for cyber arms control within the United Nations will yield tangible
results any time soon. Whilst cyber deterrence does not abandon the approach based on influencing
potential adversaries' mindsets (Vamosi 2011) it will most likely have to rely on different methods to
achieve this desired effect. In particular, cyber 'deterrence will necessarily be based more on denying
any benefit to attackers than on imposing costs through retaliation' (Lynn 2010, 99sq). This approach
couples elements of 'defensive resilience [within] cyber networks' (Vamosi 2011, quoting F.D. Kramer)
and active defence. To that end, it may require different models of 'international norms of behavior in
cyberspace … such as that of public health or law enforcement' (Lynn 2010, 100). Normative models
derived from international environmental law might also be instrumental. In the U.S., active defence of
103

Ulf Haeussler
defence sector computer networks complements 'ordinary computer hygiene, which keeps security
software and firewalls up to date, and sensors, which detect and map intrusions' (id., 103). Defence
sector networks rely on systems that, using (signals) intelligence warnings, 'automatically deploy
defenses to counter intrusions in real time' (ibid.). 'They work by placing scanning technology at the
interface of military networks and the open Internet to detect and stop malicious code before it passes
into military networks' (ibid.). Moreover, the notion of active defence also covers the effort to detect
intruders who have managed to escape detection at the interface (ibid.).
In sum, the evolving U.S. approach of defensive resilience coupled with active defence and NATO's
emerging notion of preventive deterrence seem to correspond harmoniously. As cyberstrategy
development continues, the impact of NATO's and national approaches on the conduct of military
operations in general and the conduct of hostilities in particular will require associated legal analysis.
Rather than focusing on cyber operations in isolation, this analysis will have to consider that cyber
warfare may become part of a spectrum of military responses available to the relevant policymakers
(cf. Vamosi 2011).
5. Conclusion
From an international law perspective, the choices regarding cyber security and defence made by
NATO's Strategic Concept 2010 correspond to questions related to the legality of use of force (jus ad
bellum) and implicitly defer questions pertaining to the legal framework governing the conduct of
hostilities (jus in bello) to future analysis. National cyberstrategy development points in the same
direction. From an overall perspective, cyberstrategy development has the demonstrated potential to
accelerate consensus building processes regarding the question of whether cyber attacks can be
matters of national security and defence, including through effective deterrence, and in that capacity
also trigger collective security and defence mechanisms like those based on the North Atlantic Treaty.
At the same time, existing and evolving cyberstrategies do not yet provide all necessary insights
regarding important questions such as how to leverage normative models of public health and
environmental protection as well as the adaptation to cyberspaces' realities of the notions of
combatancy and direct participation in hostilities, targetability of civilian objects turned military
objectives, questions answer which still involves challenges in light of technical realities which may
defy the development of prognoses required to develop an expectation regarding collateral damage
and an anticipation of military advantage with a sufficient degree of predictability.
References
Gallis, P. (2003) NATO’s Decision-Making Procedure (CRS Report for Congress, Order Code', RS21510, 05 May
2003), http://www.fas.org/man/crs/RS21510.pdf
Gates, R.M., U.S. Secretary of Defense (2009) "The National Defense Strategy", Joint Forces Quarterly, issue
52, 1 st quarter 2009, 1-7
Häußler, U. (2010) "Cyber Security and Defence from the Perspective of Articles 4 and 5 of the North Atlantic
Treaty", Tikk, E. and Talihärm, A.-M., International Cyber Security Legal & Policy Proceedings, 100-126
Häußler, U. (2011) "Crisis Response Operations in Maritime Environments", Odello, M. and Piotrowicz, R.,
International Military Missions and International Law (forthcoming: Brill, Amsterdam), 161-210
Ilves, His Excellency Mr. T.H., President of the Republic of Estonia (2010) Opening Address at the June 2010
Cyber Conflict Conference, http://www.ccdcoe.org/conference2010/329.html; cf.
http://www.nato.int/cps/en/SID-B2AD4DE6-E0B91B4E/natolive/news_64615.htm?
Independent International Fact-Finding Mission on the Conflict in Georgia established by the European Union
(2010), Report, Vol II
Lynn, W.J. III "Defending a New Domain – The Pentagon’s Cyberstrategy", Foreign Affairs Volume 89 Number 5,
97-108
NATO (1999) The Alliance's Strategic Concept dated 24 April 1999,
http://www.nato.int/cps/en/natolive/official_texts_27433.htm
NATO (2008) Bucharest Summit Declaration dated 03 April 2008,
http://www.nato.int/cps/en/natolive/official_texts_8443.htm
NATO (2009) Strasbourg / Kehl Summit Declaration dated 04 April 2009,
http://www.nato.int/cps/en/natolive/news_52837.htm?mode=pressrelease
NATO (2010a) Active Engagement, Modern Defence – Strategic Concept 2010 dated 19 November 2010,
http://www.nato.int/lisbon2010/strategic-concept-2010-eng.pdf
NATO (2010b) Lisbon Summit Declaration dated 20 November 2010,
http://www.nato.int/cps/en/natolive/official_texts_68828.htm
NATO Defence Planning Council (DPC) (2003) Decision Sheet, http://www.nato.int/docu/pr/2003/p030216e.htm,
cf. Press Release (2003)013 at http://www.nato.int/docu/pr/2003/p03-013e.htm
NATO NATO Glossary of Terms and Definitions (AAP-6) (annually updated publication) (quoted NATO Glossary)
104

Ulf Haeussler
NCSA (2009) NCSA Supports the Cyber Coalition 2009 undated,
http://www.ncsa.nato.int/news/2009/20091217_NCSA_Supports_the_Cyber_Coalition_2009.html
Owens, W.A., Dam, K.W. and Lin, H.S. (2009) (for the National Research Council) Technology, Policy, Law, and
Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities
Oxford University Press (1989) Oxford Advanced Learner's Dictionary
U.S. Department of Defense (DoD) Dictionary of Military and Associated Terms as amended through April 2010
(JP 1-02) (quoted DoD Dictionary)
Vamosi R. (2011) The US Needs To Learn To Limit–Not Win–A Cyber War,
http://blogs.forbes.com/firewall/?p=2604
Wikipedia "Zero Day Attack", http://en.wikipedia.org/wiki/Zero-day_attack (last visited 15 November 2010)
105

eGovernance and Strategic Information Warfare – non
Military Approach
Karim Hamza and Van Dalen
Maastricht School of Management, Netherlands
hamza@msm.nl
dalen@msm.nl
Abstract: Most of the developed Governments, active in reaping the benefits of eGovernance, nowadays have
discovered the threats of this new approach too. They invest massively to cope with the highly complex decision
making systems of today, dramatic changes in economy, technology and Information Warfare threats plus
government’s own changing strategies. This creates challenges with respect to matching decision-making
structures. eGovernance Frameworks is defined by the UNESCO as “the use of ICT (Information and
communication technologies) by different actors of the society with the aim to improve their access to information
and to build their capacities”. It may be expected that eGovernance will have more strategic importance for many
governments and that its concepts and tools will develop dramatically in the coming decade. This will raise the
urgencies and importance of protecting government decision making processes from non-solicited disturbing
external or internal interferences. Security is critical to the success of any eGovernance framework. Since such
governance frameworks somehow will be open to interactions with different “stakeholders” Internally (within the
boundaries of the state, like pressure groups, political parties, business, citizens ..) or Externally (e.g. other
states, multinational businesses, worldwide operating malicious organizations,..) who may influence the decision
making process in government, create political pressure or even start a cyber-war, by making use of
eGovernance frameworks. This raises a number of prevention issues to cope with, like instability of the decision
making processes, or even instability of real development processes in states. This causes efforts to add to the
design process of eGovernance frameworks a new dimension, popularly labeled “Information Warfare Strategy”,
with the aim to build in existing and future eGovernance Frameworks safeguarding tools; to prevent abuse of
such frameworks in practical government decision cases. Traditionally there is a distinction between military vs.
non-military approaches. The question has to be raised in how far a distinction between Technology (ICT) vs.
non-Technology tools (like diplomacy, or legal) will be more appropriate. However we have to recognize that any
line of distinction is arbitrary and will show the need for some dynamics, because parties involved will learn and
improve.
Keywords: eGovernment, government transformation, public sector information systems, e governance
framework, information warfare, non military strategies
1. Introduction
Rapid change and development in the concept of eGovernance and Strategic information Warfare,
makes it necessary to look for clear definition of both terms, examine the relation of each other and
how they can impact government or state, primary findings showed that main common elements in
these definition is Information and Technology, normally information is seen as a revolution age which
need specific attention as Drucker mentioned “The next information revolution is well underway. But it
is not happening where information scientists, information executives, and the information industry in
general are looking for it. It is not a revolution in technology, machinery, techniques, software, or
speed. It is a revolution in concepts” (Drucker, 1998). Also if we looked for a defensive point of view,
Dearth mentioned “Defense is no longer the relatively straightforward issue of the sort and extent of
physical measures that need to be taken to protect one’s valued assets. Many of the assets requiring
protection are in the civil sector, but the protection of them is perhaps not best or properly done by
military means” (Dearth, 2001). This requires tools and techniques which is not physical only but in
concept and using non military approaches to protect the government information represented in
eGovernance.
Presence of threats like terrorists, competitors, state enemies and malicious organizations makes
information warfare a threat to governments and the private sectors attached to eGovernance
frameworks very important. It will raise high attention to develop strategic information warfare to
protect dimensions, such as: Military, Physical, Economic, Political, and Social (RAND, 1996).
Governments have to develop technological as well as non-technological tools and mechanisms that
can supplement dynamic eGovernance frameworks. Application domains encompass fields like
Political, Legal and Diplomatic. Interaction between agencies inside and outside the government, in
addition to international affairs will be needed to define international legal regulations and political
channels to control relevant threats. In the end, it will certainly require (re)definition of the distribution
106

Karim Hamza and Van Dalen
of responsibilities for international legal arrangements in case of legal disputes, as the ones taking
place in the United Nations or NATO. Special attention has to be devoted to the problem of void
governance spaces, example in this continually changing playing field, asking for occasional
governance solutions sometimes.
This research examines Non Military and non technology approaches to Strategic Information Warfare
related to the development of an eGovernance Framework Design Process Model with regard to
Economic, Political and Social dimensions.
With the following concentrations:
Definition of eGovernance framework
Definition of Strategic Information Warfare
Types of Information Warfare: Cyber War / Cyber Crime / Espionage
Types of threats Internal / External and State / Non State
Importance of eGovernance National security and the need to be covered in Information warfare
strategies.
Non Military response: Policies, Laws, Diplomacies, Awareness and Media
Adaptability on dynamic eGovernance framework
what conditions of Strategic Information warfare have to be taken into account in the design
process of eGovernance frameworks
All conditioned by fundamental civil rights to interact with governments and the control on the legality
of such approaches.
2. eGovernance frame work
Nowadays ‘ eGovernance’ as a term became a very common expression in the last couple of years,
but there is no standard definition for this term; since Different governments and organizations use it
to suit specific aims or objectives. Commonly the term ‘eGovernment’ is used instead of ‘
eGovernance’ due to confusion between the definitions of the two terms, while the first is the
infrastructure of eGovernance and eGovernance covers a broader scope.
So If we start by Governance which is focusing on what the government does to make sure that all
concerned stakeholders are in the decision process and evaluate the outcomes, also which can be
applied on corporate level, governance have different types like Corporate Governance, Project
Governance, Good Governance, IT Governance, multi level governance and finally E Governance
which focuses on the function of Governance using the technology and information systems as a tool.
Normally we finds that The most common definition for eGovernance is defined by the UNESCO as
“the use of ICT (Information and communication technologies) by different actors of the society, with
the aim to improve their access to information and to build their capacities” (UNESCO, 2009). In much
more detail according to the UNESCO, Governance refers to the exercise of political, economic and
administrative authority in the management of a country’s affairs, including citizens’ articulation of their
interests and exercise of their legal rights and obligations. eGovernance may be understood as the
performance of this governance via the electronic medium in order to facilitate an efficient, speedy
and transparent process of disseminating information to the public, and other agencies, and for
performing government administration activities. eGovernance is generally considered as a wider
concept than eGovernment, since it can bring about a change in the way how citizens relate to
governments and to each other. eGovernance can bring forth new concepts of citizenship, both in
terms of citizen needs and responsibilities. Its objective is to engage, enable and empower the citizen
(different stakeholders). The use of information technology can increase the broad involvement of
citizens in the process of governance at all levels by providing the possibility of on-line discussion
groups and by enhancing the rapid development and effectiveness of pressure groups.
It is obvious that Advantages for the government include the government’s ability to provide a better
service in terms of time, making governance more efficient and more effective. In addition, the
transaction costs can be lowered and government services become more accessible.
107

Karim Hamza and Van Dalen
This leads to the eGovernance Framework which organizes the eGovernance activity and focuses on:
1. Establishing the governance, monitoring and control,
2. Develop and response strategic direction for the different stakeholders,
3. Defining roles and responsibility matrix and
4. adapt to new changes in strategies
Since eGovernance will be responsible to hold most of the government, economy and community
information plus it will engage different stake holders internal and external to the country, then security
and protection will become the biggest concern. As fear of all fears. (Mechling, 2000) mentioned that one
of the most common issues in Governance are: Protecting privacy and security, which is one of the
major concerns and can be considered as an obstacle for such systems. Substantially, defense and
security of this framework will be Critical to its success, the political risks of security breaches in this
framework perceived to be far more serious than other risks, since it can impact the government’s
political position, the economy and citizens.
3. Strategic information warfare
The concept of Information Warfare has been well documented (for example, Schwartau, 1996;
Dearth and Williamson, 1996; Knecht, 1996; Waltz, 1998; Denning, 1999). By definition, the
fundamental weapon and target in the information’s warfare is 'information'. It is the product that has
to be manipulated to the advantage of those trying to influence events. The means of achieving this
are manifold. Protagonists can attempt to directly alter data or to deprive competitors from access to
it. The technology of information collection, storage, and dissemination can be compromised. Using
other, more subtle techniques, the way the data is interpreted can be changed by altering the context
that it is viewed. Thus, the range of activities in the brief of information warfare is manifest. (Hutchinson,
Warren, 2001)
Figure 1: The relationships between data, context, knowledge, information; and the methods by
which each element can be attacked, (Hutchinson, Warren, 2001)
108

Karim Hamza and Van Dalen
From a military point of view, there is an enemy defined and specific actions and procedures are
prepared for defense or attack, but with eGovernance not all enemies are defined or detected which
encourages delivering a concept to detect such enemies or threats.
There were different definitions and concepts related to information warfare (Libicki, 1995)
Command-and-Control Warfare [C2W];
Intelligence-based Warfare [IBW];
Electronic Warfare [EW];
Psychological Operations [PSYOPS];
Hacker war software-based attacks on information systems;
Information Economic Warfare [IEW] war via the control of information trade;
Cyberwar [combat in the virtual realm].
As an example; The United States has substantial information-based resources, including complex
management systems and infrastructures involving the control of electric power, money flow, air
traffic, oil and gas, and other information-dependent items. U.S. allies and potential coalition partners
are similarly increasingly dependent on various information infrastructures. Conceptually, if and when
potential adversaries attempt to damage these systems using IW techniques, information warfare
inevitably takes on a strategic aspect. (Roger, Molander, Riddile, Wilson, 1996)
The Basic Features of Strategic Information Warfare:
Low entry cost: Unlike traditional weapon technologies, development of information- based
techniques does not require sizable financial resources or state sponsorship. Information systems
expertise and access to important networks may be the only prerequisites.
Blurred traditional boundaries: Traditional distinctions; public versus private interests, warlike
versus criminal behavior and geographic boundaries, such as those between nations as
historically defined, are complicated by the growing interaction within the information
infrastructure.
4. Types of information warfare: Cyber war / cyber crime / espionage
The Department of Defense (DoD) defines cyberspace as follows: A global domain within the
information environment consisting of the interdependent network of information technology
infrastructures, including the Internet, telecommunications networks, computer systems, and
embedded processors and controllers. (DoD Dictionary of Military, 2008)
Recently, cyberspace which is becoming the main field of information warfare started to develop as a
military domain. To join the historic domains of land, sea, air, and space. All this might lead to a belief
that the historic constructs of war like force, offense, defense, and deterrence can be applied to
cyberspace with a little modification. But it must be understood in its own terms, and policy decisions
being made for these and other new commands must reflect such understanding. Attempts to transfer
policy constructs from other forms of warfare will not only fail but also hinder policy and
planning.(Libicki, 2009)
Normally the main targets for an Information Attack as Denning (1999) outlines the potential elements
in an information system that are prone to attack and exploitation as:
Data stores: for example, computer and human memories.
Communication channels: for example, humans, and telecommunication systems.
Sensors/input devices: for example, scanners, cameras, microphones, human senses.
Output devices: for example, disk writers, printers, human processes.
Manipulators of data: for example, microprocessors, humans, software.
Most related information warfare was as below:
Strategic Cyber-War: A campaign of Cyber-Attacks launched by one entity against a state and
its society, primarily but not exclusively for the purpose of affecting the target state’s behavior,
would be strategic Cyber-War. The attacking entity can be a state or a non-state actor (Libicki, 2009)
109

Karim Hamza and Van Dalen
Cyber-War: actions by a nation-state to penetrate another nation's computers or networks for the
purposes of causing damage or disruption. (Clarke, 2010)
Cyber Crime: refers to any crime that involves a computer and a network, where the computers
may or may not have played an instrumental part in the commission of a crime
Espionage or spying: involves individuals obtaining information that is considered secret or
confidential without the permission of the holder of this information.
5. Types of threats internal / external and state / non state
Critical to the success of any eGovernance framework, is its security. Since such governance
frameworks somehow will be open to interactions with different “stakeholders”, who may, by making
use of eGovernance frameworks, influence the decision making process in the government, create
political pressure or even start a cyber-war.
A. Internal Stakeholders [Domestic] (within the boundaries of the state) as
Pressure groups,
Political parties,
Business,
Citizens
Organized crime .. etc
or
B. External Stakeholders [Foreign] (outside boundaries of the state) as
Other states,
Multinational businesses,
Worldwide operating malicious organizations,.. etc
Given the wide array of possible opponents, weapons, and strategies, it becomes increasingly difficult
to distinguish between foreign and domestic sources of IW threats and actions. You may not know
who’s under attack by whom, or who’s in charge of the attack. This greatly complicates the traditional
role distinction between domestic law enforcement, on the one hand, and national security and
intelligence entities on the other. Another consequence of this blurring phenomenon is the
disappearance of clear distinctions between different levels of anti-state activity, ranging from crime to
warfare. (Roger, Molander, Riddile, Wilson, 1996)
6. Importance of eGovernance national security and the need to be covered in
information warfare strategies
Presence of threats, like: terrorists, competitors, state enemies and malicious organizations makes
the threat of information warfare very important to governments and private sector attached to
eGovernance frameworks. It will raise a high attention to develop strategic information warfare to
protect dimensions as: Military, Physical, Economic, Political, And Social (Roger, Molander, Riddile, Wilson,
1996).
7. Non military response: Policies, laws, diplomacies, awareness and media
Governments have to develop military as well as non-military tools and mechanisms that can
supplement dynamic eGovernance frameworks. Application domains encompass fields like Political,
Legal and Diplomatic. Interaction between agencies inside and outside the government, in addition to
international affairs will be needed to define international legal regulations and political channels to
control relevant threats. In the end, it will certainly require a (re)definition of the distribution of
responsibilities for international legal arrangements in case of legal disputes, as that’s taking place in
the United Nations or NATO.
The appropriate role for the government in responding to the strategic Information Warfare threat
impacting the eGovernance framework needs to be addressed, this role to be part leadership and part
partnership with the domestic sector. In addition to being the performer of certain basic functions such
as; organizing, equipping, training, and sustaining military forces, the government may play a more
110

Karim Hamza and Van Dalen
productive and efficient role as facilitator and maintainer of some information systems and
infrastructure, and through policy mechanisms such as; tax breaks to encourage reducing vulnerability
and improving recovery and reconstitution capability. An important factor is the traditional change in
the government’s role as one move from national defense through public safety toward things that
represent the public good. Clearly, the government’s perceived role in this area will have to be
balanced against public perceptions of the loss of civil liberties and the commercial sector’s concern
about unwarranted limits on its practices and markets.
When responding to information warfare, military strategy can thus no longer focus just on support to
and operations. It must also examine information warfare implications on its state and allies’ strategic
infrastructures military, physical, economic, political, and social that depends upon information
systems and information support.
Figure 2: Strategic information warfare impact , (Roger, Molander, Riddile, Wilson, 1996)
Government can use and develop different tools and techniques to handle such situation
Research and Development: The government’s role in defending against such threats, apart from
protecting its own systems, is indirect: Sponsor research, development, and standard creation in
computer network defense. Maximize the incentives for private industry to keep its own house in
order. Increase the resources devoted to cyber forensics, including the distribution of honeypots
to trap rogue code for analysis. Encourage information-sharing among both private and public
network operators. Invest in threat intelligence. Subsidize the education of computer security
professionals. All are current agenda items. In a cyberwar, all would receive greater emphasis.
(LibiCki, 2009)
Policy : defining policies that deals with different Strategic Information Warfare threats and
engage different international parties , also working on modify constitutes an act of war, which
may be defined as one of three ways: universally, multilaterally, and unilaterally. A universal
definition is one that every state accepts. The closest analog to “every state” is when the United
Nations says that something is an act of war. The next-closest analog is if enough nations have
signed a treaty that says as much. No such United Nations dictum exists, and no treaty says as
much. One might argue that a cyber attack (which is an output of Strategic Information warfare) is
like something else that is clearly an act of war, but unless there is a global consensus that such
an analogy is valid, it cannot be defined as an act of war.
Laws : develop clear laws to criminalize action which threat eGovernance framework specially
with internal threat
Diplomatic : develop allies networks to discover different joint threats that can impact each other
Governance through intelligence and early detections
111

Karim Hamza and Van Dalen
Awareness and Media : create citizen/personal awareness working and dealing with
eGovernance framework, on how to protect themselves, how to report violation, be awre with
different types of threat and the legal impact of violation
8. Conclusion
It is becoming obvious that eGovernance will become the information backbone of any government
which creates a strong relation to strategic information warfare; since both are based on information
and use technology. In addition, the first will contain most of the government’s and community
information and will become the main war fields in the future. This requires different set of attention;
since not all existing warfare techniques will be applicable in handling eGovernance threats; this
should include non military approaches like Policy, diplomatic and laws.
eGovernance framework main challenge is adaptability on dynamic eGovernance framework; since
continuous changes on government strategies and the environment surrounding it plus the continuous
changes of technology and threat parties either internal or external, will require continuous
development to cope with such changes and complex decision making structure, not to forget that
some conditions of strategic information warfare have to be taken into account in the design process
of eGovernance frameworks, like: control of different stakeholders, monitor and detection, continuous
development and defining different sets of response approaches to deal with the rapid changing
environment and changing enemy map.
References
Bhatnagar, Subash EGovernment: From Vision to Implementation” by; Sage Publications; 2004.
Clarke , Richard A. (April, 2010) Cyber War: The Next Threat to National Security and What to Do About, Ecco
Dearth, Douglas H., (2001) “Implications and Challenges of Applied Information Operations”, Joint Military
Intelligence Training Centre Washington D.C. Journal of Information Warfare Volume 1, Issue1
Denning, D.E. (1999). Information Warfare and Security, Addison Wesley, Reading: Mass.
DoD Dictionary of Military Terms (October,2008), Washington, D.C, Joint Doctrine Division, J-7
Drucker, Peter F. (August 24, 1998) “the Next Information Revolution” , Forbes ASAP.
Hutchinson, W. and Warren, M. (2001) “Principles of Information Warfare”, Journal of Information Warfare 1, 1:1 -
6 1 ISSN 1445-3312 print/ISSN 1445-3347
Hutchinson, W.E. Warren, M.J. (1999). Attacking the Attackers: Attitudes of Australian IT Managers to retaliation
against Hackers, ACIS (Australasian Conference on Information Systems) 99, December, Wellington, New
Zealand.
Libicki, Martin C. (2009) CyberDeterrence and CyberWar , Rand Corporation, Project Air Force
Libicki, Martin C.(May,1995) “What Is Information Warfare?” Strategic
Mechling, J. (2000), Eight Imperatives for Leaders in a Networked World, Massachusetts, The Harvard Policy
Group
Roger C. Molander/Andrew S. Riddile/Peter A. Wilson (1996) “Strategic Information Warfare, A New Face of
War” Office of the Secretary of Defense, National Defense Research Institute , Rand
Schwartau, W. (1996). Information Warfare – second edition. Thunder’s Mouth Press, New York.
UNESCO(2009) http://portal.unesco.org/ci/en/ev.php-
URL_ID=4404&URL_DO=DO_TOPIC&URL_SECTION=201.html (extracted 07.10.2010)
Waltz, E. (1998) Information Warfare – Principles and Operations. Artech House, Norwood.
World Bank : Source: http://go.worldbank.org/M1JHE0Z280 (extracted on 02.10.2010)
112

Intelligence-Driven Computer Network Defense Informed
by Analysis of Adversary Campaigns and Intrusion Kill
Chains
Eric Hutchins, Michael Cloppert and Rohan Amin
Lockheed Martin, USA
eric.m.hutchins@lmco.com
michael.j.cloppert@lmco.com
rohan.m.amin@lmco.com
Abstract: Conventional network defense tools such as intrusion detection systems and anti-virus focus on the
vulnerability component of risk, and traditional incident response methodology presupposes a successful
intrusion. An evolution in the goals and sophistication of computer network intrusions has rendered these
approaches insufficient for certain actors. A new class of threats, appropriately dubbed the “Advanced Persistent
Threat” (APT), represents well-resourced and trained adversaries that conduct multi-year intrusion campaigns
targeting highly sensitive economic, proprietary, or national security information. These adversaries accomplish
their goals using advanced tools and techniques designed to defeat most conventional computer network
defense mechanisms. Network defense techniques which leverage knowledge about these adversaries can
create an intelligence feedback loop, enabling defenders to establish a state of information superiority which
decreases the adversary's likelihood of success with each subsequent intrusion attempt. Using a kill chain model
to describe phases of intrusions, mapping adversary kill chain indicators to defender courses of action, identifying
patterns that link individual intrusions into broader campaigns, and understanding the iterative nature of
intelligence gathering form the basis of intelligence-driven computer network defense (CND). Institutionalization
of this approach reduces the likelihood of adversary success, informs network defense investment and resource
prioritization, and yields relevant metrics of performance and effectiveness. The evolution of advanced persistent
threats necessitates an intelligence-based model because in this model the defenders mitigate not just
vulnerability, but the threat component of risk, too.
Keywords: incident response, intrusion detection, intelligence, threat, APT, computer network defense
1. Introduction
As long as global computer networks have existed, so have malicious users intent on exploiting
vulnerabilities. Early evolutions of threats to computer networks involved self-propagating code.
Advancements over time in anti-virus technology significantly reduced this automated risk. More
recently, a new class of threats, intent on the compromise of data for economic or military
advancement, emerged as the largest element of risk facing some industries. This class of threat has
been given the moniker “Advanced Persistent Threat,” or APT. To date, most organizations have
relied on the technologies and processes implemented to mitigate risks associated with automated
viruses and worms which do not sufficiently address focused, manually operated APT intrusions.
Conventional incident response methods fail to mitigate the risk posed by APTs because they make
two flawed assumptions: response should happen after the point of compromise, and the compromise
was the result of a fixable flaw (Mitropoulos et al., 2006; National Institute of Standards and
Technology, 2008).
APTs have recently been observed and characterized by both industry and the U.S. government. In
June and July 2005, the U.K. National Infrastructure Security Co-ordination Centre (UK-NISCC) and
the U.S. Computer Emergency Response Team (US-CERT) issued technical alert bulletins describing
targeted, socially-engineered emails dropping trojans to exfiltrate sensitive information. These
intrusions were over a significant period of time, evaded conventional firewall and anti-virus
capabilities, and enabled adversaries to harvest sensitive information (UK-NISCC, 2005; US-CERT,
2005). Epstein and Elgin (2008) of Business Week described numerous intrusions into NASA and
other government networks where APT actors were undetected and successful in removing sensitive
high-performance rocket design information. In February 2010, iSec Partners noted that current
approaches such as anti-virus and patching are not sufficient, end users are directly targeted, and
threat actors are after sensitive intellectual property (Stamos, 2010).
Before the U.S. House Armed Services Committee Subcommittee on Terrorism, Unconventional
Threats and Capabilities, James Andrew Lewis of the Center for Strategic and International Studies
testified that intrusions occurred at various government agencies in 2007, including the Department of
113

Eric Hutchins et al.
Defense, State Department and Commerce Department, with the intention of information collection
(Lewis, 2008). With specificity about the nature of computer network operations reportedly emanating
from China, the 2008 and 2009 reports to Congress of the U.S.-China Economic and Security Review
Commission summarized reporting of targeted intrusions against U.S. military, government and
contractor systems. Again, adversaries were motivated by a desire to collect sensitive information
(U.S.-China Economic and Security Review Commission, 2008, 2009). Finally, a report prepared for
the U.S.-China Economic and Security Review Commission, Krekel (2009) profiles an advanced
intrusion with extensive detail demonstrating the patience and calculated nature of APT.
Advances in infrastructure management tools have enabled best practices of enterprise-wide patching
and hardening, reducing the most easily accessible vulnerabilities in networked services. Yet APT
actors continually demonstrate the capability to compromise systems by using advanced tools,
customized malware, and “zero-day” exploits that anti-virus and patching cannot detect or mitigate.
Responses to APT intrusions require an evolution in analysis, process, and technology; it is possible
to anticipate and mitigate future intrusions based on knowledge of the threat. This paper describes an
intelligence-driven, threat-focused approach to study intrusions from the adversaries’ perspective.
Each discrete phase of the intrusion is mapped to courses of action for detection, mitigation and
response. The phrase “kill chain” describes the structure of the intrusion, and the corresponding
model guides analysis to inform actionable security intelligence. Through this model, defenders can
develop resilient mitigations against intruders and intelligently prioritize investments in new technology
or processes. Kill chain analysis illustrates that the adversary must progress successfully through
each stage of the chain before it can achieve its desired objective; just one mitigation disrupts the
chain and the adversary. Through intelligence-driven response, the defender can achieve an
advantage over the aggressor for APT caliber adversaries.
This paper is organized as follows: section two of this paper documents related work on phase based
models of defense and countermeasure strategy. Section three introduces an intelligence-driven
computer network defense model (CND) that incorporates threat-specific intrusion analysis and
defensive mitigations. Section four presents an application of this new model to a real case study, and
section five summarizes the paper and presents some thoughts on future study.
2. Related work
While the modeling of APTs and corresponding response using kill chains is unique, other phase
based models to defensive and countermeasure strategies exist.
A United States Department of Defense Joint Staff publication describes a kill chain with stages find,
fix, track, target, engage, and assess (U.S. Department of Defense, 2007). The United States Air
Force (USAF) has used this framework to identify gaps in Intelligence, Surveillance and
Reconnaissance (ISR) capability and to prioritize the development of needed systems (Tirpak, 2000).
Threat chains have also been used to model Improvised Explosive Device (IED) attacks (National
Research Council, 2007). The IED delivery chain models everything from adversary funding to attack
execution. Coordinated intelligence and defensive efforts focused on each stage of the IED threat
chain as the ideal way to counter these attacks. This approach also provides a model for identification
of basic research needs by mapping existing capability to the chain. Phase based models have also
been used for antiterrorism planning. The United States Army describes the terrorist operational
planning cycle as a seven step process that serves as a baseline to assess the intent and capability
of terrorist organizations (United States Army Training and Doctrine Command, 2007). Hayes (2008)
applies this model to the antiterrorism planning process for military installations and identifies
principles to help commanders determine the best ways to protect themselves.
Outside of military context, phase based models have also been used in the information security field.
Sakuraba et al. (2008) describe the Attack-Based Sequential Analysis of Countermeasures (ABSAC)
framework that aligns types of countermeasures along the time phase of an attack. The ABSAC
approach includes more reactive post-compromise countermeasures than early detection capability to
uncover persistent adversary campaigns. In an application of phase based models to insider threats,
Duran et al. (2009) describe a tiered detection and countermeasure strategy based on the progress of
malicious insiders. Willison and Siponen (2009) also address insider threat by adapting a phase
based model called Situational Crime Prevention (SCP). SCP models crime from the offender’s
perspective and then maps controls to various phases of the crime. Finally, the security company
Mandiant proposes an “exploitation life cycle”. The Mandiant model, however, does not map courses
114

Eric Hutchins et al.
of defensive action and is based on post-compromise actions (Mandiant, 2010). Moving detections
and mitigations to earlier phases of the intrusion kill chain is essential for CND against APT actors.
3. Intelligence-driven computer network defense
Intelligence-driven computer network defense is a risk management strategy that addresses the
threat component of risk, incorporating analysis of adversaries, their capabilities, objectives, doctrine
and limitations. This is necessarily a continuous process, leveraging indicators to discover new
activity with yet more indicators to leverage. It requires a new understanding of the intrusions
themselves, not as singular events, but rather as phased progressions. This paper presents a new
intrusion kill chain model to analyze intrusions and drive defensive courses of action.
The effect of intelligence-driven CND is a more resilient security posture. APT actors, by their nature,
attempt intrusion after intrusion, adjusting their operations based on the success or failure of each
attempt. In a kill chain model, just one mitigation breaks the chain and thwarts the adversary,
therefore any repetition by the adversary is a liability that defenders must recognize and leverage. If
defenders implement countermeasures faster than adversaries evolve, it raises the costs an
adversary must expend to achieve their objectives. This model shows, contrary to conventional
wisdom, such aggressors have no inherent advantage over defenders.
3.1 Indicators and the indicator life cycle
The fundamental element of intelligence in this model is the indicator. For the purposes of this paper,
an indicator is any piece of information that objectively describes an intrusion. Indicators can be
subdivided into three types:
Atomic – Atomic indicators are those which cannot be broken down into smaller parts and retain
their meaning in the context of an intrusion. Typical examples here are IP addresses, email
addresses, and vulnerability identifiers.
Computed – Computed indicators are those which are derived from data involved in an incident.
Common computed indicators include hash values and regular expressions.
Behavioral – Behavioral indicators are collections of computed and atomic indicators, often
subject to qualification by quantity and possibly combinatorial logic. An example would be a
statement such as ”the intruder would initially used a backdoor which generated network traffic
matching [regular expression] at the rate of [some frequency] to [some IP address], and then
replace it with one matching the MD5 hash [value] once access was established.”
Using the concepts in this paper, analysts will reveal indicators through analysis or collaboration,
mature these indicators by leveraging them in their tools, and then utilize them when matching activity
is discovered. This activity, when investigated, will often lead to additional indicators that will be
subject to the same set of actions and states. This cycle of actions, and the corresponding indicator
states, form the indicator life cycle illustrated in Figure 1.
Figure 1: Indicator life cycle states and transitions
115

Eric Hutchins et al.
This applies to all indicators indiscriminately, regardless of their accuracy or applicability. Tracking the
derivation of a given indicator from its predecessors can be time-consuming and problematic if
sufficient tracking isn’t in place, thus it is imperative that indicators subject to these processes are
valid and applicable to the problem set in question. If attention is not paid to this point, analysts may
find themselves applying these techniques to threat actors for which they were not designed, or to
benign activity altogether.
3.2 Intrusion kill chain
A kill chain is a systematic process to target and engage an adversary to create desired effects. U.S.
military targeting doctrine defines the steps of this process as find, fix, track, target, engage, assess
(F2T2EA): find adversary targets suitable for engagement; fix their location; track and observe; target
with suitable weapon or asset to create desired effects; engage adversary; assess effects (U.S.
Department of Defense, 2007). This is an integrated, end-to-end process described as a “chain”
because any one deficiency will interrupt the entire process.
Expanding on this concept, this paper presents a new kill chain model, one specifically for intrusions.
The essence of an intrusion is that the aggressor must develop a payload to breach a trusted
boundary, establish a presence inside a trusted environment, and from that presence, take actions
towards their objectives, be they moving laterally inside the environment or violating the
confidentiality, integrity, or availability of a system in the environment. The intrusion kill chain is
defined as reconnaissance, weaponization, delivery, exploitation, installation, command and control
(C2), and actions on objectives.
With respect to computer network attack (CNA) or computer network espionage (CNE), the definitions
for these kill chain phases are as follows:
Reconnaissance - Research, identification and selection of targets, often represented as crawling
Internet websites such as conference proceedings and mailing lists for email addresses, social
relationships, or information on specific technologies.
Weaponization - Coupling a remote access trojan with an exploit into a deliverable payload,
typically by means of an automated tool (weaponizer). Increasingly, client application data files
such as Adobe Portable Document Format (PDF) or Microsoft Office documents serve as the
weaponized deliverable.
Delivery - Transmission of the weapon to the targeted environment. The three most prevalent
delivery vectors for weaponized payloads by APT actors, as observed by the Lockheed Martin
Computer Incident Response Team (LM-CIRT) for the years 2004-2010, are email attachments,
websites, and USB removable media.
Exploitation - After the weapon is delivered to victim host, exploitation triggers intruders’ code.
Most often, exploitation targets an application or operating system vulnerability, but it could also
more simply exploit the users themselves or leverage an operating system feature that autoexecutes
code.
Installation - Installation of a remote access trojan or backdoor on the victim system allows the
adversary to maintain persistence inside the environment.
Command and Control (C2) - Typically, compromised hosts must beacon outbound to an Internet
controller server to establish a C2 channel. APT malware especially requires manual interaction
rather than conduct activity automatically. Once the C2 channel establishes, intruders have
“hands on the keyboard” access inside the target environment.
Actions on Objectives - Only now, after progressing through the first six phases, can intruders
take actions to achieve their original objectives. Typically, this objective is data exfiltration which
involves collecting, encrypting and extracting information from the victim environment; violations
of data integrity or availability are potential objectives as well. Alternatively, the intruders may only
desire access to the initial victim box for use as a hop point to compromise additional systems
and move laterally inside the network.
3.3 Courses of action
The intrusion kill chain becomes a model for actionable intelligence when defenders align enterprise
defensive capabilities to the specific processes an adversary undertakes to target that enterprise.
116

Eric Hutchins et al.
Defenders can measure the performance as well as the effectiveness of these actions, and plan
investment roadmaps to rectify any capability gaps. Fundamentally, this approach is the essence of
intelligence-driven CND: basing security decisions and measurements on a keen understanding of the
adversary.
Table 1 depicts a course of action matrix using the actions of detect, deny, disrupt, degrade, deceive,
and destroy from DoD information operations (IO) doctrine (U.S. Department of Defense, 2006). This
matrix depicts in the exploitation phase, for example, that host intrusion detection systems (HIDS) can
passively detect exploits, patching denies exploitation altogether, and data execution prevention
(DEP) can disrupt the exploit once it initiates. Illustrating the spectrum of capabilities defenders can
employ, the matrix includes traditional systems like network intrusion detection systems (NIDS) and
firewall access control lists (ACL), system hardening best practices like audit logging, but also vigilant
users themselves who can detect suspicious activity.
Table 1: Courses of action matrix
Here, completeness equates to resiliency, which is the defender’s primary goal when faced with
persistent adversaries that continually adapt their operations over time. The most notable adaptations
are exploits, particularly previously undisclosed “zero-day” exploits. Security vendors call these “zeroday
attacks,” and tout “zero day protection”. This myopic focus fails to appreciate that the exploit is
but one change in a broader process. If intruders deploy a zero-day exploit but reuse observable tools
or infrastructure in other phases, that major improvement is fruitless if the defenders have mitigations
for the repeated indicators. This repetition demonstrates a defensive strategy of complete indicator
utilization achieves resiliency and forces the adversary to make more difficult and comprehensive
adjustments to achieve their objectives. In this way, the defender increases the adversary’s cost of
executing successful intrusions.
Defenders can generate metrics of this resiliency by measuring the performance and effectiveness of
defensive actions against the intruders. Consider an example series of intrusion attempts from a
single APT campaign that occur over a seven month timeframe, shown in Figure 2. For each phase of
the kill chain, a white diamond indicates relevant, but passive, detections were in place at the time of
that month’s intrusion attempt, a black diamond indicates relevant mitigations were in place, and an
empty cell indicates no relevant capabilities were available. After each intrusion, analysts leverage
newly revealed indicators to update their defenses, as shown by the gray arrows. The illustration
shows, foremost, that at last one mitigation was in place for all three intrusion attempts, thus
mitigations were successful. However, it also clearly shows significant differences in each month. In
December, defenders detect the weaponization and block the delivery but uncover a brand new,
117

Eric Hutchins et al.
unmitigated, zero-day exploit in the process. In March, the adversary re-uses the same exploit, but
evolves the weaponization technique and delivery infrastructure, circumventing detection and
rendering those defensive systems ineffective. By June, the defenders updated their capabilities
sufficiently to have detections and mitigations layered from weaponization to C2. By framing metrics
in the context of the kill chain, defenders had the proper perspective of the relative effect of their
defenses against the intrusion attempts and where there were gaps to prioritize remediation.
Figure 2: Illustration of the relative effectiveness of defenses against subsequent intrusion attempts
3.4 Intrusion reconstruction
Kill chain analysis is a guide for analysts to understand what information is, and may be, available for
defensive courses of action. It is a model to analyze the intrusions in a new way. Most detected
intrusions will provide a limited set of attributes about a single phase of an intrusion. Analysts must
still discover many other attributes for each phase to enumerate the maximum set of options for
courses of action. Further, based on detection in a given phase, analysts can assume that prior
phases of the intrusion have already executed successfully.
Only through complete analysis of prior phases, as shown in Figure 3, can actions be taken at those
phases to mitigate future intrusions. If one cannot reproduce the delivery phase of an intrusion, one
cannot hope to act on the delivery phase of subsequent intrusions from the same adversary. The
conventional incident response process initiates after our exploit phase, illustrating the self-fulfilling
prophecy that defenders are inherently disadvantaged and inevitably too late. The inability to fully
reconstruct all intrusion phases prioritizes tools, technologies, and processes to fill this gap.
Figure 3: Late phase detection
Defenders must be able to move their detection and analysis up the kill chain and more importantly to
implement courses of actions across the kill chain. In order for an intrusion to be economical,
adversaries must re-use tools and infrastructure. By completely understanding an intrusion, and
leveraging intelligence on these tools and infrastructure, defenders force an adversary to change
every phase of their intrusion in order to successfully achieve their goals in subsequent intrusions. In
this way, network defenders use the persistence of adversaries’ intrusions against them to achieve a
level of resilience.
118

Eric Hutchins et al.
Equally as important as thorough analysis of successful compromises is synthesis of unsuccessful
intrusions. As defenders collect data on adversaries, they will push detection from the latter phases of
the kill chain into earlier ones. Detection and prevention at pre-compromise phases also necessitates
a response. Defenders must collect as much information on the mitigated intrusion as possible, so
that they may synthesize what might have happened should future intrusions circumvent the currently
effective protections and detections (see Figure 4). For example, if a targeted malicious email is
blocked due to re-use of a known indicator, synthesis of the remaining kill chain might reveal a new
exploit or backdoor contained therein. Without this knowledge, future intrusions, delivered by different
means, may go undetected. If defenders implement countermeasures faster than their known
adversaries evolve, they maintain a tactical advantage.
Figure 4: Earlier phase detection
3.5 Campaign analysis
At a strategic level, analyzing multiple intrusion kill chains over time will identify commonalities and
overlapping indicators. Figure 5 illustrates how highly-dimensional correlation between two intrusions
through multiple kill chain phases can be identified. Through this process, defenders will recognize
and define intrusion campaigns, linking together perhaps years of activity from a particular persistent
threat. The most consistent indicators, the campaigns key indicators, provide centers of gravity for
defenders to prioritize development and use of courses of action. Figure 6 shows how intrusions may
have varying degrees of correlation, but the inflection points where indicators most frequently align
identify these key indicators. These less volatile indicators can be expected to remain consistent,
predicting the characteristics of future intrusions with greater confidence the more frequently they are
observed. In this way, an adversary’s persistence becomes a liability which the defender can leverage
to strengthen its posture.
The principle goal of campaign analysis is to determine the patterns and behaviors of the intruders,
their tactics, techniques, and procedures (TTP), to detect “how” they operate rather than specifically
“what” they do. The defender’s objective is less to positively attribute the identity of the intruders than
to evaluate their capabilities, doctrine, objectives and limitations; intruder attribution, however, may
well be a side product of this level of analysis. As defenders study new intrusion activity, they will
either link it to existing campaigns or perhaps identify a brand new set of behaviors of a theretofore
unknown threat and track it as a new campaign. Defenders can assess their relative defensive
posture on a campaign-by-campaign basis, and based on the assessed risk of each, develop
strategic courses of action to cover any gaps.
Another core objective of campaign analysis is to understand the intruders’ intent. To the extent that
defenders can determine technologies or individuals of interest, they can begin to understand the
adversary’s mission objectives. This necessitates trending intrusions over time to evaluate targeting
patterns and closely examining any data exfiltrated by the intruders. Once again this analysis results
in a roadmap to prioritize highly focused security measures to defend these individuals, networks or
technologies.
4. Case study
To illustrate the benefit of these techniques, a case study observed by the Lockheed Martin Computer
Incident Response Team (LM-CIRT) in March 2009 of three intrusion attempts by an adversary is
considered. Through analysis of the intrusion kill chains and robust indicator maturity, network
defenders successfully detected and mitigated an intrusion leveraging a “zero-day” vulnerability. All
three intrusions leveraged a common APT tactic: targeted malicious email (TME) delivered to a limited
set of individuals, containing a weaponized attachment that installs a backdoor which initiates
outbound communications to a C2 server.
119

Figure 5: Common indicators between intrusions
4.1 Intrusion attempt 1
Eric Hutchins et al.
Figure 6: Campaign key indicators
On March 3, 2009, LM-CIRT detected a suspicious attachment within an email discussing an
upcoming American Institute of Aeronautics and Astronautics (AIAA) conference. The email claimed
to be from an individual who legitimately worked for AIAA, and was directed to only 5 users, each of
whom had received similar TME in the past. Analysts determined the malicious attachment,
tcnom.pdf, would exploit a known, but unpatched, vulnerability in Adobe Acrobat Portable Document
Format (PDF): CVE-2009-0658, documented by Adobe on February 19, 2009 (Adobe, 2009) but not
patched until March 10, 2009. A copy of the email headers and body follow.
Received: (qmail 71864 invoked by uid 60001); Tue, 03 Mar 2009 15:01:19 +0000
Received: from [60.abc.xyz.215] by web53402.mail.re2.yahoo.com via HTTP; Tue,
03 Mar 2009 07:01:18 -0800 (PST)
Date: Tue, 03 Mar 2009 07:01:18 -0800 (PST)
From: Anne E...
Subject: AIAA Technical Committees
To: [REDACTED]
Reply-to: dn...etto@yahoo.com
Message-id:
MIME-version: 1.0
120

Eric Hutchins et al.
X-Mailer: YahooMailWebService/0.7.289.1
Content-type: multipart/mixed;
boundary="Boundary_(ID_Hq9CkDZSoSvBMukCRm7rsg)" X-YMail-OSG:
Please submit one copy (photocopies are acceptable) of this form, and
one copy of nominee’s resume to: AIAA Technical Committee
Nominations,
1801 Alexander Bell Drive, Reston, VA 20191. Fax number is 703/264-
7551. Form can also be submitted via our web site at www.aiaa.org, Inside
AIAA, Technical Committees
Within the weaponized PDF were two other files, a benign PDF and a Portable Executable (PE)
backdoor installation file. These files, in the process of weaponization, were encrypted using a trivial
algorithm with an 8-bit key stored in the exploit shellcode. Upon opening the PDF, shellcode exploiting
CVE-2009-0658 would decrypt the installation binary, place it on disk as C:\Documents and
Settings\[username]\Local Settings\fssm32.exe, and invoke it. The shellcode would also extract the
benign PDF and display it to the user. Analysts discovered that the benign PDF was an identical copy
of one published on the AIAA website at http://www.aiaa.org/pdf/inside/tcnom.pdf, revealing adversary
reconnaissance actions.
The installer fssm32.exe would extract the backdoor components embedded within itself, saving EXE
and HLP files as C:\Program Files\Internet Explorer\IEUpd.exe and IEXPLORE.hlp. Once active, the
backdoor would send heartbeat data to the C2 server 202.abc.xyz.7 via valid HTTP requests. Table 2
articulates the identified, relevant indicators per phase. Due to successful mitigations, the adversary
never took actions on objectives, therefore that phase is marked “N/A.”
Table 2: Intrusion attempt 1 indicators
4.2 Intrusion attempt 2
One day later, another TME intrusion attempt was executed. Analysts would identify substantially
similar characteristics and link this and the previous day’s attempt to a common campaign, but
analysts also noted a number of differences. The repeated characteristics enabled defenders to block
this activity, while the new characteristics provided analysts additional intelligence to build resiliency
with further detection and mitigation courses of action.
Received: (qmail 97721 invoked by uid 60001); 4 Mar 2009 14:35:22 -0000
121

Eric Hutchins et al.
Message-ID:
Received: from [216.abc.xyz.76] by web53411.mail.re2.yahoo.com via HTTP; Wed,
04 Mar 2009 06:35:20 PST
X-Mailer: YahooMailWebService/0.7.289.1
Date: Wed, 4 Mar 2009 06:35:20 -0800 (PST)
From: Anne E...
Reply-To: dn...etto@yahoo.com
Subject: 7th Annual U.S. Missile Defense Conference
To: [REDACTED]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-760892832-1236177320=:97248"
Welcome to the 7th Annual U.S. Missile Defense Conference
The sending email address was common to the March 3 and March 4 activity, but the subject matter,
recipient list, attachment name, and most importantly, the downstream IP address (216.abc.xyz.76)
differed. Analysis of the attached PDF, MDA_Prelim_2.pdf, revealed an identical weaponization
encryption algorithm and key, as well as identical shellcode to exploit the same vulnerability. The PE
installer in the PDF was identical to that used the previous day, and the benign PDF was once again
an identical copy of a file on AIAA’s website
(http://www.aiaa.org/events/missiledefense/MDA_Prelim_09.pdf). The adversary never took actions
towards its objectives, therefore that phase is again marked “N/A.” A summary of indicators from the
first two intrusion attempts is provided in Table 3.
Table 3: Intrusion attempts 1 and 2 indicators
4.3 Intrusion attempt 3
Over two weeks later, on March 23, 2009, a significantly different intrusion was identified due to
indicator overlap, though minimal, with Intrusions 1 and 2. This email contained a PowerPoint file
which exploited a vulnerability that was not, until that moment, known to the vendor or network
defenders. The vulnerability was publicly acknowledged 10 days later by Microsoft as security
advisory 969136 and identified as CVE-2009-0556 (Microsoft, 2009b). Microsoft issued a patch on
May 12, 2009 (Microsoft, 2009a). In this campaign, the adversary made a significant shift in using a
brand new, “zero-day” exploits. Details of the email follow.
Received: (qmail 62698 invoked by uid 1000); Mon, 23 Mar 2009 17:14:22 +0000
122

Eric Hutchins et al.
Received: (qmail 82085 invoked by uid 60001); Mon, 23 Mar 2009 17:14:21 +0000
Received: from [216.abc.xyz.76] by web43406.mail.sp1.yahoo.com via HTTP; Mon,
23 Mar 2009 10:14:21 -0700 (PDT)
Date: Mon, 23 Mar 2009 10:14:21 -0700 (PDT)
From: Ginette C...
Subject: Celebrities Without Makeup
To: [REDACTED]
Message-id:
MIME-version: 1.0
X-Mailer: YahooMailClassic/5.1.20 YahooMailWebService/0.7.289.1
Content-type: multipart/mixed; boundary="Boundary_(ID_DpBDtBoPTQ1DnYXw29L2Ng)"
This email contained a new sending address, new recipient list, markedly different benign content
displayed to the user (from “missile defense” to “celebrity makeup”), and the malicious PowerPoint
attachment contained a completely new exploit. However, the adversaries used the same
downstream IP address, 216.abc.xyz.76, to connect to the webmail service as they used in Intrusion
2. The PowerPoint file was weaponized using the same algorithm as the previous two intrusions, but
with a different 8-bit key. The PE installer and backdoor were found to be identical to the previous two
intrusions. A summary of indicators from all three intrusions is provided in Table 4.
Table 4: Intrusion attempts 1, 2, and 3 indicators
Leveraging intelligence on adversaries at the first intrusion attempt enabled network defenders to
prevent a known zero-day exploit. With each consecutive intrusion attempt, through complete
analysis, more indicators were discovered. A robust set of courses of action enabled defenders to
mitigate subsequent intrusions upon delivery, even when adversaries deployed a previously-unseen
exploit. Further, through this diligent approach, defenders forced the adversary to avoid all mature
indicators to successfully launch an intrusion from that point forward.
Following conventional incident response methodology may have been effective in managing systems
compromised by these intrusions in environments completely under the control of network defenders.
However, this would not have mitigated the damage done by a compromised mobile asset that moved
out of the protected environment. Additionally, by only focusing on post-compromise effects (those
after the Exploit phase), fewer indicators are available. Simply using a different backdoor and installer
would circumvent available detections and mitigations, enabling adversary success. By preventing
123

Eric Hutchins et al.
compromise in the first place, the resultant risk is reduced in a way unachievable through the
conventional incident response process.
5. Summary
Intelligence-driven computer network defense is a necessity in light of advanced persistent threats. As
conventional, vulnerability-focused processes are insufficient, understanding the threat itself, its
intent, capability, doctrine, and patterns of operation is required to establish resilience. The intrusion
kill chain provides a structure to analyze intrusions, extract indicators and drive defensive courses of
actions. Furthermore, this model prioritizes investment for capability gaps, and serves as a framework
to measure the effectiveness of the defenders’ actions. When defenders consider the threat
component of risk to build resilience against APTs, they can turn the persistence of these actors into a
liability, decreasing the adversary’s likelihood of success with each intrusion attempt.
The kill chain shows an asymmetry between aggressor and defender, any one repeated component
by the aggressor is a liability. Understanding the nature of repetition for given adversaries, be it out of
convenience, personal preference, or ignorance, is an analysis of cost. Modeling the cost-benefit ratio
to intruders is an area for additional research. When that cost-benefit is decidedly imbalanced, it is
perhaps an indicator of information superiority of one group over the other. Models of information
superiority may be valuable for computer network attack and exploitation doctrine development.
Finally, this paper presents an intrusions kill chain model in the context of computer espionage.
Intrusions may represent a broader problem class. This research may strongly overlap with other
disciplines, such as IED countermeasures.
References
Adobe. APSA09-01: Security Updates available for Adobe Reader and Acrobat versions 9 and earlier, February
2009. URL http://www.adobe.com/support/security/advisories/apsa09-01.html.
Duran F, Conrad, S. H, Conrad, G. N, Duggan, D. P and Held E. B. Building A System For Insider Security. IEEE
Security & Privacy, 7(6):30–38, 2009. doi: 10.1109/MSP.2009.111.
Epstein, Keith, and Elgin, Ben. Network Security Breaches Plague NASA, November 2008. URL
http://www.businessweek.com/print/magazine/content/08_48/b4110072404167.htm.
LTC Ashton Hayes. Defending Against the Unknown: Antiterrorism and the Terrorist Planning Cycle. The
Guardian, 10(1):32–36, 2008. URL http://www.jcs.mil/content/files/2009-04/041309155243_ spring2008.pdf.
Krekel, Bryan. Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network
Exploitation, October 2009. URL http://www.uscc.gov/researchpapers/2009/NorthropGrumman_
PRC_Cyber_Paper_FINAL_Approved%20Report_16Oct2009.pdf.
Lewis, James Andrew Holistic Approaches to Cybersecurity to Enable Network Centric Operations, April 2008.
URL http://armedservices.house.gov/pdfs/TUTC040108/Lewis_Testimony040108.pdf.
Mandiant. M-Trends: The Advanced Persistent Threat, January 2010. URL
http://www.mandiant.com/products/services/m-trends.
Microsoft. Microsoft Security Bulletin MS09-017: Vulnerabilities in Microsoft Office PowerPoint Could Allow
Remote Code Execution (967340), May 2009a. URL http://www.microsoft.com/technet/security/
bulletin/ms09-017.mspx.
Microsoft. Microsoft Security Advisory (969136): Vulnerability in Microsoft Office PowerPoint Could Allow Remote
Code Execution, April 2009b. URL http://www.microsoft.com/technet/security/advisory/969136.mspx.
Sarandis Mitropoulos, Dimitrios Patsosa, and Christos Douligeris. On Incident Handling and Response: A stateof-the-art
approach. Computers & Security, 5:351–370, July 2006. URL
http://dx.doi.org/10.1016/j.cose.2005.09.006.
National Institute of Standards and Technology. Special Publication 800-61: Computer Security Incident Handling
Guide, March 2008. URL http://csrc.nist.gov/publications/PubsSPs.html.
National Research Council. Countering the Threat of Improvised Explosive Devices: Basic Research
Opportunities (Abbreviated Version), 2007. URL http://books.nap.edu/catalog.php?record_id=11953.
Sakuraba, T. Domyo, S, Chou Bin-Hui and Sakurai, K. Exploring Security Countermeasures along the Attack
Sequence. In Proc. Int. Conf. Information Security and Assurance ISA 2008, pages 427–432, 2008.
doi:10.1109/ISA.2008.112.
Stamos, Alex. “Aurora” Response Recommendations, February 2010. URL https://www.isecpartners.
com/files/iSEC_Aurora_Response_Recommendations.pdf.
Tirpak, John A.. Find, Fix, Track, Target, Engage, Assess. Air Force Magazine, 83:24–29, 2000. URL
http://www.airforce-magazine.com/MagazineArchive/Pages/2000/July%202000/0700find.aspx.
UK-NISCC. National Infrastructure Security Co-ordination Centre: Targeted Trojan Email Attacks, June 2005.
URL https://www.cpni.gov.uk/docs/ttea.pdf.
United States Army Training and Doctrine Command. A Military Guide to Terrorism in the Twenty-First Century,
August 2007. URL http://www.dtic.mil/srch/doc?collection=t3&id=ADA472623.
US-CERT. Technical Cyber Security Alert TA05-189A: Targeted Trojan Email Attacks, July 2005. URL
http://www.us-cert.gov/cas/techalerts/TA05-189A.html.
124

Eric Hutchins et al.
U.S.-China Economic and Security Review Commission. 2008 Report to Congress of the U.S. China Economic
and Security Review Commission, November 2008. URL http://www.uscc.gov/annual_report/2008/
annual_report_full_08.pdf.
U.S.-China Economic and Security Review Commission. 2009 Report to Congress of the U.S.-China Economic
and Security Review Commission, November 2009. URL http://www.uscc.gov/annual_report/2009/
annual_report_full_09.pdf.
U.S. Department of Defense. Joint Publication 3-13 Information Operations, February 2006. URL
http://www.dtic.mil/doctrine/new_pubs/jp3_13.pdf.
U.S. Department of Defense. Joint Publication 3-60 Joint Targeting, April 2007. URL http://www.dtic.
mil/doctrine/new_pubs/jp3_60.pdf.
Willison, Robert and Siponen. Mikko Overcoming the insider: reducing employee computer crime through
Situational Crime Prevention. Communications of the ACM, 52(9):133–137, 2009. doi: http://doi.acm.
org/10.1145/1562164.1562198.
125

The Hidden Grand Narrative of Western Military Policy: A
Linguistic Analysis of American Strategic Communication
Saara Jantunen and Aki-Mauri Huhtinen
National Defence University, Helsinki, Finland
sijantunen@gmail.com
aki.huhtinen@mil.fi
Abstract: War engages civilians in a very different way than is traditionally understood. The military-industrial
complex has rooted itself permanently into the civilian world. In the US, recruiters have long operated in
university campuses, the Pentagon has funded the entertainment industry for decades, and the current trend in
most militaries is to advertise military careers that are less about war and more about individual expertise in
civilian professions. The key place for military recruiting is shopping malls, where teenagers can play war games
and enlist. Strategic communication has replaced information warfare. In a complex world, strategic
communication exploits all possible media. As Art of War has been replaced by science, the representations of
war and the role of the military have changed. Both war and military forces are now associated with binary roles:
destruction and humanity, killing and liberating. The logic behind 'bombing for peace' is encoded in the Grand
Military Narrative. This narrative is hidden in American (and NATO) strategies such as Effects Based Operations,
which rely heavily on technology. As people aim to rationalize the world with technology, they fail to take into
account the uncertainty it brings. In warfare, that uncertainty is verbalized as “friendly fire”, “collateral damage” or
simply as “accident”. Success and failure are up to technology. Technology is no longer a tool, but an ideology
and an actor that not only 'enables' the military to take action, but frees it of responsibility. This article analyzes
American strategy discourse and the standard and trends of rhetoric they create. The article focuses on
pinpointing some of the linguistic choices and discourses that define the so-called 'techno-speak', the product of
modern techno-ideology. These discourses result in representations of techno-centered binary values, which
steer military strategy and foreign policy.
Keywords: military-industrial complex, revolution in military affairs, effects based operations, discourse analysis,
military technology
1. The grand military narrative
"You want to hit only the guy you want, not the school bus three cars back", says Steve Felix of the
Naval Air Warfare Center (Matthews, 2010). "The bad guys are figuring out how to hide out in homes
and near schools. We can't go in and drop large bombs - that just doesn't work any more", explains
Steve Martin, the representative of Lockheed Martin. Raytheon's Griffin, currently deployed in
Predator drones, is a new, lighter and more precise missile type. "The Griffin's maneuverability and
accuracy reduce the risk of "collateral damage"' says an Army representative. "When you can start
producing a lower ratio of collateral damage, that's how you win this kind of war", notes Anthony
Cordesman from Strategy at the Center for Strategic and International Studies (Wichner, 2010). No
more 'enemy', but virtuous precision to rid the world of the "bad guys".
In July 2010, the Army Experience Center (AEC) in a Philadelphia mall was getting ready to close its
door after a successful project. The Center offered visitors information on military careers as well as
video games and simulators (some of which are used to train the troops). The traditional images of
depressing boot camp physical training disappear once the teenagers (13 and older, according to the
AEC) get to show with combat simulators what they have been practicing most of their lives. The
youth, wandering the malls, are the perfect target for recruiters. Because they know gaming, warfare
has to become game-like. Now, entertainment industry is replacing boot camps. Being good at war is
made easy. Being good at war is about pressing a button: In the Army Experience Center, the
teenagers can "touch and feel and experience what the army is all about", explains one of the
Center's recruiters (thearmyexperience, 2008). High-tech weapons to kill the "bad guys" from a
comfortable distance and virtual simulation create combat experience: What ever the problem, the
answer lies in technology. This is the Grand Military Narrative.
2. The military-industrial-complex and revolution in military affairs
The military-industrial complex gave birth to the Revolution in Military Affairs. The future of the military
is computers, information networks, and precision-guided munitions (Toffler, 1981, 1993).
Technological advances are used to solve the military and strategic challenges of the U.S. (Shimko,
2010: 213). This revolution, or evolution, is depicted by the Grand Military Narrative.
126

Saara Jantunen and Aki-Mauri Huhtinen
RMA's focus on technology has led to technology-centered strategies and doctrines. Technology
offers the option of unmanned war, to “bring knowledge forward” for the people whose observation is
limited (Rantapelkonen, 2006:72). “Maximizing output” and “minimizing input” (citing Lyotard, 1984 in
Rantapelkonen, 2006:73) match the American ideal of “easy living”. Lyotard argues that technology is
“good” because it is efficient, not because it is “true”, “just” or “beautiful”.
According to Rantapelkonen (2006), 'war on terror' is technologically driven. However, the binary
image of war contains the idea of not only destroying and devastating, but also avoiding risk, threat
and death by liberating, helping and building. Der Derian (2008) calls this "virtuous war". He argues
that the military-industrial complex needs binary rhetoric such as 'bombing for peace' and 'killing to
live' in order to operate and make profit: Technology is in service of virtue. As death and destruction
are no longer accepted, technology steps in. By replacing the soldier with a precision (fire-and-forget)
weapon, 'targets can be hit' and 'operations conducted' without causing protests on the home front.
The evolution of warfare demands science is in the service of war. Technology “enables us to do a lot
more stuff” and to “more effectively prosecute those operations” (U.S. Department of Defense, 2003).
Because of its efficiency and speed, strategies, doctrines and even foreign policy rely on the sole use
of technology. The Powell Doctrine aimed to solve problems by overwhelming force in the form of
superior weapons technology. Shock and Awe in 2003 worked much the same way.
However, the modern narratives and threat descriptions do not, after all, change much. President
Obama no longer uses the term "war on terrorism", but this choice of term did not change the warfare
in Afghanistan or Iraq. The US, China, Russia, India, Pakistan, Israel and North Korea are still
developing nuclear weapons. The new threat descriptions have not removed the old threats. Despite
precision munitions, B52 bombers are still in use. The real change first takes place in discourse, but
lags behind in realization.
The Grand Military Narrative contains a techno-ideology, which is encoded in language. In this
Narrative war has two aspects: the "how" and "why". How wars are conducted is a matter of
technology descriptions. Why wars are fought is a matter of value systems. The merge of these two
aspects create what is now known as strategic communication.
3. From information warfare to strategic communication
Not only has the language of the press-briefings, but also soldier-to-soldier communication changed.
In the battle field and combat, propaganda has been replaced by strategic and psychological
influence. The global and social media create an increasing influence and new technology solutions
create an opportunity to make an impact. Strategic communication exploits all these.
The new generation's war, the Gulf War, was a catalyst to public discussion on the new wave of
Information Operations. The Kosovo War and 9/11 sped up the discussion. A whole new narrative
was created during the 'War Against Terrorism'.
According to Taylor (2003), the concepts of political, psychological or information warfare are
outdated. Instead, we use the concept of 'strategic communication'. Taylor recognizes three types of
it. First is “public diplomacy”, referring to state and political level. Second is “public affairs”, which
contains the global media. The third type, Information operations (Info Ops), deals with military
capability. Strategic communication has abandoned the Cold War era categories of propaganda: the
so called “black” (covert), “white” (overt) and “grey” (unknown) propaganda. Today, the speed of
communication is enough to disturb our perception management capability. The 24/7 model takes
advantage of our values and understanding of democracy: we say no to censorship and want all
information to be available at all times, everywhere.
Strategic communication is a child of the complex world. Instead of rational knowledge, we have
information flow. Planning and execution are parallel processes; Speed dictates the operational
modes, and strategic communication is an attempt to control all this.
4. The question of responsibility: Effects Based Operations
Effects Based Operations (EBO), is a US military concept and doctrine that stands for "operations that
are planned, executed, assessed, and adapted based on a holistic understanding of the operational
environment in order to influence or change system behaviour or capabilities using the integrated
127

Saara Jantunen and Aki-Mauri Huhtinen
application of select instruments of power to achieve directed policy aims". On the day of "Shock and
Awe" in 2003, Colonel Gary L. Crowder, chief of strategy, concepts and doctrine, elaborated the
concept in layperson's terms in a press briefing dedicated for EBO alone (U.S. Department of
Defense, 2003). Before proceeding to explaining any further, the concepts of technology-based
approach and doctrine step in. Crowder explains that the new approach was "more than just people, it
was the combination of a fortuitous development of different capabilities and technologies [...] that
enabled us to do that." The phrases that follow this capture the very essence of the discourse that
characterized the American Public Relations during the beginning of the war:
[...] what we wanted to do was in fact to achieve some sort of policy objective, and that
you could, in fact, craft military operations to better achieve those policy operations in a
more efficient and effective manner.
The key words here are "efficient" and "effective". EBO was, according to Crowder, a way to mitigate
collateral damage. In order to explain the concepts of "collateral damage" and "unintended damage",
Crowder had to discuss risk-taking as part of doctrine.
Crowder explains that even if collateral and unintended damage happen, and "both of these types of
damage will take place", they "still went through a methodical process". This precisely is the problem
with strategy that relies almost solely on the performance of technology. Technology fails, and when it
does, the responsibility of that failure lies on technology itself. According to the strategy, both
collateral and unintended damage are unavoidable, technology has its fail-ratio, and these are facts
that just have to be accepted. In Virilio's (1989: 8-9) terms, Art of War has turned into Science of the
Accident.
Technology is complex and when techno-speak enters press-briefings such as Crowder's, a new kind
of language is created. Zizek (2009) argues that public communication increasingly applies expert
and scientific jargon that no longer translates to the 'common speak' of the society. The 'expert
speak', despite its abstract nature, still shapes our thinking, especially when it is labeled with
adjectives such as 'precision', 'smart' and 'efficiency'. With examples of virtuous warring (liberating)
and precise and efficient operating models (avoiding collateral damage), it complies with the modern
imperative of clean and safe, effective and lethal, and yet moral and humane war fighting. The kind of
war that we will accept.
Although EBO as it was first created and intended is already abandoned by the American Department
of Defense, it created a new narrative tradition of virtue and the superiority of technology and binary
values. This tradition continues to influence Western military discourses. This will be discussed in
Chapter 5.
5. The grand military narrative: Analysis
In order to pinpoint the Grand Military Narrative of strategic communication, we have to look at the
theme and structures of the strategists' language. The United States has an irrefutable position as the
military trend-setter and the creator of new military concepts. This makes American strategy papers
and press briefings on strategy and doctrine a good resource for analyzing the evolution of strategic
communication. The upcoming sections continue the discussion on strategy, doctrine and Effects
Based Operations and their influence on discourse.
The Joint Operating Environment 2010 (JOE10) (United States Joint Forces Command, 2010)
provides the framework for our analysis and aims to predict and forecast the future of American
warfare. It argues and elaborates on what should be prepared for. The narrative starts from the
recognition of the human limitations in the complex world, created by the clash of different ideologies
and cultures, and further supplemented by advances in technology and changes in the economy.
The complex world affects, according to the report, the "battle of narratives". If winning the battle is
important, winning the battle of narratives is "absolutely crucial". The report makes the conclusion that
Dominating the narrative of any operation, whether military or otherwise, pays enormous
dividends. [...] In the battle of narratives, the United States must not ignore its ability to
bring its considerable soft power to bear in order to reinforce the positive aspects of Joint
Force operations. Humanitarian assistance, reconstruction, securing the safety of local
128

Saara Jantunen and Aki-Mauri Huhtinen
populations, military-to-military exercises, health care, and disaster relief are just a few
examples of the positive measures that we offer.
This statement is interesting, as we have witnessed the emergence of operations 'other than war'. In
the narrative of Operation Iraqi Freedom, the military leadership put much focus on the humanitarian
aspect of the operation. But, the "battle of narratives" manifested itself not only in word choices such
as liberate and humanitarian aid, but also as words such as precision-guided weapons. The emphasis
of the use of precision guided munitions can be seen as semantic tactics. Technology is part of the
narrative.
JOE10 mentions the words deter and deterrence several times, and finally concludes that deterrence
will be the "primary purpose" of the military forces. This explains the threat discourse: the only way to
deter is to excel over the rest in skill, capacity and resources. Deterrence will be created by absorbing
education and science: "The Services should draw from a breadth and depth of education in a range
of relevant disciplines to include history, anthropology, economics, geopolitics, cultural studies, the
‘hard’ sciences, law, and strategic communication", the report states. It also stresses that in future,
asymmetric and irregular warfare will be more likely than conventional warfare, and that the U.S.
military should be prepared for this:
Irregular wars are more likely, and winning such conflicts will prove just as important to
the protection of America’s vital interests and the maintenance of global stability.
To summarize the report, we make the following conclusions: In strategy, techno-speak
1. is part of the "battle of narratives"
2. is based on threat discourse
3. serves the function of deterrence
The analysis uses these conclusions as the starting point for the linguistic part of the analysis.
5.1 Narrating the doctrine: Effects Based Operations briefing
This briefing aired on the same day when the coalition forces started the Operation Iraqi Freedom by
bombing Baghdad. In this briefing, Colonel Gary Crowder (the division chief at Air Combat Command
and the plans director for Strategy, Concepts and Doctrine) introduces the concept of Effects Based
Operations (EBO) to the public. The role and type of technology descriptions in it will be discussed in
this section.
Two types of clauses are included in the analysis: those, where the 'doer' is technology, and those
where the 'doer' is 'us' (the US, Coalition Forces, etc).
When looking at the clauses where technology is the Actor, the main observations are that in these
descriptions the typical process is a description of 'enabling', and the object of action (Goal or Range,
often in a projected clause) is abstract or ambiguous:
Table 1: Technology as a doer
ACTOR PROCESS
(material)
BENEFICIARY
1 these analytical tools enable us [...] to find alternative methodologies
2 [PGM] [...] give us the ability for a large number of other
aircraft besides just stealth aircraft to hit
multiple weapons per targets.
3 its stealth qualities enable us to do a large number of things
4 [the stealth] enables us to do a lot more stuff
5 the stealth does give us some capabilities in addition to the
precision
In action descriptions where the Actor is human or animate, there are two main types. The first type
are the descriptions of dynamic military action and capability:
129

Table 2: Human as a DOER
ACTOR/
CARRIER
Saara Jantunen and Aki-Mauri Huhtinen
PROCESS
(material or relational)
GOAL/RANGE/POSSESSED
6 we were able to take down the air defense system
7 we were able to neutralize those towers
8 we can hit multiple targets
9 we have much more dual-use capability in each of the Air Force's,
Navy's and Marines' fighter
aircraft as well as our
bomber aircraft
10 we have an improved ability to go after adversary's
systems
The action descriptions refer to the use of weapons and technology. In descriptions of military action,
the process is typically material (physical) and the object of the action is inanimate and often abstract.
The data also contains a number of possessive attributive action descriptions (having something),
where the entity possessed is typically capability or ability, both abstract. The evaluation of the first
ten sample clauses is positive. The Process (often combined with the Goal/Range) signal social
esteem in the form of capacity; Technology and Self are described as competent, expert and
powerful. The objects of action are inanimate, which signals Social Sanction: the one acting is good,
moral and ethical by attacking non-human targets.
The second type consists of action descriptions that are somewhere between material and mental
processes:
Table 3: Human as a doer
# SENSER PROCESS (mental) PHENOMENON
11 I would prioritize [...] those targets
12 we look at the desired effects we want to create on the battlespace,
13 we evaluate the target sets that we need to do, that -- those effects that we
need to create on the battlespace
14 we bring those together into a integrated plan
15 we literally come up with a high heaven objective
These descriptions highlight the analytical part of waging war: the planning and the creating of
strategy. In this context we will analyze them as mental processes, because they are strongly
contrastive to the material processes of attacking and neutralizing, and their purpose is to emphasize
the role of the scientific and creative planning process in warfare. The evaluation in the above clauses
is, just like in the first ten, positive. Capacity is signaled with descriptions of observation, consideration
and learnedness. These Process types can further be characterized as perceptive and cognitive
(Halliday, 2004: 210).
To put it briefly, the source text emphasizes Capacity that is realized by descriptions of having both
inner (ability, cognitive skills) and outer (material, technological) resources. Of all action, the emphasis
is on inner experience: Weapons are of course used, but after a planning process that is described as
highly scientific. In addition to action descriptions, the briefing contained a number of nominal
constructions that are worth notice:
Table 4: Nominalizations
Nominal constructions: technology
the combination of a fortuitous development of different capabilities and technologies
the development of the laser-guided bombs
the capability of a Joint Direct Attack Munition
the evolution of about the last 20 years
the evolution of both the Air Force and the Navy and Marine Corps' combat
our ability to go after targets
130

Saara Jantunen and Aki-Mauri Huhtinen
The above nominalizations capture the semantic content of the action descriptions: development,
capability, evolution, ability. The order of these nominalizations create a narrative of evolving and
developing capability that finally is utilized as an ability. This narrative creates a concept of
advancement and technological omnipotence.
5.2 Discussion
There are two major players in the Grand Narrative of War: Technology is the enabler, and 'we' are
the able. The ability technology creates is to wage war effectively, precisely and securely and so save
lives by avoiding casualties and collateral damage. Technology is the prerequisite for humanity in
warfare. In this narrative, war has evolved into "Effects Based Operations" on one hand, and into
humanitarian operations on the other. The result is war's new image, which is slowly drifting further
and further away from the killing, and closer and closer to implementing humanity. This is the source
of the binary rhetoric of 'bombing for peace' and 'destroying the village to save it'.
The frequently occurring words capacity and capability are abstract subordinate terms that may mean
anything from having financial or human resources to operate to meaning the quality of weapons
systems, planning, or the mass of the actual weapons. These are everyday terms in strategy and
operations discussed in public and allow the speaker to carry out the tactic of neutrality through
vagueness.
The technology descriptions in American war-speak execute the function of deterrence. As Joint
Operational Environment 2010 (United States Joint Forces Command, 2010) concludes, the task of
deterrence will be increasingly important. This, although, evokes the question whether the asymmetric
and irregular enemy the report described can be deterred and if so, whether technology as a
deterrence will work. Insurgents use inexpensive and asymmetric forms of combat, to which the U.S.
responds with expensive counter measures. According to 2008 National Defense Strategy,
deterrence must include both military and non-military tools, and that "changes in capabilities,
especially new technologies" help to create a credible deterrence. Metz (2007: 65) elaborates on the
logic of fighting insurgency with technology:
Counterinsurgency experts long have argued that technology is unimportant in this type
of conflict. While it is certainly correct that technology designed to find and destroy a
conventional enemy military force had limited application, other types such as nonlethal
weapons and robotics do hold promise for difficult tasks such as securing populated
areas, preventing infiltration, and avoiding civilian casualties.
While the counterinsurgency (COIN) strategy emphasizes the integration of military and non-military
means, the military still turns to technology for answers. EBO, once justified with the promise of new
technologies, has been abandoned and replaced with a 'Comprehensive Approach'. These new
strategies (and if not old, then updated) are justified with 'even less' collateral damage and 'even
better' precision - enabled by technology. The name of the applied strategies change, but the
discourse (and the weapons used) remains the same. The deterrence the West imposes means
smaller and smaller missiles (yet more lethal than ever), satellites and stealth drones (that both
observe us and guide missiles) and cyberspace. Virilio (2009) calls this "aesthetics of disappearance".
The collective Western outlook no longer tolerates alternatives that would make war visible. At the
same time, we fear the unseen.
The Joint Operating Environment 2010 (ibid.) also remarks that individual soldiers are increasingly
"global communication producers". According to the report, in the "battle of narratives" the role of the
"strategic corporal whose acts might have strategic consequences if widely reported" is big. By pressbriefing
the media and embedding journalists in 'liberation operations', the military leadership is
creating strategic communication that is convincing enough to appeal not only to the public, but also
to the soldier that has to be supervised and controlled by the system and as part of the system - not
as an individual. In the words of the COIN Field Manual: "Information operations (IO) must be
aggressively employed" to "obtain local, regional, and international support for COIN operations" and
"discredit insurgent propaganda and provide a more compelling alternative to the insurgent ideology
and narrative".
131

6. Conclusion
Saara Jantunen and Aki-Mauri Huhtinen
The Revolution in Military Affairs presents the new identity of war as a system of technologies, an
ideology which manifests itself in military discourse. In addition, system thinking, such as EBO, has
created the demand for both internal and external control in the Western military force. This
combination of strategically significant military contractors, techno-faith and the need to dominate and
control have led to strategic communication, which contains the Grand Military Narrative. According to
this Grand Narrative, technology executes, with precision, reliability and from a distance, the duties
determined by analytical, rational and morally virtuous humans. The public role of the military is to 'do
good'. In this narrative, war is removed from the battle fields into the virtual.
The binary roles of the military result in binary rhetoric, and this is very visible in the analysis
introduced in this article. Whereas the adversary, the insurgents, conduct hands-on warfare based on
the assumption that the insurgent will die in the process, the West distances itself from the discomfort
both physically (drones and missiles) and mentally (distance and simulation) and tolerate no losses.
'We' cling onto everything we have, whereas 'they' have little to lose. 'We' fight the enemy with the
exact opposite way than they fight 'us': The US is portrayed as evolved and scientific, while the
majority of the militaries in the rest of the world employ very different methods of warfare. This makes
the discourse on the threats of asymmetric enemies interesting. Is it not the RMA that distanced 'us'
from the enemy and created asymmetry, the Frankenstein we are now terrified of?
The Grand Military Narrative is full of paradoxes. Rhetoric, strategy and reality do not meet. The result
is that we are deterring an asymmetric enemy (that cannot be deterred) with weapons (that cannot be
seen) and pay more than we can afford to in order to do so (while the enemy pays close to nothing).
The paradox here is that in an arms race against asymmetric enemies, the winner is not the one who
has the highest technology, but the one who tolerates the biggest losses.
References
Allen, Patrick D. (2010) Information Operations Planing, Boston: Artech House.
Boisot, M. H., MacMillian, I. C. and Han, K. (2007) Explorations in Information Space. Knowledge, Agents, and
Organisation, London: Oxford University Press.
Campen, A. (1996) Cyberwar, Washington D.C.: AFCEA Press.
Campen, A. (1992) The First Information Warfare: The Story of Computers and Intelligence Systems in the
Persian Gulf War, Washington D.C.: AFCEA International Press.
Czosseck, C. and Geers, K. (Eds.) (2009) The Virtual Battlefield: Perspectives on Cyber Warfare, Amsterdam:
IOS Press.
David, G. J. and McKeldin III, T.R. (Eds.) (2009) Ideas as Weapons. Influence Perception in Modern Warfare,
Washington D.C.: Potomac Books.
Der Derian, J. (2009) Virtuous War, New York: Routledge.
Fainaru, S. and Klein, A. (2007) 'In Iraq, a Private Realm Of Intelligence-Gathering', Washington Post, 1 July,
[Online], Available: http://www.washingtonpost.com [19 Oct 2010].
Halliday, M.A.C. (2004) An Introduction to Functional Grammar. Revised by Matthiessen, C.M.I.M, London:
Arnold.
Johnston, W. (2010) 'War Games Lure Recruits For 'Real Thing'', NPR, 31 July, [Online],
Available:http://www.npr.org/templates/story/story.php?storyId=128875936 [19 Oct 2010].
Krishnan, A. (2009) Killer Robots. Legality and Ethicality of Autonomous Weapons, Burlington: Ashgate.
Libicki, M. (1996) What is Information Warfare? Washington DC: National Defence University Press.
Matthews, W. (2010) 'Smaller, Lighter, Cheaper: New Missiles Are 'Absolutely Ideal' for Irregular Warfare',
Defense News, 31 May, [Online], Available: http://www.defensenews.com/story.php?i=4649372 [19 Oct
2010]
Metz, S. (2007) Learning from Iraq: Counterinsurgency in American strategy, [Online], Available:
http://www.strategicstudiesinstitute.army.mil/pubs/download.cfm?q=752 [19 Oct 2010].
Rantapelkonen, J. (2006) The Narrative Leadership of War: Presidential Phrases in the 'War on Terror' and their
Relation to Information Technology. Doctoral Dissertation. Publication Series 1, Research n:o 34, Helsinki:
National Defence University.
Risen, J. & Mazzetti, M. (2009) 'C.I.A. Said to Use Outsiders to Put Bombs on Drones', New York Times, 20 Aug,
[Online], Available: http://www.nytimes.com/2009/08/21/us/21intel.html [19 Oct 2010].
Stahl, R. (2010) Militainment, INC. War, Media, and Popular Culture, New York: Routledge.
Shimko, K. L. (2010) The Iraq Wars and America’s Military Revolution, New York: Cambridge University Press.
Soeters, J., van Fenema P.C., & Beeres, R. (Eds.) (2010) Managing Military Organizations: Theory and practice,
London: Routledge.
Taylor, P. (2003) Munitions of the Mind: A History of Propaganda from the Ancient World to the Present Day, 3rd
edition, Manchester: Manchester University Press.
132

Saara Jantunen and Aki-Mauri Huhtinen
Thearmyexperience (2008) Inside the Army Experience Center, [video online]
Available:http://www.youtube.com/watch?v=-lZKV9bP_0Q [19 Oct 2010]
Toffler, A. (1981) The Third Wave, New York: Bantam Books.
Toffler, A . & Toffler, H. (1993) War and Anti-War: Survival at the Dawn of the 21st Century, Boston: Little, Brown
& Co.
United States Joint Forces Command. (2010) The Joint Operating Environment 2010 [Online], Available:
http://www.jfcom.mil/newslink/storyarchive/2010/JOE_2010_o.pdf [19 Oct 2010].
U.S. Department of Defense (2008) 2008 National Defense Strategy, [Online], Available:
http://www.defense.gov/news/2008%20national%20defense%20strategy.pdf [19 Oct 2010]
U.S. Department of Defense (2003) Effects Based Operations Briefing. Transcript, 19 March, [Online], Available:
http://www.defense.gov/Transcripts/Transcript.aspxTranscriptID=2067 [19 Oct 2010]
Wichner, D. (2010) 'Raytheon's new Griffin fit for drone', Arizona Daily star, 22 Aug, [Online] Available:
http://azstarnet.com/business/local/article_ff437ef6-c69d-56c6-aeff-e74d0d5902b9.html [19 Oct 2010]
Ventre, D. (2007) Information Warfare, London: Wiley.
Virilio, P. (2009) The Aesthetics of Disappearance, Translated by Philip Beitchman, Los Angeles: Semiotext(e).
Virilio, P. (1989) War and Cinema. The Logistics of Perception, Translated by Patrick Camiller, London: Verso.
Wiest, A. (2006). Rolling Thunder in a Gentle Land – The Vietman War Revisited, London: Osprey Publishing.
Zizek, S. (2009). Pehmeä vallankumous. Translated by Janne Porttikivi, Helsinki: Gaudeamus.
Unpublished
XX. (2010) “On Making War Possible: Strategic Thinking, Soldiers’ Identity, and Military Grand Narrative”.
(Unpublished manuscript in Security Dialogue)
133

Host-Based Data Exfiltration Detection via System Call
Sequences
Brian Jewell 1 and Justin Beaver 2
1
Tennessee Technological University, Cookeville, USA
2
Oak Ridge National Laboratory, Oak Ridge, USA
bcjewell21@tntech.edu
beaverjm@ornl.gov
Abstract: The host-based detection of malicious data exfiltration activities is currently a sparse area of research
and mostly limited to methods that analyze network traffic or signature based detection methods that target
specific processes. In this paper we explore an alternative method to host-based detection that exploits
sequences of system calls and new collection methods that allow us to catch these activities in real time. We
show that system call sequences can be found to reach a steady state across processes and users, and explore
the viability of new methods as heuristics for profiling user behaviors.
Keywords: data exfiltration, data security, intrusion detection
1. Introduction
A successful attack on an organization involving the theft of sensitive data can be devastating. Data
exfiltration is the term used to describe this type of theft and can be defined as the unauthorized
transfer of information from a computer system. Data exfiltration attacks represent a tremendous
threat to both government entities and commercial enterprises.
Government organizations maintain repositories for sensitive and classified information, and breaches
into protected systems or leaks into the public domain can have implications that threaten national
security. Commercial enterprises manage complex levels of proprietary tools and data that, if
compromised, could endanger the financial security of their institutions and/or their customers. Recent
studies find that information leaks are the most prevalent security threat for organizations 0 and that in
recent years attackers have exfiltrated more than 20 terabytes of data, much of which is sensitive,
from the U.S. Department of Defense and Defense Industrial Base organizations, as well as civilian
government organizations 0.
Despite the threat, the approach to defending against these attacks is surprisingly unsophisticated.
Off-the-shelf intrusion detection systems (IDS) monitor for known malicious network signatures at the
system boundary. These systems are relied upon to flag potential network breaches, which are then
typically investigated manually (often these are guided analyses that leverage custom-built scripts) in
order to trace potential unauthorized activities. Unfortunately, the model of perimeter defense leaves
attackers free to navigate, investigate, and extrude information if the perimeter is breached
undetected.
Host intrusion detection systems (HIDS) are software programs that run on each computer host in a
network and attempt to detect malicious events in the operation of the host. Commercial virus
protection packages (McAfee, 2003) are examples of HIDS and monitor system services, registry
changes, and check individual files for signatures of known malicious programs. We approach the
detection of data exfiltration attacks as a HIDS. Once the boundary defense is breached, it is from the
individual hosts that a malicious user will explore file systems, package data, and export it to an
outside network. We postulate that, given insight into the activities of individual users and processes
on a given host, acts of unauthorized data exfiltration can be discriminated from normal user/process
behaviors.
Our hypothesis hinges on the availability of low-level data that reflects the operation of processes on
a computer host. We propose to achieve this insight into the computer’s operation through the
monitoring of system calls, which are low-level process interactions with the host computer’s
operating system. System calls provide a window into what all processes and users on a host
machine are executing, regardless of how they are interacting with the machine. In addition, they
provide more fidelity in identifying individual actions than a process monitor.
134

Brian Jewell and Justin Beaver
In this paper, we propose the use of a method by which unique sequences of system calls, managed
at the process/user level, are the basis for discriminating normal and anomalous behaviors by users
for use as an exfiltration detection agent. We then evaluate this model to fit our 3 criteria for a viable
detection agent.
Tractable- The chosen method must be able to run in real time while having negligible effect on a
system as experienced by the end user.
Environmentally Neutral- Our method must also be portable and adapt to any environment.
Responsive- Lastly, our ideal method should reliably report on data exfiltration behaviors.
The following sections are organized as follows: Section 2 provides a review of similar work. Section 3
formalizes the methodology we used to categorize normal behavior and collect a profile from the
system call data traces. Section 4 evaluates our method according to the 3 criteria we set, and
Section 5 gives a detailed account of our results, conclusions, and ideas for future work.
2. Related work
The detection of data exfiltrations has been a recent focus of cyber security research. Exfiltration
detection is a difficult problem due to the wide range of methods available, and the subtlety with which
it can be performed 0. Current IDS systems are mostly concerned with intrusion attempts, although
there are extrusion detection systems that are commercially available (e.g., 0. Like network-based
IDSs, these are primarily signature-based solutions that perform network traffic analysis through
custom hardware.
Many more advanced data analysis approaches have been proposed, including clustering of network
traffic for anomaly detection 0, the application of statistical and signal processing methods to
outbound traffic for signature identification 0, and the application of data mining techniques 0 to
network data. These approaches yielded varying degrees of success, but inevitably were plagued
with base-rate fallacy 0 issues or a narrow problem focus.
However, when we look at previous work on host-based IDSs there is some inspiration for host-based
data exfiltration detection. In 1996, Forrest, et al, proposed a host-based intrusion detection method
based on the monitoring of system calls (Forrest, 1996). This early work was inspired by the human
immune system's ability to recognize what cells are part of the host organism (it's self) or foreign (nonself).
They used this principle in developing their own methodology for constructing a "sense of self"
for Unix based systems using available system trace data.
Forrest’s methodology used lookahead pairs, or sets containing pairs of system calls formed by the
originating system call and the one that follows it with spacing 1, 2, 3, .. k. These pairs were used to
form a database of normal process behavior (or self), and used to monitor for previously unfound
patterns, that were then tagged as anomalous (or non-self). While their results were only preliminary,
they did show that a stable signature of normal process behavior could be constructed using very
simple methods.
Many other approaches have been taken since to model the behavior of processes using system
calls, including the use of Hidden Markov Models (HMM) (Gao, 2006), neural networks (Endler, 1998),
k-nearest neighbors (Liao, 2002), and Bayes models (Kosoresow, 1997). These models were all
developed in hopes of producing more accurate models while reducing false positives which comes at
a high computational cost. The most notable advantage of Forrest's model is the ability to track
processes for anomalous behavior at the application layer of each individual host in real time at a very
low computational cost.
Forrest et al., later improves upon their work in (Forrest, 2008) by introducing another simple model
that is suitable for real-time detection dubbed sequence time-delay embedding (stide), and again
involves the enumeration of system call sequences. However, this time their method uses contiguous
sequences of fixed length to form a database of normal behavior. They also introduce a new
modification to their method called sequence time-delay embedding with frequency threshold (t-stide).
This method explores the hypothesis that sequences with very low occurrence rates in training data
are suspicious.
135

Brian Jewell and Justin Beaver
Forrest et al. tested these methods against 2 popular machine learning methods. One based on
RIPPER - a rule learning system developed by William Cohen (Cohen, 1995) that was later adapted
by Lee et al. (Lee 1998, 1999) to learn rules to predict system calls and find anomalies, and the other
based on HMMs as used in (Gao, 2006). While they weren't able to show that stide performed better
than the other methods, they did conclude that it performed comparably to more complicated
methods.
Our work is most closely paralleled by that of Forrest and leverages host-based system call
information to detect anomalous user behaviors. Unlike previous work, we seek to implement and
adapt this approach as an analysis process that is user and process centric to detect data exfiltration
agents.
3. Methodology
Our model for data exfiltration detection focuses on the analysis of system calls used in a host’s
operation and hinges on observations similar to that found in previous works by Forrest et al. (Forrest,
2008). This section justifies the use of sequences of system calls as a mechanism for defining normal
behaviors in Section 3.1, discusses variants in optimizing system call sequences in Section 3.2, and
compares these variants for use as data exfiltration detectors in Section 3.3.
3.1 Defining normal in sequences of system calls
A system call trace or system call sequence is the ordered list of system calls as invoked by a process
that spans the length of execution by a given user. An example system call trace for a given user
might be:
“..., open, read, fstat, fstat, write, close, mmap,...”,
where “open”, “read”, “fstat” , etc. are all examples of system call executable names. All invoked user
operations, whether a command line imperative or in the operation of a running program, use various
combinations of system calls to complete their tasking. Even simple commands, such as a directory
listing, use a sequence of multiple system calls to execute.
While there are a number of current methods to enumerate system call sequences, there is a
common theme: to form a data store of traces that are used to characterize normal behaviors (also
referred to as a normal profile) in a given environment. Once the data store is established, it can be
used as the basis for identifying future sequences as normal (within the set) or anomalous (not
included in the set). In addition, it is desirable for any automated comparison of this profile with
experienced events to be computationally tractable.
Previous research (Forrest, 2008) on host-based IDSs that has attempted to use system call
sequences to detect anomalous behaviors has concentrated on detecting anomalies in program
execution. That is, the focus of the analysis is on individual processes and their execution but did not
take into account the uniqueness of each individual user.
By contrast, when attempting to detect data exfiltrations, we are more interested in the behavior
specific to a user. However, in order to create a normal profile that is specific to a user, it must be
established that system call sequences are suitable for discriminating normal and anomalous
behaviors in such a context.
Given that, experientially, user behavior seems to vary drastically depending on the task being
performed at any given moment, it is necessary to support the claim that unique system call
sequences for a user can be generalized.
We performed an experiment in which the unique system call sequences for individual users were
tracked. The results of this experiment are illustrated in Figure 1. We define a stable profile as one
that plateaus at a given size (N sequences). It's the asymptotic nature of the line that makes the
anomalous detection possible.
That is, in a given trace, the number of sequences generated can always be observed to "step" or to
plateau under normal usage and to increase suddenly when a user performs a new or unusual action.
136

Brian Jewell and Justin Beaver
Figure 1 demonstrates that, despite varying operations by users, a normal profile can be established
and characterized by a tractable (< 200) number of unique system call sequences.
Figure 1: Number of unique system call sequences for a given user/process versus the total number
of system calls
3.2 Models for system call sequences
For our testing we implemented three different simple methods for enumerating system calls. The first
of these methods is implemented very similarly to stide (Warrender, 1999). The method uses a sliding
window of size N across all system calls included in a trace to form the sequences. However, we have
adapted the method to incorporate UID/process name pairs to create a profile of our trace data.
We also wanted to take care in choosing an appropriate value of N to be used with our
implementation. The best value for N that is used for stide and similar implementations is discussed in
a number of previous works. Kosoresow et al. (Kosoresow, 1997) suggest “the best sequence length
to use would be 6 or slightly higher than 6.” And Kymie 0 in a paper dedicated to the singular question
of “Why 6?” provide evidence supporting the conjecture empirically.
However, while evaluating our own variable sequence length method we identify another possible and
more fundamental reason to pick a sequence size of 6. In Figure 2 we see the number of unique
sequences present in a complete “normal” profile generated by our variable length sequence collector
over one week.
It is interesting to note the dramatic decrease in the number of sequences that occur with a length
greater than 6. As the value of N increases we increase the accuracy of the profile generated
proportionately to the percentage of system call sequences that fall under that size. However, we also
increase our learning time and profile complexity by the same proportions. Therefore, for our
experiments we also use 6 for the length of our sequences
The next model is designed to avoid the apparent shortcomings of the windowing method. Many
sequences of length 1 or 2 can be observed as repeating continuously, making a perfect fit with the
windowing method requires substantial unnecessary overhead. This is also demonstrated in Figure 2.
This leads us to theorize that a method utilizing a variable window length would perform better than
the previous methods.
While developing an approach to create variable sequences of system calls it was important to
preserve the low run time complexity of the sliding window method while attempting to better model
normal behavior. Thus, a simple solution was chosen. In order to construct our variable sequences we
chose a subset such that sequence length is maximized while no one system call is repeated. This is
implemented by constructing a sequence as calls are being traced and beginning a new sequence
when a call is found to be a repeat in the current sequence.
137

Brian Jewell and Justin Beaver
Figure 2: Number of unique sequences observed with the size N (x-axis)
Up to this point we ignore the additional information about each system call in building our normal
profile. Thus, we implement a third method that additionally uses errno, and function arguments in
matching sequences.
The method uses the same methodology as the variable length sequences. Unique system call
sequences are selected in such a way that length is maximized while no one system call is repeated
in a given sequence. However, here we define a system call as {probefunc, errno, args}.
3.3 Comparison and discussion
To validate our methods we tested them against each other. In Figure 3 we show the increase in
number of sequences generated over one week of collection for a given UID/execname pair. From
Figure 3 we can observe that the variable sequence length method both finishes training of a normal
sequence faster and uses less sequences than both of the other methods as hoped. This is likely in
part due to the observation that the majority of sequences have a length less than 6 and the smaller
the sequence the more that they repeat. (Refer back to Figure 2)
Other observations we can make from Figure 3 is that the variable with arguments method reaches a
stable state faster than the windowing method and without an unacceptable large increase in the
number of unique sequences. Again, this is most likely due to the better fitting of high frequency
sequences.
The surprise comes in how poorly the windowing method performs in terms of generating a stable
profile. Overall the windowing method performs well, but when the testing is stretched over the period
of a week the method fails to show the same level of stabilization as the other 2 methods. Thus, for all
purposes the variable method seems superior, with the addition of arguments requiring a much large
database which correlates to a lot more false positives. Since detection speed and precision are what
we’re interested in, we’ll be using the variable method for the remainder of our testing.
Figure 3: Three sequence collection methods (SEQ - windowing, VAR - variable, VARARG - variable
with arguments) compared by number of unique sequences generated
138

4. Evaluation
Brian Jewell and Justin Beaver
We now evaluate the method prescribed in the previous section against our three criteria for our ideal
exfiltration detection agent.
4.1 Tractable
Perhaps the largest singular challenge encountered during the implementation of this project is the
task of collecting and managing the torrent of system calls that occur during normal to heavy use of a
modern computer. Each user or process action can result in hundreds of system calls and in our own
experiments logging system call activity alone generates a gigabyte of data per hour. In previous work
(Kang, 2005; Forrest, 2008) this problem is sidestepped mainly by concentrating on individual
processes/users/calls and/or using previously collected data.
Unlike prior efforts, we are interested in tracing all system calls across multiple users to track their
behavior in real time, and we also desire to deploy a swift analysis of that data without noticeably
degrading system performance or destabilizing the system. While researching options for this we
found an existing commercial solution that meets all of our needs.
Dtrace (Dtrace, 2009) is a software tool that is designed specifically for low impact system call tracing
for system administration and debugging. More importantly, it can be configured to collect the
required system call data with negligible effect on system performance, such as timestamp, user and
process identifiers, executable names, error numbers, and executable arguments.
Another challenge is the management of the collected data. Retaining and cataloging all the system
calls for analysis at a later time is impractical given the observed data rate of over 1 gigabyte per
hour. As we previously discussed, by collecting just the unique sequences that form our profile of
normal behavior in real time we elegantly address this problem.
Figure 1 shows the increase in number of unique system calls for the 1/java pair in an hour long
system call set using our variable sequence model. This pair was chosen because of the volume of
system calls that are produced while the program was actually conducting only a few functions
repeatedly. Over the course of approximately 1.4 million system calls generated by 1/java contained
the trace, only 196 unique sequences were recorded. It's this quick stabilization and small normal
profile that combine with the advantages of Dtrace to make our implementation light-weight with very
low observable impact on system performance.
4.2 Environmentally neutral
In order to validate that we can distinguish a normal profile of one user/process apart from another
regardless of environmental conditions such as the operating system or other operational conditions,
we must first explore the “diversity hypothesis” similar to that put forth by Forrest et al. in (Forrest
2008). Their hypothesis states that the code paths executed by a process are highly reliant upon the
usage patterns of the users, configuration, and environment hence causing what is considered to be
normal to differ widely from one installation to the next.
While the methods used to create the sequences that Forrest et al. are similar they focus solely on
program execution, the same diversity should theoretically still exist between the profiles generated by
our methods when per user patterns are added as a controlling factor. In addition it may also be
possible to determine the degree of impact changes such as different operating systems and varying
users have upon a normal profile. We can observe this in our own testing by comparing the various
collected profiles from different users and operating systems.
Table 1: Comparison of normal profiles generated by different users by platform
User 1B Linux (User1) Solaris (User1)
User 1A 0.91129591 0.16700353 0.19755409
User 1B 1 0.14119998 0.13764726
User 2 0.25793254 0.13287113 0.12885861
User 3 0.30644131 0.17470944 0.20602069
139

Brian Jewell and Justin Beaver
For this testing we had 3 different users (User 1A, User 2, and User 3 in Table 1) run our variable
sequence collection algorithm for approximately 1 hour. All users were using Mac OSX on separate
machines. In addition, we had User 1 repeat the same collection process on a separate date using
Linux and Solaris operating system on different machines trying to keep behavior as similar as
possible.
The most significant result is that profiles from User 1A and User 1B have a >90% match while
profiles generated from the other 2 users did not exceed 31% when compared to User 1. This seems
to confirm that there is significant variation between profiles of one user from another.
Perhaps the disappointment here is that correlation between User 1A and User 1B profiles wasn't
closer to 100%. However, it should be noted that most of the difference between these 2 sets was the
use of a new process in the User 1B profile that wasn't present in the User 1A profile. This type of
anomaly will have to be taken care of in any future implementation.
Differences in profiles among various users are expectedly severe, with the most significant
differences coming from different host operating systems. This is perhaps unsurprising since many of
the system calls that are used by Mac OSX aren't used by Linux and vice versa. The same goes for
Solaris vs. the others as well.
However, this does validate that any model will have to be highly adaptable to the environment and
not rely on a predetermined set of signature detection algorithms. This property does however help us
greatly as mimicry attacks will be extremely difficult to carry out without specific knowledge of the
environment and user's behaviors.
4.3 Responsive
The last of the criteria for evaluating our chosen implementation is the ability to detect a very large
variety of data exfiltrations. For this stage of testing we issued a challenge that was conducted over
the course of 2 days at Oak Ridge National Laboratory (ORNL) during the summer of 2010.
Participants were solicited from the lab to exfiltrate a number of files setup on one of our testing
machines. All participants were asked to exfiltrate 3 files:
A plain text file plainly labeled in a directory and to which all participants had unrestricted access.
A mock transactional database containing simulated sensitive personal financial information that
was hidden within a shared location on the same machine.
A document that was clearly labeled and had a known location but in a user directory with
restricted access.
While this data set will have a number of other uses in the future, it currently gives a good view of
whether it will be feasible to detect attacks in progress and give an idea of what those attacks might
look like. We had originally hoped that our attacks would display some specific similarities to each
other, perhaps manifesting as an increase in certain system call types or some other type of pattern.
However, we found that all of our attacks differed significantly with a wide variety of tactics deployed.
Even those attacks that appeared to use the same tactics of exfiltration displayed very dissimilar
system call sequence profiles.
Overall there were 18 individual UIDs and over 9 gigabytes of alerts observed during the 2-day
period. The size of the dataset collected in contrast to the average observed rate of approximately 2
megabytes of alerts generated under normal operation over the same time period is evidence that our
method is sufficiently sensitive to data exfiltration activities.
Among the 20 observed UIDs, 8 are identifiable as successfully retrieving at least one of the files, and
at least 2 retrieving all three. Observed behaviors included probing with find, privilege escalation
attempts, mass data exfiltrations using the sftp protocol, and transferring the files to a USB flash drive.
The detection of many of these attacks may in some sense be biased given that they were new users
on the system using a distinct UID. However, several of the attacks were observed among both the
root account and the primary users’ UIDs, lending credibility to the system's ability to detect exfiltration
behaviors even when the activity is hidden amongst normal system operation and users. As for the
140

Brian Jewell and Justin Beaver
other attacks that were identified, each of these incidents invoked an alarm as designed, and for our
immediate purposes serve to validate that the implementation is working as intended.
5. Conclusions
The accurate detection of malicious data exfiltration is a complex task that can take human experts
months. However, in order to react to an attack a practical system not only needs to detect attacks
autonomously, but do so in real time before files can be leaked.
The goal of this paper was to identify and test ways to approach this problem. We initially identified
the main issues that separated what we needed in our implementation as opposed to previous work
on HIDSs. We sought a method that would be tractable to run in real time, environmentally neutral as
to perform well with any operating system or conditions, and most importantly responsive to behaviors
specific to data exfiltrations. With these criteria in mind we adapted a means of host-based detection
using sequences of system calls to implement a data exfiltration detection agent.
In all of our testing, we have found that data exfiltration behaviors can be successfully detected by the
relatively simple means of system call sequence analysis in real-time, which can be implemented with
negligible performance impact on user operations. Our adaptation of system call sequence monitoring
to this specific problem is promising and passed our three main evaluation criteria. The
implementation was successfully run in real-time and deployed across a diverse set of systems and
users. We were also able to present evidence that our method detects a wide range of exfiltration
related behaviors.
This work has prompted the question of whether this approach can detect these malicious behaviors
quickly and accurately enough to prevent the data exfiltration. Our future work will focus on correlating
suspicious behaviors to more reliably discriminate malicious behaviors, and further testing of our
methods against known attacks is warranted to determine long-term performance.
Acknowledgements
The views and conclusions contained in this document are those of the authors. This manuscript has
been authored by UT-Battelle, LLC, under contract DE-AC05-00OR22725 with the U.S. Department
of Energy. The United States Government retains and the publisher, by accepting the article for
publication, acknowledges that the United States Government retains a non-exclusive, paid-up,
irrevocable, world-wide license to publish or reproduce the published form of this manuscript, or allow
others to do so, for United States Government purposes.
References
Axelsson, S. (2000) “The Base-Rate Fallacy and the Difficulty of Intrusion Detection.” ACM Transactions on
Information and System Security, Vol. 3 No. 3, pp. 186-205.
Cohen, W.W. (1995) Fast effective rule induction. In Machine Learning: the 12th International Conference.
Morgan Kaufmann.
Coleman, K.G. (2008) “Data Exfiltration.” [online], http://it.tmcnet.com/topics/it/articles/37876-data-exfiltration.htm.
Dtrace (2009), [online], http://www.oracle.com/technetwork/systems/dtrace/dtrace/index.html.
Endler, D. (1998) Intrusion detection: applying machine learning to solaris audit data. In In Proc. of the IEEE
Annual Computer Security Applications Conference, pages 268–279. Society Press.
Fidelis Security Systems, (2009) “Fidelis Extrusion Prevention System”. [online], http://www.fidelissecurity.com/.
Forrest, S. et al. (1996) A sense of self for UNIX processes. In Proceedings of the 1996 IEEE Symposium on
Security and Privacy, pages 120–128, Los Alamitos, CA, IEEE Computer Society Press.
Forrest, S. et al. (2008) “The Evolution of System-call Monitoring”, 2008 Annual Computer Security Applications
Conference.
Gao, D. et al (2006) Behavioral distance measurement using hidden markov models. In D. Zamboni and C.
Kruegel, editors, Research Advances in Intrusion Detection, LNCS 4219, pages 19–40, Berlin Heidelberg,
Springer-Verlag.
Ghosh, A. and Schwartzbard, A. (1999) A study in using neural networks for anomaly and misuse detection. In
Proceedings of the 8th USENIX Security Symposium.
Giani, A. et al. (2004) “Data Exfiltration and Covert Channels.” In Proceedings of the SPIE 2004 Defense and
Security Symposium.
Hooper, E. (2009) “Intelligent Strategies for Secure Complex Systems Integration and Design, Effective Risk
Management and Privacy.” In Proceedings of the 3rd Annual IEEE International Systems Conference.
Kang, D. et al. (2005) “Learning Classifiers for Misuse and Anomaly Detection Using a Bag of System Calls
Representation”, Proceedings of the 2005 Workshop on Information Assurance and Security, 2005.
141

Brian Jewell and Justin Beaver
Kosoresow, A.P. and Hofmeyr, S.A. (1997) Intrusion detection via system call traces. IEEE Software, 14(5):35–
42.
Kymie, M.C.T and Maxion, R. (2002) “”Why 6?’ Defining the Operational Limits of stide, an Anomaly-Based
Intrusion Detector."
Lee, W. et al. (1997) Learning patterns from UNIX process execution traces for intrusion detection. In AAAI
Workshop on AI Approaches to Fraud Detection and Risk Management, pages 50–56. AAAI Press.
Lee, W. and Stolfo, S.J. (1998) Data mining approaches for intrusion detection. In Proceedings of the 7th
USENIX Security Symposium.
(Liao 2002) Y. Liao and V. R. Vemuri. Use of k-nearest neighbor classifier for intrusion detection. Computers &
Security, 21(5):439–448, 2002.
Liu, Y. et al. (2009) “SIDD: A Framework for Detecting Sensitive Data Exfiltration by an Insider Attack.” In
Proceedings of the 42nd Hawaii International Conference on System Sciences, 2009.
McAfee (2003), [online], http://www.mcafee.com/us/.
Richardson, R. (2007) CSI Computer Crime and Security Survey, [online],
http://icmpnet.com/v2.gocsi.com/pdf/CSISurvey2007.pdf.
Sans Institute. (2010) “20 Critical Security Controls, Critical Control 15: Data Loss Prevention.” [online],
http://www.sans.org/critical-security-controls/control.php?id=15
Warrender, C. et al (1999) "Detecting Intrusions Using System Calls: Alternative Data Models." In 1999 IEEE
Symposium on Security and Privacy.
142

Detection of YASS Using Calibration by Motion Estimation
Kesav Kancherla and Srinivas Mukkamala
(ICASA) / (Canes) / New Mexico Institute of Mining and Technology USA
kancherla@cs.nmt.edu
srinivas@cs.nmt.edu
Abstract: Through this paper we propose a new approach to thwart defects of current blind steganalysis
methods. “Yet Another Steganographic Scheme” (YASS) is a robust steganographic scheme that embeds data in
random locations based on a secret key. Due to this randomization the current steganalysis schemes such as
self calibration methods do not detect YASS. In this work, we present a new calibration method using Motion
Estimation and extract higher order features. In our methodology motion estimation technique is applied on an
image, to estimate its actual image. We assume that the estimated image captures the features of the actual
image, due to spatial redundancy in the images. We extract two sets of features; DCT based features from DCT
domain and Markov model based features from spatial domain, and apply Support Vector Machines (SVMs) on
these feature sets. Our approach against YASS using different block sizes (9, 10, 12, and 14), compression rates
(50-50, 50/75, and 75/75) and coefficients used for embedding data (12 and 19) obtained an accuracy of about
95%, even for bigger block lengths and low embedding rates. This methodology can be used as blind
steganalysis technique, as detection is based on modification of an image rather than steganographic scheme.
Keywords: blind steganalysis, Discrete Cosine Transform (DCT), motion estimation, steganalysis, Support
Vector Machines (SVM)
1. Introduction
Steganography is the science of embedding data into cover object in covert communication. The rapid
growth in internet and digital media causes an increasing threat of using steganography for covert
communication. Steganographic images are not perceivable to human eye but embedding data into
images change the statistics of images. The goal of a steganalyst is to use these statistical changes
to detect the presence of any hidden message.
Fridrich used second order statistics in her research of self-calibration method for blind Steganalysis
(Fridrich, 2004: 67-81). In self-calibration technique, a given image is first decompressed and few
rows and columns are cropped. The cropped image is recompressed using the same quality factor,
and difference between the features extracted from actual image and cropped image is used to detect
steganograms. To detect well-known steganographic schemes like Outguess, F5 and Model Based
steganography schemes (Provos, 2001: 24; Westfeld, 2001: 289-302; Sallee, 2005: 167-190); Farid
proposed the use of wavelet based features for JPEG Steganalysis (Lyu and Farid, 2002: 340-354),
Shi proposed the use of transition matrix as features for detecting steganograms (Shi et al, 2006: 249-
264), Fridrich used merged Discrete Cosine Transform (DCT) and Markov features for implementing a
multi-class JPEG steganalysis classification (Pevny and Fridrich, 2007: 1-13) and Chen proposed
Markov based features using intra-block and inter-block correlation of DCT coefficients (Chen and
Shi, 2008: 3029-3032).
Outguess embeds data by replacing least significant bit and preserves the first order statistics by
performing additional changes, F5 algorithm uses matrix embedding to reduce the number of changes
needed to embed data. And Model-based steganography tries to preserve histograms of individual
AC DCT models after embedding the data. However the current steganalysis techniques can detect
these steganography methods. “Yet Another Steganography Scheme” (YASS) by (Solanki, Sarkar
and Manjunath, 2007: 16-31) is a new steganography scheme that resists the above steganalysis
methods. YASS embeds data at random locations and uses Quantization Index Modulation (QIM) to
increase robustness of data. Even though it cannot be detected using current self-calibration
methods, embedding data still changes the statistical properties of image.
In (Li, Shi and Huang, 2008: 139-148), the authors present a targeted attack on YASS. They showed
that due to QIM embedding scheme used in YASS, there is an increase in number of zero DCT
coefficients in stego image. Thus there is a notable difference between statistics of embedded block
and the actual block. They also identified the fact that embedding is not random enough for detection
of YASS. However this approach does not work when there are modifications in algorithm. In the
method proposed by (Kodovský, Pevný and Fridrich, 2010: 1-11), the authors used various well
known steganalysis methods for detection of YASS. They used Subtractive Pixel Adjacency Model
143

Kesav Kancherla and Srinivas Mukkamala
(SPAM) of feature set (686 features), Pevný feature set (584 features), Markov Process (MP) feature
set (486 features) and CDF (Cross-Domain Feature) set (1,234 features, combination of SPAM and
Pevny). Except for SPAM remaining features are extracted from DCT domain (Pevny and Fridrich,
2007: 1-13; Chen and Shi, 2008: 3029-3032; Pevny, Bas and Fridrich, 2009 75-84). In Pevny feature
set instead of using difference calibration they used Cartesian calibration thus increasing the feature
set length, however the authors argue the use of difference calibration will affect the performance of
detection. Our approach in this paper is based on difference calibration for detection.
In this paper we propose a novel method that uses calibration for detection. YASS defeats current
calibration methods by embedding data in random location. In our approach, we perform calibration
by estimating image using motion estimation. Motion estimation is widely used in video compression
for capturing temporal redundancies. In our case we use motion estimation on adjacent blocks for
capturing spatial redundancies. After obtaining the estimated image we extract two sets of features:
DCT based features and Markov based features (Pevny and Fridrich, 2007: 1-13). Markov based
features are extracted from spatial domain rather than DCT domain, as embedding is done in spatial
domain. We used Support Vector Machine (SVM) based classifier in our experiments, and obtained
an accuracy of about 95% even for low embedding rates. This paper is organized in sections, section
2 gives a brief discussion of YASS algorithm, section 3 gives outline of our approach, section 4 gives
a brief overview of features used, and section 5 contains results obtained using this approach
followed by conclusion in section 6.
2. YASS algorithm
For an input image of size MxN, the following steps are involved in YASS (Solanki, Sarkar and
Manjunath, 2007: 16-31)
First the input image is divided into blocks of size BxB (B>8 block size in jpeg images) called bigblock.
For compressed images like jpeg, first the image is decompressed and then divided.
For each big-block, a block of size 8x8 is pseudo randomly selected. This block is called
embedding block. The key for random key generator is shared between the sender and receiver.
For each embedding block we apply two dimensional DCT and divide DCT coefficients with
quantization matrix of design quality factor QFh. Data is embedded into predetermined band of
low frequency AC coefficients using quantization index modulation.
After embedding data, the embedding block is de-quantized using design quality factor and
inverse two dimensional DCT is applied.
After data is embedded in all the embedding blocks, the image is compressed with advertised
quality factor QFa. Generally QFh is not less than QFa.
The random selection of embedding blocks at step 2 will ensure the security from current calibration
based steganalysis methods. As data is embedded at random 8x8 blocks, steganalyst cannot
resynchronize by cropping rows and columns. However the above scheme will reduce the capacity of
embedding. Even though data is embedded at random locations, the statistical properties of DCT
coefficients will change.
Our approach will try to capture these changes by obtaining an estimated image from actual image
using spatial redundancies. This estimation process is similar to motion estimation which is widely
used in video compression techniques. After finding the estimate we model the difference between
the actual and estimated along horizontal, vertical, and diagonal directions in one step Markov
process. We extract DCT and Markov features from actual and estimate. After modeling and
extracting features, we train a SVM based classifier to detect steganalysis.
3. Our approach
The steganalysis scheme consists of three steps: (1) Obtain estimated image from actual image, 2)
Extract high order DCT and Markov features from both actual and estimated image, and (3) Train
SVM classifier using these features. In order to obtain estimated image we use the concept of motion
estimation (Torr and Zisserman, 1999: 278-294), widely used in video compression techniques.
Motion estimation utilizes temporal redundancies in videos for achieving compression.
The video compression process consists of inter frame compression and intra frame compression.
Intra frame compression is more like JPEG compression. Inter frame compression uses the temporal
redundancy in the video frames. In inter frame compression, the current frame is predicted using the
144

Kesav Kancherla and Srinivas Mukkamala
redundant data from the previous frame. In inter frame compression, current frame is divided into 8x8
blocks and a match for each block is found in previous frame. To find a match we search the previous
frames in the near vicinity of the block we are analyzing.
Figure 1: Current block is searched for best in search space and is replaced by it
We apply this concept to images, in order to find estimate. Just like temporal redundancies in videos
we have spatial redundancies in images. We find the best estimate to current block in its vicinity and
replace it with this match. Figure 1 shows the matching procedure, where a best match is found in the
search space. To reduce noise induced due to motion estimation, we used block size of 4x4.
The algorithm for estimating image is given below:
1. First de-compress the image by applying de-quantization and inverse 2 dimensional DCT
2. Divide the decompressed image into blocks of size 4x4
3. For each 4x4 block find the best match at step size 1 pixel in both x-axis and y-axis
4. Replace the actual block with best match
5. After obtaining matched block, apply 2 dimensional DCT and quantization to estimated block
6. Using this image we extract two set of features: DCT based and Markov model based features
4. Feature extraction
In this section we explain briefly about the feature extraction. We extract merged DCT and Markov
features (Pevny and Fridrich, 2007: 1-13) that are used for blind steganalysis. The first sets of
features are DCT based features that are extracted from 23 different functions. These 23 functions
are based on first order and higher order statistics of the quantized DCT coefficients. The second sets
of features are extracted from Markov based models. Here the difference between absolute values of
neighboring pixel coefficients are modeled as Markov process. From these models, we extract cooccurrence
matrix. Due to high dimensionality of these functions, only features at selected locations
and for selected values are taken. We extract a total of 274 features of which 193 are DCT based
features and 81 are Markov based features. The major difference between (Pevny and Fridrich, 2007:
1-13) and our features is, instead of extracting Markov based features in DCT domain, we extract
features in spatial domain only. As embedding is done, we believe Markov features extracted in
spatial domain are effective. A brief description of both sets of features is given below.
4.1 DCT features
The coefficients are denoted dij (k), i, j = 1. . . 8, k = 1. . . nb, where dij (k) denotes the (i, j)-th quantized
DCT coefficient in the k-th block (there are total of nb blocks).
First set of features are histogram of DCT coefficients of image. To reduce dimensionality we only use
histogram of values from -5 to 5
The next 5 functions are histograms of coefficients of 5 individual DCT modes (i, j) ∈ {(1, 2), (2, 1),
(3, 1), (2, 2), (1, 3)} and only the histogram of values {−5. . . 5} are used
145

Kesav Kancherla and Srinivas Mukkamala
ij ij ij
h = ( h , K , h )
(1)
L R
The next 11 functions are dual histograms represented with 8 × 8 matrices g d
i, j,where i, j = 1, . . . , 8,
d =−5, . . . , 5
nB
d
g = ∑δ ( d, dij(
k ))
(2)
ij
k = 1
Where δ(x, y) = 1 if x = y and 0 otherwise. For reducing the features only (i, j) ∈ {(2, 1), (3, 1), (4, 1),
(1, 2), (2, 2), (3, 2), (1, 3), (2, 3), (1, 4)} are taken
The next 6 functions capture inter-block dependency among DCT coefficients. The first function is
variation V
8 | Ir| −1 8 | Ic|
−1
∑∑ ∑∑
| d ( I ( k)) − d ( I ( k+ 1)) | + | d ( I ( k)) − d ( I ( k+
1)) |
ij r ij r ij c ij c
ij , = 1 k= 1 ij , = 1 k=
1
| I | + | I |
r c
Where Ir and Ic denote the vectors of block indices 1. . . nb while scanning the image by rows and by
columns, respectively
The next two functions capture the blockings of the frames
B
⎣⎢( M−1)/8 ⎦⎥ N ⎢⎣( N−1)/8⎥⎦
M
α α
∑ ∑| C8, i j − C8i+ 1, j | + ∑ ∑|
Ci,8 j −Ci,8j+
1|
α =
i= 1 j= 1 j= 1 i=
1
N ⎢⎣( M − 1)/8 ⎥⎦+ M ⎢⎣( N −1)/8⎥⎦
Where M and N are image height and width in pixels and ci, j are grayscale values of the
decompressed JPEG image, α = 1, 2
The last sets of features are co-occurrence matrix of DCT coefficients in neighboring blocks. The cooccurrence
matrix is calculated for values -2 to +2.
4.2 Markov features
From each image F (u, v), we obtain the following difference matrix along the horizontal, vertical,
diagonal and minor diagonal directions.
Fh( u, v) = F( u, v) − F( u+ 1, v)
Fv(,) u v = F(,) u v − F(, u v+
1)
Fd(,) u v = F(,) u v − F( u+ 1, v+
1)
Fm(,) u v = F( u+ 1,) v − F(, u v+
1)
Where F (u, v) is the image u, v gives the pixel location
In order to reduce the dimensionality we consider only the values [-4, +4] in these matrixes. Thus all
the values that is larger than +4 are set to +4 and the values that are smaller than -4 are set to -4.
From these we calculate the transition matrix as follows
146
(3)
(4)

M
M
M
Su−2 Sv
∑∑
u= 1 v=
1
h(,
i j)
=
Su−1 Sv
Su Sv−2
∑∑
u= 1 v=
1
Kesav Kancherla and Srinivas Mukkamala
δ(
Fh( u, v) = i, Fh( u+ 1, v) = j)
∑∑
u= 1 v=
1
v(,
i j)
=
Su Sv−1
Su−2 Sv−2
∑ ∑
u= 1 v=
1
δ(
Fh( u, v) = i)
δ(
Fv( uv , ) = iF , v(
uv , + 1) = j)
∑∑
u= 1 v=
1
d (, i j)
=
Su−1 Sv−1
M
Su−2 Sv−2
∑∑
u= 1 v=
1
δ(
Fuv v(
, ) = i)
δ ( Fd( uv , ) = iF , d(
u+ 1, v+ 1) = j)
∑∑
u= 1 v=
1
m(,
i j)
=
Su−1 Sv−1
u= 1 v=
1
δ ( Fd( u, v) = i)
δ(
Fm( u+ 1, v) = i, Fm( u, v+ 1) = j)
∑∑
δ(
Fm( u, v) = i)
Where Su and Sv are the dimensions of the image and δ (condition) = 1 if only if the conditions are
satisfied. The final features will be the average of the above 4 transition matrix.
5. Results
We used 2000 images in our experiment. From these 2000 images we used 1400 images for training
SVM and 600 images for testing. Each data point consists of 274 features, of which 193 are DCT
features and 81 are Markov features. We used the following parameters for embedding data using
YASS
Three different quality factor modes 50/50, 50/75 and 75/75
Four different block sizes 9, 10, 12 and 14
Low frequency DCT coefficients used for embedding 12 (low) and 19 (high)
We selected block sizes less than 14 as the block size increases the amount of data that can be
embedded decreases. We choose the number coefficients used for embedding 19 because it is used
in YASS (Solanki, Sarkar and Manjunath, 2007: 16-31) paper and value 12 to show the performance
of our steganalysis scheme at low embedding rates. Table 1 and Table 2 give the accuracies
obtained for different parameters at high data and low data respectively.
Table 1: Accuracy obtained for different block sizes, compression rates and coefficients used equal to
19
Advertised-Design Compression rate/ Block Size 9 10 12 14
50-50 99.8 99.7 99.75 99.7506
50-75 97.1737 97.584 97.5894 96.0881
75-75 97.5973 97.6725 97.0075 96.0881
Table 2: Accuracy obtained for different block sizes, compression rates and coefficients used equal to
12
Advertised-Design Compression rate/ Block Size 9 10 12 14
50-50 99.8337 99.5012 99.335 99.47
50-75 96.5087 96.7581 96.84 95.59
75-75 96.59 96.68 95.6775 94.55
We obtained an accuracy of about 99.5 % for 50-50 setting even when we used only 12 coefficients
for embedding. There is a decrease in accuracy as the block size increases for all compression
setting. This is due to the fact that as size of the block increases the embedding capacity decreases.
We obtained an accuracy of above 95% for all setting even when block size is 14 and embedding
147
(5)
(6)
(7)
(8)

Kesav Kancherla and Srinivas Mukkamala
coefficients as 12. Our method performed best when we used 50-50 compression setting. In 50-50
there is more noise added due to compression. As our method is based on using this noise for
detection we obtained better accuracy in 50-50 setting. In next section we explain the model selection
process and Receiver Operation Characteristic (ROC) curves.
5.1 Model selection for SVMs
In any predictive learning task, such as classification, both model and parameter estimation method
should be selected in order to achieve a high level of performance of the learning machine. Recent
approaches allow a wide class of models of varying complexity to be chosen. Then the task of
learning amounts to selecting the sought-after model of optimal complexity and estimating parameters
from training data (Cherkassy, 2002: 109-133; Lee and Lin 2000). Within the SVMs approach, usually
parameters to be chosen are (i) The penalty term C which determines the trade-off between the
complexity of the decision function and the number of training examples misclassified; (ii) The
mapping function and (iii) The kernel function such that . In the case of RBF kernel, the width,
which implicitly defines the high dimensional feature space, is the other parameter to be selected
(Chang and Lin, 2001). Figures 2 and 3 gives the model graph obtained during training.
Figure 2: Model graph obtained during training of SVM obtained for YASS at block size 9,
compression rates 50-50 and coefficients used for embedding equal to 12
Figure 3: Gives model graph obtained during training SVM for YASS at block size 14, compression
rates 75-75 and coefficients used for embedding equal to 10
148

5.2 ROC curves
Kesav Kancherla and Srinivas Mukkamala
ROC is a graphical plot between the sensitivity and specificity. The ROC is used to represent the
plotting of the fraction of true positives (TP) versus the fraction of false positives (FP). The point (0, 1)
is the perfect classifier, since it classifies all positive cases and negative cases correctly. Thus an
ideal system will initiate by identifying all the positive examples and so the curve will rise to (0, 1)
immediately, having a zero rate of false positives, and then continue along to (1, 1). Detection rates
and false alarms are evaluated for steganography data set and obtained results are used to plot the
ROC curves. In each of these ROC plots, the x-axis is the false alarm rate, calculated as the
percentage of normal video frames considered as steganograms; the y-axis is the detection rate,
calculated as the percentage of steganograms detected. A data point in the upper left corner
corresponds to optimal high performance, i.e., high detection rate with low false alarm rate (Egan,
1975) Figures 4 and Figure 5 gives the ROC curves obtained during testing.
Figure 4 Gives the Receiver Operational Characteristics (ROC) curve obtained during steganalysis of
YASS at block size 9, compression rates 50-50 and coefficients used for embedding equal
to 12
Figure 5: Receiver Operational Characteristics (ROC) curve obtained during steganalysis of YASS at
block size 14, compression rates 75-75 and coefficients used for embedding equal to 10
149

Kesav Kancherla and Srinivas Mukkamala
The accuracy of the test depends on how well the test classifies the group being tested into 0 or 1.
Accuracy is measured by the area under the ROC curve (AUC). An Area of 1 represents a perfect test
and an area below .5 represents a worthless test. In our experiment, we got an AUC of 0.9998 and
0.9667 as shown above in Figures 4 and Figure 5.
6. Conclusion
In this paper we propose a steganalysis scheme for YASS. The novelty of our method is to estimate
the image using the concept of motion estimation. Experimental results show that our method is able
to detect YASS even for low embedding rates. Our method is able to detect YASS stegnograms
consistently with accuracy of above 99%, which has compression rates 50-50. In our approach the
accuracy decreases as the block size increases, since less number of bits are embedded. As our
methodology does not use any information regarding steganographic scheme, it can be applied on
any scheme.
References
Chang, C. C. and Lin, C. J. (2001), LIBSVM: a library for support vector machines, Department of Computer
Science and Information Engineering, National Taiwan University.
Chen, C. and Shi, Y. Q. (2008) ‘JPEG image steganalysis utilizing both intrablock and interblock correlations’,
IEEE International Symposium on Circuits and Systems, pp. 3029-3032.
Cherkassy V. (2002) ‘Model complexity control and statistical learning theory’, Journal of Natural Computing, Vol.
1, pp. 109-133.
Egan, J.P (1975), Signal detection theory and ROC analysis, New York: Academic Press.
Fridrich, J. (2004) ‘Feature-based steganalysis for JPEG images and its implications for future design of
steganographic schemes’, Information Hiding, 6th International Workshop, LNCS 3200, pp.67-81.
Kodovský, J., Pevný, T. and Fridrich, J. (2010) ‘Modern steganalysis can detect YASS’, Proceedings SPIE,
Electronic Imaging, Security and Forensics of Multimedia XII, volume 7541, pp. 02–01–02–11.
Lee, J. H. and Lin, C. J. (2000), Automatic model selection for support vector machines, Technical Report,
Department of Computer Science and Information Engineering, National Taiwan University.
Li, B., Shi, Y.Q. and Huang, J. (2008) ‘Steganalysis of YASS’, Proceedings of the 10th ACM Multimedia &
Security Workshop, pp. 139–148.
Lyu, S. and Farid, H. (2002) ‘Detecting hidden messages using higher order statistics and support vector
machines’, Information Hiding, 5th International Workshop, LNCS 2578, pp. 340-354.
Pevny, T. and Fridrich, J. (2007) ‘Merging Markov and DCT features for multi-class JPEG steganalysis’, Proc. of
SPIE Electronic Imaging, Security, Steganography, and Watermarking of Multimedia Contents, volume
6505, pp. 650503-1-650503-13.
Pevný, T., Bas, P. and Fridrich, J. (2009) ‘Steganalysis by subtractive pixel adjacency matrix’, Proceedings of the
11th ACM Multimedia & Security Workshop, pp. 75–84.
Provos, N. (2001) ‘Defending against statistical steganalysis’, 10 th USENIX Security Symposium, Washington
DC, USA, pp. 24.
Sallee, P. (2005) “Model based methods for steganography and steganalysis’, Int. J. Image Graphics, 5(1): 167-
190.
Sarkar A., Solanki, K. and Manjunath, B. S. (2008) ‘Further study on YASS: Steganography based on
randomized embedding to resist blind steganalysis’, Proceedings SPIE, Electronic Imaging, Security,
Forensics, Steganography, and Watermarking of Multimedia Contents, volume 6819, pages 16–31.
Shi, Y. Q., Chen, C. and Chen, W. (2006) ‘A Markov process based approach to effective attacking JPEG
steganography’, Information Hiding, 8th international Workshop, volume 4437, 249-264.
Solanki, K., Sarkar, A. and Manjunath, B. S. (2007) ‘YASS: Yet another steganographic scheme that resists blind
Steganalysis’, Proceedings of 9th Information Hiding Workshop, Saint Malo, France, volume 4567, pp. 16-
31.
Torr, P.H.S. and Zisserman, A. (1999) ‘Feature Based Methods for Structure and Motion Estimation,” ICCV
Workshop on Vision Algorithms, pp. 278-294.
Westfeld, A. (2001) ‘High capacity despite better steganalysis (F5-a steganographic algorithm)’, Information
Hiding, 4th International Workshop, LNCS 2137, pp. 289-302.
150

Developing a Knowledge System for Information
Operations
Louise Leenen, Ronell Alberts, Katarina Britz, Aurona Gerber and Thomas
Meyer
Council for Scientific and Industrial Research, Pretoria, South Africa
lleenen@csir.co.za
ralberts@csir.co.za
abritz@csir.co.za
agerber@csir.co.za
tmeyer@csir.co.za
Abstract: In this paper we describe a research project to develop an optimal information retrieval system in an
Information Operations domain. Information Operations is the application and management of information to gain
an advantage over an opponent and to defend one’s own interests. Corporations, governments, and military
forces are facing increasing exposure to strategic information-based actions. Most national defence and security
organisations regard Information Operations as both a defensive and offensive tool, and some commercial
institutions are also starting to recognise the value of Information Operations. An optimal information retrieval
system should have the capability to extract relevant and reasonably complete information from different
electronic data sources which should decrease information overload. Information should be classified in a way
such that it can be searched and extracted effectively. The authors of this paper have completed an initial phase
in the investigation and design of a knowledge system that can be used to extract relevant and complete
knowledge for the planning and execution of Information Operations. During this initial phase of the project, we
performed a needs analysis and problem analysis and our main finding is the recommendation of the use of
logic-based ontologies: it has the advantage of an unambiguous semantics, facilitates intelligent search, provides
an optimal trade-off between expressivity and complexity, and yields optimal recall of information. The risk of
adopting this technology is its status as an emerging technology and therefore we include recommendations for
the development of a prototype system.
Keywords: information operations, knowledge representation, ontology, query language
1. Introduction
Businesses, governments, and military forces are increasingly reliant on the effective management of
vast sources of electronic information. The type of information can be documents, images, maps, or
other formats. These data sources can be used in Information Operations (IO).
McCrohan (McCrohan 1998) defines IO as “actions taken to create an information gap in which we
possess a superior understanding of a potential adversary’s political, economic, military, and
social/cultural strengths, vulnerabilities, and interdependencies than our adversary possesses of us”.
All institutions that rely on information are facing increasing exposure to strategic information-based
actions, and need to consider systems security. Most national defence and security organisations
regard IO as both a defensive and an offensive tool, and some commercial institutions are starting to
recognise the value of IO. In any competitive environment, an institution has to protect their strategies
from competitors and gather information regarding their competitors’ objectives and plans. IO include
competitive intelligence, security against the efforts of competitors, the use of competitive deception,
and the use of psychological operations. (McCrohan 1998).
The aim of an efficient information retrieval system is to support institutions in planning IO. Information
has to be presented for processing by computers in a knowledge system such that information can be
retrieved and conclusions can be drawn from existing knowledge. Information should be classified in a
way that it can be searched and extracted effectively.
We present the main decisions required in the investigation and design of a knowledge system that
can be used to extract relevant and complete knowledge for the planning and execution of IO and
give a motivation for our main recommendation: the use of logic-based ontologies in a knowledge
system for IO.
151

Louise Leenen et al.
2. Intelligent knowledge retrieval methods and technologies
We describe appropriate technologies for intelligent search and retrieval of information over a range
of different sources and types. The operative word here is intelligent, focussing on methods that will
ensure maximum recall with a high level of fidelity. In other words, the aim is to get as close as is
currently feasible to the ideal situation in which all and only relevant information will be returned. In
order to do so, it is necessary to be more precise in deciding what it means for information to be
relevant. The most important step in this direction is the distinction between syntactic and semantic
relevance.
Syntactic relevance refers to search based on the syntactic structure of the entities to be searched,
while semantic relevance is concerned with the underlying meaning of the syntactic objects being
represented. Search based on syntactic relevance can be better or worse depending on some
flexibility built into the search mechanisms, but this provides only for a very limited and restricted form
of intelligence. To be seen as performing intelligent search in any true sense of the word, it is
necessary to make use of some version of semantic relevance.
The basic assumption is that information can be accessed electronically. Information in this sense is
defined very broadly: it can refer to data entries stored in database systems, or in more sophisticated
structures. It can also refer to electronic documents, or an image in any of the known formats, or any
one of the other numerous resources that can be stored electronically. The main reason why it is
possible to allow for such a broad definition is that the methods detailed in this survey allow for a
clean separation between information, the structures employed to store the information, and the
methods used to access the information.
2.1 Query languages
2.1.1 Boolean combinations of keywords
Keyword search is an established technology (Kalyanpur et al. 2006). The simplest form is when a list
of keywords is used with the intention to locate information containing all keywords in the list. More
flexible keyword searches can be done by using Boolean operators such as AND, OR and NOT. This
kind of query language can not be used in database-style structures. A second difficulty is that
searches become complex when there are large numbers of keyword hits.
2.1.2 Logic-based query languages
The use of logic-based languages is pervasive in database systems. It has its origins in languages
such as SQL and later extensions such as the query languages for Datalog (Ceri et al. 1989) and
logic programming (Lloyd 1987). These languages are all fragments of first-order logic (Ben-Ari 2008).
In addition to the Boolean operators discussed in the previous section, these query languages also
allow for the use of variables, existential quantification (exists), universal quantification (for all), and
function symbols, and combinations of these additions in manner reminiscent of the recursive
definition in the previous section. This allows us to express complex queries such as:
“Find all countries in Africa with a per capita income of at most $X, and with a military
style government, or where there is no adherence to human rights”.
The main advantages of these types of query languages are that they allow for much more complex
queries, can be used to express queries about concepts as well as individuals, and are applicable to
information contained in database-style structures as well as electronic documents. However, the
processing of such queries can be very complex, and is directly related to the complexity of queries. It
is good practice to limit the expressivity of a chosen query language to precisely what is necessary in
order to maximise the efficiency of query processing.
2.2 Information types
It is useful to assume that information is tagged with the relevant components to be matched with
queries. This assumption enables us to reduce the original question to a decision of how a piece of
information should be tagged. A tag is a keyword associated with a piece of information. The purpose
of a tag is to describe an item and to enable an electronic search to find it .
152

Louise Leenen et al.
We distinction between using text or keywords as tags, and between information contained in
database-style structures and electronic documents viewed as information.
2.2.1 Text as tags
In the case of information contained in database-style structures, the only practical option is to view
the information itself as its own tag. In the case of electronic documents, the simplest form of tagging
is the brute force approach of using the raw text contained in a document. In a sense the document is
tagged with all of its textual content. The advantage of such an approach is that it is relatively simple
to implement, but this simplicity is associated with high levels of inaccuracy. In particular, this
approach is bound to lead to many false positives and it does not guarantee that all relevant
documents will be located. The main problem is that this is a purely syntactic approach. There is no
attempt to tag documents with keywords related to the meaning of the document, and there is
therefore no guarantee that the tags will be truly relevant to the content of the document.
2.2.2 Keywords as tags
In contrast with using text as tags, the practice of tagging information with appropriate keywords
allows for a much more flexible approach. The goal is to tag documents with keywords that are clearly
relevant to the meaning of the document, ideally to tag documents with all and only the relevant
keywords. The primary issue to be resolved here is to how to decide on the relevant keywords.
Tagging can take one of three forms: Manual tagging, semi-automated tagging, or automated tagging
(Buitelaar, Cimiano 2008; Buitelaar, Magnini 2005). Current techniques are relatively good at picking
out keywords related to concepts and individuals, but much work still needs to be done regarding
keywords related to relationships between concepts or individuals.
Manual tagging is a good starting point however, using only manual tagging is usually not feasible,
due to factors such as time constraints and the availability of domain experts. A better approach is to
interleave processes for manual, semi-automated and automated tagging of documents. Automated
tagging is faster but not as accurate, whereas semi-automated tagging provides better results, but is
more time consuming to set up. Keep in mind that the results obtained even from manual tagging are
only as good as the knowledge applied by the person(s) performing the tagging.
The good news is that tagging method lends itself to an incremental approach. One can start with a
fairly course-grained tagging methodology, and refine this increasingly over time.
2.3 Information retrieval methods
2.3.1 Direct retrieval
Direct retrieval is concerned with methods for extracting information stored explicitly in as efficient a
manner as possible. This is the kind of retrieval based on indexing techniques that one would obtain
from traditional database systems and from keyword searches based on syntactic relevance (Gray,
Reuter 1992; Kroenke 1997). In the case of direct document retrieval, keywords in a query are
identified and are matched directly with the keywords used to tag the document.
Direct retrieval techniques are firmly established, and are able to deal efficiently with huge amounts of
information. The only drawback is the restriction on the type of information to be extracted: it has to be
stored explicitly in some form.
2.3.2 Indirect retrieval
A more sophisticated approach is to employ some kind of indirect retrieval where the task is to match
the keywords identified in the query not just with the exact keywords with which a document is tagged,
but also with related keywords. The hard part is to determine what constitutes being related. Standard
approaches to indirect document retrieval are mostly still syntax-based:
The use of synonyms using resources such as WordNet (http://wordnet.princeton.edu/)
(Fellbaum 1998).
153

Louise Leenen et al.
Lemmatisation, the process of grouping together the different inflected forms of a word so they
can be analysed as a single item (Brown 1993). For example, the verb “to walk” may appear as
“walk”, “walked”, “walks”, “walking”. The base form, “walk”, is called the lemma of the word.
Stemming, which is closely related to lemmatisation but operates on a single word without
contextual information. Related words should map to the same stem, but the stem does not have
to be a valid root.
A more nuanced version of indirect document retrieval involves structures able to capture and
represent sophisticated relationships between entities. The more sophisticated version of indirect
retrieval employs methods for performing inference of some kind. Indirect retrieval also includes
information that can be inferred implicitly from what is stored explicitly.
The most appropriate technology able to deal with indirect information retrieval is that based on
ontologies (Staab, Studer 2004). The following definition of an ontology is taken from Wikipedia
(http://en.wikipedia.org/wiki/Ontology_(information_science)): “an ontology is a formal representation
of a set of concepts within a domain and the relationships between those concepts. It is used to
reason about the properties of that domain, and may be used to define the domain”.
In addition to facilitating the hierarchical structuring of information from a domain of discourse,
ontologies also provide the means to impose a whole variety of other constraints, which makes it a
very powerful method for representing concepts, individuals, and the relationships between them. The
use of logic-based ontologies is particularly apt, since it provides the means for employing powerful
and efficient mechanisms for performing inference.
2.4 Ontologies and ontology-based engineering
In the past fifteen years, advances in technology have ensured that access to vast amounts of data is
no longer a significant problem. Paradoxically, this abundance of data has lead to a problem of
information overload, making it increasingly difficult to locate relevant information. The technology of
choice at present is keyword search, although many argue that this is already delivering diminishing
returns, as Figure 1 below by Nova Spivack (Spivack 2007) indicates. Spivack illustrates how keyword
search is becoming less effective as the Web increases in size. The broken line shows that the
productivity of keyword search has reached a plateau and its efficiency will decrease in future, while
the dotted line plots the expected growth of the Web.
Any satisfactory solution to this problem will have to involve ways of making information machineprocessable,
a task which is only possible if machines have better access to the semantics of the
information. It is here that ontologies play a crucial role. Roughly speaking, an ontology structures
information in ways that are appropriate for a specific application domain, and in doing so, provides a
way to attach meaning to the terms and relations used in describing the domain. A more formal, and
widely used definition, is that of Grüber (Grüber 1993) who defines an ontology as a formal
specification of a conceptualisation.
The importance of this technology is evidenced by the growing use of ontologies in a variety of
application areas, and is in line with the view of ontologies as the emerging technology driving the
Semantic Web initiative (Berners-Lee et al. 2001). The construction and maintenance of ontologies
greatly depend on the availability of ontology languages equipped with a well-defined semantics and
powerful reasoning tools. Fortunately there already exists a class of logics, called Description Logics
(DLs), that provide for both, and are therefore ideal candidates for ontology languages (Baader et al.
2003).
The need for sophisticated ontology languages was already clear fifteen years ago, but at that time,
there was a fundamental mismatch between the expressive power and the efficiency of reasoning that
DL systems provided, and the expressivity and the large knowledge bases that ontologists needed.
Through the basic research in DLs of the last fifteen years, this gap between the needs of ontologists
and the systems that DL researchers provide has finally become narrow enough to build stable
bridges. In fact, the web ontology language OWL 2.0, which was accorded the status of a World Wide
Web Consortium (W3C) recommendation in 2009, and is therefore the official Semantic Web ontology
language, is based on an expressive DL (http://www.w3.org/TR/owl2-overview/).
154

Louise Leenen et al.
There is growing interest in the use of ontologies and related semantic technologies in a wide variety
of application domains. Arguably the most successful application area in this regard is the biomedical
field (Hahn, Schulz 2007; Wolstencroft et al. 2005 ). Some of the biggest breakthroughs can be traced
back to the pioneering work of Horrocks (Horrocks 1997) who developed algorithms specifically
tailored for medical applications. Recent advances have made it possible to perform standard
reasoning tasks on large-scale medical ontologies such as SNOMED CT - an ontology with more than
300 000 concepts and more than a million semantic relationships - in less than half an hour; a feat
that would have provoked disbelief ten years ago (Suntisrivaraporn et al. 2007). However, a number
of obstacles still remain before the use of ontologies can be regarded as having reached the status of
an established technology: mainly these are issues relating to conceptual modeling and data usage.
Figure 1: Productivity of keyword search
2.4.1 Conceptual modeling
There are currently no firmly established conceptual modelling methodologies for ontology
engineering. Although a variety of tools exist for ontology construction and maintenance (Kalyanpur et
al. 2006; Sirin et al. 2007; Protégé 2009) they remain accessible mainly to those with specialised
knowledge about the theory of ontologies. One way of dealing with this problem is to design ontology
languages that are as close to natural language as possible, while still retaining the unambiguous
semantics of a formal language (Schwitter et al. 2007). A related approach is to use unstructured text
to automatically identify concepts and relationships in application domains, and in doing so contribute
to the semi-automated construction of ontologies (Buitelaar, Cimiano 2008).
Another major obstacle is that, while most tools for ontology construction and maintenance assume a
static ontology, the reality is that ontologies are dynamic entities, continually changing over time for a
variety of reasons. This has long been identified as a problem, and ontology dynamics is currently
seen as an important research topic (Baader et al. 2005; Lee et al. 2006).
2.4.2 Data usage
Assuming that the problems relating to conceptual modeling have been solved, and that it is possible
to construct and maintain high-quality ontologies, a number of stumbling blocks related to data usage
still remain.
155

Louise Leenen et al.
The main problem is that most available data are currently in the form of unstructured or semistructured
text, or can be found in traditional relational database systems. The rich conceptual
structures provided by ontologies are therefore of little use unless ways can be found to automate, or
semi-automate, the process of populating ontologies with this data. Regarding data in textual form,
there have been some recent attempts to perform semi-automated instantiation of ontologies from text
(Buitelaar, Cimiano 2008; Williams, Hunter 2007). With regards to the data found in database
systems, it is necessary to employ data coupling - finding ways of linking the data residing in
database systems to the ontologies placed on top of such systems (Calvanese et al. 2006). This
challenge is currently being met by tools for Ontology Based Data Access (OBDA) (Rodriguez-Muro
et al. 2008).
Once an ontology is populated, it becomes possible to use it as a sophisticated data repository to
which complex queries can be posed, at least in principle. In practice, at least two challenges remain.
The first is to perform query answering efficiently, a topic of ongoing research (Calvanese et al. 2007).
The second is to go beyond purely deductive reasoning to answer queries and to be more proactive.
A good example of this type of reasoning occurs during medical diagnosis, which is an instance of a
form of reasoning technically known as abduction (Elsenbroich et al. 2007).
2.5 Tools for user support
There is a danger that the complexity of the techniques discussed above will pose a barrier to their
general uptake. Most techniques incorporate some level of familiarity with technical issues such as
formal logic languages, which can be disconcerting for the more casual user. We discuss two classes
of methods used to bridge the gap between users and the technology.
2.5.1 Controlled natural language
A controlled natural language is a suitable fragment of a natural language, usually obtained by
restricting the grammar and vocabulary. This is done primarily to ensure that there is no ambiguity in
the interpretation. It can also assist with a reduction in complexity. Controlled natural languages can
usually be mapped to existing formal languages, typically a fragment of first-order logic.
For our purposes the translation will be to a suitable DL used to represent ontologies. Because of this
mapping, controlled natural languages have a formal semantics, making them suitable as knowledge
representation languages, able to support inference tasks such as query answering. The advantage
of using controlled natural languages instead of their logic counterparts is that it appears to the user
as if a natural language is being used. Work on controlled natural language most relevant for logicbased
ontologies include Manchester OWL Syntax (Horrocks et al. 2006), Sydney OWL Syntax (SOS)
(Rodriguez-Muro et al. 2008 ), and the Rabbit language (Hart et al. 2008 ).
2.5.2 Contextual navigation
This subsection is concerned with the principles of the design and development of an intelligent query
interface (Catarci et al. 2004). The interface is intended to support users in formulating queries which
best capture their specific information needs. The distinctive part of this approach is the use of an
ontology as the support for the intelligence contained in the query interface. The user can exploit the
vocabulary in the ontology to formulate the query. Using the information contained in the ontology, the
system is able to guide the user to express their intended query more precisely. Queries can be
specified through an iterative refinement process supported by the ontology through contextual
navigation. In addition, users may discover new information about the domain without explicit
querying, but through the subparts of a query, using classification. Work on contextual navigation is
not restricted to logic-based ontology languages, but it does depend on an underlying knowledge
representation language with an associated formal reasoner. In the context of ontologies, it has led to
the development of a query tool as part of the European Union funded SEWASIE project (SEmantic
Webs and AgentS in Integrated Economies) (http://www.sewasie.org/).
3. Research methodology
We first conducted a needs analysis with our client with the aim of identifying their expectations and
requirements, followed by a problem analysis where the client’s domain was studied and
recommendations in terms of the most appropriate technologies for their applications were made.
156

3.1 Needs analysis
Louise Leenen et al.
Needs analysis is an interactive process with the aim of extracting information from the client to
understand their needs and expectations. It involves asking specific questions to the client and
recording and documenting their responses. Usually several interactions are required before this
process is completed.
The type of questions that were posed to our client can broadly be defined as:
What is the reality of your domain?
What do you do?
What are the challenges you experience?
What are your expectations from an information operation?
The aim of these questions is to identify the type of IO the client wants to execute, the range of
required information sources and how information should be interpreted. It should also point to the
type of information repositories that will be needed, and how they should be populated and updated.
As a result we compiled an extensive set of derived questions. These questions depict the scope of
information required by our client for an operation.
3.2 Problem analysis
In this phase we analysed the various methodologies and technologies available for an appropriate
knowledge representation system for the client’s domain. A basic assumption is that all information
can be accessed electronically and includes documents, images or maps, and data stored in
database systems, or in more sophisticated structures.
The following three primary questions were applied to the client’s domain:
In which way will a user extract information, i.e. which query language is to be used?
How will the type of information to be extracted be matched with the query?
Which method will be used to retrieve the information contained in the query from the information
repository?
A formal problem statement was written that includes strategic long term direction and objectives.
3.3 Findings
The main recommendation is that a logic-based ontology is to be used as the underlying technology
for the retrieval system. The adoption of logic-based ontologies as underlying formalism for a
knowledge representation system has a number of advantages.
The semantics of such an ontology is
unambiguous;
it facilitates intelligent search;
it provides an optimal tradeoff between expressivity and complexity; and
it can yield optimal recall of information.
The risk of adopting this technology is its status as an emerging technology. Its impressive progress in
the biomedical domain lends strong support for its adoption in the IO domain, but there are presently
no off-the-shelf ontologies available for IO.
The development of such an ontology that is both reliable and complete is a highly complex research
endeavour. With this in mind, we recommend an incremental approach to the adoption of this
technology in order to realise the long term strategic objectives outlined earlier.
The developmental recommendations for a prototype system are:
Define a suitable sub-domain for initial development. Our client’s domain is vast and complex.
The recommendation is to start with a smaller, focused domain.
157

Louise Leenen et al.
The documents in the domain should be tagged. The choice of tags will depend on the ontology
and the concepts used in existing information sources.
An ontology-based search facility should be developed.
An appropriate query language should be decided on in conjunction with a suitable user interface.
which may involve controlled natural language or contextual navigation, or both.
The evaluation of a prototype system will determine the extension of the system into a comprehensive
knowledge system.
4. Conclusion
In this paper we have focused on the technologies relevant for intelligent information retrieval for
Information Operations. Conceptually, the survey is decomposed into three parts:
Choices for a suitable query language;
Type of information to be extracted;
Methods employed for information retrieval.
Supplementary to this is a discussion on ontologies, as well as on tools for supporting users of
systems for intelligent retrieval.
Our main conclusion is that the use of logic-based ontologies has the potential to be of enormous
benefit in systems demanding true intelligent retrieval. However, it has to be taken into account that
this is an emerging technology that will still require a substantial amount of research in order to reach
maturity. The good news is that it is possible to approach matters in an incremental fashion,
developing an information repository based on more traditional methods, and gradually increasing its
sophistication.
References
The Protégé Ontology Editor. Available: http://protege.stanford.edu/. [2009, January].
Baader, F., Calvanese, D., McGuinness, D., Nardi, D. & Patel-Schneider, P. (2003) The Description Logic
Handbook: Theory,Implementation, and Applications, Cambridge University Press.
Baader, F., Lutz, C., Milicic, M., Sattler, U. & Wolter, F. (2005) "Integrating Description Logics and Action
Formalisms: First results", AAAI 05.
Ben-Ari, M. (2008) MathematicalLlogic for Computer Science, Springer.
Berners-Lee, T., Hendler, J. & Lassila, O. (2001), "The semantic web", Scientific American, Vol. 284, No. 5.
Brown, L. (1993) The New Shorter Oxford English Dictionary on Historical Principals, Vol 1, Oxford University
Press.
Buitelaar, P. & Cimiano, P. (2008) "Ontology Learning and Population: Bridging the Gap Between Text and
Knowledge", Frontiers in Artificial Intelligence and Applications, Vol. 167.
Buitelaar, P. & Magnini, B. (2005) "Ontology Learning From Text: Methods, Evaluation and Applications",
Frontiers in Artificial Intelligence and Applications, Vol. 123.
Calvanese, D., De Giacomo, G., Lembo, D., Lenzerini, M., Poggi, A. & Rosati, R. (2006) "Linking Data to
Ontologies: The Description Logic DL-LiteA.", The 2 nd workshop on OWL.
Calvanese, D., Giacomo, G.D., Lembo, D., Lenzerini, M. & Rosati, R. (2007) "Tractable Reasoning and Efficient
Query Answering in Description Logics: The DL-Lite Family.", Journal of Automated Reasoning, Vol. 39, No.
3.
Catarci, T., Dongilli, P., Mascio, T.D., Franconi, E., Santucci, G. & Tessaris, S. (2004) "An Ontology Based Visual
Tool for Query Formulation Support", ECAI 2004.
Ceri, S., Gottlob, G. & Tanca, L. (1989) "What you always wanted to know about Datalog (and never dared to
ask.)", IEEE Transactions on Knowledge and Data Engineering, Vol. 1, No. 1.
Elsenbroich C., Kutz O. & Sattler, U. (2007) "A Case for Abductive Reasoning over Ontologies", OWLED.
Fellbaum, C. (1998) WordNet: An Electroni Lexical Database, MIT Press.
Gray, J. & Reuter, A. (1992), Transaction Processing: Concepts and Techniques, Morgan Kaufmann Publishers.
Grüber, T. (1993) "A translation approach to portable ontology specifications", Knowledge Acquisition, Vol. 5.
Hahn, U. & Schulz, S. (2007) "Ontological foundations for biomedical sciences", Artificial Intelligence in Medicine,
Vol. 39, No. 3.
Hart, G., Dolbear, C. & Johnson, M. (2008) "Rabbit: Developing a Control Natural Language for Authoring
Ontologies", 5th European Semantic Web Conference.
Horrocks, I. (1997) Optimising Tableaux Decision Procedures for Description Logics, University of Manchester.
Horrocks, M., Drummend, N., Goodwin, J., Rector, A., Stevens, R. & Wand, H. (2006) "The Manchester OWL
Syntax", OWL Experiences and Directions Workshop.
Kalyanpur, A., Parsia, B., Sirin, E., Cuenca-Grau, B. & Hendle, J. (2006) "Swoop: A Web Ontology Editing
Browser", Journal of Web Semantics, Vol. 4, No. 2).
158

Louise Leenen et al.
Kroenke, D.M. (1997) Database Processing: Fundamentals, Design, and Implementation, Prentice-Hall.
Lee, K., Meyer, T., Pan, J.Z. & Booth, R. (2006) "Finding Maximally Satisfiable Terminologies for the Description
Logic ALC", Proceedings of AAAI 06.
Lloyd, J.W. (1987) Foundations of logic programming, Springer-Verlag, New York.
McCrohan, K.F. (1998) "Competitive Intelligence: Preparing for the Information War", Long Range Planning, Vol.
31, No. 4.
Rodriguez-Muro, M., Lubyte, L. & Calvanese, D. (2008) "Realizing Ontology Based Data Access: A plug-in for
protoge", ICDE Workshops.
Schwitter, R., Cregan, A. & Meyer, T. (2007) "Sydney OWL Syntax - towards a Controlled Natural Language
Syntax for OWL 1.1.", OWL Experiences and Directions, Third International Workshop.
Sirin, E., Parsia, B., Grau, B.C., Kalyanpur, A. & Katz, Y. (2007) "Pelet: A practical OWL-DL reasoner", Journal of
Web Semantics, Vol. 5, No. 2.
Spivack, N. (2007). Available:
http://novaspivack.typepad.com/nova_spivacks_weblog/2007/03/beyond_keyword_.html. [2010, November
2010]
Staab, S. & Studer, R. (eds) (2004) Handbook on Ontologies, Springer.
Suntisrivaraporn, B., Baader, F., Schulz, S. & Spackman, K. (2007) "Replacing SEP-Triplets in SNOMED CT
using Tractable Description Logic Operators", AIME.
Williams, M. & Hunter, A. (2007) "Harnessing ontologies for argument-based decision-making in breast cancer",
International Conference for Tools with Artificial Intelligence.
Wolstencroft, K., Brass, A., Horrocks, I., Lord, P., Sattler, U., Stevens, R. & Turi, D. (2005) "A little semantic web
goes a long way in biology", International Semantic Web Conference.
159

CAESMA – An On-Going Proposal of a Network Forensic
Model for VoIP traffic
Jose Mas y Rubi, Christian Del Carpio, Javier Espinoza, and Oscar Nuñez Mori
Pontificia Universidad Catolica del Peru, Lima, Peru
jlmasyrubi@pucp.edu.pe
delcarpio.christian@pucp.edu.pe
jmespino@pucp.edu.pe
oscar.nunez@pucp.pe
Abstract: In the near future, service convergence will be a reality, which presents us with a possible misuse
problem of these technologies. One of these services is Voice over IP (VoIP), which provides the phone
communication services in this scheme. Currently VoIP is a very popular technology, and could be use by
malicious attackers related to informatics crimes, to perform their illicit actions, which will be difficult to track
because of IP network’s nature. Because of this, our approach is to achieve a preliminary analysis to create a
forensic model for detection and tracing of VoIP traffic, which will allow us to make an adequate evidence
recollection which could be used by the police authorities.
Keywords: network forensics, forensic model proposal, voice over IP
1. Introduction
Due to the inadequate use of the telephone service in converged networks, mainly generated by
malicious attackers who misuse this technology, it becomes necessary to identify the security gaps in
this network and provide a possible solution.
Therefore, previous to the development of this article we analyze the security gaps (Annex 1), and
based on that analysis we perceive like a potential security problem “the user identification for the
calls originated from internet (VoIP)”, due to the lack of user data validation at the registration process
when the named source is use it.
This problem hinders the proper evidence recollection from the authorities, leading to the fact that
many times this acts stay unpunished due to the lack of possible identification of the attackers.
This document propose a preliminary data recollection model for a posterior forensic analysis in a
VoIP network environment for calls generated from the Internet, based on the network architecture
shown in Figure 1. For our analysis, we will rely on the Digital Forensics Research Workshop
(DFRWS) model, which is a general model for a proper digital forensic analysis.
Figure 1: Network architecture
160

Jose Mas y Rubi et al.
As we can see within the network architecture, the originating point of the calls for our analysis will be
the Internet cloud, the establishment path and signaling is the following:
a. Connection to the SIP server, which contains the database of all the users in the VoIP network.
b. After the validation of the destination user, which is part of the VoIP network, the SIP server sends
the corresponding signaling for call establishment with the VoIP network.
The rest of the article is organized as follows: In section II we introduce all the information related to
our work, which offers a clear base about the DFRWS general analysis model and the technology
behind VoIP service. In section III we describe the CALEA and REN-JIN models, offering a theoretical
basis and techniques that will allow us to understand in a better way the proposal of this work. In
section IV we develop a comparative analysis between CALEA and REN-JIN models, taking into
account the DFRWS general model as study base for both of them. In section V we propose a new
forensic model which is the result of the previous analysis, and we study its preliminary architecture
and basic operation. Finally we present our conclusions and possible future works.
2. Theoretical basis
To start our investigation, it is necessary that we study our referential general model for forensic
analysis of the DFRWS and the technical concepts of the VoIP technology, in order to contextualize
our analysis in a suitable environment.
2.1 Digital Forensics Research Workshop (DFRWS) model
Several forensic investigators have analyzed multiple digital forensic models. Within those models,
they found that the DFRWS model is rigid and linear but is particularly suitable where necessary
investigative activities are well-understood (Ray 2007). Also, they highlight the fact that in the
development of this model, for the first time, academic entities were involved, which didn’t happen
with other forensic models in its time. All other models were more focused on guidelines established
by law enforcement (Reith 2002).
Therefore, we choose the DFRWS model because allows a comprehensive approach and is more
goal-oriented to the objectives of this academic article. To proceed, we show the step sequence
followed by this model for an adequate forensic analysis:
Table 1: Steps for a digital forensic analysis (DFRWS 2001)
2.2 Voice over IP (VoIP)
The important point to keep in mind about the VoIP technology is concerning the shared information
between the terminal devices and the data itself, which will enable us to discriminate the calls and
their types. Those elements are presented in the following list (Pelaez 2010):
a) Terminal device information:
161

Numbers called.
Source and destination IP addresses.
IP geographical localization.
Incoming calls.
Start/end times and duration.
Voice mail access numbers.
Call forwarding numbers.
Incoming/outgoing messages.
Access codes for voice mail systems.
Contact lists.
Jose Mas y Rubi et al.
b) VoIP data:
Protocol type.
Configuration data.
Raw packets.
Inter-arrival times.
Variance of inter-arrival times.
Payload size.
Port numbers.
Codecs.
The Session Initiation Protocol (SIP) is an important part of the VoIP network communication. SIP is
an IETF standard for IP multimedia conferences. SIP is an application layer control protocol use to
create, modify and terminate session with one or more participants. These sessions include internet
multimedia conferences, internet phone calls and multimedia distribution. The signaling allows the
transportation of call information across the network boundaries. The session management provides
the ability to control the attributes of an end-to-end call (Fernandez 2007).
3. Related works
In our preliminary investigation, we searched different models that could adapt to the DFRWS general
model, and among the most outstanding models we found REN-JIN and CALEA, which will be
describes in the following subsections.
3.1 CALEA model
Government Surveillance is a network forensic special case. Communications Assistance for Law
Enforcement Act (CALEA) is another term use for this electronic surveillance. This means that is
legally valid to introduce an agent inside a communication channel to intercept information, without
altering it (Scoggins 2004).
The wiretapping installation is based on the wire modem’s MAC address, so it can be use for the data
or digital voice connections. This characteristic is controlled by the command interface, intercepted
cable, which requires a MAC address, an IP address and an UDP port number as their parameters
(Scoggins 2004).
When it is active, the router examines each packet with the desirable MAC addresses and when finds
a match to one of those addresses (either from the origin or destination terminal device), a copy is
send to the server, specifying the IP address and port number (Scoggins 2004).
Figure 2 shows how the components of CALEA model (Delivery Function, Collection Function and
Law Enforcement Agency) integrate with a VoIP system providing a transparent lawful interception.
Calls are routed through an access gateway that hides any intercepts in place (Pelaez 2007).
162

Figure 2: CALEA forensic model (Pelaez 2007)
Jose Mas y Rubi et al.
Telephone interception can be classified in two categories:
Call detail: Send and receive call details from a subscriber, that will pass to LEA. The generated call
registration created from signaling message can be very valuable in criminal investigations. The
signaling message contains data from phone calls, not about the content of the conversation.
Therefore, the recollection and analysis of signaling messages cannot be subject to the same legal
restrictions as recording voice conversations (Moore 2005).
Call content: It is the real content of the call that we pass to LEA. The suspect must not detect the
mirror, so this element must be produced inside the network and not in the subscriber link. Also this
mirror must not be detectable by any change in time, availability characteristics or operation (Pelaez
2007).
In order that LEA take advantage of the call content without the subscriber knowledge of any change,
all the calls must pass through a device that duplicate the content and then pass it to the agency
(Pelaez 2007).
3.2 REN–JIN model
This model, conceived by Wei Ren and Hai Jin, is designed to capture the network traffic and to
register the corresponding data. This network forensic system has 4 elements (Pelaez 2006):
Network Forensics Server, which integrates the forensic data and analyzes it. It also guides the
network packet filter and captures the behavior of the Network Monitor. It can request the
activation of an investigation program in the Network Investigator has an answer to a sensitive
attack.
Network Forensics Agents, is responsible of data recollection, data extraction and data secure
transportation. These agents are distributed around the network and the monitored hosts.
Network Monitor, is a packet and network traffic capture machine.
Network Investigator, is the network surveillance machine. It investigates a target when the server
gives the command. It activates a real time response program for each network intrusion.
The forensic network and Honeynet systems have the same data recollection function for system
misuse. A Honeynet system lures attackers and gains information about new types of intrusions.
Network forensic system analyzes and reconstructs the attack behavior. The integration of both
systems will help to create an active self-learning and response system to capture the intrusion
behavior and investigate the attack original source (Pelaez 2006).
163

Figure 3: REN-JIN forensic model (Pelaez 2006)
Jose Mas y Rubi et al.
The Honeynets are highly controlled type of network architecture, one in which you can monitor all
activity that occurs. By placing real victims (which can be any type of system, service or information)
inside the network like an attack target, it creates an environment where you can observe everything
that happens on it, allowing the attacking intruders interact with the Honeynet while information from
that attack is being collected. This happens because Honeynets are high interaction real networks
which implement traps to detect, deviate, or in some cases, to counteract non-authorize uses of the
information system; where no service neither traffic is generated. Therefore, any interaction with the
Honeynet implies malicious or non-authorize activities. Any connection initiated to a Honeynet implies
that someone has compromised a system and has initiated a suspicious activity. This makes much
easier the activity analysis, because all the captured information can be assumed as non-authorize or
malicious one (Honeynet 2006).
4. Comparative analysis
One of the objectives of our work is to discuss the structure of REN-JIN and CALEA models, so that
at the end, we could affirm if one of these models can be applicable for a VoIP traffic forensic
analysis, and also proposing possible improvement to the selected model in this analysis process.
The methodology to follow implies that the mentioned models are analyzed in the DFRWS general
model structure, to identify if all the elements functions of each individual model meet the
requirements of the chosen general model.
In conclusion, the elements that integrate the forensic models CALEA and REN-JIN will be located in
the corresponding step of the DFRWS model structure, to identify if the functions that those elements
provide can cover one of the general model’s important steps.
4.1 Discussion and analysis
Table 2 shows the main function of each of the analyzed models, and then compared to the general
model functions:
4.2 REN-JIN and CALEA operation differences
The main functions of CALEA are focused on a single component, LEA, which will depend on the
traffic mirror used by the forensic agents to collect the required information. This makes the model
easily adaptable to the rules governing the legal interception in the countries where these type of tools
are used. However, it is the duty of each country to lay down rules for the use of this type of system,
so the collected evidence could have full legality in the judicial environment.
164

Jose Mas y Rubi et al.
Table 2: Comparative analysis between REN-JIN and CALEA models
In contrast, the main functions of REN-JIN are distributed between different components of the model,
which are mainly controlled by the Network Forensic Server, which has autonomous power to
determine what type of traffic should be captured and analyzed. This allow the tool to collect evidence
in sequential steps, being able to obtain more precise and adequate information, regarding to the
requirements of the judicial entities.
Due to the characteristics of CALEA model, forensic investigators should have action freedom over
the analyzed networks. However, because those networks can be public, there is a potential risk that
interceptions could involve innocent users, violating their privacy rights.
REN-JIN, as CALEA model, requires that forensic investigators have action freedom over the
analyzed network. However, the traffic to be analyze is canalize to a Honeynet used by the model,
preserving the privacy rights of all the user that are not involve in this study.
It can be considered that CALEA performance is reactive, due to the fact that forensic investigators
should identify the suspect and after it, they have to implement the analysis and capture platform
proposed by the model.
On the other hand, REN-JIN performance is also of the reactive type, but instead of previously identify
the suspect, you need to identify the attacked network, which will become our decoy network
(Honeynet), based in the analysis and capture platform proposed by the model.
4.3 Model election
Based on our analysis and after doing a balance between advantages and limitations of the two
studied models, we observed that REN-JIN model has a more adequate architecture that possess the
majority of the functions of the DFRWS general model, and when its limitations are overcome, this
model can be validated as a network forensic model. Also, while REN-JIN is a theoretical model, we
believe that it could be properly implemented.
4.4 Improvements in the chosen model
Considering REN-JIN as the chosen model, we observed that it presents several flaws, so we
propose to correct them through the insertion of new elements that allow us to strengthen the
architecture for a good VoIP forensic analysis.
The identification function could be implemented in a convergence network through technologies like
MEGACO H.248 protocol (ITU 2005) and ENUM (IETF 2004).
165

Jose Mas y Rubi et al.
The preservation function could be complemented with the deployment of a backup system like
incremental backups and mirror system backups.
The presentation function would be implemented with a report mechanism which contains the basic
parameters that would allow to make an adequate legal analysis, and to use it as a proof and to
possibly validate it as evidence. By modifying the REN-JIN model and introduce this new elements to
it, a new forensic model is achieved, which we’ll call CAESMA model.
5. Proposition of CAESMA model
This proposition is an on-going investigation, so, in the following subsection we present a preliminary
architecture and its basic operation.
5.1 Presentation of the new architecture
To be clear about the information flow between the elements that forms this network architecture, we
present a basic diagram which is the following:
Figure 4: Proposed network architecture
By inserting an IP Multimedia Subsystem (IMS) module, this element will allow us to integrate various
existing communication service platforms. Likewise, an ENUM module will allow us to link an
identification number to a system user, having in mind that for each of the users may be various
means of communication previously integrated to IMS. To make this user identification proposition
viable is necessary that, for each of the services offered by the Service Provider, exists an appropriate
registration in ENUM. For example:
Figure 5: ENUM operation
166

Jose Mas y Rubi et al.
Another pending point in the improvement is the preservation function, and this can be improved
through data duplication techniques like RAID disc structures, or by redundant servers; this
modification must be implemented specifically in the Network Forensics Server, which can send the
backup data to a medium describe above, after the data is previously analyzed.
For the presentation function, the purpose of this element is to generate reports which will be
presented to the competent authorities, for this is necessary to count with specialized personal that
can adequately identify the proofs and validate them as possible evidences. For this purpose, we
consider that an element that can fulfill this function is the Legal Enforcement Agency (LEA), which is
a fundamental part of the CALEA model. Some of the basic parameters to be considered would be
the ones presented in section II under the VoIP topic.
5.2 Proposed network basic operation
The operation of the network architecture and the relevant states for our analysis are appointed in the
following lines:
1) A call is generated from the Internet; it wants to communicate with some user on the network,
for which it uses a number, for example, 4981791.
2) Once the Gateway received the internet user communication petition, it will interact with the
IMS core, which will interact at the same time with ENUM, and will return the user identification of
the called number, according to SIP signaling.
3) The CAESMA network will intercept the IMS core response and identify the affected user for
the criminal acts which is being communicated.
4) CAESMA will connect the capture network and starts the real time forensic process.
5) The called user acts and proceeds with the communication normally.
6) When the communication is finalized, the forensic process of recollecting proofs is also
finished.
Figure 6: Relevant states in CAESMA network operation
6. Conclusions
The current trend of widespread use of VoIP communications make indispensable to the forensic
investigators to count with the necessary tools to study and prevent all the possible vulnerability
threats in the communications.
Possible applicable tools to this problematic issue, according to the investigation made in this paper,
are the REN-JIN model and the CALEA model. Both were thought as network forensic models and
are not fully adequate for evidence recollection in VoIP communications, due to the special
parameters of the evidence, that allow the network forensic investigators to identify and capture
specific data from the crime.
167

Jose Mas y Rubi et al.
In this sense, the new CAESMA model is proposed, which appears to cover the shortcomings noted
in the forensic models previously mentioned, meeting all necessary steps for a proper VoIP forensic
analysis, as established in the DFRWS general model.
In conclusion, the CAESMA model offers a robust network forensic system for identification,
preservation, collection, examination, analysis and presentation of the information concerning the
VoIP traffic, which ultimately will provide us with validate evidence for an adequate use by judicial
authorities.
7. Future works
Based in the comparative analysis completed in this work and the preliminary presentation of the
CAESMA model, the next step in our work is to develop this new forensic model and its respective
validation for an adequate VoIP network analysis.
8. Annex 1
Tree of trouble
168

Tree of Objectives
Acknowledgements
Jose Mas y Rubi et al.
To Juan C. Pelaez from U.S. Army Research Laboratory, USA, for his collaboration and for supply us
with updated work material.
To Juergen Rochol and Liane M. Rockenbach Tarouco from UFRGS, RS-Brazil, for their state of the
art documentation.
References
DFRWS: Digital Forensics Research Workshop. (2001) "A Road Map for Digital Forensics Research 2001”.
Digital Forensics Research Workshop 6 November. http://www.dfrws.org/2001/dfrws-rm-final.pdf
IETF: Internet Engineering Task Force. (2004) “RFC 3761: The E.164 to URI DDDS Application (ENUM)”,
http://www.ietf.org/rfc/rfc3761.txt
ITU: International Telecommunication Union, (2005) “Recommendation H.248.1”, http://www.itu.int/rec/T-REC-
H.248.1-200509-I/en
Fernandez, Eduardo; Pelaez, Juan and Larrondo-Petrie, Maria. (2007) “Security patterns for Voice over IP
Networks”, Journal of Software, Vol. 2, No. 2, August.
169

Jose Mas y Rubi et al.
Moore, T.; Meehan, A.; Manes, G. and Shenoi, S. (2005) “Using Signaling Information in Telecom Network
forensics”. Advances in Digital Forensics: IFIP International Conference on Digital Forensics, National
Center for Forensic Science, Orlando, Florida, USA.
Pelaez, Juan and Fernandez, Eduardo. (2006) “Wireless VOIP Network Forensics”, Fourth LACCEI International
Latin American and Caribbean Conference for Engineering and Technology (LACCET’2006), Mayaguez,
Puerto Rico.
Pelaez, Juan; Fernandez, Eduardo; Larrondo-Petrie, Maria and Wieser, Christian. (2007) “Attack Patterns in
VoIP”, Florida Atlantic University, USA. University of Oulu, USA.
Pelaez, Juan and Fernandez, Eduardo. (2010) “VoIP Network Forensic Patterns”, U.S. Army Research
Laboratory, USA. Florida Atlantic University, USA.
Ray, Daniel and Bradford, Phillip. (2007) “Models of Models: Digital Forensics and Domain-Specific Languages”,
Department of Computer Science, The University of Alabama, USA.
Reith, Mark; Carr, Clint and Gunsch, Gregg. (2002) “An Examination of Digital Forensic Models”, International
Journal of Digital Evidence, Fall, Volume 1, Issue 3.
Scoggins, Sophia. (2004) “Security Challenges for CALEA in Voice over Packet Networks”. Texas Instruments,
April 16, USA.
The Honeynet Project. (2006) “Know Your Enemy: Honeynets”, http://www.honeynet.org
170

Secure Proactive Recovery – a Hardware Based Mission
Assurance Scheme
Ruchika Mehresh 1 , Shambhu Upadhyaya 1 and Kevin Kwiat 2
1
State University of New York at Buffalo, USA
2
Air Force Research Laboratory, Rome, USA
rmehresh@buffalo.edu
shambhu@buffalo.edu
kwiatk@rl.af.mil
Abstract: Mission Assurance in critical systems entails both fault tolerance and security. Since fault tolerance via
redundancy or replication is contradictory to the notion of a limited trusted computing base, normal security
techniques cannot be applied to fault tolerant systems. Thus, in order to enhance the dependability of mission
critical systems, designers employ a multi-phase approach that includes fault/threat avoidance/prevention,
detection and recovery. Detection phase is the fallback plan for avoidance/prevention phase, as recovery phase
is the fallback plan for detection phase. However, despite this three-stage barrier, a determined adversary can
still defeat system security by staging an attack on the recovery phase. Recovery being the final stage of the
dependability life-cycle, unless certain security methodologies are used, full assurance to mission critical
operations cannot be guaranteed. For this reason, we propose a new methodology, viz. secure proactive
recovery that can be built into future mission-critical systems in order to secure the recovery phase at low cost.
The solution proposed is realized through a hardware-supported design of a consensus protocol. One of the
major strengths of this scheme is that it not only detects abnormal behavior due to system faults or attacks, but
also secures the system in case where a smart attacker attempts to camouflage by playing along with the
predefined protocols. This sort of adversary may compromise certain system nodes at some earlier stage but
remain dormant until the critical phase of the mission is reached. We call such an adversary The Quiet Invader.
In an effort to minimize overhead, enhance performance and tamper-proof our scheme, we employ redundant
hardware typically found in today’s self-testing processor ICs, like design for testability (DFT) and built-in self-test
(BIST) logic. The cost and performance analysis presented in this paper validates the feasibility and efficiency of
our solution.
Keywords: security, fault tolerance, mission assurance, critical systems, hardware
1. Introduction
Research in the past several decades has seen significant maturity in the field of fault tolerance. But,
fault tolerant systems still require multi-phased security due to the lack of a strong trusted computing
base. The first phase in this regard is avoidance/prevention, which consists of proactive measures to
reduce the probability of any faults or attacks. This can be achieved via advanced design
methodologies like encryption. The second phase, detection, primarily consisting of an intrusion
detection system attempts to detect the faults and malicious attacks that occur despite the preventive
measures. The final phase is the recovery that focuses on recuperating the system after the
occurrence of attack/fault. Generally, fault tolerant systems rely on replication and redundancy for
fault-masking and system recovery.
These three layers of security provide a strong defense for mission critical systems. Yet, if a
determined adversary stages an attack on the recovery phase of an application, it is quite possible
that the mission will fail due to the lack of any further countermeasures. Therefore, these systems
need the provisioning of another layer of defense to address attacks that may be brought about by
malicious opponents during the recovery phase itself.
The quiet invader is another serious threat that we consider. Attacking the mission in its critical phase
not only leaves the defender with less time to respond, but cancelling the mission at this late stage is
far more expensive than cancelling it at some earlier stage. In the case where the defender is not left
with enough time to respond to the attack, it can lead to major economic loss and even fatalities.
We develop a framework for mission assured recovery using the concept of runtime node-to-node
verification implementable at low-level hardware that is not accessible by the adversary. The rationale
behind this approach is that if an adversary can compromise a node by gaining root privilege to userspace
components, any solution developed in the user space will not be effective since such solutions
may not remain secure and tamper-resistant. In our scheme, the entire verification process can be
carried out in a manner that is oblivious to the adversary, which gains the system an additional
171

Ruchika Mehresh et al.
advantage. We explore the potential of utilizing the test logic on the processors (and hence the name
“hardware-based mission assurance scheme”) for implementing our secure proactive recovery
paradigm. This choice makes our solution extremely cost effective. In order to establish the proof-ofconcept
for this proposal, we will consider a simple mission critical system architecture that uses
majority consensus for diagnosis and recovery. Finally, we analyze the security, usability and
performance overhead for this scheme.
2. Related work
The solutions proposed in the literature to address faults/attacks in fault tolerant systems are
designed to employ redundancy, replication and consensus protocols. They are able to tolerate the
failure of up to f replicas. However, given enough time and resources, an attacker can compromise
more than f replicas and subvert the system. A combination of reactive and proactive recovery
approaches can be used to keep the number of compromised replicas under f at all times (Sousa et
al. 2007). However, as the attacks become more complex, it becomes harder to detect any faulty or
malicious behavior (Wagner and Soto 2002). Moreover, if one replica is compromised, the adversary
holds the key to other replicas too. To counter this problem, researchers have proposed spatial
diversity in software. Spatial diversity can slow down an adversary but eventually the compromise of
all diverse replicas is possible. Therefore, it was further proposed to introduce time diversity along
with the spatial diversity. Time diversity modifies the state of the recovered system (OS access
passwords, open ports, authentication methods, etc.). This is to assure that an attacker is unable to
exploit the same vulnerabilities that he had exploited before (Bessani et al. 2008).
3. Threat model
We developed an extensive threat model to analyze security logically in a wide range of scenarios.
Assume that we have n replicas in a mission-critical application and the system can tolerate the failure
of up to f replicas during the entire mission.
Scenario 1: Attacks on Byzantine fault-tolerant protocols
Assume that no design diversity is introduced in a replicated system. During the mission lifetime, an
adversary can easily compromise f+1 identical replicas and bring down the system.
Scenario 2: Attacks on proactive recovery protocols
In proactive recovery, the whole system is rejuvenated periodically. However, the adversary becomes
more and more knowledgeable as his attacks evolve with each succeeded/failed attempt. So it is only
a matter of time before he is able to compromise f+1 replicas between periodic rejuvenations.
Furthermore, the compromised replicas can disrupt the system’s normal functioning in many ways like
creating extra traffic so the recovery is delayed and the adversary gains more time to compromise f+1
replicas (Sousa et al. 2007).This is a classic case of attacking the recovery phase.
Scenario 3: Attacks on proactive-reactive recovery protocols
Proactive-reactive recovery solves several major problems, except that if the compromised node is
recovered by restoring the same state that was previously attacked, the attacker will already know the
vulnerabilities (Sousa et al. 2007). In this case, a persistent attacker may get faster with time, or may
invoke many reactive recoveries exhausting the system resources. Large number of recoveries also
affects the system availability adversely. This is also an instance of attacking the recovery phase.
Furthermore, arbitrary faults are very difficult to detect (Haeberlen et al. 2006).
Scenario 4: Attacks on proactive-reactive recovery with spatial diversity
Spatial diversity in replicas is proposed to be a relatively stronger security solution. It can be difficult
and more time-consuming for the adversary to compromise f+1 diverse replicas but it is possible to
compromise these diverse replicas eventually, especially for long running applications. Also, most of
the existing systems are not spatially diverse. Introducing spatial diversity into the existing systems is
expensive.
Time diversity has been suggested to complement the spatial diversity so as to make it almost
impossible to predict the new state of the system (Bessani et al. 2008). The complexity involved in
172

Ruchika Mehresh et al.
implementing time diversity in a workable solution is very high because it will have to deal with on-thefly
compatibility issues and much more. Besides, updating replicas and other communication
protocols consume considerable time and resources. A decent workable solution employing space
diversity still needs a lot of work (Banatre et al. 2007), so employing time diversity is a step planned
too far into the future.
Scenario 5: The quiet invader
In the presence/absence of spatial diversity, an adversary may be able to investigate a few selected
nodes quietly and play along with the protocol to avoid getting caught and gain more time to
understand the system. After gathering enough information, the adversary can design attacks for f+1
replicas and launch the attacks on all of them at once when he is ready or when the mission enters a
critical stage. If these attacks are not detected or dealt with in time, the system fails. This is an
evasive attack strategy for subverting the detection and recovery phases. Similar threat models have
been discussed in literature previously (Todd et al. 2007, Del Carlo 2003).
Scenario 6: The physical access threat
Sometimes system nodes are deployed in an environment where physical access to them is a highly
probable threat. For instance, in the case of wireless sensor network deployment, sensor nodes are
highly susceptible to physical capture. To prevent such attacks, we need to capture any changes in
the physical environment of a node. A reasonable solution may involve attaching motion sensors to
each node. Any unexpected readings from these motion sensors will indicate a possible threat and
then our scheme can be used to assure the mission.
4. System design
4.1 Assumptions
We work with a simplified, centralized architecture of a mission critical application in order to describe
and evaluate the proposed scheme. No spatial or time diversity is assumed, though our scheme will
work with any kind of diversity.
The network can lose, duplicate or reorder messages but is immune to partitioning. The coordinator
(central authority and trusted computing base) is responsible for periodic checkpointing in order to
maintain a consistent global state. The stable storage at coordinator holds the recovery data through
all the tolerated failures and their corresponding recoveries. We assume sequential and equidistant
checkpointing (Elnozahy et al. 2002).
The replicas are assumed to be running on identical hardware platforms. Each node has advanced
CPU (Central processing unit) and memory subsystems along with the test logic (in the form of DFT
and BIST) that is generally used for manufacture test. Refer to Fig. 1(a). All the chips comply with the
IEEE 1149.1 JTAG standard (Abramovici and Stroud 2001). Fig. 1(b) elaborates the test logic and
boundary scan cells corresponding to the assumed hardware.
We assume a software tripwire running on each replica that can be used to detect a variety of
anomalies at the host. By instrumenting the openly available tripwire source code (Hrivnak 2002), we
can direct the "intrusion alert/alarm" to a set of system registers (using low level coding).The triggered
and latched hardware signature will be read out by taking a snapshot of the system registers using
the “scan-out” mode of the observation logic associated with the DFT hardware. The bit pattern will be
brought out to the CPU ports using the IEEE 1149.1 JTAG instruction set in a tamper-resistant
manner. Once it is brought out of the chip, it will be securely sent to the coordinator for verification and
further action. This way, the system will be able to surreptitiously diagnose the adversary’s action.
4.2 Conceptual basics
We present a simple and practical alternative to the spatial/time diversity solutions in order to increase
the resilience of a fault tolerant system against benign faults and malicious attacks. In particular, this
is to address the threat of a quiet invader (Scenario 5 of Section 3). An adversary needs to
compromise f+1 replicas out of the n correctly working replicas in order to affect the result of a
majority consensus protocol and disrupt the mission.
173

Figure 1(a): Replicated hardware
Figure 1(b): Capturing signature
Ruchika Mehresh et al.
The key idea is to detect a system compromise by a smart adversary who has taken over some
replicas (or has gained sufficient information about them) but is playing along in order to gain more
time. From the defender’s point of view, if the system knows which of the n replicas have become
untrustworthy, the mission can still succeed with the help of the surviving healthy replicas. Smart
attackers try to minimize the risk of getting caught by compromising only the minimum number of
replicas required in order to subvert the entire system. Aggressive attackers can be clearly and easily
detected and thus their attacks can be recovered from. So a smart defender should be able to detect
the attacks surreptitiously so as not to make the attacker aggressive. This especially holds for the
cases when a smart attacker has been hiding for long and the mission is nearing completion. At this
stage, the priority is not to identify the attacker but to complete the mission securely.
The proposed scheme offers a passive detection and recovery, in order to assure the adversary of its
apparent success to prevent him from getting more aggressive. At some later stage, when the
adversary launches an attack to fail f+1 replicas at once, the attack fails because those replicas have
already been identified and ousted from the voting process without the knowledge of the attacker. In
our solution, we require that there should be at least two correctly working replicas to provide a duplex
system at a minimum, for the mission to succeed. The advantage of this approach is that in the worst
case where all the replicas are compromised, the system will not deliver a result, rather than
delivering a wrong one. This is a necessary condition for many safety-critical missions. If an adversary
can compromise a replica by gaining root privilege to user-space components, one should note that
any solution developed in the user space will not be effective since such solutions will not remain
secure and tamper-resistant. Therefore, our paradigm achieves detection of node compromise
through a verification scheme implementable in low-level hardware. We use software or hardwaredriven
tripwires that would help detect any ongoing suspicious activity and trigger a hardware
signature that indicates the integrity status of a replica. This signature is generated without affecting
the application layer, and hence the attacker remains oblivious of this activity. Also, a smart attacker is
not likely to monitor the system thoroughly as that may lead to detection. This signature is then
securely collected and sent to the coordinator that performs the necessary action.
4.3 Checkpointing
In our simplified application, the checkpointing module that affiliates to the coordinator establishes a
consistent global checkpoint and also carries out voting procedures that lead to anomaly detection
due to faults, attacks or both.
174

Ruchika Mehresh et al.
The coordinator starts the checkpointing/voting process by broadcasting a request message to all the
replicas, asking them to take checkpoints. It also initiates a local timer that runs out if the coordinator
does not receive the expected number of replies within a specific time frame. On receiving this
message, all the replicas pause their respective executions and take a checkpoint. These checkpoints
are then sent over the network to the coordinator through a secure channel using encryption. On
receiving the expected number of checkpoints, coordinator compares them for consistency. If all
checkpoints are consistent, it broadcasts a commit message that completes the two-phase checkpoint
protocol. After receiving the commit message, all the replicas resume their respective executions. This
is how the replicas execute in lockstep. In case the timer runs out before the expected number of
checkpoints are received at the coordinator, it sends out another request message. All the replicas
send their last locally stored checkpoints as a reply to this request message. In our application, we
have limited the number of repeated checkpoint requests to three per non-replying replica. If a replica
does not reply to three (or a threshold count) checkpoint request messages, it is considered dead by
the coordinator and a commit message is sent to the rest of the replicas if their checkpoints are
consistent. In case that the checkpoints are not consistent, the coordinator replies with a rollback
message to all the replicas. This rollback message includes the last consistent checkpoint that was
stored on the stable storage at the coordinator. All the replicas then return to the previous state of
execution as defined by the rollback message. If a certain replica fails to deliver consistent checkpoint
and causes more than three (or a threshold count) consecutive rollbacks, the fault is considered
permanent and the replica is excluded from the system.
A hardware signature is generated at each replica and piggybacked on the checkpoint when it is sent
to the coordinator. This signature quantifies the integrity status of the replica since the last successful
checkpoint. For simplicity, we use the values – all-0s (for an uncompromised replica) and all-1s (for a
compromised replica). A host-based intrusion detection sensor at all the replicas is responsible for
generating these signatures. If the coordinator finds any hardware signature to be all-1s, then the
corresponding replica is blacklisted and any of its future results/checkpoints are ignored at the
coordinator. However, the coordinator continues normal communication with the blacklisted replica to
keep the attacker unaware of this discovery.
Finally, all the results from each of the non-blacklisted replicas will be voted upon by the coordinator
for the final result.
4.4 Using built-in test logic for hardware signature generation and propagation
As described under assumptions, the system uses a software-driven trip-wire that monitors the
system continuously for a specified range of anomalies. Tripwire raises an alarm on anomaly
detection by setting the value of a designated system register to all-1s (it will be all-0s otherwise). This
value then becomes the integrity status indicator for the replica and is read out using the scan-out
mode of the test logic. It is then securely sent to the coordinator for verification.
5. Performance analysis
Most of the mission critical military applications that employ checkpointing or proactive security tend to
be long running ones. For instance, a rocket launch countdown running for hours/days. Therefore, our
performance analysis will focus on long running applications and their overall execution time.
Since our scheme employs built-in hardware for implementing security, and security-related
notifications piggyback the checkpointing messages, our security comes nearly free for systems that
already use checkpointing for fault tolerance. However, many legacy systems that do not use any
checkpointing will need to employ checkpointing before they can benefit from our scheme. In such
cases, cost of checkpointing is also included in the cost of employing our security scheme. To cover
all these possibilities, we consider the following three cases.
Case 1: This case includes all the mission critical legacy systems that do not employ checkpointing or
security.
Case 2: This case examines mission critical systems that employ checkpointing as a safety measure
in the absence of any failures or attacks. Note that this will be the worst case scenario for Case 1
systems that may adopt our scheme because there are practically no faults/attacks. Also, our security
scheme is nearly free for Case 2 systems, if they choose to employ it.
175

Ruchika Mehresh et al.
Case 3: The systems considered under Case 3 employ checkpointing and our proposed security
scheme (hardware signature verification). This case considers the occurrence of failures and securityrelated
attacks.
These three cases allow us to study the cost of adopting our security scheme in all possible
scenarios.
Since the proposed system is composed of both hardware and software subsystems, we could not
use one standard simulation engine to simulate the entire application accurately and obtain data.
Therefore, we combined the results obtained from individually simulating the software and the
hardware components using our multi-step simulation approach (Mehresh et al. 2010).
5.1 Simplified system prototype development
Figure 2 shows the modular design of the simplified system for mission critical applications with n
replicas. The coordinator is the core of this centralized replicated system. It is responsible for voting
operations on intermediate results, integrity signatures and checkpoints obtained from the replicas.
The heartbeat manager broadcasts periodic ping messages to determine if the nodes are alive. The
replicas are identical copies of the workload executing in parallel in lockstep.
Figure 2: Overall system design
5.2 Multi-step simulation approach
We use a multi-step simulation approach to evaluate the system performance for the three cases.
This new approach is required because there are currently no benchmarks for evaluating such
systems. A combination of pilot system implementation and simulation is used to obtain more realistic
and statistically accurate results.
Different components of this evaluation include a JAVA implementation based on Chameleon
ARMORs (Kalbarczyk et al. 1999), ARENA simulation (http://www.arenasimulation.com/) and
CADENCE simulation (http://www.cadence.com). ARENA simulation is discrete event and it simulates
the given system at a high level of abstraction. The lower levels of abstraction that become too
complex to model are parameterized using the data obtained from conducting experiments with the
JAVA system prototype. Another reason for using ARENA simulator is the analysis of long running
mission critical applications. Such an analysis with real-time experiments is not efficient and extremely
time consuming. The Java prototype consists of socket programming across a network of 100 Mbps
bandwidth. The experiments for measuring performance were conducted on Windows platform with
an Intel Core Duo 2 GHz processor and 2 GB RAM. CADENCE simulation is primarily used for the
feasibility study of the proposed hardware scheme. To verify the precision of our simulators, test
cases were developed and deployed for the known cases of operation.
This system accepts workloads from the user and executes them in a fault tolerant environment. We
used the Java SciMark 2.0 workloads as user inputs in this system prototype. The four workloads that
we used are: Fast Fourier Transform (FFT), Jacobi Successive Over-relaxation (SOR), Sparse Matrix
176

Ruchika Mehresh et al.
multiplication (Sparse) and Dense LU matrix Factorization (LU). The standard large data sets
(http://math.nist.gov/scimark2) were used.
Data-sets from short running replicated experiments were collected and fitted probability distributions
were obtained using ARENA input data analyzer. These distributions defined the stochastic
parameters for ARENA simulation model.
We examine the feasibility of the hardware component of this architecture (as described under
assumptions) as follows. The integrity signature of a replica is stored in the flip flops of the boundary
scan chain around a processor. This part of our simulation is centered on a boundary scan inserted
DLX processor (Patterson and Hennessy 1994). Verilog code for the boundary scan inserted DLX
processor is elaborated in cadence RTL compiler. To load the signature into these scan cells
a multiplexer is inserted before each cell, which has one of the inputs as test data input (TDI) and the
other from the 32 bit signature vector. Depending on the select line either the test data or the
signature is latched into the flip flops of the scan cells. To read the signature out the bits are serially
shifted from the flip flops onto the output bus.
5.3 Results
We analyze the prototype system for the three cases described earlier. Since we want to evaluate the
performance of this system in the worst case scenario where the checkpointing overhead is
maximum, we choose sequential checkpointing (Elnozahy et al. 2002). For the following analysis
(unless mentioned), checkpoint interval is assumed to be 1 hour. Table 1 presents the execution
times for the four Scimark workloads. The values from Table 1 are plotted in Figure 3 on a logarithmic
scale. We can see that the execution time overhead increases a little when the system shifts from
Case 1 to Case 2 (i.e., employing our scheme as a preventive measure). However, the execution time
overhead increases rapidly when the system moves from Case 2 and Case 3. The execution
overhead will only increase substantially if there are too many faults present, in which case it would be
worth the fault tolerance and security that comes along. As we can see from the values of Table 1, an
application that runs for 13.6562 hours will incur an execution time overhead of only 13.49 minutes in
moving from Case 1 to Case 2.
Figure 3: Execution times for Scimark workloads across three cases, on a logarithmic scale
Figure 4 shows the percentage increase in execution times of various workloads when the system
upgrades from a lower case to a higher one. It is assumed that these workload executions do not
have any interactions (inputs/outputs) with the external environment. The percentage increase in
execution times of all the workloads when the system upgrades from Case 1 to Case 2 is only around
1.6%. An upgrade from Case 1 to Case 3 (with mean time to fault, M =10) is around 9%. These
percentages indicate acceptable overheads.
177

Ruchika Mehresh et al.
Table 1: Execution times (in hours) for the Scimark workloads across three cases
Case 1
Case 2
Case 3 (M=10)
Case 3 (M=25)
FFT LU SOR Sparse
3421.09 222.69 13.6562 23.9479
3477.46 226.36 13.8811 24.3426
3824.63 249.08 15.2026 26.7313
3593.39 233.83 13.8811 24.3426
Figure 4: Percentage execution time overheads incurred by the Scimark workloads while shifting
between cases
As Table 1 shows, for a checkpoint interval of 1 hour and M =10, the workload LU executes for
approximately 10 days. Figure 5 shows the effect of increasing checkpoint interval for workload LU for
different values of M ranging from 5 to 25. The optimal checkpoint interval values (and the
corresponding execution times) for the graph plots in Figure 5 are provided in Table 2.
Figure 5: Effect of checkpoint interval on workload execution times at different values of M
Note that we used the multi-step approach for this simulation and the parameters for the simulation
model were derived from experimentation. Therefore, these results do not just represent the data
trends but are also close to the statistically expected real-world values.
178

Ruchika Mehresh et al.
Table 2: Approximate optimal checkpoint interval values and their corresponding workload execution
times for LU (Case 3) at different values of M
6. Conclusion
Optimal Checkpoint Interval (hours)
Execution Times(hours)
M=5 M=10 M=15 M=25
0.3 0.5 0.65 0.95
248.97 241.57 238.16 235.06
This paper proposes a hardware based proactive solution to secure the recovery phase of mission
critical applications. A detailed threat model is developed to analyze the security provided by our
scheme. The biggest strengths of this research is its ability to deal with smart adversaries, give priority
to mission assurance, and use redundant hardware for capturing integrity status of a replica outside
the user space. Since this scheme is simple and has no visible application specific dependencies, its
implementation has the potential to be application transparent. For performance evaluation, we
investigated a simplified mission critical application prototype using a multi-step simulation approach.
We plan to enhance the centralized architecture to a distributed system for our future research work.
We defined cases to investigate the cost involved in applying our security scheme to all kinds of
systems (including the legacy systems with no fault tolerance). The performance evaluation showed
promising results and the cost/performance overhead is only a small percentage of the original
execution times when faults are absent. As the rate of fault occurrence increases, the overhead
increases too, but this additional overhead comes with fault tolerance and security. Overall, we
believe that our solution provides strong security at low cost for mission critical applications.
Acknowledgments
This work was supported in part by ITT Grant No. 200821J. This paper has been approved for Public
Release; Distribution Unlimited: 88ABW-2010-6094 dated 16 Nov 2010.
References
Abramovici, M. and Stroud, C.E. (2001) "BIST-based test and diagnosis of FPGA logic blocks", IEEE
Transactions on VLSI Systems, volume 9, number 1, pages 159-172, February.
Banatre, M., Pataricza, A., Moorsel, A., Palanque, P. and Strigini, L. (2007) From resilience-building to resiliencescaling
technologies: Directions – ReSIST, NoE Deliverable D13. DI/FCUL TR 07–28, Dep. Of
Informatics, Univ. of Lisbon, November.
Bessani, A., Reiser, H.P., Sousa, P., Gashi, I., Stankovic, V., Distler, T., Kapitza, R., Daidone, A. and Obelheiro,
R. (2008) “FOREVER: Fault/intrusiOn REmoVal through Evolution & Recovery”, Proceedings of the ACM
Middleware'08 companion, December.
Del Carlo, C. (2003) Intrusion detection evasion, SANS Institute InfoSec Reading Room, May.
Elnozahy, E.N., Alvisi, L., Wang, Y. and Johnson, D.B. (2002) "A survey of rollback-recovery protocols in
message-passing systems", ACM Computing Surveys (CSUR), volume 34 number 3, pages 375-408,
September.
Haeberlen, A., Kouznetsov, P. and Druschel, P. (2006) “The case for Byzantine fault detection”, Proceedings of
the 2nd conference on Hot Topics in System Dependability, volume 2, November.
Hrivnak, A. (2002) Host Based Intrusion Detection: An Overview of Tripwire and Intruder Alert, SANS Institute
InfoSec Reading Room, January.
Kalbarczyk, Z., Iyer, R.K., Bagchi, S. and Whisnant, K. (1999) "Chameleon: a software infrastructure for adaptive
fault tolerance", IEEE Transactions on Parallel and Distributed Systems, volume 10, number 6, pages 560-
579, June.
Mehresh, R., Upadhyaya, S. and Kwiat, K. (2010) “A Multi-Step Simulation Approach Toward Fault Tolerant
system Evaluation”, Third International Workshop on Dependable Network Computing and Mobile Systems,
October.
Patterson, D. and Hennessy, J. (1994) Computer Organization and Design: The Hardware/Software
Interface, Morgan Kaufmann.
Sousa, P., Bessani, A., Correia,M., Neves, N.F. and Verissimo, P. (2007) “Resilient intrusion tolerance through
proactive and reactive recovery”, Proceedings of the 13th IEEE Pacific Rim Int. Symp. on Dependable
Computing, pages 373–380, December.
Todd, A.D., Raines, R.A., Baldwin, R.O., Mullins, B.E. and Rogers, S.K. (2007) “Alert Verification Evasion
Through Server Response Forging”, Proceedings of the 10th International Symposium, RAID, pages 256-
275, September.
Wagner, D. and Soto, P. (2002) “Mimicry attacks on host-based intrusion detection systems”, Proceedings of the
9th ACM conference on Computer and communications security, November.
179

Identifying Cyber Espionage: Towards a Synthesis
Approach
David Merritt and Barry Mullins
Air Force Institute of Technology, Wright Patterson Air Force Base, Ohio, USA
david.merritt@afit.edu
barry.mullins@afit.edu
Abstract: Espionage has existed in many forms for as long as humans have kept secrets. With the skyrocketing
growth of digital data storage, cyber espionage has quickly become the tool of choice for corporate and
government spies. Cyber espionage typically occurs over the Internet with a consistent methodology: 1) infiltrate
a targeted network, 2) install malware on the targeted victim(s), and 3) exfiltrate data at will. Detection methods
exist and are well-researched for these three realms: network attack, malware, and data exfiltration. However,
formal methodology does not exist for identifying cyber espionage as its own classification of cyber attack. This
paper proposes a synthesis approach for identifying targeted espionage by fusing the intelligence gathered from
current detection techniques. This synthesis of detection methods establishes a formal decision-making
framework for determining the likelihood of cyber espionage.
Keywords: covert channel, cyber espionage, data exfiltration, intrusion detection, malware analysis
1. Introduction and background
The cyber espionage threat is real. Because of the low cost of entry into and the anonymity afforded
by the Internet realm, any curious or incentivized person can steal secret information off private
computer networks (US-China, 2008). If a spy steals proprietary knowledge of a private company's
innovative product research and development, then this data holds a high monetary value, reportedly
billions of dollars, to an industry competitor (Epstein, 2008). If that stolen information is sensitive to
national defense or national strategy decision-making, then the value is arguably immeasurable.
A consistently effective defense against cyber espionage requires a consistently effective way to
identify it. While there are methodologies to detect facets of cyber espionage, there is no formal
approach for identifying cyber espionage as a stand-alone network event classification in its own right.
This paper proposes a new approach that uses the synthesis of current cyber warfare detection and
analysis techniques in a framework to holistically identify malicious or suspicious network events as
cyber espionage.
Due to the myriad of network attack methods and traditional espionage techniques, this paper cannot
comprehensively address all techniques that a cyber spy would employ to achieve his mission (e.g.,
insider threat or physical access). Instead, the paper focuses on the most common method of
performing cyber espionage from a remote location outside the victims’ local network. Historically, the
most common method for infiltrating a network for this purpose is through targeted spear phishing
emails with malicious file attachments (SANS Institute, 2008). Both the emails and attachments are
products of effective social engineering methods that tailor the content to the recipients of the emails.
When an unsuspecting, targeted user opens the attachment, the malware, and therefore the cyber
spy, establish a foothold on the computer and affected network. The spy can then use his specialized
malware to search for interesting data on the victim computer and network and exfiltrate this
potentially sensitive data from the victim network to a place of his choosing.
The synthesis approach and decision-making framework proposed in this paper allows a network
defender to correctly identify this kind of targeted cyber espionage event. If this methodology is to
catch cyber spies targeting specific victims, then this detection approach must look at each malicious
activity (i.e., network infiltration, malware installation, and data exfiltration) within the context of the
whole espionage event. This approach does not attempt to introduce new ways to detect network
attacks, malware infections, or data exfiltration beyond the bounds of the current field of research.
Rather, the current detection methods are integrated in a new way that yields a synthesis approach to
categorize cyber espionage events. The paper first discusses techniques to detect each of the spy's
three steps to espionage success, and then the synthesis approach and resulting framework are
explained. Section 2 reviews network infiltration detection methods. Section 3 looks at detecting
malware on a computer. Section 4 discusses the detection of data exfiltration. Section 5 poses the
synthesis detection approach, followed by a conclusion and discussion of future work in Section 6.
180

2. Network infiltration detection
David Merritt and Barry Mullins
Intrusion detection helps us answer the question: “Is there a malicious intrusion into the network?”
Because there are countless manual and automated mechanisms to identify suspicious network
behavior, this section will only discuss the most common techniques for intrusion detection. This
glimpse into intrusion detection serves as a backdrop for the explanation of the synthesis approach,
which assumes that network infiltration can be detected somewhat reliably.
A network-based intrusion detection system (NIDS) detects network-oriented attacks and traditionally
monitors the access points into a network. If a cyber spy chooses a common network attack method
to infiltrate a network, such as a common buffer overflow exploit, then the NIDS will have a high
detection success rate (Patcha and Park, 2007: 3448-3470). If there is a novel or sophisticated attack
that is difficult to detect, NIDS relies on its anomaly detection capability. Kuang and Zulkernine (2008:
921-926) have shown that an anomaly-based NIDS employing the Combined Strangeness and
Isolation measure K-Nearest Neighbors algorithm can accurately identify novel attacks at a detection
rate of 94.6%, where the detection rate is defined as the ratio of correctly classified network intrusion
samples to the total number of samples.
3. Malware detection
Malware detection helps us answer the question: “Is there something malicious happening on a
host?” This section is not an exhaustive survey of all malware detection mechanisms and methods.
Rather, it simply makes evident the fact that there are numerous ways to reliably detect most malware
on a system. Malware comes in many forms with many names. For simplicity and convenience, we
will refer to any unwanted and malicious program or code running on a system as malware. Naturally,
detection of unknown malware is the goal, assuming the cyber spy will use sophisticated, novel
malicious programs to establish footholds on a computer and within a network.
3.1 Antivirus
Antivirus, or anti-malware, software does not need much explanation as it is a commonly used and
moderately understood term. Antivirus products rely primarily on signature-based detection, although
most products have integrated at least a rudimentary mechanism for behavioral analysis of
executables. The vast majority of known malware is caught by commodity software. As a point of
reference, most antivirus products have proven they can detect malware in sample sizes of over one
million with accuracy in the upper 90 th percentile (Virus Bulletin, 2008).
3.2 Malware analysis
There are historically two methods of analyzing unknown programs, or binaries: static and dynamic
(Ding et al, 2009: 72-77). Static analysis starts with the conversion of a program from its binary
representation to a more symbolic, human-readable version of assembly code instructions. This
disassembly ideally takes into account all possible code execution paths of the unknown program,
which provides a reverse engineer with the complete set of program instructions and therefore inner
workings of the unknown program’s code. Analyzing this code to discover a program’s purpose and
capabilities makes up the bulk of static analysis. Christodorescu et al (2005: 32-46) and Kruegel,
Robertson and Vigna (2004: 91-100) discuss a couple effective approaches in using this kind of
analysis to detect and classify unknown malware.
On the other hand, analyzing the code during execution is called dynamic analysis. Dynamic analysis
is effective against binaries that obfuscate themselves or are self-modifying. This is due to the fact
that the destiny of all programs is to be run on a system, so when the program is running, its behavior
and subsequent system modifications can be seen. Willems, Holz and Freiling (2007: 32-39) and
Bayer et al (2006: 67-77) discuss dynamic analysis techniques that are successful in detecting
unknown malware. Also, Rieck et al (2008: 108-125) used a learning based approach to automatically
classify 70% of over 3,000 previously undetected malware binaries.
4. Data exfiltration detection
Data exfiltration detection helps us answer the question: “Is someone stealing data off the network?”
Detecting suspicious and outright malicious events in the realm of data exfiltration is arguably the
most difficult but most important to achieve out of the three steps of cyber espionage. Because the
existence of a computer network implies the need for data to be accessed both inbound to and
181

David Merritt and Barry Mullins
outbound from a network, the task of identifying a “bad” stream of data leaving the network amidst a
flood of “good” data is daunting.
Many convenient overt channels exist with the Internet. With a significant bulk of network traffic on
any given local network being Internet-related, any web-based protocol offers a readily available overt
channel within which a spy can easily exfiltrate stolen data. The sheer amount of web traffic makes it
easy to hide the communication channel—the data is just one animal in a herd at that point.
Fortunately, custom signatures can be generated for specific, sensitive data that would trigger a NIDS
alert if this data were detected on its way out of a network (Liu, 2008).
Thanks to several innovative research efforts, it is possible to detect many kinds of covert channels.
Gianvecchio and Wang (2007) use a corrected conditional entropy (CCE) approach to accurately
detect covert timing channels in HTTP (hypertext transfer protocol) traffic. Similarly, Cabuk, Brodley,
and Shields (2009) use a measure of compressibility to distinguish covert timing channel traffic from
conventional web-based traffic. While there are a multitude of other types of covert channels, like
those using packet header fields or timestamps, there are approaches to eliminate, reduce, or at least
detect these (Zander, Armitage, and Branch, 2007: 44-57).
5. Synthesis detection approach
From the perspective of preventing the compromise of sensitive information, it is crucial to determine
if anomalous, suspicious, or malicious occurrences are part of a cyber espionage attempt or not. In
other words, to prevent cyber espionage, one must first be able to identify it reliably. However, there is
a surprising lack of research focused on identifying or labeling network events as cyber espionage.
The Defense Personnel Security Research Center (PERSEREC) produced a technical report in 2002
on 150 cases of espionage against the United States by American citizens (Herbig and Wiskoff,
2002). The Defense Intelligence Agency's (DIA) Counterintelligence and Security Activity (DAC) used
the results of PERSEREC's report to produce a guide to aid its employees in reporting potential
espionage-related behaviors in their colleagues (Office 2007). Essentially, the DIA relies on a
synthesis of indicators to aid in its detection of spies.
This paper adopts the same synthesis approach to detecting cyber espionage. Operating under the
premise that cyber espionage emits telltale signs, the search for these indicators begins by looking at
a series of questions with, hopefully, intuitive and obvious answers that lead to a framework of
measurement.
5.1 How would a spy infiltrate a network?
If an attacker were only concerned with gaining access into a network, he would justifiably launch as
many attacks against as many victims as possible. This increases his likelihood of success. But this
torrent of binary madness will also draw much attention. A cyber spy who intends to steal sensitive
information from a network will typically take a more streamlined avenue into the network, one that is
less noisy and has a higher probability of success. This mentality and intention will drive the spy to
use more strategy in choosing his attack tools and methods. Also, based on the spy’s knowledge of
his victims and his desire to evade detection, he will target a relatively small number of victim
systems. Spear phishing emails sent to a handful of selected victims is indicative of espionage. In
addition, if the content of the email is tailored to be very specific and relevant to the industry, then this
would be a telltale sign of cyber espionage. This thought process reveals a couple indicators we can
use to distinguish network intrusions that are highly probable espionage events from those that are
not: targeted and tailored.
5.2 What kind of malware would a spy use?
If an attacker just wanted to infect as many machines as possible to expand his ever-growing botnet,
this attacker's malware of choice would eventually run rampant and widespread across the Internet, or
else it would not accomplish its master's goal. Looking at the other end of the spectrum, assuming a
spy would want to evade detection and maintain persistent, reliable access to data, the spy would
probably choose malware that is not easily detectable. Malware that is very well known is likely not
the strategically-chosen tool of a cyber spy. In addition, since the name of the espionage game is to
obtain information, it would make sense for espionage-related malware to have some sort of datagathering
functionality. Furthermore, if the malware is sophisticated enough to change tactics or focus
182

David Merritt and Barry Mullins
on certain information upon receiving new commands from the attacker, then this would be an even
stronger indicator of espionage. Essentially, we have established two more indicators to find probable
espionage malware: detectability and information-gathering.
5.3 How would a spy exfiltrate data?
We have already discussed that there are many ways to move data out of a network. In fact, the ease
of data transfer is an underlying measure of network usefulness. If a typical network attacker were
only concerned with collecting data regardless of who else sees it, then he may choose the most
convenient avenue of data exfiltration. A cyber spy would want to follow the same mentality portrayed
in his choice of network intrusion and malware infection techniques. That is, the spy would probably
prefer to evade detection altogether, or at least attempt to hide his needle in the haystack of network
traffic. In addition, the spy would most likely prefer to hide the data itself while it is transiting the
network. Sending the stolen information over the network in clear text may reveal too much of his
intent.
Naturally, the spy would want to make his efforts worthwhile—the more data he can steal, the more
worthwhile the mission. A spy who collects all information pertaining to a certain product will surely be
sending relatively large amounts of data outbound, and his intentions would be difficult to detect if the
data were encrypted. Clearly, very large amounts of encrypted data emitting from a network warrants
a closer look, and this method of data exfiltration seems fairly spy-like. If this data could be decrypted
to uncover very specific information relevant to the industry, especially if it is private or proprietary,
then this is surely a telltale sign of espionage. In fact, this metric of industry-specific information is a
strong indicator by itself. But it may not always be possible to decrypt the data in a timely manner, so
we must include this indicator with other indicators of data exfiltration.
Inherently, hiding the very existence of a communication channel screams of the intent to evade
detection and, thus, warrants a closer look. Suffice it to say that the use of a covert channel is very
spy-like. Therefore, more espionage indicators have been uncovered pertaining to data exfiltration:
channel covertness, transfer size, encryption, and relevance of information.
5.4 Espionage identification framework
The following is a summary of potential indicators for cyber espionage:
Intrusion:
Targeted with selective victims
Tailored through social engineering
Malware:
Novel or unknown
Information/data-stealer
Exfiltration:
Covert channel
Encrypted data or channel
Large amount of data
Industry-specific information
These indicators can be used as an objective framework for subjective decision-making concerning
the probability of espionage for a given event. An overall event that satisfies every intrusion, malware,
and exfiltration indicator is likely espionage-related, but a cyber espionage event may not explicitly
fulfill each and every indicator. In other words, the absence of one of these indicators does not
automatically preclude an overall event from being attributable to cyber espionage.
Given this framework, if there is a way to detect and subsequently score each individual intrusion,
malware, or exfiltration event, then one can calculate a synthesis of those scores to categorize the
overall intrusion + malware + exfiltration event. Taken a step further, if this synthesis score is related
183

David Merritt and Barry Mullins
to the probability of cyber espionage, it is possible to use this score to measure the probability of the
entire event as being cyber espionage.
It is important to note that an individual event detected by itself may not express outright if a
circumstance is cyber espionage-related or not. A targeted, socially-engineered intrusion might be a
sophisticated spam or phishing attempt. New and undetected information-stealing malware could be a
new variant of benign adware. A consistent transfer of significant amounts of encrypted data could
end up being an authorized VPN (virtual private network) connection. The subtlety of a covert channel
may be difficult to detect or declare with certainty its intentions, but it does serve as an impetus to
investigate further to determine the context of the channel.
The advantage behind this synthesis approach is that intrusion, malware, or exfiltration detection can
be viewed within the context of the whole event. Not doing so could lead to incorrect conclusions
being drawn from insufficient context. But each step of a cyber spy's attack methodology is not of
equal value to the investigator. For instance, it is a challenge to judge the intent of malware simply by
looking at its detectability and functionality. Many malicious programs have the same functionality but
are used for different purposes. In fact, many legitimate programs are frequently used maliciously
(e.g., Remote Administration Tools). On the contrary, a targeted intrusion that is industry-relevant
hints at the intentions of the adversary—to quietly get to specific targets. Thus, the intrusion factor
should be weighted more than the malware “factor”. Similarly, with data exfiltration detection,
covertness of the channel and sensitivity of the data are significant factors affecting the
characterization of espionage. These factors' weights should have more weight than the malware
installation factor.
This strategic weighting of indicators is integrated to establish the Espionage Probability Matrix (EPM)
framework, shown in Table 1. The EPM is used to determine an EPM score based on varying degrees
of espionage probability, as indicated by the three columns of High, Medium, and Low Probability.
Each indicator is assigned a value associated with its column, with High, Medium, and Low indicators
being assigned values of 3, 2, and 1, respectively. The values for the indicators (e.g., targeted and
tailored network intrusion) within each factor (e.g., Intrusion) are averaged to provide an EPM score
for that factor. For example, a network intrusion that is not targeted at a specific user/group but
contains somewhat tailored content results in an Intrusion factor EPM score of 1.5. This is calculated
by averaging the “Not targeted” indicator (i.e., 1) with the “Potentially tailored” indicator (i.e., 2).
Table 1: Espionage Probability Matrix (EPM)
Intrusion
Malware
Exfiltration
High Probability Medium Probability Low Probability
Targeted; specific victims
Tailored; social engineering
required
Novel or unknown
Advanced info/data- stealer
Covert channel
Custom encryption
Significant data transfer
Industry-specific
Potentially targeted
Potentially tailored; social
engineering may be used
Not well known; variant of
known
Info/data- stealer
Attempts to hide channel
Standard encryption
Non-trivial data transfer
Partially industry-specific
Not targeted
Well-known methods
Well known
Not info/data-stealer
No attempt to hide channel
Not encrypted
Negligible data transfer
Not industry-specific
The Intrusion row has a α multiplier, where α > 1, to represent the relative importance of intrusion
classification to the overall EPM score. The Exfiltration row has a β multiplier, where β > 1, to
represent the relative importance of data exfiltration classification to the overall EPM score. This
effectively assigns greater importance to the factors that deserve it, as discussed. These individual
probabilities are brought into context of the entire event by calculating an overall EPM score using the
following equation:
EPM Score = α·Intrusion + Malware + β·Exfiltration
184

David Merritt and Barry Mullins
Essentially, summing the individual weighted scores yields a “grade” for intrusion, malware, and
exfiltration classification taken within the context of one another. For the purpose of this paper, a
notional α multiplier of 2 and a β multiplier of 3 are used to illustrate the effectiveness and flexibility of
this synthesis approach. Operationally, these values can be fine-tuned and adjusted as needed.
However, this score has little value without a translation to what it could mean. The EPM score is
used in the Espionage Threshold Matrix (ETM), shown in Table 2.
Table 2: Espionage Threshold Matrix (ETM), assuming α=2 and β=3
Overall Probability of
Cyber Espionage
EPM Score
High Probability ≥12
Medium Probability ≥9
Low Probability

David Merritt and Barry Mullins
2010). The attackers use social engineering and target source code and intellectual property (Stamos
2010: 1). This attack receives the maximum Intrusion and Malware EPM scores. In the absence of full
details, we assume the exfiltration channel uses standard encryption, and the amount of data
transferred is not significant from the perspective of each individual company. Exfiltration receives a
score of 2.5 to produce an overall EPM score of 16.5. This is well above the threshold for high
probability of cyber espionage, according to the ETM.
The scores of the EPM and thresholds of the ETM can be tuned according to a user's tolerance of
false positives, false negatives, or strength of desire to prevent sensitive data loss. The ETM score
can be a critical decision-making tool for network defenders and data owners who understand the
importance of identifying cyber espionage using a reliable, consistent, and robust framework based
on an innovative synthesis approach.
6. Conclusion and future work
This paper discusses the significant threat of cyber espionage and the importance of identifying and
attributing activities to cyber espionage. The paper introduces a new synthesis approach and
framework for identifying cyber espionage that fills the void in this research area due to the lack of
formal methods for holistically determining cyber espionage events. This new approach capitalizes on
current detection capabilities and integrates their results into a framework called the EPM. This
framework takes into account the context of individual events to determine the likelihood of cyber
espionage by using the ETM.
Because this synthesis approach is the first formal methodology for categorizing holistic network
events as cyber espionage, there are several questions that it begs. Is this framework effective if all
three steps of espionage cannot be detected or they are detected out of order (e.g., exfiltration is the
initial indicator of a suspicious event)? On effectiveness, how is it measured, and is there a more
effective or efficient algorithm or methodology for identifying cyber espionage? Is it possible to
automate the entire model, or will manual, human-in-the-loop processes always be needed?
To help answer these questions, this approach and framework should be put to experiment, tested,
and analyzed. It will surely be helpful to create an automated system that gathers data, alerts, and
other relevant information from network and host-based sensors as well as from human analysis and
inputs. In addition, observing additional real-world espionage-related malware and network intrusions
is important to measuring the effectiveness of this model and answering the questions posed above.
Acknowledgements
This research is funded by the Center for Cyberspace Research at the Air Force Institute of
Technology and the 688 th Information Operations Wing at Lackland Air Force Base, Texas. The views
expressed in this paper are those of the authors and do not reflect the official policy or position of the
United States Air Force, Department of Defense, or the U.S. Government.
References
Cabuk, S., Brodley, C. E. and Shields, C. ‘IP Covert Channel Detection’, ACM Trans. Information and Syst.
Security, vol. 12, no. 4, article 22, Apr. 2009.
Ding, J., Jin, J., Bouvry, P., Hu, Y. and Guan, H. ‘Behavior-based Proactive Detection of Unknown Malicious
Codes’, 2009 4 th Int. Conf. Internet Monitoring and Protection, Venice/Mestre, Italy.
Epstein, K. (2008, Dec. 7) ‘U.S. Is Losing Global Cyber War, Commission Says’, BusinessWeek, [Online],
Available: http://www.businessweek.com/bwdaily/dnflash/content/dec2008/db2008127_
817606.htm?chan=top+news_top+news+index+-+temp_ dialogue+ with+readers.
Gianvecchio, S. and Wang, H. ‘Detecting Covert Timing Channels: An Entropy-Based Approach’, Proc. 14th
ACM Conf. on Computer and Communications Security, Alexandria, Virginia, October 28-31, 2007.
Herbig, K. and Wiskoff, M ‘Espionage Against the United States by American Citizens’, TRW Systems, Defense
Personnel Security Research Center, Monterey, CA, Tech. Rep. 02-5, July 2002.
Keizer, G. (2010, Sep. 15) ‘Google hackers behind Adobe Reader PDF zero-day bug, Symantec warns’, [Online],
Available: http://news.techworld.com/security/3239606/google-hackers-behind-adobe-reader-pdf-zero-daybug-symantec-warns/
Kuang, L.L. and Zulkernine, M. ‘An anomaly intrusion detection method using the CSI-KNN Algorithm’, in Proc.
2008 ACM Symposium on Applied Computing, Fortaleza, Ceara, Brazil, March 16-20.
Liu, T., Corbett, C., Chiang, K., Archibald, R., Mukherjee, B. and Ghosal, D. ‘Detecting Sensitive Data Exfiltration
by an Insider Attack’, Proc. 4th Annu. Workshop on Cyber Security and Information Intelligence Research:
186

David Merritt and Barry Mullins
Developing Strategies to Meet Cyber Security and Information Intelligence Challenges Ahead, Oak Ridge,
TN, May 12-14, 2008, vol. 288, no. 16.
Office of the National Counterintelligence Executive (2007, Mar.) ‘Your Role in Combating the Insider Threat’,
[Online], Available: http://www.ncix.gov/archives/docs/Your_Role_in_Combating_the_ Insider_Threat.pdf.
Patcha, A. and Park, J. M. “An overview of anomaly detection techniques: Existing solutions and latest
technological trends,” Computer Networks, vol. 51, no. 12, Aug. 2007.
Rieck, K., Holz, T., Willems, C., Dussel, P. and Laskov, P. ‘Lecture Notes in Computer Science’, Detection of
Intrusions and Malware, and Vulnerability Assessment, vol. 5137, Berlin/Heidelberg, Germany: Springer,
2008.
SANS Institute (2008) ‘Top Ten Cyber Security Menaces for 2008’, [Online]. Available:
http://www.sans.org/2008menaces/.
Stamos, A. (2010) ‘”Aurora” Response Recommendations’, iSEC Partners, Inc.
2008 Report to Congress, [Online], http://www.uscc.gov/annual_report/2008/annual_report _full_08.pdf
Virus Bulletin Ltd. (2008, Sept. 2) ‘AV-Test Release Latest Results’, Virus Bulletin, [Online], Available:
http://www.virusbtn.com/news/ 2008/09_02.
Zander, S., Armitage, G., Branch, P. ‘A Survey of Covert Channels and Countermeasures in Computer Network
Protocols’, IEEE Communications Surveys and Tutorials, vol. 9, no. 3, 2007.
Zetter, K. (2010, Jan. 14) ‘Google hack attack was ultra sophisticated, new details show’, [Online], Available:
http://www.wired.com/threatlevel/2010/01/operation-aurora/.
187

Security Analysis of Webservers of Prominent
Organizations of Pakistan
Muhammad Naveed
Free Lance Research, Pakistan
mnaveed29@gmail.com
Abstract: Insecure webservers are a serious threat to the organization’s repute and resources. Successful attack
on webservers can destroy the trust of customers or people getting services from the organization. Webservers
were selected for this study because they provide easily accessible entrance to the network from the Internet and
security of webservers should be considered as an index to assess the organization’s overall information security.
This study analyzes the webservers of prominent organizations of Pakistan to assess their level of security.
Webservers of different types of organizations were selected to provide a general view of security of Pakistani
webservers. The selected webservers were of the organizations who should be first to secure their webservers as
they are the leaders in their respective fields in the country. So, all the smaller organizations can be assumed to
have much lesser concern for security. Benchmark for every type of organization was first established to compare
the results of the analysis with it. Nmap scanner was used to scan the webservers for security threats. The results
reveal that the webservers in Pakistan are not secure and there is extreme need of awareness about information
security in the country. The lack of importance given to information security can lead to cyber terrorism and might
create lot of troubles for the country.
Keywords: information security, analysis, security threats, Webserver, Pakistan, Nmap
1. Introduction and background
Security is one of the fundamental requirements for each and every network, just like it is the
requirement for each and every human. Without proper security, a network is just like a house without
doors and windows. In case the network has a lot of valuable information and resources, it’s like a
bank full of money without any guards and security cameras. Just like the bank in the example will be
a serious place for potential theft or robbery, same is the case with the insecure networks. But, there
is much difference in human perceptions about the unsafe bank and insecure networks. People don’t
understand the ultimate results of insecure networks and in Pakistan the situation is worst.
Businesses and individuals don’t even consider it to be an element that needs consideration.
Negligence in information security can have terrible consequences. It is not difficult to imagine the
chaos created if an ill-intentioned person gains access to the country’s most trusted news channel’s
website. Let’s suppose he just adds one single headline that a bomb has been placed at a specified
place in the city or on some road side, what would be the troubles faced by the people? Let’s take
another example, if he just adds one line that prime minister has said that we are going to attack our
neighbor soon, which may end up in bloody feud between the two countries or at least create
misunderstandings between the countries and can seriously damage the relationships between the
countries. Trend Micro Data–stealing malware focus report of June 2009 says, “In March 2008, data
from 4.2 million credit card numbers were stolen in transmission as a result of malware installed on all
of Hannaford Brothers’ servers in 300 stores”. (Trend Micro 2009) There are hundreds of other
examples of attacks performed to achieve malicious objectives.
The study analyzes the webservers of famous and most reputable organizations of the country. Three
types of organizations were considered for the study: Education and Research, Commercial
Organizations and News channels. Benchmark is first set by analyzing the world’s respectable
organizations and whose analysis shows their webservers to be almost completely secure.
Benchmark is set, so that the results can be compared with them. Exactly similar Pakistani
organizations’ webservers as the organizations used to set benchmarks were analyzed to give an
insight about the information security awareness in the country. Organizations selected for analysis
should be first to implement security on the basis of their status and business capacity. Webservers
were selected because they can be easily analyzed from Internet and analysis of webservers
provides insight for the complete network security of the organization. Nmap scanner was used to get
the results. The identity of the Pakistani organizations analyzed is kept secret because of the possible
damage to the repute of the organization. But, it is simple to use Nmap scanner to analyze any
organization’s web server and getting almost the similar results for many organizations of the similar
type. So, the results are basically an indicator of the security awareness on a large scale.
188

Muhammad Naveed
Pakistan Computer Emergency Response Team’s list of only reported hacked Pakistani websites
from 1999 to 2005 is available on (PakCert 2005). Statistics of hacked Pakistani websites is shown in
Figure 1. (PakCert 2008) Recently, many important websites of Pakistan were hacked including
website of Supreme Court of Pakistan, Pakistan Navy and lot of others websites of extremely
important organizations. (PakCert, 2005; PakCert, 2008; The Express Tribune, 2010; Jahanzaib,
2010; GEO Pakistan, 2010; DawnNews, 2010)
Figure 1: Statistics of hacked Pakistani websites (only .PK TLD) (PakCert (2008), ‘Defacement
Statistics (January 1999 - August 2008)'’, Pakistan Computer Emergency Response
Team)
Paper is organized as: Section 2 gives the related work, section 3 shows the experimental setup used
for the study, section 4 explains different port states shown by Nmap, section 5 sets the benchmarks
for comparison, section 6 shows the actual analysis of web servers in Pakistan, and section 7
concludes the paper and gives the simple solution to rectify the security problems.
2. Related work
There is very little work done on analyzing information security of Pakistani organizations. To the best
of my knowledge the first study to address the concern about the need of information security in
Pakistan is (Syed 1998) which proposes that it is very important for Pakistan to have both offensive
and defensive Information Warfare capabilities.(Syed 1998)
Vorakulpipat, C. et. al have explored information security practices in Thailand and have emphasized
the need for information security benchmarking of an organization with best security practices.
(Vorakulpipat, C 2010) Ahmad A. Abu-Musa has conducted a survey to evaluate Computerized
Accounting Information Systems security controls in Saudi organizations. (Ahmad 2006) Rafael et. al
have performed a survey to analyze Canadian IT security practices. Three hundred IT security
specialists were the subject of the survey to evaluate the Canadian IT security practices. (Rafael
2009) Australian Taxation Office conducted a review of information security practices at the Australian
Tax Office, to prevent any potential breach of data. (Australian Taxation Office 2008) US
Environmental Protection Agency have conducted an audit to determine whether the Office of
Administration’s (OARM’s) Integrated Contract Management System (ICMS) is complying with
Federal and Agency information system security requirements. (United States Environmental
Protection Agency 2006)
The related work shows that where other people are concerned about their already secure
information systems and is working to avoid any potential attack, Pakistani organizations are not
189

Muhammad Naveed
putting any efforts into information security which is evident from hacking of websites of Supreme
Court of Pakistan, Pakistan Navy and many others important websites.
3. Experimental setup
All the tests were performed from the Internet using the following system and software:
Table 1: Experimental setup
Computer Intel Pentium D, 3.2 Ghz processor with 2 GB RAM
Operating System Fedora 12 x86_64 (64bit Operating system)
Scanning Software Nmap v5.21-1.x86_64 (a free open source scanner)
4. Nmap port states
According to Nmap official reference guide, the port states shown by Nmap are described as follows:
4.1 open
“An application is actively accepting TCP connections, UDP datagrams or SCTP
associations on this port. Finding these is often the primary goal of port scanning.
Security-minded people know that each open port is an avenue for attack. Attackers and
pen-testers want to exploit the open ports, while administrators try to close or protect
them with firewalls without thwarting legitimate users. Open ports are also interesting for
non-security scans because they show services available for use on the network.” (Nmap
Reference Guide)
4.2 closed
“A closed port is accessible (it receives and responds to Nmap probe packets), but there
is no application listening on it. They can be helpful in showing that a host is up on an IP
address (host discovery, or ping scanning), and as part of OS detection. Because closed
ports are reachable, it may be worth scanning later in case some open up.
Administrators may want to consider blocking such ports with a firewall. Then they would
appear in the filtered state, discussed next.” (Nmap Reference Guide)
4.3 filtered
“Nmap cannot determine whether the port is open because packet filtering prevents its
probes from reaching the port. The filtering could be from a dedicated firewall device,
router rules, or host-based firewall software. These ports frustrate attackers because
they provide so little information. Sometimes they respond with ICMP error messages
such as type 3 code 13 (destination unreachable: communication administratively
prohibited), but filters that simply drop probes without responding are far more common.
This forces Nmap to retry several times just in case the probe was dropped due to
network congestion rather than filtering. This slows down the scan dramatically.” (Nmap
Reference Guide)
4.4 unfiltered
“The unfiltered state means that a port is accessible, but Nmap is unable to determine
whether it is open or closed. Only the ACK scan, which is used to map firewall rulesets,
classifies ports into this state. Scanning unfiltered ports with other scan types such as
Window scan, SYN scan, or FIN scan, may help resolve whether the port is open.”
(Nmap Reference Guide)
4.5 open|filtered
“Nmap places ports in this state when it is unable to determine whether a port is open or
filtered. This occurs for scan types in which open ports give no response. The lack of
190

Muhammad Naveed
response could also mean that a packet filter dropped the probe or any response it
elicited. So Nmap does not know for sure whether the port is open or being filtered. The
UDP, IP protocol, FIN, NULL, and Xmas scans classify ports this way.” (Nmap Reference
Guide)
4.6 closed|filtered
“This state is used when Nmap is unable to determine whether a port is closed or filtered.
It is only used for the IP ID idle scan.” (Nmap Reference Guide)
5. Benchmark for the analysis
The study was based on the following types of organizations:
Educational and Research
Commercial Organization
News Channels
Before analysis of the webservers in Pakistan, benchmark is set for the analysis using the famous
organizations, which were assumed to be secure and the scans also showed them to be secure. As
the study is based on the three types of organizations, we have set benchmarks for each of them.
5.1 Education and research organizations
To set the benchmark for education and research organization, Massachusetts Institute of
Technology (MIT) webserver was scanned using its domain address. The scanned results show the
best security, which is very impressive and attests that highly skilled and information security aware
people are working in the network.
The MIT’s scan result shows that only opened ports are those that are used by webserver and they
should be open for the web service, all other ports are blocked. The aggressive operating system
scan reveals with 94% accuracy that FreeBSD operating system is running on the server.
The scan results for MIT are shown in Table 2 to Table 4.
Table 2: Scan details for MIT
Scanned Web Server www.mit.edu (18.9.22.169)
Scan Launching Time 2010-08-14 00:50 PKST
Scan Type Slow Comprehensive Scan
Scan Time 2935.93 seconds
Raw packets sent 4150 (156.946KB)
Raw packets received 483 (29.058KB)
Table 3: Port scan results for MIT
Port Protocol State Service
80 Tcp Open http
443 Tcp Open http
8001 Tcp Open http (probably for MIT Radio)
Table 4: Aggressive OS scan results for MIT
OS Name and Version Type Vendor OS Family OS Generation Accuracy of result
Free BSD 6.2-
General FreeBSD FreeBSD 6.X 94%
RELEASE
Purpose
To further enhance the benchmark Indian Institute of Technology at Delhi was also analyzed which
also revealed that the webserver is very secure. The only ports that were found open were the ports
that are used by the webserver to provide web services. All other ports that were used were either
behind the firewall and were protected or they were blocked. Aggressive operating system scan
191

Muhammad Naveed
shows a firewall OS probably installed on the firewall of the organization with 86% accuracy. Table 5
to Table 7 show the results of IIT at Delhi, India.
Table 5: Scan details for ITTD
Scanned Web Server www.iitd.ac.in (220.227.156.20)
Scan Launching Time 2010-08-14 00:55 PKST
Scan Type Slow Comprehensive Scan
Scan Time 3118.12 seconds
Raw packets sent 3366 (126.658KB)
Raw packets received 1368 (69.263KB)
Table 6: Port scan results for ITTD
Port Protocol State Service
80 Tcp Open http
135 Tcp Filtered msrpc
139 Tcp Filtered netbios-ssn
443 Tcp Open http
445 Tcp Filtered microsoft-ds
593 Tcp Filtered http-rps-epmap
1720 Tcp Filtered H.323/Q.931
2100 Tcp Filtered unknown
4111 Tcp Filtered unknown
4444 Tcp Filtered krb524
5060 Tcp Filtered sip
Table 7: Aggressive OS scan results for IITD
OS Name and Version Type Vendor OS Family OS Generation Accuracy
of result
SonicWALL Aventail EX-1500
SSL VPN appliance
Firewall SonicWALL Embedded No Details available 86%
5.2 Commercial organizations
To set the benchmark for commercial organizations, AT&T webserver was analyzed which revealed
that the server is very secure based on our scans. The results shows that only the ports used for web
services are open and all other ports are blocked. Aggressive operating system scan shows that
Linux 2.6.9 – 2.6.30 is installed on the system. Table 8 to Table 11 show the results of scans for
AT&T webserver. Table 11 show only general purpose OSs from the result because the webserver
should be installed with a general purpose server OS.
Table 8: Scan details for AT&T
Scanned Web Server www.att.com (118.214.121.145)
Scan Launching Time 2010-08-14 00:51 PKST
Scan Type Slow Comprehensive Scan
Scan Time 2982.98 seconds
Raw packets sent 5125 (198.226KB)
Raw packets received 778 (43.980KB)
Table 9: Port scan result for AT&T
Port Protocol State Service
80 Tcp Open http
443 Tcp Open https
192

Muhammad Naveed
Table 10: Aggressive OS scan result for AT&T (Most probable)
OS Name and Version Type Vendor OS Family OS Generation Accuracy of result
Linux 2.6.9 – 2.6.30 General Purpose Linux Linux 2.6.X 93%
Table 11: Aggressive OS scan result for AT&T (Other)
Type Vendor OS Family OS Generation Accuracy of result
General Purpose Linux Linux 88%
General Prupose Toshiba Linux 2.4.X 88%
General Purpose Linux Linux 2.4.X 87%
5.3 News channels
To set benchmark for news channel’s webservers, we analyzed the webserver of BBC which revealed
that the only open ports are those that are used to provide web services. Though the result also
shows some port in Open | filtered state which means that scan was not able to determine whether
the port is opened or firewalled. SNMP port was found open on the server which is used for managing
the server. The web server has good security. The aggressive OS scan revealed that there is Linux
2.6.9 – 2.6.18 installed on the server. Table 12 to Table 14 show the results of scans for BBC web
server.
Table 12: Scan details for BBC
Scanned Web Server www.bbc.co.uk (212.58.244.71)
Scan Launching Time 2010-08-14 01:01 PKST
Scan Type Slow Comprehensive Scan
Scan Time 1211.74 seconds
Raw packets sent 2593 (96.057KB) |
Raw packets received 3662 (191.411KB)
Table 13: Port Scan result for BBC
Port Protocol State Service
80 Tcp Open http
135 Tcp Filtered Msrpc
139 Tcp Filtered Netbios-ssn
443 Tcp Open http
445 Tcp Filtered Microsoft-ds
1720 Tcp Filtered H.232/Q.931
5060 Tcp Filtered Sip
53 Udp Open|filtered
123 Udp Open | filtered
135 Udp Filtered Msrpc
136 Udp Filtered Profile
137 Udp Filtered Netbios-ns
Port Protocol State Service
138 Udp Filtered Netbios-dgm
139 Udp Filtered Netbios-ssn
161 Udp Open Snmp
445 Udp Filtered Microsoft-ds
193

Muhammad Naveed
5060 Udp Open |filtered
20919 Udp Open | filtered
Table 14: Aggressive OS scan results for BBC
OS Name and Version Type Vendor OS Family OS Generation Accuracy of result
Linux 2.6.9 – 2.6.18 General Purpose Linux Linux 2.6.X 93%
6. Analysis of web servers of Pakistan
Webservers of the most prominent organizations were analyzed. The choice of the webservers to be
scanned is the organization very similar in their services and status to the web servers used to set the
benchmark. The identity of the webservers in Pakistan is kept hidden because the reputation of the
organization might be affected by mentioning their name. But the trend shown is very common, and
one can himself scan the various webservers in Pakistan and will come to the same conclusion. Any
randomly chosen organization will reveal almost the same level of security because the study
analyzed the most well reputed organization, which should be first to implement security.
6.1 Education and research institutions
For analyzing webservers of education and research organization, webservers of reputable
universities of the country were selected. Two web servers were scanned.
The analysis of the first web server revealed that the web server is being used as a mail server, ftp
server, DNS and database server and the ports for all of these services were opened. First of all
webserver should only be used as webserver by such a large organization, and if they should be
used, they should be behind the firewall. None of the port was found filtered which may means that
the organization doesn’t even have a firewall installed to protect their web server. Firewall also
doesn’t guarantee complete security, but it’s a first step to secure the server, intrusion detection and
prevention should also be used to enhance security. But, here the case is worst, they don’t even
bother to install firewall to protect their webserver or if they have installed it, they haven’t used it to
protect their server. The scan also revealed that Microsoft Windows 2003 Server SP2 was installed
on the server, which due to its extensive use is more vulnerable to attacks then Linux based OS. As
the Table 18 shows the other possibilities (Windows XP and 2000) but one can judge that they cannot
be installed on the webserver.
Table 15: Scan details
Scanned Web Server Hidden (because of Possible Objections)
Scan Launching Time 2010-08-14 00:49 PKST
Scan Type Slow Comprehensive Scan
Scan Time 4214.71 seconds
Raw packets sent 5090 (195.486KB)
Raw packets received 191 (11.459KB)
Table 16: Port scan results
Port Protocol State Service
20 Tcp Closed ftp-data
21 Tcp Open ftp
25 Tcp Open Smtp
26 Tcp Open Smtp
53 Tcp Open Domain
80 Tcp Open http
110 Tcp Open Pop3
143 Tcp Open Imap
443 Tcp Closed https
465 Tcp Closed Smtps
995 Tcp Open Pop3
1038 Tcp Closed Unknown
1039 Tcp Closed Unknown
1434 Tcp Closed Ms-sql-m
194

Muhammad Naveed
2006 Tcp Open Mysql
3306 Tcp Open Mysql
3389 Tcp Open Microsoft-rdp
Port Protocol State Service
8402 Tcp Open http
8443 Tcp Open http
53 Udp Open Domain
161 Udp Closed Snmp
162 Udp Closed Snmptrap
Table 17: Aggressive OS scan results (Most probable)
OS Name and Version Type Vendor OS Family OS Generation Accuracy of
result
Microsoft Windows Server
2003 SP2
General Purpose Microsoft Windows 2003 96%
Table 18: Aggressive OS scan results (Other)
Type Vendor OS Family OS Generation Accuracy of result
General Purpose Microsoft Windows XP 95%
General Purpose Microsoft Windows 2000 89%
The second webserver scanned also revealed the worst condition of security. Ssh server working at
port 26 was found to be open for Internet, which should not be open. DNS, mysql and other ports
detailed in table 20 were found open which also should not be open. A lot of ports are in Open|filtered
state, and the ports might be open or firewalled. So, the web server is potentially insecure and one
can easily see it form the results of port scan. Aggressive OS scan reveals that Linux 2.4.28 – Linux
2.4.35 is installed on their server with 97% accuracy. Other OS guesses for webserver also shows
that the webserver is installed with Linux. The old Linux version can be a potential security threat. The
Linux version should not be so much old because that might not provide the required security. Scan
results for the institution are shown in Table 19 to Table 22.
Table 19: Scan details
Scanned Web Server Hidden (because of Possible Objections)
Scan Launching Time 2010-08-14 00:48 PKST
Scan Type Slow Comprehensive Scan
Scan Time 1132.40 seconds
Raw packets sent 2550 (92.637KB)
Raw packets received 4548 (237.954KB)
Table 20: Port scan results
Port Protocol State Service
26 Tcp Open Ssh
53 Tcp Open Domain
80 Tcp Open http
111 Tcp Open Rpcbind
1720 Tcp Filtered H.323/Q.931
3306 Tcp Open Mysql
5060 Tcp Filtered Sip
8009 Tcp Open
32768 Tcp Open Rpcbind
53 Udp Open Domain
111 Udp Open Rpcbind
135 Udp Open | filtered
5003 Udp Open | filtered
5060 Udp Open | filtered
18676 Udp Open | filtered
18818 Udp Open | filtered
20279 Udp Open | filtered
21454 Udp Open | filtered
23176 Udp Open | filtered
195

Muhammad Naveed
32768 Udp Open Rpcbind
32769 Udp Open | filtered
32772 Udp Open | filtered
Port Protocol State Service
48480 Udp Open | filtered
54711 Udp Open | filtered
57409 Udp Open | filtered
63420 Udp Open | filtered
Table 21: Aggressive OS scan results (most probable)
OS Name and Version Type Vendor OS Family OS Generation Accuracy of result
Linux 2.4.28 – 2.4.35 General Purpose Linux Linux 2.4.X 97%
Table 22: Aggressive OS scan results (other)
Type Vendor OS Family OS Generation Accuracy of result
General Purpose Ubiquiti Linux 2.4.X 95%
General Purpose Linux Linux 2.6.X 94%
6.2 Commercial organizations
For the commercial organization, the webserver scanned is of the organization providing the same
services in Pakistan as AT&T provides in America. The organization have hundreds of millions of
customers and was selected as this organization should be first to implement security. The scan
reveals horrible results, even the telnet port is opened as well as SSH. The server is being used as
ftp, telnet, ssh, mail (smtp, imap, pop3) and many other servers as shown by forth column of table 24.
Many ports are found open on the server to provide the various services, although webserver is
supposed to provide only web services and should not be used as any other server at least for such a
big organization. The OS installed is a Prerelease version of FreeBSD, which is released to find bugs.
The server should be installed with a stable OS.
Table 23: Scan Details
Scanned Web Server Hidden (because of Possible Objections)
Scan Launching Time 2010-08-14 00:50 PKST
Scan Type Slow Comprehensive Scan
Scan Time 7589.54 seconds
Raw packets sent 2387 (88.397KB)
Raw packets received 2302 (112.940KB)
Table 24: Port scan results
Port Protocol State Service
21 Tcp Open ftp
22 Tcp Open Ssh
23 Tcp Open telnet
25 Tcp Open Smtp
80 Tcp Open http
106 Tcp Open Pop3pw
110 Tcp Open Pop3
143 Tcp Open Imap
443 Tcp Open http
587 Tcp Open Smtp
993 Tcp Open Imap
995 Tcp Open Pop3
1720 Tcp Filtered H.323/Q.931
3306 Tcp Open Mysql
5060 Tcp Filtered Sip
5190 Tcp Open Smtp
196

Muhammad Naveed
8009 Tcp Open Ajp13
8080 Tcp Open http
9878 Tcp Open http
Port Protocol State Service
514 Udp Open | filtered
5060 Udp Open | filtered
5632 Udp Open | filtered
49169 Udp Open | filtered
Table 25: Aggressive OS scan results (most probable)
OS Name and Version Type Vendor OS Family OS Generation Accuracy of result
FreeBSD6.3-
PRERELEASE
General
Purpose
Table 26: Aggressive OS scan results (other)
FreeBSD FreeBSD 6.X 96%
Type Vendor OS Family OS Generation Accuracy of result
General Purpose FreeBSD FreeBSD 5.X 93%
General Purpose FreeBSD FreeBSD 7.X 90%
Type Vendor OS Family OS Generation Accuracy of result
General Purpose Apple Mac OS X 10.4.X 89%
General Purpose Apple Mac OS X 10.5.X 89%
General Purpose FreeBSD FreeBSD 8.X 89%
General Purpose FreeBSD FreeBSD 5.X 89%
6.3 News channel
For this type of organization, the webserver of country’s most widely seen and most trusted news
channel’s webserver was scanned. The results showed that the server is being used for a lot of other
services like ftp, mail, DNS and many more as can be seen from table 28. A lot of ports are found
open on such a sensitive website. Aggressive OS scan also shows with 97% accuracy that Microsoft
Windows Server 2003 SP2 is installed on the server which due to its extensive use is more vulnerable
to attacks. The OS guesses as shown by Table 30 also shows that they cannot be installed on a
server system. Results are shown in Table 27 to Table 30.
Table 27: Scan results
Scanned Web Server Hidden (because of Possible Objections)
Scan Launching Time 2010-08-14 01:03 PKST
Scan Type Slow Comprehensive Scan
Scan Time 1772.15 seconds
Raw packets sent 2265 (85.521KB)
Raw packets received 2354 (117.486KB)
Table 28: Port scan result
Port Protocol State Service
21 Tcp Filtered ftp
25 Tcp Open Smpt
53 Tcp Open Domain
80 Tcp Open http
110 Tcp Open Pop3
135 Tcp Open Msrpc
445 Tcp Open Microsoft-ds
646 Tcp Filtered Ldp
1026 Tcp Open Msrpc
1027 Tcp Open Msrpc
1248 Tcp Open Netsain
1433 Tcp Open Ms-sql-s
1720 Tcp Filtered H.323/Q.931
3306 Tcp Open Mysql
197

Muhammad Naveed
3389 Tcp Open Microsoft-rdp
5060 Tcp Filtered Sip
8081 Tcp Open http
Port Protocol State Service
8402 Tcp Open http
8443 Tcp Open http
9999 Tcp Open http
53 Udp Open Domain
123 Udp Open | filtered
161 Udp Open | filtered
445 Udp Open | filtered
500 Udp Open | filtered
1028 Udp Open | filtered
1434 Udp Open | filtered
3456 Udp Open | filtered
4500 Udp Open | filtered
5060 Udp Open | filtered
Table 29: Aggressive OS scan results (most probable)
OS Name and Version Type Vendor OS Family OS Generation Accuracy of result
Microsoft Windows General Microsoft Windows 2003 97%
Server 2003 SP2 Purpose
Table 30: Aggressive OS scan results (other)
Type Vendor OS Family OS Generation Accuracy of result
General Purpose Microsoft Windows XP 91%
General Purpose Microsoft Windows 2000 88%
General Purpose Microsoft Windows PocketPC/CE 88%
7. Conclusion and suggestions
By looking at the statistics presented, it can be easily seen that the most prominent organizations of
Pakistan don’t have their webservers secure. The results show the large number of ports that can be
used to attack the webservers. Each of such ports is a potential venue of attack for the ill-intentioned
people. The results can be compared with the benchmarks which have the best security. On the basis
of these results it can be inferred that, if these wealthy and large organization don’t bother to invest
the time and money in network security, the conditions for small organization will be worst. This study
is intended to give just an overview of importance given to security in our region and is by no means a
detailed security analysis of these webservers. Webservers are used just as an index to study the
security practices because they are most easily accessible and most important resource of an
organization.
All of the organization having webservers or networks connected to the Internet should use the
scanners like Nmap (which we have used in this study) to find the security loopholes in their networks
and then try to rectify them. Every organization should have proper network security policy and it
should be ensured that the network security policy is implemented well. Every effort should be done
to make the network as secure as possible. Even the most secure networks are not secure today, so
the insecure networks can presents a lot of difficulties and problems, which might not be apparent
today but insecure networks have to pay the price in future.
Pakistan is already suffering from terrorism. Thousands of people have lost their lives and billions of
dollars have been spent on the war against terrorism. Cyber terrorism is one of the next avenue that
terrorist can use to give a new direction to their terrorist activities. One can imagine the severe
consequences if terrorists are able to exploit webserver of popular news channel. They can transmit a
message about a plane crash, presence of bomb in a very busy place, announcement about attack
on the country’s active enemy and lot of others that may have very adverse effects. Pakistan being a
nuclear power cannot afford this in any case because that might lead to a nuclear war.
References
Ahmad A. Abu-Musa (2006), " Evaluating the Security Controls of CAIS in Developing Countries: The Case of
Saudi Arabia," The International Journal of Digital Accounting Research, 2006, vol. 6 no. 11, pp. 25 – 64
198

Muhammad Naveed
Austalian Taxation Office (2008), ‘Information Security Practices Review’ V2.0, [Online] Available:
http://www.ato.gov.au/content/downloads/COR138560InfoSecurity.pdf [April 2008]
DawnNews (2010), ‘Govt starts securing 36 hacked websites’, [Online] Available:
http://www.dawn.com/2010/11/30/forty-pakistan-government-websites-hacked.html [30 November 2010]
GEO Pakistan (2010), ‘Supreme court website hacked’, [Online] Available: http://www.geo.tv/9-30-
2010/72139.htm [30 September 2010]
Jahanzaib Haque (2010), 'Cyber warfare: Indian hackers take down 36 govt websites', The Express Tribune,
[Online] Available: http://tribune.com.pk/story/84269/cyber-warfare-indian-hackers-take-down-36-govtwebsites/
[01 Dec 2010]
Nmap Reference Guide, [Online] Available: http://nmap.org/book/man.html
PakCert (2005), ‘Defacement Archive of hacked Pakistani Web Sites'’, Pakistan Computer Emergency Response
Team [Online] Available: http://www.pakcert.org/defaced/index.html
PakCert (2008), ‘Defacement Statistics (January 1999 - August 2008)'’, Pakistan Computer Emergency
Response Team [Online] Available: http://www.pakcert.org/defaced/stats.html
Rafael Etges, Walid Hejazi and Alan Lefort (2009), "A Study on Canadian IT Security Practices," ISACA Journal,
2009, vol. 2, pp. 1 – 3 Available:http://www.isaca.org/Journal/Past-Issues/2009/Volume-
2/Documents/jpdf0902-online-a-study.pdf
Syed M. Amir Husain (1998), 'Pakistan needs an Information Warfare capability', Defence Journal, [Online]
Available: http://www.defencejournal.com/july98/pakneeds1.htm
The Express Tribune (2010), ‘36 government sites hacked by 'Indian Cyber Army'’, [Online] Available:
http://tribune.com.pk/story/83967/36-government-websites-hacked-by-indian-cyber-army/ [30 November
2010]
Trend Micro (2009), “Data-stealing Malware on the Rise – Solutions to Keep Businesses and Consumers Safe”,
[Online]
Available:http://us.trendmicro.com/imperia/md/content/us/pdf/threats/securitylibrary/data_stealing_malware_
focus_report_-_june_2009.pdf [June 2009]
United States Environmental Protection Agency – Office of Inspector General (2006), ‘Information Security
Series: Security Practices' Report No. 2006-P-00010, [Online] Available:
http://www.epa.gov/oig/reports/2006/20060131-2006-P-00010.pdf [31 January 2006]
Vorakulpipat, C.; Siwamogsatham, S.; Pibulyarojana, K. (2010) , "Exploring information security practices in
Thailand using ISM-Benchmark," Proceedings of Technology Management for Global Economic Growth
(PICMET), 2010, pp.1-4, 18-22 July 2010
199

International Legal Issues and Approaches Regarding
Information Warfare
Alexandru Nitu
Romanian Intelligence Service, Bucharest, Romania
alexandru.nitu@gmail.com
Abstract: In present times, societies and economies increasingly rely on electronic communications, becoming
more vulnerable to threats from cyberspace. At the same time, states' military and intelligence organizations are
increasingly developing the capability to attack and defend computer systems. The progress of information
technology makes it possible for adversaries to attack each other in new ways, inflicting new forms of damage;
technological change enables cyberwarfare acts that do not fit within existing legal categories, or may reveal
contradictions among existing legal principles. The paper examines the relationship between information warfare
and the law, especially international law and the law of war, as it is apparent that some fundamental questions
regarding this new and emerging type of security threat need to be explored. For example, what types of
activities between nation states, could or should be called information warfare? What are ‘force’, ‘armed attack’,
or ‘armed aggression’ - terms from the UN Charter - in the Information Age, and do they equate to information
warfare? Information warfare is neither ‘armed’ in the traditional sense, nor does it necessarily involve conflict, so
an important issue is if ‘war’ between states necessarily require physical violence, kinetic energy, and human
casualties. A threshold question that arises from the development of information warfare techniques is thus the
definitional one: has the development of information warfare technology and techniques taken information
warfare out of the existing legal definition of war? Characteristics of information technology and warfare pose
problems to those who would use international law to limit information warfare, and leave legal space for those
who would wage such warfare. Consequently, there may be confusion over what limits may apply to the conduct
of information warfare, and when information warfare attacks may be carried out. Prospects of new technological
attacks pose problems for international law because law is inherently conservative. From this point of view, the
paper examines how the law itself might change in response to the fast development of information technology
and how will long-established legal principles such as national sovereignty and the inviolability of national borders
be affected by the ability of cyberspace to transcend such concepts.
Keywords: international law, information warfare, use of force, Charter of the United Nations, Geneva
conventions
1. Introduction
Intensive development of information and communication technologies and their wide use in all
spheres of human activity have accelerated post-industrial development and the building of a global
information society, becoming a driving force for social development. The global information
infrastructure provides unprecedented opportunities for communication among people, their
socialization and access to information. Individuals, societies and states depend on the stability and
reliability of the information infrastructure.
Computers and computer networks have become increasingly integral to government, military, and
civilian functions. They allow instant communication and provide platforms on which business and
government alike can operate. Computers now control both military and civilian infrastructures,
including nuclear arsenals, telecommunication networks, electrical power systems, water supplies, oil
storage facilities, financial systems, and emergency services.
As the worldwide explosion of information technology (IT) is changing the ways that business,
government, and education are conducted, it also promises to change the way wars are waged. The
development of information technology makes it possible for adversaries to attack each other in new
ways and to inflict new forms of damage, and may create new targets for attack. Attackers may use
international networks to damage or disrupt enemy systems, without ever physically entering the
enemy's country.
Information technologies enable a fundamentally new and effective means to disrupt or destroy a
country's industry, its economy, social infrastructure and public administration. They have the
potential to be a means of combat capable of achieving goals related to inter-state confrontation at
the tactical, operational and strategic levels. Whatever the development and diffusion of information
technology mean for the future of warfare, it is apparent that many of the new forms of attack that
information technology enables are qualitatively different from prior forms of attack. The use of such
tools as computer intrusion and computer viruses, for example, take war out of the physical, kinetic
200

Alexandru Nitu
world and bring it into an intangible, electronic one. Effects previously attainable only through physical
destruction are now accomplished remotely with the silent means of information technology.
These new ways of fighting have been labeled Information Warfare (IW). Definitions and conceptions
of IW are numerous, but generally entail preserving one’s own information and information technology
while exploiting, disrupting, or denying the use of an adversary’s (Shackelford 2009). In US military
doctrine, IW it is part of a much larger strategic shift that was named Information Operations (IO).
Information Operations involve actions taken to affect adversary information and information systems
while defending one’s own information and information systems. Information Operations apply across
all phases of an operation, throughout the range of military operations, and at every level of war.
Information Warfare is Information Operations conducted during time of crisis or conflict, including
war, to achieve or promote specific objectives over a specific adversary or adversaries (Joint Chiefs of
Staff 1998).
The new emerging vulnerabilities that information age generates are more likely to be exploited by
opponents of developed states that cannot hope to prevail on the battlefield, or even at the
negotiations table. A lesser-advantaged state hoping to seriously harm a dominant adversary must
inevitably compete asymmetrically. It must seek to counter the strengths of the opponent not head-on,
but rather employing unorthodox means to strike at centers of gravity.
IW offers such asymmetrical benefits. In the first place, in many cases a computer network attack will
either not merit a response involving the use of force, or the legality of such a response could be
debatable, even if the victim is able to accurately identify the attack and its source. Thus, because of
the potentially grave impact of cyber attacks on a state’s infrastructure, it can prove a high gain, low
risk option for a state outclassed militarily or economically. Moreover, to the extent that an opponent is
militarily and economically advantaged, it is probably technologically dependent, and, therefore,
teeming with tempting targets.
2. IW and the ‘use of force’ concept
Several rules govern when force can be used (the jus ad bellum, which focuses on the criteria for
going to war, covering issues such as right purpose, duly constituted authority, last resort) and how
states can use that force in an armed conflict (the jus in bello or ‘law of war’, that creates the concept
of just war-fighting, covering discrimination, proportionality, humanity etc). These rules have diverse
sources, including the U.N. Charter, international humanitarian law treaties, including the 1949
Geneva Conventions, as well as customary international humanitarian law. Some of these existing
laws involve principles of general applicability that could encompass IW. Nevertheless, the gap
between physical weaponry (whether kinetic, biological, or chemical) and IW’s virtual methods can be
substantial, creating translation problems.
The sort of intangible damage that IW attacks may cause is analytically different from the physical
damage caused by the use of armed force in traditional warfare. The kind of destruction that bombs
and bullets cause is easy to see and understand, and fits well within longstanding views of what war
means. In contrast, the disruption of information systems, including the corruption or manipulation of
stored or transmitted data, may cause intangible damage, such as disruption of civil society or
government services. These may be more closely equivalent to activities such as economic sanctions
that may be undertaken in times of peace rather than acts of aggression (Greenberg 1998).
Whether or not an information warfare attack can be considered ‘use of force’ or ‘aggression’ is
relevant to the fact that a forceful response can be justified as self-defense, as well as to the issue of
whether a particular response would be proportionate to the original attack.
Modern law on the use of force is based on the U.N. Charter. An analysis of international law and IW
could begin with the prohibition of the use of force in Article 2(4): ‘All Members shall refrain in their
international relations from the threat or use of force against the territorial integrity or political
independence of any state, or in any other manner inconsistent with the Purposes of the United
Nations’ (Charter of the United Nations, Art.2(4)). The drafters intended to prohibit all types of force,
except those carried out under the aegis of the United Nations or as provided for by the Security
Council, and wanted to restrict the use of force severely by sharply limiting its use to situations
approved by the Security Council (Barkham 2001).
201

Alexandru Nitu
The fact is that neither the Charter nor any international body has defined the term ‘use of force’
clearly. That might be the main reason why the use of force prohibition encounters difficulty when
translated into the IW context. Not all hostile acts are uses of force. Traditionally, states defined ‘force’
in terms of the instrument used, including ‘armed’ force within the prohibition, but excluding economic
and political forms of coercion. This distinction reflects an effort to proscribe those acts most likely to
interfere with the U.N.’s primary purpose: maintaining international peace and security.
The classic ‘instrumentality’ approach argues that IW does not qualify as armed force because it lacks
the physical characteristics associated with military coercion (Hollis 2007). The analysis looks at
whether there is kinetic impact: some type of explosion or physical force. The Charter was created in
the days of weapons that provided blast, heat, and fragmentation damage, so it is clear that these
types of kinetic weapons were exclusively present in the minds of the drafters.
Still, some types of cyber attacks can be determined to be uses of force. Since the determination of a
use of force requires that a weapon be used, there first must be a method of analogizing IW attacks to
weapons. A very good method could be the one proposed by Ian Brownlie, which shifts the traditional
use of force analysis from a purely kinetic analysis, based on physical force being applied to the
target, to a result-based analysis, evaluating IW attacks is not limited to focusing on the method of the
attack (Brownlie 1963). A result-based analysis requires looking at whether there is a kinetic result,
that cause damage or injury, rather than whether the weapon itself is kinetic.
The text of the U.N. Charter offers additional support for the ‘instrumentality’ view in Article 41, which
states that ‘measures not involving the use of armed force’ include ‘complete or partial interruption of
(…) telegraphic, radio, and other means of communication’ (Charter of the United Nations, Art.41).
Clearly, ‘other means of communications’ fairly encompasses computer communications and
communication over computer networks. It seems that Article 41 permits countries to deprive another
nation of its communications, as well as interrupting communications by manipulation of the target
country's data such that it is corrupt and untrustworthy, altering the data to render it useless for that
nation's purpose, and actually altering the data such that it achieves an intended purpose for the
aggressor nation (DiCenso 2000). Although such measures sound like fair game for IW, the
provisions of Article 41 still require the Security Council to decide what measures are to be employed
under that article, including force and actions that do not include armed force.
In order to retain its effectiveness, the Charter’s interpretations must evolve to some degree. The
extent to which this happens is important in applying use of force analysis under Article 2(4) as new
types of warfare develop. If the definition of the ‘use of force’ is static, then the ban on the use of force
gradually will become less effective as new interstate actions occur beyond the boundaries of what
the drafters considered (Barkham 2001).
Difficulty in characterizing certain forms of information warfare as ‘force’ or ‘aggression’ under
international law does not mean that international legal institutions cannot respond to such attacks.
For example, Chapter VII of the U.N. Charter gives the UN Security Council the authority and
responsibility to determine the existence of any ‘threat to the peace’ or acts of aggression (Charter of
the United Nations, Article 39) and the Council can recommend and lead responses to that (Charter of
the United Nations, Article 40). Many information attacks that may not constitute ‘force’ or ‘aggression’
could certainly be considered threats to the peace and thus subject to Security Council action,
perhaps including the use of military force. After all, anything that would anger a government to the
point that it might feel the need to resort to military action could thus threaten the peace, even if the
provocative action was not technically illegal (Greenberg 1998).
Of particular interest for IW analysis is Article 51 of the U.N. Charter, the only exception to the rule
stated in Article 2(4). According to Article 51, states can use force pursuant to the inherent right of
self-defense in response to an armed attack: ’Nothing in the present Charter shall impair the inherent
right of individual or collective self-defense if an armed attack occurs against a Member of the United
Nations, until the Security Council has taken measures necessary to maintain international peace and
security’ (Charter of the United Nations, Art.51). As sole authorization of unilateral use of force outside
the U.N. Charter security system, this provision responds to the reality that the international
community may not be able to react quickly enough to armed aggression to forestall attack on a victim
state. It therefore permits states and their allies to defend themselves until the international help
arrives pursuant to Chapter VII.
202

Alexandru Nitu
Article 51 restricts a state’s right of self-defense to situations involving ’armed attack’, a narrower
category of act than Article 2(4)’s ’use of force’. Although coercion not involving armed force may
violate Article 2(4) and result in action under Article 39, it does not follow that states may also react
unilaterally pursuant to Article 51. This narrowing plainly reflects the Charter’s preference for
community responses over individual ones, even to threats to peace (Schmitt 1999). In the case of a
IW attack, it is also a prudent approach due to the difficulty states may have in identifying the correct
source of an attack.
The main problem IW poses for Article 2(4) does not derive from its large-scale applications, but from
attacks that do not destroy life or property, such as subversion of property, electronic blockades, and
incursions. The large-scale attacks are similar to conventional methods of warfare and fit comfortably
within traditional use of force analysis. The lower-level attacks present the problem when analyzed
under Article 2(4) because they threaten to erase the distinction between acts of force and acts of
coercion. The severity of an IW attack might not be identified promptly, so it would not be feasible to
require a victim to conduct a damage assessment to determine whether an IW penetration were a use
of force or merely of coercion. (Barkham 2001)
3. International legal limits on IW
3.1 Limits on the use of weapons
Many of the international legal provisions regarding armed conflicts are found in the 1949 Geneva
Conventions and the 1977 Additional Protocols to the Geneva Conventions. The Geneva
Conventions, with their focus on the protection of persons in enemy hands, are of some relevance to
IW. Without reference to specific weapons, the Additional Protocols (AP) address various methods
and means of warfare in general terms, thus being able to present a framework for the use of IW.
In order for International Humanitarian Law (IHL) to apply to a particular armed conflict, neither formal
declaration of war, nor recognition of a state of war is required. Instead, the requirements of the law
become applicable as from the actual opening of hostilities. An international armed conflict is
perceived as any difference arising between two States and leading to the intervention of armed
forces, even if one of the Parties denies the existence of a state of war (Pictet 1952).
There is no doubt that an armed conflict exists and IHL applies once traditional kinetic weapons are
used in combination with new methods of IW. The most difficult situation, as far as applicability of IHL
is concerned, would be the one where the first, or the only hostile acts are conducted by means of IW.
The question is if this type of conflict depends on the type of attack in order to be qualified as
constituting an armed conflict within the meaning of the 1949 Geneva Convention and the Additional
Protocols.
Same as in the U.N. Charter’s case, the fact that IW developed only after the adoption of the
Protocols does not exclude their applicability. The first Additional Protocol to the Geneva Conventions
made specific reference for consideration of new weapons. Article 36 of Additional Protocol I (AP I) is
a strong indicator that the drafters of AP I anticipated the application of its rules to new developments
of methods and means of warfare. This provision requires that ‘In the study, development, acquisition
or adoption of a new weapon, means or method of warfare, a High Contracting Party is under an
obligation to determine whether its employment would, in some or all circumstances, be prohibited by
this Protocol or by any other rule of international law applicable to the High Contracting Party’
(Protocol Additional to the Geneva Conventions 1977). This statement obligates a nation at least to
consider the laws of armed conflict before employing IW means. That consideration should focus on
both the means of force and perhaps more importantly on the effects.
Consequently, the fact that a particular military activity constituting a method of warfare is not
specifically regulated does not mean that it can be used without restrictions. Based on that, nothing
precludes assuming that the more recent forms of IW, which do not involve the use of traditional
weapons, are subject to IHL just as any new weapon or delivery system has been so far when used in
an armed conflict. (Dörmann 2004)
Another fundamental rule of warfare, found in Article 35 (1) of AP I, states that ‘the right of the Parties
to the conflict to choose methods or means of warfare is not unlimited’ (Protocol Additional to the
Geneva Conventions 1977). So far, hostilities have involved physical violence and kinetic energy
203

Alexandru Nitu
leading to human casualties or material damage. In the case of IHL, the motivation for the application
of the law is to limit the damage and provide care for the casualties. This would support an expansive
interpretation of when IHL begins to apply. If a cyber attack is directed against an enemy in order to
cause physical damage or loss of life, it can hardly be disputed that such an attack is in fact a method
of warfare and is subject to limitations under IHL. (Dörmann 2004)
3.2 The principle of distinction
Just as information warfare attacks may be difficult to encompass within the ‘use of force’ concept, it
may be also difficult to define their targets as military (and thus generally legitimate targets) or civilian
(generally forbidden). The dual-use nature of many telecommunications networks complicates the
questions of the applicability of IHL as a constraint on information warfare, because the intangible
damage that cyber attacks cause may not be the sort of injuries against which the humanitarian law of
war is designed to protect noncombatants. (Greenberg 1998)
The definition of the term “attack” is of decisive importance for the application of the various rules
giving effect to the principle of distinction and for most of the rules providing special protection for
certain objects. In accordance with Art. 49 (1) of AP I, ‘attacks’ means acts of violence against the
adversary, whether in offence or in defense (Protocol Additional to the Geneva Conventions 1977). If
the term ‘acts of violence’ denotes only physical force, the concept of ‘attacks’ excludes dissemination
of propaganda, embargoes or other non-physical means of psychological, political or economic
warfare. (Dörmann 2004)
Based on that understanding and distinction, cyber attacks through viruses, worms, logic bombs etc.
that result in physical damage to persons, or damage to objects that goes beyond the computer
program or data attacked can be qualified as ‘acts of violence’ and thus as an attack in the sense of
IHL. From this point of view, it is helpful to look at how the concept of attack is applied to other means
and methods of warfare. There is general agreement that, for example, the employment of biological
or chemical agents that does not cause a physical explosion, such as the use of asphyxiating or
poisonous gases, would constitute an attack (Dörmann 2004).
If one admits that employing a IW method constitute an attack, AP I imposes:
The obligation to direct attacks only against "military objectives" and not to attack civilians or
civilian objects; (Protocol Additional to the Geneva Conventions 1977, Art. 48, 51 (2), 52)
The prohibition of indiscriminate attacks, including attacks that may be expected to cause
excessive incidental civilian casualties or damages; (Protocol Additional to the Geneva
Conventions 1977, Art. 51 (4), (5))
The requirement to take the necessary precautions to ensure that the previous two rules are
respected, (Protocol Additional to the Geneva Conventions 1977, Art. 57) in particular the
requirement to minimize incidental civilian damage and the obligation to abstain from attacks if
such damage is likely to be excessive to the value of the military objective to be attacked;
(Protocol Additional to the Geneva Conventions 1977, Art. 51 (5)(b), 57 (2)(a)(ii) and (iii))
These rules operate in exactly the same way whether the attack is carried out using traditional
weapons or IW techniques. Problems that arise in applying these rules are therefore not necessarily
unique to IW. They are more related to the interpretation of, for example, what constitutes a military
objective or which collateral damage would be excessive.
4. Legal perspectives on IW
The laws of war always faced two challenges. The first was that war's confrontational nature and
tremendously high stakes often frustrated efforts to set reasonable limits on behavior. Fortunately, the
international community has generated international conventions and war crimes tribunals to solve
this problem.
The laws of war also face a second challenge, which is how to adapt these laws to technological
change. This dynamic itself is as old as civilization, but it became more acute in the last one hundred
years, since technological progress has accelerated. The result is that weapons are developing much
faster than international law, and there is every reason to believe that this trend will continue to
accelerate in the future.
204

Alexandru Nitu
As IW strategy and technology evolve, international law scholars will have to fit this new kind of
warfare into an analytical framework developed to address a different conception of war.
First, the U.N. Charter and other existing treaty regimes do not create a clear legal prohibition of many
types of IW attacks. For international law effectively to address IW attacks there must be established
a correspondence between terms like ‘use of force’, ‘armed attack’ or ‘armed aggression’ and IW
methods and means of combat. Also, it would be necessary to set limits to IW activities similar to the
classic jus in bello principles, like just war, discrimination or proportionality.
The second, and the more difficult part, is to find a way to solve the practical problems associated
with both launching and defending against cyber attacks, including the fundamental issue of
attribution and in particular state responsibility for cyber attacks. It is technically challenging to localize
the physical place from which such an act originates. But even if the origin of an attack can be
localized within a particular state, it would be challenging to determine whether the attacker was
acting in an individual capacity, or on behalf of a criminal organization, the government or armed
forces.
Just as the identity of the attacker raises difficult questions for any potential IW treaty, so does the
identity of the victim. In an IW context, it becomes necessary to ask whether an attack on a company
or an institution is an attack on a whole country. It is not necessarily clear that the state in whose
territory the injured party resides is the injured state. In a conventional attack, the country where the
attack is located has been attacked because its territorial integrity has been violated, but cyberspace
is not a customary arena over which states may exercise such control.
From a humanitarian law perspective, it would be essential to be able to ‘mark’ in some way the
information systems used to maintain the viability of critical social infrastructure facilities. In the
physical world, some of these facilities (such as hospitals) display a distinctive sign, indicating their
protected status. Such identifying signs are absent in cyberspace, nor do criteria exist for designating
these systems as critical infrastructure.
5. Conclusions
Because of the newness of much of the technology involved, no provision of international law
explicitly addresses to information warfare. This absence of prohibitions is significant because, as a
crudely general rule, that which international law does not prohibit it permits. But the absence is not
dispositive, because even where international law does not address particular weapons or
technologies, its general principles may apply to the use of those weapons and technologies
(Greenberg 1998).
Although the existing body of international law does not necessarily provide definitive and universally
accepted answers to the legal issues that Information Warfare development rises, it does provide a
structure by which these issues could be addressed and analyzed. However, in order to apply existent
norms to IW, it is necessary to accept the consequence-based interpretations of “armed conflict” and
“attack”. In the absence of such understandings, the applicability, and therefore adequacy, of presentday
humanitarian law principles would come into question. The consideration of IW in the context of
jus ad bellum also leads to consequence-based interpretation.
Devising a system of international law adressing Information Warfare or Information Operations could
rectify many of the deficiencies of the current legal system and provide states with additional
functional benefits that do not currently exist. First, it can remedy uncertainty. Drafting new rules
provides an opportunity to rectify translation problems that plague IW under the law of war. It could
give states and their militaries a clear sense of the rules of engagement in the information age.
A dedicated law would allow states not simply to choose among available interpretations of the
prohibition on the use of force, but to craft a standard tailored to IW without the additional inclusion
problems that currently exist. Similarly, states could set the bar for when IW triggers the civilian
distinction requirement and address whether any or all information networks constitute legitimate
military objectives.
Disclaimer:The views, opinions, and recommendations contained in this analysis are those of the
author and should not be construed as an official position, policy, or decision of the Romanian
Intelligence Service
205

6. References
Alexandru Nitu
Barkham, J. (2001), Information Warfare and International Law on the Use of Force, New York University Journal
of International Law and Politics, vol. 34, pp. 57-113.
Brownlie, I. (1963), International Law and the Use of Force by States, Clarendon Press, Oxford
Charter of the United Nations and Statute of the International Court of Justice (1985), United Nations,
Department of Public Information
DiCenso, D. (2000), Information Operations: An Act of War?, Air & Space Power Chronicles. Available at
http://www.airpower.maxwell.af.mil/airchronicles/cc.html.
Dörmann, K. (2004), Applicability of the Additional Protocols to Computer Network Attacks, International Expert
Conference on Computer Network Attacks and the Applicability of International Humanitarian Law,
Stockholm, Available at http://www.icrc.org/web/eng/siteeng0.nsf/html/68LG92
Greenberg, L.T., Goodman, S.E., Soo Hoo, K.J. (1998), Information Warfare and International Law, National
Defense University Press. Available at http://www.iwar.org.uk/law/resources/iwlaw/iwilindex.htm
Hollis, Duncan B. (2007), Why States Need an International Law for Information Operations. Lewis & Clark Law
Review, Vol. 11, p. 1023, Temple University Legal Studies Research Paper No. 2008-43. Available at
http://ssrn.com/abstract=1083889
Joint Chiefs of Staff (1998), Joint Doctrine for Information Operations, Joint Publication 3-13.
Pictet, J. (1952), Commentary on the Geneva Convention for the Amelioration of the Condition of the Wounded
and Sick in Armed Forces in the Field, International Committee of the Red Cross, Geneva.
Protocol Additional to the Geneva Conventions of 12 August 1949, and relating to the Protection of Victims of
International Armed Conflicts (Protocol I), 8 June 1977. Available at http://www.icrc.org
Schmitt, Michael N. (1999), Computer Network Attack and the Use of Force in International Law: Thoughts on a
Normative Framework, Columbia Journal of Transnational Law, Vol. 37, 1998-99. Available at:
http://ssrn.com/abstract=1603800
Shackelford, S.J. (2009), From Nuclear War to Net War: Analogizing Cyber Attacks in International Law, Berkeley
Journal of International Law, Vol. 25, No. 3, pp. 191-250.
206

Cyberwarfare and Anonymity
Christopher Perr
Auburn University, USA
cwp0002@auburn.edu
Abstract: Public policy and strategy do not keep up to date with technology. There is generally a lag time
between the release and application of a technology till a shortcoming is observed. Once a shortcoming is
revealed it is a race to address that potential weakness with improved policy, updated strategy, a technological
initiative to combat the shortcoming, or a necessary combination of all methods. The invent of computer reliant
and networked systems has created a modern arms race which has seen more innovation and more need for
updated policy and strategy than any other period in history, yet the United States continues to fall behind in this
arms race. When security cannot be verified, but only risk mitigated, it is time to think deterrence. Unfortunately,
deterrence falls apart when you cannot identify the perpetrator behind attacks. This paper will look at the role that
information has played in previous conflicts, as well as the modern strategy towards protecting the United States
in cyberspace, and will draw a singular conclusion as to the best course of action towards improving our security.
Through a mix of policy, strategy, and technology the anonymity which attackers use as a shield needs to be
eliminated in order to allow room for a strong policy of deterrence with a verifiable response. In establishing the
means to identify our attackers and provide serious recourse cybersecurity can be greatly improved for the
United States.
Keywords: information warfare, security, policy, strategy, history, information security
1. The motivation
“We’re already at war in cyberspace; have been for many years.”
Gen Ronald E. Keys, Commander, Air Combat Command
On 6 September 2007 Fulghum reported that Israeli aircraft flew into Syria from Turkey and destroyed
a construction site (2007). The site was thought to have contained equipment for the refinement of
weapons grade nuclear material provided by North Korea.
The interesting part of this story for the purposes of this paper is that Syria, a country with an
advanced anti-air defense system purchased from Russia, did not even see the 10 F-15Is appear on
their radar. These are not stealthy aircraft, and with weapons hanging off the wings, should have been
easily spotted on radar. Further, troops were massing at Israel’s borders signaling a possible attack.
Syria was expecting something. So what happened?
The thought is that the Israeli’s were able to somehow disable the radar sites and to provide a window
where the jets could get in, bomb the target, and leave without threat. Was it a trap door in the radar
software? Did the Israeli’s use a special UAV to signal blank radar screen to the radar sites? They
haven’t said yet, and the only clear part is that Israel ‘owned’ those sites for a single night and proved
the strength of cyber warfare.
Unfortunately, if the U.S. were in this tale we would be more like Syria than Israel.
2. Open source
Due to publication constraints, and the desire to stay at the unclassified level, this paper will deal only
with open resources.
3. The (not so) recent history of information operations
“It is pointless to deal with enemy military forces if they can be bypassed by strategy or
technology.”
Col John A. Warden III, USAF, Retired
Net-centric warfare has become a much bandied about buzzword in the modern military vernacular. A
simple definition of net-centric warfare from the Office of Force Transformation (2005) is:
“the translation of an information advantage, enabled in part by information technology,
into a competitive war fighting advantage through the use of well-informed geographically
dispersed forces.
207

Christopher Perr
Historical examples of this can be pointed to before the term ‘IT’ was even coined, one such being
General William T. Sherman’s use of the telegraph to effectively shorten the kill chain of his day.
The kill chain is how forces find, fix, track, target, engage, and assess an enemy force today. It is a
loop where the exit is the destruction of your target. In Sherman’s time the kill chain was shortened by
drastically cutting the amount of time it took to communicate with his geographically separated forces.
None of these terms were used in Sherman’s time, but the concept is not new.
According to Arquilla (2007), Sherman is also useful for another example. His dependence on the
telegraph and the lack of security was highlighted when the Confederate forces started to attack the
lines that carried the vital communications. This caused troops to be pulled from the battlefield for
protection, and while it may have been too late in the war to make a difference, caused a dilution of
the Union’s forces. The telegraph showed how the kill chain can be thought of not in distances but in
time to decision making, and was also shown to be a possible center of gravity to which doctrine must
be modified to defend.
History is rife with examples of how technology has affected the way we think about and execute
conflict. The telegraph is historically the single largest increase in communication bandwidth. As its
was recognized as a powerful tool for command and control, dependence on the telegraph as the only
manner for controlling troops was recognized as a possible center of gravity and weakness to be
exploited
4. The (more) recent history of information operations the environment of
information operations
“An information war is inexpensive, as the enemy country can receive a paralyzing blow
through the Internet, and the party on the receiving end will not be able to tell whether it
is a child’s prank or an attack from its enemy.”
Wei Jincheng, excerpted from the Military Forum column, Liberation Army Daily, 25 June
1996
The First Gulf War is widely viewed as a major success according to Campen (1992). The
preparations involved repetitive rehearsals, planning, critique, and then more rehearsal. The rest of
the world watched as, what was at the time, the fourth largest force in the world got rolled over in a
matter of days. That was 1991, and even though the communication network was almost thrown
together the tactics and techniques used proved to be game changing.
Baucon (2010) notes that by 1995 forces around the globe had taken such a notice to the
revolutionary way that U.S. forces had used modified blitzkrieg maneuvers combined with supreme
command and control enabled by a technical advantage that those forces had changed their strategy
and force composition. It was clear that smart weapons and use of information warfare had made a
profound effect
Fast forward a bit, and a lot has happened since the Gulf War. In 2007 a conflict arose in Estonia with
Russia over the existence and placement of the Bronze Soldier of Tallinn. This spawned what the
Russian government called a ‘online response by patriotic individual citizens’. Estonia, a ‘highly
connected web friendly’ country, was now the victim of various bot-net and denial of service attacks
which brought the internet in that country to a halt. Waterman (2007) wrote that the attack was
characterized by Professor James Hendler, a former chief scientist at DARPA, as
“...more like a cyber riot than a military attack”
Speculation seems to imply that the Russian government sought out the help of organized crime and
individual hackers to carry out the attacks. The effect was the same as a conventional siege, and the
attacks were reported as a ‘crime’ by the Russians. The Estonian government requested aid in
investigation as outlined in Mutual Legal Assistance Treaty. Russia declined their requests (Leyden,
2008)
Other cases to look at are the cyber attacks perpetrated by North Korea on the United States and
South Korea in July of 2009. On the 4th of July North Korea attacked a large number of government
websites with bot-net and DDoS attacks seeking suspected political bargaining power. The attacks
were felt mildly here in the U.S. due to filtering addresses and distribution of website sources, but the
208

Christopher Perr
attacks again helped to show how vulnerable we are to even unsophisticated cyber attacks (U.S. eyes
N. Korea for ‘massive’ cyber attacks, 2010).
5. The current state of our cyber doctrine
It has become appallingly obvious that our technology has exceeded our humanity.
Albert Einstein
The opening of this paper ends with a pretty controversial statement, and is done so with a purpose.
The case with Iran and Syria show how a dependence on technology can seriously threaten a nation.
Evidence exists to show that the United States might be in a position where we are overly dependent
on technology in key areas with a limited ability to defend ourselves. Our current policies regarding
cyber warfare serve as the main cause.
The most recent example to support this statement is in the written answers which General Keith
Alexander, the nominee for commander of the new Cyber Command, provided to the Senate Armed
Services Committee on 15 April 2010. In one question he answered
“President Obama’s cybersecurity sixty-day study highlighted the mismatch between our
technical capabilities to conduct operations and the governing laws and policies, and our
civilian leadership is working hard to resolve the mismatch (Markoff, 2010).”
General Alexander’s response highlights an ongoing issue in the Department of Defense and, since
the vulnerability to the United States extends into the civil realm, in public policy as well. General
Alexander also speaks to the large gap created by having very effective offensive cyber capabilities
without developed defensive capabilities.
The 2003 Information Operations Roadmap served as the initial White House level guide for how the
armed forces conduct information operations (Miller, 2010). This document is very general and at a
level above specifics about cyber-warfare, but some important information can be gleaned from it.
First, cyber warfare is treated as an extension of information and conventional operations. Second, it
was decided that our current policy and force preparedness was not at a level capable of meeting the
countries cyber needs. Third, the civil realm of cyber operations was almost completely ignored
except to say that there could be some effect from operations and as such considerations should be
weighed.
The only other repeating theme in the document was to note the need to “deny, degrade, disrupt or
destroy a broad range of adversary threats, sensors, command and control and critical support
infrastructure.” This seems to assume that when cyber comes into play, it will be only against another
country that has a similar dependence on technology as the United States. This document also
highlights how the term “cyber war” can be incredibly limiting, and neglects a lot of the tactics and
resources which could be utilized if cyber operations were not limited to ‘conventional war’ alone.
The first main theme is vital to understand, and is echoed in a recent article in the Air and Space
Power Journal “Cyber This, Cyber That...So What? (Trias, 2010)” This article discusses integrating
cyberspace operations as well as counter cyberspace with everything from special operations to aerial
refueling is greatly advocated. Due to the pervasive nature of cyberspace almost all doctrine should
be looked at to at least include defensive elements of cyber security, and could probably benefit from
looking to how offensive cyber operations could aid in mission effectiveness.
The article also recognizes how slow going and agonizing the process of updating doctrine without
clear policy guidance can be.
“Air Force strategists are struggling to create doctrinal principles for cyber warfare in the
form of Air Force Doctrine Document (AFDD) 2-11, “Cyberspace Operations,” now
several years in draft.” (Trias, 2010)
The reason the Air Force could be having such a difficult time is linked to our second issue. In
response to the Information Operation Roadmap some major changes began to take place in the
cyber realm. New commands and squadrons were stood up across the Department of Defense (DoD)
in what from the outside looked like a power grab, and in eventual response it was decided that there
needed to be a new joint command created to oversee cyber operations and defense, and to track
capabilities and assets in the DoD.
209

Christopher Perr
This command is the new U.S. Cyber Command and was announced in June of 2009. Before that the
Air Force was hoping to form their own combatant command, but instead settled for a numbered
command. The Navy and Army have their own units as well. With all these new units confusion
regarding responsibility is inevitable.
The mission of U.S. Cyber Command is:
“...to coordinate computer-network defense and direct U.S. cyber attack operations (US
military prepares for ‘cyber command, 2010).”
Unfortunately, this new command with a somewhat clear mission did not seem to solve all of the ills
that cyberspace has created. In January of 2010 the Pentagon attempted to respond to a simulated
cyber attack.
“The results were dispiriting. The enemy has all the advantages: stealth, anonymity, and
unpredictability. No one could pinpoint the country from which the attack came, so there
was no effective way to deter further damage by threatening retaliation. What’s more, the
military commanders noted that they even lacked the military authority to respondespecially
because it was never clear if the attack was an act of vandalism, an attempt at
commercial theft, or a state-sponsored effort to cripple the United States, perhaps as a
prelude to conventional war (Markoff, 2010).”
As U.S. Cyber Command has not officially stood up yet it can only be hoped that the response to a
cyber attack would improve after a governing body has been established. Unfortunately, this still
leaves a third problem in our cyber strategy. What about the civilian side?
In March of this year a graduate student in Liaoning, China named Wang Jianwei authored a paper
titled “Cascade-Based Attack Vulnerability on the U.S. Power Grid.” The paper actually had nothing to
do with attacking the U.S. power grid, but instead was a technical exercise with the goal of increasing
security for networked power grids. The paper still created cries of outrage and questions as to who
was in charge of our grids well-being. The interesting part to take note of is that Jianwei chose the
U.S. power grid because it had the most information available on the inner workings of the network
(Markoff, 2010).
At the same time, according to Nielsen Online, in August of 2009 almost 75% of the United States
was listed as ‘users of the internet’ (Miniwatts Marketing Group, 2009). You can imagine that ‘internet
user’ includes lots of activities like banking, social networking, commerce, and business. Without even
mentioning necessities like the power grid or other services, the e-commerce sector alone was worth
more than $100 billion in 2007. You can see why the civilian sector would have a vested interest into
the handling of cybersecurity. The concern is that the DoD will dominate the area of cybersecurity and
the civilian side will be forced to submit to harsh and sometimes arbitrary regulation.
The answer to the concerns raised about the DoD’s dominance of cyber security and operations? The
Department of Homeland Security will eventually be receiving a Director for Cybersecurity, and
currently has in place an Office of Cybersecurity and Communications. Their specific responsibility is
listed below.
“The Office of Cybersecurity and Communications (CS&C) is responsible for enhancing
the security, resiliency, and reliability of the nation’s cyber and communications
infrastructure. CS&C actively engages the public and private sectors as well as
international partners to prepare for, prevent, and respond to catastrophic incidents that
could degrade or overwhelm these strategic assets (Department of Homeland Security,
2010).”
As of right now it could be said that none of that is taking place. Recently, when Google first feared
that their operation in China had been hacked, they turned to the NSA, not the Department of
Homeland Security, to help sort out the problem (Markoff, 2010). Where is the communication and
organization for who deals with what? This is without even mentioning that the FBI and the Secret
Service both have units that work in cyber security. The FBI is now also responsible for investigating
cyber crime on U.S. companies even though the attack may have occurred well outside our borders
(FBI probes cyber attack on Citigroup, 2010).With the convoluted policies and rapid changes it is easy
to see where one might be confused. There is no clear guide as to who responds, or how.
Unfortunately, that does not bode well for the defense of the United States. The best that can be said
210

Christopher Perr
about the current state of our cyber doctrine and policies is that we are rapidly improving, but aren’t
there yet.
6. The proposition
“The dogmas of the quiet past are inadequate to the stormy present. The occasion is
piled high with difficulty, and we must rise with the occasion. As our case is new, so we
must think anew and act anew.”
Abraham Lincoln, President of the United States
Message to Congress, 1 December 1862
When the nuclear bomb was unleashed on the world individual countries began seeking their own
nuclear weapons. As a country it was difficult to feel safe without one. With a weapon so massive it
was important that the person with ‘the bomb’ knew that you had the same capability, and that you
would use it if necessary. Unfortunately, this strategy seems ripe to fall apart as the technology
proliferates to anonymous parties. Cyberwar shares a lot in common with the development of strategy
for nuclear weapons. It was a massive revolution in warfighting that spawned a new arms race.
Unfortunately, anonymity is already a very serious issue. Anonymous parties are able to develop and
use very powerful informational weapons, and there is little to identify them or to link them to a party
that can be held accountable. On the bright side, while we cannot yet invent a safe nuclear bomb, we
can invent a safe internet by making several improvements to the one we have now. Lets think of
these improvements in the three ways t0 affect Cybersecurity: strategy, policy, and technological
advancement.
Strategy needs to be considered for both the short term and the long term, and is closely tied in to
technological development. In the short term it is best to consider how to continue patching and
modifying our current internet protocols to make a defensible position in cyberspace. This is basically
applying some common rules in Cybersecurity. If it doesn’t need to be online, don’t put it online. If
there are serious benefits to be gained by networking a system, such as applying networks to the
power grid to facilitate more efficient generation of power, then by all means network the system but
keep it as closed off and private as possible. Finally, when you do need to share something with the
internet or transmit information keep classified information separate, secure the site as much as
possible. Don’t forget to compartmentalize the system as much as possible, geographically distribute
your network where appropriate, keep constant backups, and maintain an appropriate level of
redundancy. For the short term, if these rules are applied judiciously, we just might make it out alive.
Technological advancement and policy are going to be playing a smaller but still vital role in the short
term. Technologically it would be impossible to create the defensible position without working to
defeat and patch the vulnerabilities which the attacks are exploiting, and to track the perpetrators to
the ultimate conclusion. To ignore current security flaws with the hope that the next update would fix
close the gap would be to look the other way at our own peril, and to embolden the individuals or
governments exploiting the flaws in the current system. In the short term, policy should be made that
clearly defines the jurisdiction and responsibilities to the agencies and military bodies charged with
defending the U.S.’s efforts in cyberspace. This effort is to include funding for the technology required
to close the gaps in the security of our networked systems. It should also be noted that a clear
offensive strategy needs to be explained in the short term, especially to note how to abolish the
anonymity which antagonistic countries are operating under as a shield for their own offensive cyber
operations. Funding for education also need to be taken under special consideration as these
antagonistic nations are also funding and attracting top notch talent to their cause instead of working
to develop peaceful relations in this realm.
In the long term the hope is now that we can create a much safer and more stable future by applying
thoughtful design. In this sense the long term goal of cyber strategy and technological development
should be to create a network infrastructure which is more anticipatory against attack then reactive to
attacks that have already occurred. When the internet was initially developed the idea was to create a
simple communication scheme which was simple and open, allowing for evolution into a much more
complex animal. Having gone through several revisions, it is time to update the protocols and
methods used daily to decrease the ability and relative ease of cyber attack. This is of course going to
be accomplished by setting long term strategic goals, and then funding technological initiatives which
are then in turn supported by policy both domestic and internationally. The first step in supporting this
strategy is to fund the minds that are interested in forming a safer internet. A internet which limits the
211

Christopher Perr
anonymity of attackers, separates classified networks from the unclassified, develops systems where
security is integral in the design, and creates a robust network which recovers gracefully from error
and attack while limiting the scope of that attack at every level. This is where funding is necessary for
new research an innovation in the relatively immature field of computing and networks.
7. Conclusion
Cyberspace is dangerous and scary. The borders are vast, and the landscape is constantly changing.
Fortunately the possibilities of operating in cyberspace offers excellent rewards and given an
appropriate but flexible strategy, reinforcing policy measures, and the drive to guide technological
development cyberspace can also be a safe place to operate. This paper should serve as a call to
make strides in these three areas, and to humbly offer up a base guide to tackling both present and
future issues in cyberspace.
References
Agence France-Presse, US military prepares for 'cyber command:' official | ABS-CBN News | Latest Philippine
Headlines, Breaking News, Video, Analysis, Features. ABS-CBN News. Available at: http://www.abscbnnews.com/technology/04/24/09/us-military-prepares-cyber-command-official
[Accessed September 11,
2010].
Alexander, K., Advanced Questions for Lieutenant General Keith Alexander, USA, Nominee for Commander,
United States Cyber Command, Available at:
http://docs.google.com/viewer?a=v&q=cache:Kcm4Wm7WxDcJ:armedservices.senate.gov/statemnt/2010/04%2520April/Alexander%252004-15-
10.pdf+Advance+Questions+for+Lieutenant+General+Keith+Alexander,+USA+Nominee+for+Commander&
hl=en&gl=us&pid=bl&srcid=ADGEESii_NfX8DuWogAeIT3BXixKWHsUgQjUlYpebRb4XQjwsDRhXLVTbXwl
aGTT7EulMH-DBJeo4rim_l2kT3M32rWC7AxmMzROsxLQwQVOYDVY2Gi9pKohKDV89kkb-
GHIOMwFll3A&sig=AHIEtbSnKTroECzRqeFhTGnXyvf4JMu62A [Accessed September 11, 2010].
Arquilla, J., 2007. Information strategy and warfare : a guide to theory and practice, New York: Routledge.
Baocun, W. & Fei, L., INFORMATION WARFARE. Available at:
http://www.fas.org/irp/world/china/docs/iw_wang.htm [Accessed September 11, 2010].
Campen, A., 1992. The first information war : the story of communications, computers, and intelligence systems
in the Persian Gulf War, Fairfax Va.: AFCEA International Press.
Clarke, R., 2010. Cyber war : the next threat to national security and what to do about it 1st ed., New York: Ecco.
Department of Homeland Security, DHS | Office of Cybersecurity and Communications. Available at:
http://www.dhs.gov/xabout/structure/gc_1185202475883.shtm [Accessed September 11, 2010].
Fulghum, Israel used electronic attack in air strike against Syrian mystery target - ABC News. Available at:
http://abcnews.go.com/Technology/story?id=3702807&page=1 [Accessed September 11, 2010].
Leyden, J., 2008. Estonia fines man for DDoS attacks • The Register. The Register. Available at:
http://www.theregister.co.uk/2008/01/24/estonian_ddos_fine/ [Accessed September 11, 2010].
Markoff, J., Google Asks N.S.A. to Investigate Cyberattacks - NYTimes.com. Available at:
http://www.nytimes.com/2010/02/05/science/05google.html?fta=y [Accessed September 11, 2010].
Markoff, J. & Barboza, D., Chinese Academics’ Paper on Cyberwar Sets Off Alarms in U.S. - NYTimes.com.
Available at: http://www.nytimes.com/2010/03/21/world/asia/21grid.html?_r=1 [Accessed September 11,
2010].
Markoff, J., Sanger, D.E. & Shanker, T., CYBERWAR - In Digital Combat, U.S. Finds No Easy Deterrent - Series
- NYTimes.com. Available at:
http://query.nytimes.com/gst/fullpage.html?res=9404E4DE123BF935A15752C0A9669D8B63 [Accessed
September 11, 2010].
Miller, F.P., Vandome, A.F. & McBrewster, J., 2010. Information Operations Roadmap.
Miniwatts Marketing Group, United States Internet Usage, Broadband and Telecommunications Reports -
Statistics. Available at: http://www.internetworldstats.com/am/us.htm [Accessed September 11, 2010].
msnbc.com staff, U.S. eyes N. Korea for ‘massive’ cyber attacks - Technology & science - Security - msnbc.com.
Available at: http://www.msnbc.msn.com/id/31789294 [Accessed September 11, 2010].
Office of Force Transformation, 2005. Implementation of Network-Centric Warfare, Office of Force
Transformation.
Reuters, FBI probes cyber attack on Citigroup: report | Reuters. Available at:
http://www.reuters.com/article/idUSTRE5BL0I320091222 [Accessed September 11, 2010].
Trias, E.D. & Bell, B.M., Cyber This, Cyber That . . . So What? Air & Space Power Journal, Spring 2010.
Available at: http://www.airpower.maxwell.af.mil/airchronicles/apj/apj10/spr10/trias.html [Accessed
September 11, 2010].
Wallace, R., 2009. Spycraft : the secret history of the CIA's spytechs, from communism to Al-Qaeda, New York:
Plume.
Waterman, S., Analysis: Who cyber smacked Estonia? - UPI.com. Available at:
http://www.upi.com/Business_News/Security-Industry/2007/06/11/Analysis-Who-cyber-smacked-
Estonia/UPI-26831181580439/ [Accessed September 11, 2010].
212

Catch me if you can: Cyber Anonymity
David Rohret and Michael Kraft
Joint Information Operations Warfare Center (JIOWC) Texas, USA
drohret@ieee.org
mkraft5@csc.com
Abstract: Advances in network security and litigation have empowered and enabled corporations to conduct
Internet and desktop surveillance on their employees to increase productivity and their customers to gain valuable
marketing data. Governments have spent billions to monitor cyberspace and have entered agreements with
corporations to provide surveillance data on adversarial groups, competitors, and citizenry (Reuters, 2010). The
Chinese government’s monitoring of the Internet (Markoff, 2008), the United Kingdom’s plan to track every email,
phone call, and website visited (Whitehead, 2010), and the recent announcement from the United States that a
program named the “Perfect Citizen” (Bradley, 2010) will be used to identify those committing cybercrimes and
terrorist activities. These government surveillance programs have many concerned that anonymity on the Internet
is non-existent and that real objectivity and candidness found on news, educational, and research websites is
being replaced with a “big brother” atmosphere; preventing open discussion and information transfers between
domains. Although the initial intent of network and Internet monitoring may be honourable; terrorists, hackers,
and cyber-criminals already have access to the necessary tools and methodologies to continue in their activities
unabated. State and non-state adversaries can use these same tools and methodologies to divert malicious and
offensive actions towards a common adversary, avoiding attribution while increasing tensions among non-actors.
Concerned educators, scientists, and citizens are rebelling against Internet monitoring providing the impetus for
developers and entrepreneurs to create methods, tools, and virtual private networks that provide secrecy for
those wishing to remain invisible; avoiding detection from employers, law enforcement, and other government
agencies (Ultimate-Anonymity, 2010). The intent of this research is to first briefly identify the efforts required by
governments to track and monitor individuals and groups wishing to remain anonymous within the cyber community.
The authors define “cyber community” as the boundaries within any tool, process, or mechanism utilizing
Transmission Control Protocol (TCP)/ Internet Protocol (IP), or similar protocols that allow for the transfer and
aggregation of information and data. In contrast, the authors will then identify a process to remain wholly anonymous
in the context of an internet identity. This will be demonstrated in a step-by-step case study using a ”paranoid”
approach to remaining anonymous.
Keywords: anonymity, network, internet surveillance, foreign proxy, hacker, big brother
1. Terms defined
The term Internet anonymity, and the abstract or hypothetical optimum of remaining anonymous, have
differing definitions based on the “completeness” of anonymity desired. In several definitions “anonymous”,
is simply remaining obscure (Answers.com, 2010), and not necessarily completely hidden
from site. In other definitions, anonymous refers to remaining nameless, without shape or form (wordnetweb.princeton.edu,
2010), and this is the definition the authors have used throughout this paper.
This theme also extends to other terms that describe deception, the destruction of data or misdirection;
specifically, the completeness of the action being described. The word “government” will also be
used in a manner that includes all government entities, including law enforcement, military, and intelligence
agencies.
2. Overview
Network-centric red teams are charged with emulating known adversaries and hackers (remote and
insider threats) using, for the most part, only open-source and publically accessible tools and software.
Unlike penetration testers, who use exploits to validate vulnerabilities, red teams are responsible
for viewing networks or systems from every angle to defeat defences in place. This will include,
but is not limited to, physical security, biometrics, social engineering, and of course, preventing the
blue team from assigning attribution to the red teams actions. In this type of security stress-test a client
is able to fully realize their systems security posture, which encompasses much more than a vulnerability
scan and penetration test.
Governments and corporations have realized the advantages of communications and data transfers
via the Internet for economical and defensive purposes. They have also realized the dangers and
costs of cyber crimes, malicious hacking, espionage, and cyber warfare; developing new technologies
and implementing new legislation to defend networks and to trace/track attacks to their electronic
point of origin (EPO). Without verification and validation courts will not convict and governments are
unwilling to counter attack as clear attribution cannot be assigned. In order to remain anonymous or
213

David Rohret and Michael Kraft
assign blame to another party, the authors use the Praestigiae Cone (Rohret & Jett, 2009) displayed
in Figure 1. The Praestigiae Cone can be visualized as seven protective layers (cone architecture)
used in multiple steps to allow hackers, adversaries, or any other group to operating from a cloaked
vantage point. The organization or individual attempting to identify what the shields are hiding can
attack any of them at one time, but cannot move from one layer to the next without first solving the
initial “who-is” puzzle for the layer they have identified. Making the task of identifying the actual
user(s) more difficult is that each shield is time-sensitive; creating a fast moving defensive environment
that is held hostage to a cyber criminal’s (or users) schedule.
Figure 1: The Praestigiae Cone is used to hide and deceive one from those trying to identify the
original source of an attack or network traffic (Rohret & Jett, 2009
As difficult as it appears for law enforcement and government agencies to crack all seven layers, it
only takes one mistake or missed-step by an adversary or hacker to allow investigators to see their
true identity. Therefore, the authors have provided a brief description of known capabilities to establish
the requirement for an adversary to take the seemingly paranoid precautions identified later in this
paper in order to remain anonymous.
3. Identifying and tracking internet users
“...the FBI successfully infected the anonymous source's computer, and they soon discovered
his identity” (Begun, 2009).
In order to quantify the actions taken to remain anonymous we must first identify the many ways an
individual or group can be located, tracked, and discovered. By no means are the methods described
below solely used for cyber crimes or cyber warfare, but they are a major part of a government’s arsenal
in fighting cyber crime and dissidents. Because there are so many different tools and techniques
used by different governments and agencies, the authors have generalized techniques using
specific examples to represent the greater capabilities. This brief overview will help to demonstrate
why a paranoid approach is required to protect an anonymous identity on the Internet.
Trojans, Beacons, and Worms
The above quote from Daniel Begun illustrates one way to identify illegal media downloads or snoopy
hackers. The process is as easy as providing interesting material on known download sites with embedded
Trojans or beacons that notify law enforcement of the violation. Although effective, it’s difficult
for government agencies to target specific groups or individual violators as this process is more of a
214

David Rohret and Michael Kraft
reverse phishing expedition. For targeting specific groups such as cyber criminals or adversarial governments,
similar techniques would be used with live data or in a well designed honeypot that seemingly
held the type of data the targeted group would maintain on their site. The music industry has had
minor successes using these techniques (Associated Press, 2005).
Financial Transactions
Financial transactions can easily be associated with an individual anywhere they take place. For an
international economy to work, governments and corporations, often at odds with one-another, must
work together to prevent crimes that threaten markets and currencies. Because the world has rapidly
become digitized credit cards, Internet paying services, and smart phone purchases allow anyone
with a bank account to be a consumer. Furthermore, most businesses and banks now utilize video
surveillance at the point of transaction creating a scenario where even cash purchases of a serialnumbered
commodity or a financial document can lead investigators to a digital picture of the perpetrator.
The United States agency, The Financial Crimes Enforcement Network (FinCEN) was established
in 1990 and is considered the leading expert in solving crimes involving financial transactions,
to include cyber crimes (Kimery, 2010; FinCEN, 2010).
Digital and Cellular Communications
"It's time for you to get some new cell phones, quick," was the warning given to Brian Ross and his
ABC News investigation team (Ross, 2006) by someone they considered an NSA insider. This older
news story describes an agency leak that identified how intelligence agencies, (and presumably law
enforcement agencies) are able to track individuals using telecommunications for activities they (the
agency) deem interesting or counter to national security. Radio Frequency (RF) triangulation to pinpoint
locations of smart phones and other on-line digital devices is also possible with the use of good
spectrum analyzers and a direction finder. This applies to 802.11, 802.16, GSM, CDMA and other
Internet Protocol (IP) over radio and wireless standards.
Tracking Internet Traffic
The most common method of identifying malicious Internet activity and attempting to identify the culprit
is through network and Internet surveillance. Intrusion detection systems, intrusion prevention systems,
intelligent and stateful firewalls, packet sniffers, etc, provide network administrators and cyber
crime investigators powerful tools for identifying attack signatures and sophisticated pattern analysis’
that help investigators attribute an attack or malicious actions to a specific group or individual. This is
not to say they know the actual identity of the group or individuals involved, but rather, they can match
patterns of attacks or actions with enough confidence to suggest that the same perpetrators were involved.
These capabilities have become more precise in recent years as corporations and governments
cooperate in sharing information and sensor data. For example, the marriage between the
search engine giant Google and the NSA made headlines sending shock waves through the Internet
community creating worries that anyone can be “spied” on at any time (Reuters, 2010). An adversary
or malicious hacker must also assume that international arrangements and agreements have also
been implemented providing world-wide coverage and tracing capabilities.
Computer Forensics
Possession of a suspect’s computer is the golden egg for investigators. The term computer forensics,
for use in this paper, refers to identifying incriminating evidence on the suspects system or a storage
device used by the suspect. Entire computer laboratories are dedicated to forensic analysis for identifying
incriminating evidence; ranging from simple low-tech techniques to highly sophisticated electron
interferometry. An example of a low-tech analysis would consist of the capture of a system that is still
running and accessible; whereas electron interferometry involves reading open and closed memory
gates on a system’s memory at temperatures below negative 60 Celsius, even if the system has been
shut down for several minutes (Vourdas & Sanders, 1998).
Physical Investigations
“Feet” on the ground to identify patterns and locations are part of the final stage of an investigation to
identify and/or catch a suspect. This includes using video surveillance from Internet cafes frequented
215

David Rohret and Michael Kraft
by the suspect or an old fashioned stake-out to catch them in the act. Cyber crime investigations are
common place and many are high profile, prompting law enforcement agencies to allocate significant
resources to rapidly solve cases.
4. A paranoid approach to remaining anonymous
Why a paranoid approach to anonymity? Governments, adversaries, corporations, cyber criminals,
even cheating spouses require a repeatable process they can employ to accomplish sensitive activities
across the World Wide Web without detection or retribution. In a recent article prepared for the
North Atlantic Treaty Organization (NATO) Parliamentary Assembly (Myrli, 2010) the cost of cyber
crimes to governments and corporations is reported to be over US $100B annually. In response to
cyber crime, governments and corporations spend billions more on technology and methodologies to
identify, track, and prosecute cyber criminals (Fenwick, 2010). Not only have governments increased
expenditures and resources to combat cyber crime, there is now unprecedented cooperation among
governments and corporations to provide data and information sharing to identify and/or capture offenders
(Golubev, 2005). Therefore, for an adversary or cyber criminal to successfully use the internet
for nefarious reasons and remain anonymous, they must take a holistic view of the security available
to their intended targets; that is to say, they must assume each capability is available and successfully
deployed. Just as a network security officer does not have the luxury of only defending against some
or most of the vulnerabilities on their network, a cyber criminal or cyber warrior cannot depend on a
law enforcement agency to only use some of the methods described in section 3.
This paper is the result of research into adversarial capabilities in cyber warfare, specifically, how a
network-centric red team, acting as the adversary, would prevent positive attribution after conducting
network reconnaissance or an attack. The following case study reflects precautions and actions used
to create the shields in the Praestigiae Cone, described in Figure 1; using combinations of publically
available technology, services, and research. Figure 2 outlines the process of achieving the seven
shields, resulting in complete anonymity. The details are explained using a scenario based on an actual
case study involving a red team assessment on an enterprise network.
Figure 2: A process for remaining anonymous in cyber space
Scenario: The red team’s goal was to emulate a hackers capability to remotely identify and disable an
automated network-controlled surveillance system that included wireless video, fence and ground
sensors, autonomous vehicle sentries, and network security; without being identified as the adver-
216

David Rohret and Michael Kraft
sary. The red team assumed that all networks were monitored and Internet service providers, search
engines, and even proxy services would provide information to authorities in a timely manner. Each
action taken by the red team, and all services purchased and used, are publically available and operating
in a legal capacity. The following steps provided Internet and network anonymity, allowing the
red team to accomplish its mission without allowing security managers to assign attribution to the attack.
Physical Security and Financial Shields
The red team’s first step was to build laptop systems specifically for their requirement. This included
downloading free VM software for the installation of multiple operating systems. By using freely distributed
VM software, the red team was able to avoid having information identifying their use of VM
software through registration services or processes (Oracle, 2010). Operating systems already configured
for use in a VM environment were also available for public download and each download and
installation was accomplished from a non-authenticating Internet cafe. Two anonymity proxy services
were required and were purchased using two separate MasterCard gift cards that were separately
purchased with cash at two convenience stores that were found not to be using video surveillance.
Virtualization and Spoofing Shields
Creating a system providing protection against evidence retrieval is vital for a red team emulating adversarial
techniques. Virtual operating systems provide developers and administrators the capability to
create instances of an entire network for testing and evaluation, similarly, cyber criminals and adversaries
use virtual networks for pre-exploit testing and as disposable systems following an attack or
exploitation. If all other layers of anonymity fail, it is imperative that attribution cannot be determined
from information, logs, or data found on the attackers host system. In this case study, our red team
used multiple pre-built virtual machines on re-usable host systems, creating temporary and disposable
attack platforms. Continuing our paranoid approach, we used open-source resources to download
and install the following files using a false identify:
Virtual Machine Hosting Software: The authors downloaded Microsoft’s Virtual PC 2007 software.
With Microsoft Virtual PC 2007, you can create and run one or more virtual machines (each with
its own operating system) on a single computer. This provides you with the flexibility to use different
operating systems on a single host platform (Microsoft, 2010).
Virtual Machine Images: Virtual operating system images can be obtained in several ways; they
can be loaded directly into the VM system (using un-registered software) or downloaded already
built. Windows XP or Vista VM images are available at no cost from the National Institute of Standards
and Technology (NIST, 2010), and a Linux distribution was also obtained from an opensource
location (Back|Track-Linux.org, 2010). Hacker forums, how-to publications, and trial
downloads also provide sources locations for acquiring operating systems to populate your virtual
machines without a financial or registration trail.
Host and VM System MAC Spoofing: Every network interface card (NIC) is assigned a unique
serial number called a media access control (MAC) address. An investigator or network security
officer can trace a MAC address in a similar way that an IP address is traced by simply using a
packet sniffing tool, like Wireshark, and filtering traffic by the MAC. Many novice hackers or careless
cyber criminals will neglect spoofing MAC addresses prior to an attack, and just as often, forget
to change them back to the original following an attack. In the red team’s quest to eliminate
any trace of their attacking systems on their host platforms, they used publically available freeware
called Spoofmenow.exe (SourceForge, 2010) to change the MAC addresses of both the VM
system and their host platforms. Once the red teams actions were completed (for each session),
they returned the host system to the original MAC address and deleted the VM system. This action
would prevent investigators from identifying the host system as the computer used for an attack,
even if no other evidence was available. It was necessary to change the VM system’s MAC
address for two reasons; first, changing the MAC address to a manufacturer that reflected the location
of the proxy server used for the attack, created a better deception of where the attack
originated from. Secondly, and just as importantly, to avoid identifying the system used as a VM
system. Most vulnerability scanners will identify the MAC address of a VM system as a virtual machine.
217

Proxy and Remailer Shields
David Rohret and Michael Kraft
The side effect of increased capabilities by law enforcement is an increase in on-line services to help
defeat law enforcement capabilities, such as anonymous proxies and remailers. Proxies are servers
that act as go-betweens, making requests for data on behalf of clients. A proxy receives a "request"
for a file, website, or other resource from a client, connects to the remote site, and obtains the information
sending it back to the client. Remote proxies can allow you to surf the Web privately without
being monitored and are widely used by individuals who download copyrighted media or those who
circumvent network security measures in order to view blocked Websites (Hazel Morgan, 2010).
An anonymous remailer is an email service which receives client messages (with embedded instructions
on where to send them) and then forwards the messages without revealing where they originally
came from. By not maintaining a users list or a log of the addresses their messages were sent to, a
remailer can ensure any message which has been forwarded leaves no internal information behind
that could be used to break identity confidentiality (Wikipedia, 2010).
Two proxy services were used by the red team; the first proxy service, Ultimate-Anonymity (Ultimate-
Anonymity, 2010), was purchased using the first cash gift card and a false identity at a nonauthenticating
wireless cafe. Red team members quickly set their proxy location to a proxy in India via
an encrypted VPN. Using an on-line IP lookup after starting the anonymous proxy service the red
team confirmed they were seen on the Internet as originating from the location in India, as shown in
Figure 3.
Figure 3: This screen capture was acquired using an IP lookup from the host system and identifies
the host is associated with an IP address from an Internet service provider located in India
and even provides the information in the host ISP’s primary customer languages
The second proxy service, HideMyAss.com (HMA), was purchased using the second gift card from
another non-authenticating wireless cafe while connected through the first proxy, using a different
false identity (HideMyAss.com, 2010). HMA’s user-friendly interface allowed the red team to choose
multiple proxies in the Netherlands and Russia, changing IP addresses every 10 minutes.
Although anonymous proxy services advertise they do not maintain user logs and delete user information
in a timely manner, it was assumed by the red team the anonymous proxy services would cooperate
with investigators. Therefore the red team would not use each proxy service for more than
one session, repeating the process for each follow-on action, using different proxy locations, session
locations, and new identities.
218

Data (Evidence) Removal Shield
David Rohret and Michael Kraft
There are various levels of paranoia which will dictate how one might try and destroy the computer
evidence. One might have little paranoia and decide to just delete the virtual machine from the computer.
A more nervous approach might include using a disk cleaner wiping a hard drive in accordance
with the DoD 5220.22-M standard (www.usaid.gov, 2010), which features multiple overwrites of random
characters. Open source programs like Darik's Boot and Nuke (DBAN) is a self-contained boot
disk that securely wipes the hard disks of most computers. DBAN will automatically and completely
delete the contents of any hard disk that it can detect, which makes it an appropriate utility for bulk or
emergency data destruction (Sourceforge, 2010). Lastly, after completing disk scrubbing, the extreme
case of paranoia might include destroying the computer by physically damaging the hard drives and
memory.
Location/Deception and Time Shields
As discussed earlier, time is the adversary’s or cyber criminal’s ally. The end goal is to accomplish an
action without being identified or having it attributed to your team. By using a disciplined approach
and restricting the amount of time each session is executed, each proxy service is used, and an identity
is held, investigators will be kept busy allocating resources to identify computers and users that no
longer exist. Even if investigators are able to eventually locate one of the EPOs, the perpetrator will
have completed their mission and moved onto a new location with a new identity. Solving computer
crimes requires resources and specific skill sets that are not always readily available even to the most
advanced cyber crime organizations. By remaining difficult to trace and providing multiple targets that
are easily erased, authorities will not be able to focus their efforts in a timely enough manner to locate
and positively identify the offender.
The key component of keeping time as your ally is preventing a positive identification of your location.
By location the authors refer to both the physical location of the attacker and their perceived location.
Earlier we discussed the use of multiple non-authenticating Internet cafes and the use of multiple foreign
proxies, one tunneled through the other, but there are other methods to hide your true locations;
the use of third-party hackers and on-line resources that provide exploitable computers. Third-party
hacking services are available and can be purchased using a gift card while logged onto a proxy service.
Furio Gaming (Furio Gaming, 2010) is one such service that will either hack a system for you or
will provide you the tools to do so. This service represents itself as a gaming and hacking company
and is located in a foreign country providing a layer of anonymity in itself. Other on-line services, such
as Shodanhq.com (SHODAN, 2010), provide an easy-to-use research tool allowing hackers to identify
systems worldwide that are exploitable in every country. By identifying and exploiting a vulnerable
system in a country that may not cooperate with the country you are working in, a cyber criminal can
execute their objectives with little fear of attribution. Other methods for individuals or organizations
with greater resources would be to setup and configure their own anonymous proxies in countries and
locations that have liberal or non-existent cyber laws. For large scale cyber attacks or highly profitable
schemes, this method may be more applicable and more robust.
5. Summary
The inexpensive solution to cyber anonymity outlined in this case study can easily be implemented
with minimal resources and without expert skill levels. Movies and television shows, such as “24”
(IMDB 24, 2010) and “Live Free or Die Hard” (IMDB Live Free or Die Hard, 2010) depict governments
and advanced cyber techniques that can pinpoint network and Internet users in real time; but for the
most part, these capabilities do not exist. The fact remains tracking a cyber criminal requires extensive
resources and is a time consuming process involving multiple agencies and governments. It is
also imperative that government decision makers be wary of assigning attribution to a specific country
or group for an attack or malicious action as the current state of cyber defence and investigations rely
heavily on the offending group to make a mistake that would provide positive identification. The authors
do not intend to imply such capabilities cannot be or are not being developed, but rather the current
state of Internet security and cyber laws do not provide sufficient capabilities and processes for
positive attribution. As this case study has demonstrated, even if authorities are able to follow an attack
or cyber crime to its electronic point of origin, that trail will only lead to a non-traceable false identity.
Catch me if you can.
219

References
David Rohret and Michael Kraft
Answers.com. http://www.answers.com/topic/anonymity Anonymity definition. Oct 2010.
Associated Press. Teen Convicted of Illegal Net Downloads. http://www.msnbc.msn.com/id/7122133/. March 7,
2005.
Back|Track-Linux.org. VMware Fusion 3.1. http://www.backtrack-linux.org/downloads/. Oct 2010.
Begun, Daniel, A. FBI Uses Spyware to Capture Cyber Criminals. Hothardware.com, Monday, April 20, 2009.
http://hothardware.com/News/FBI-Uses-Spyware-to-Capture-Cyber-Criminals/. 1 Oct 2010.
Bradley, Tony. NSA 'Perfect Citizen' Raises 'Big Brother' Concerns, PC World, July 08, 2010 02:02 PM ET,
http://www.networkworld.com/news/2010/070810-nsa-perfect-citizen-raises-big.html. Oct 2010.
Fenwick, Samual, Dr. Cyber security – believe the hype? Industrial Fuels and Power.
http://www.ifandp.com/article/006583.html. August 18, 2010.
FinCEN. http://www.fincen.gov/. Oct 2010.
Furio Gaming. http://www.furiogaming.com/index.php?page=home. Oct 2010.
Golubev, Vladimir. International Cooperation in Fighting Cybercrime. Computer Crime Research Center,
http://www.crime-research.org/articles/Golubev0405. April 16 2005.
Hazel Morgan, e. C. (2010, March). Information on How Proxies Work. Retrieved October 12, 2010, from eHOW:
http://www.ehow.com/facts_6054712_information-proxies-work.html.
HideMyAss.com; Anonymous remailer and proxy service, http://www.HideMyAss.com. April 13, 2010.
IMDB. 24 (2001 - 2010). http://www.imdb.com/title/tt0285331/. Oct 2010.
IMDB. Live Free or Die Hard (2007). http://www.imdb.com/title/tt0337978/. Oct 2010.
Kimery, Anthony. Big Brother Wants to Look in your Bank Account
http://www.wired.com/wired/archive/1.06/big.brother_pr.html. 25 Sep 2010.
Markoff, John. Surveillance of Skype Messages Found in China. New York Times: Internet. 1 October, 2008.
Microsoft. Microsoft Virtual PC 2007. http://www.microsoft.com/downloads/en/details.aspx?FamilyId=04D26402-
3199-48A3-AFA2-2DC0B40A73B6&displaylang=en. Oct 2010.
Myrli, Sverre. 173 DSCFC 09 E bis – NATO and Cyber Defence. NATO Parliamentary Assembly,
http://www.nato-pa.int/default.asp?SHORTCUT=1782. Sep 10 2010.
NIST. National Institute of Standards and Technologies. http://csrc.nist.gov/ Oct 2010.
Oracle. Oracle VM VirtualBox. http://dlc.sun.com/virtualbox/vboxdownload.html. Oct 2010.
Reuters. Google, NSA to team up in cyberattack probe. February 4, 2010.
Rohret, David, M. And Jett, Andrew. Red Teaming; A Guide to Non-kinetic Warfare. 2009.
Ross, Brian. Federal Source to ABC News: We Know Who You're Calling. ABC News.
http://blogs.abcnews.com/theblotter/2006/05/federal_source_.html. May 15, 2006.
SHODAN. http://www.shodanhq.com/. Oct 2010.
Sourceforge. (n.d.). Darik's Boot And Nuke (DBAN). http://www.dban.org/. Oct 2010.
SourceForge. http://sourceforge.net/projects/spoof-me-now/files/Spoof-Me-
Now%20%28No%20Installer%29.zip/download. September 2010.
Ultimate-Anonymity. Anonymous remailer and proxy service. http://www.ultimate-anonymity.com/ July 7, 2010.
USAid.gov. www.usaid.gov. http://www.usaid.gov/policy/ads/500/d522022m.pdf. October 2010.
Vourdas, A., and Sanders, B. Determination of quantized electromagnetic-field state via electron interferometry
1998 Europhys. Lett. 43 659 doi: 10.1209/epl/i1998-00414-0.
Whitehead, Tim. Every email and web site to be stored. Telegraph.co.uk.
http://www.telegraph.co.uk/technology/news/8075563/Every-email-and-website-to-be-stored.html 20 Oct
2010.
Wikipedia. (2010, July 14). Anonymous remailer. Retrieved October 12, 2010, from Wikipedia:
http://en.wikipedia.org/wiki/Anonymous_remailer.
Worldnet. the State of being anonymous; nameless. http://wordnetweb.princeton.edu/perl/webwn?s=anonymity:
Oct 2010.
220

Neutrality in the Context of Cyberwar
Julie Ryan 1 and Daniel Ryan 2
1 The George Washington University, Washington, USA
2 National Defense University, Washington, USA
jjchryan@gwu.edu
ryand@ndu.edu
Abstract: This paper will examine the legal antecedents of the concepts of neutrality and current enforceability of
declarations of neutrality in the context of information operations amongst belligerents. This is a non-trivial point
of understanding, given the potential for belligerents to use and abuse infrastructure elements owned and/or
operated by nation states desiring to remain neutral. The analysis will consider the instantiated concepts of
neutrality, the potential for expanding or contracting the concepts of neutrality in the context of cyberwar, and the
possibility of erosion of neutrality in cyberwar scenarios. We have a notion enshrined in international law that
says that you don't lose your neutrality if belligerents use your telephone lines or telegraph lines to communicate
even if they are crossing your territory, even if they are passing operational orders. The problem with cyberwar is
that they are potentially not just transferring orders but also potentially weapons -- cyber-weapons. So it becomes
a more complex problem and the challenge is to understand at what point the nation state should be required to
act, or if such a point exists at all. This analysis will examine the intersection between technology and law in
regards to this issue.
Keywords: neutrality; law of armed conflict; international humanitarian law; cyberwar
1. War and the laws of armed conflict
During less than one percent of the last two million or so years of human evolution has agriculture and
animal husbandry replaced the hunter-gatherer existence as a characteristic way of life. (Gat 2006, p.
4) During the hunter-gatherer phase, humans engaged in endemic primitive warfare. (Keegan 1193,
p. 5 and pp. 115ff) As technology evolved, it influenced – and was influenced by – warfare, producing
revolutions in military affairs. (Boot 2006, p. 8) The longbow, stirrups, gunpowder, conoidal bullets,
machine guns, aircraft, radar, sonar, rockets and spacecraft, and now computers and precisionguided
weapons, are but a small sample of the technologies that have continuously changed the face
of warfare throughout history. As warfare became the province of nation-states, belligerencies
between and among nations led to some states declaring their intent to remain neutral, and the
development of conditions under which their neutrality was recognized by the belligerents and other
conditions under which neutrality was lost. This paper addresses modern concepts of neutrality, and
explores the potential for, and perhaps need to, change our concepts of neutrality in the context of
cyberwar as information technologies change warfare as it was previously practiced.
War is “a condition of armed hostility between States,” (Hyde 1945, p. 1686. Cited in Elsea &
Grimmett 2007, p. 23) or “a contention, through the use of armed force, between states, undertaken
for the purpose of overpowering another.” (von Glahn 1992. p. 669. Cited in Elsea & Grimmett 2007,
p. 23) War is “an armed conflict, or a state of belligerence, between two factions, states, nations,
coalitions or combinations thereof. Hostilities between the opponents may be initiated with or without
a formal declaration by any of the parties that a state of war exists.” (Dupuy, p. 261) Marcus Tullius
Cicero (106-43 BCE) famously said in an oration, Pro Tito Annio Milone ad iudicem oratio (Pro
Milone), in defense of Titus Annius Milo, who had been accused of murdering Publius Clodius
Pulcher, a political enemy, “Silent enim leges inter arma” (the law is silent in times of war), (Clark
1907) but his assertion wasn’t true in antiquity, and isn’t true today.
Except in limited conditions, war was made illegal by the Charter of the United Nations, which is a
treaty among the world’s nations signed in the aftermath of World War II, a terrible conflict in which
some fifty million (perhaps as many as eighty million) died worldwide. (White 2005) Article 2(4) of the
Charter provides that, “All Members shall refrain in their international relations from the threat or use
of force against the territorial integrity or political independence of any state, or in any other manner
inconsistent with the Purposes of the United Nations.” However, Article 51 makes use of military force
is permissible in self-defense, and Article 42 makes military force permissible if authorized by the
Security Council.
When military force is used, its use is subject to other treaties that limit the nature and extent of force
that may be employed in achieving military objectives. Philosophers, statesmen and military
221

Julie Ryan and Daniel Ryan
commanders have struggled to balance the destructive forces of armed combat with national and
international humanitarian concerns, (Kolb 1997, n. 3) leading to the twin concepts of jus ad bellum —
“the conditions under which belligerents might justly resort to the use of armed force as a means of
conflict resolution” (Hensel 2008, p. 5) — and jus in bello —“the conditions for the just employment of
armed force at the strategic, operational and tactical levels during periods of armed hostilities” (Hensel
2008, p. 5) — that together comprise the notions of just war. The notion of jus in bello (“justice in war”)
was known to Sun Tzu in 4 th century BCE China. (Giles) Even, so, the concept of jus in bello was
more slow to develop than jus ad bellum. In addition to the United Nations Charter, limitations on the
use of military force include inter alia the Geneva Conventions and Protocols, and the Hague
Conventions.
2. Cyberwar
As human beings have moved into cyberspace, they have begun to engage in all the usual types of
human behavior, good and bad, allowed by the technology: communicating, working, contracting,
playing, and socializing, as well as stealing, breaching contracts, engaging in tortious behavior, and
invading other users’ privacy. Now, nation-states are looking at cyberspace as place to conduct
warfare operations, and terrorists are examining the possibilities inherent in asymmetric attacks
through cyberspace on critical infrastructures.
The “nature” of cyberspace, however, differs in significant ways from the physical, electrical, chemical,
and photonic properties of “real” space. Communications across the Internet take the form of packets
containing addressing and administrative data as well as the intended bits being exchanged. ("What is
a packet?") The paths taken by packets exchanged across the Internet are under the control of
algorithms within the switches that relay the packets. (Tyson 2001) The paths are neither known to
nor controllable by the users of the network.
Traditional approaches developed in real space for responding to misbehavior are hampered in
cyberspace by difficulties in attribution, and only a loose correlation exists between “location” in
cyberspace and location of users and cyber equipment within traditional legal jurisdictions. These
realities will certainly impact the development of weapons, strategies, doctrines and tactics for use in
cyberwar and countering cyberterrorism. Nevertheless, nations will undoubtedly seek to exercise and
enhance national power by means of information operations in cyberspace, and the laws of armed
conflict that have served civilized nations well in real space must be examined to determine how they
can be used, and if they must be changed, to meet the realities of cyberwar and cyberterrorism. This
paper will specifically address the legal issues associated with nation-state neutrality as applicable to
these new realities.
3. Neutrality during periods of belligerency
“Neutrality” refers to concepts in customary international law and treaty law concerning the nonparticipation
of some nations in warfare when a state of belligerency exists among other nations. The
laws of neutrality presuppose the coexistence of war and peace – belligerents and their allies at war
with other belligerents and their allies, while diplomacy, commerce, communications and so forth
continue with and among nations not involved in the belligerencies, both neutral states with other
neutral nations and neutral states with the belligerents. (Neff 2000, p. 1. Cited by Kelsey 2008, p.
1442) Neutrality is a “legal, temporary situation of one state in relation to a conflict between two or
more states. Neutrality consists in not participating directly in the war, through not rendering
assistance to any belligerent party.” (Osmanczyk & Mango 2004, A-F, p. 1547) It may be manifested
by unilateral declaration or by entry into bilateral or multilateral treaties. Grotius identified two rules for
neutrals: (1) neutrals should neither strengthen the position of a belligerent power with an unjust
cause, nor hinder the position of a belligerent with a just cause, (Book III, Chapter XVII (III)(1))and (2)
warring parties should be treated alike when the cause of the war is in doubt. (Book III, Chapter XVII
(III)(1))
Even before the second half of the 19th century when the laws of war began to be
codified in multilateral treaties, some principles relating to the conduct of armed hostilities
had been included in bilateral treaties.... The rights and duties of neutrality in war,
especially at sea, have been addressed in a large number of bilateral treaties between
states from at least the early 17th century. [Footnote 12: W. E. Hall, The Rights and
Duties of Neutrals, Longman's Green, London, 1874, pages 27-46, in a chapter
surveying the growth of the law affecting belligerent and neutral states to the end of the
222

Julie Ryan and Daniel Ryan
18th century, refers to "innumerable treaties" relating to neutrality that were concluded
over several centuries (page 28).] Sometimes, following the conclusion of a bilateral
treaty on neutrality, additional states proceeded [sic] to it. [Footnote 13: For example, on
February 27, 1801 Denmark ceded to the convention between Russia and Sweden for
the Reestablishment of an Armed Neutrality, which had been signed on 16 December
1800. 55 CTS (1799-1801) 411-24.] (Roberts & Guelff 1982, p. 4)
The law of neutrality was eventually codified in the Hague Conventions of 1907, including No. 3,
Convention Relative to the Opening of Hostilities (requiring notice to neutrals of a state of war); No.
11, Convention Relative to Certain Restrictions with Regard to the Exercise of the Right of Capture in
Naval War; and especially No. 5, Convention Respecting Rights and Duties of Neutral Powers and
Persons in Case of War on Land. (The Avalon Project)
Having assumed a position of neutrality, a nation must not allow transit of military forces or equipment
by belligerents across its land territory or the airspace above its land territory. The rules with respect
to belligerent naval vessels, and aircraft flying over a neutral’s territorial waters and exclusive
economic zones, are more complicated. The notion of transit passage applies to “straits which are
used for international navigation between one part of the high seas or an exclusive economic zone
and another part of the high seas or an exclusive economic zone.” (UNCLOS 1982, Art. 37) Ships and
aircraft operated by belligerent nations may transit the territorial waters of a neutral state “solely for
the purpose of continuous and expeditious transit of the strait . . . .” (UNCLOS 1982, Art. 38) During
transit passage, ships and aircraft must: “proceed without delay . . ., refrain from any threat or use of
force against the sovereignty, territorial integrity or political independence of States bordering the
strait . . ., and refrain from any activities other than those incident to their normal modes of continuous
and expeditious transit unless rendered necessary by force majeure or by distress.” (UNCLOS 1982,
Art. 39)
The notion of innocent passage applies to passage through the territorial waters of a neutral state and
is permitted “so long as it is not prejudicial to the peace, good order or security of the coastal State.”
(UNCLOS 1982, Art. 19) Passage is not innocent if it involves “any threat or use of force against the
sovereignty, territorial integrity or political independence of the coastal State . . ., any exercise or
practice with weapons of any kind, . . . any act of propaganda aimed at affecting the defence or
security of the coastal State, . . . the launching, landing or taking on board of any aircraft [or] military
device, [or] any act aimed at interfering with any systems of communication or any other facilities or
installations of the coastal State.”(UNCLOS 1982, Art. 19)
Once a state decides on a position of neutrality, it must take steps to prevent its territory
from becoming a base for military operations of a belligerent. It must prevent the
recruiting of military personnel, the organizing of military expeditions, and the
constructing, outfitting, commissioning, and arming of warships for belligerent use. A
neutral state is under no obligation to prevent private persons or companies from
advancing credits or selling commodities to belligerents. Such sales are not illegal under
the international law of neutrality. A neutral state may, if it chooses, go beyond the
requirements of international law by placing an embargo upon some or all sales or
credits to belligerents by its nationals. If it does so, it has the obligation to see that
legislation, commonly referred to as neutrality laws, is applied impartially to all
belligerents. Once enacted, neutrality laws are not to be modified in ways that would
advantage one party in the war. (Neutrality 2008)
There is a limited communications exception in the law of neutrality for communications by
belligerents and their allies across the land territory of neutral states. Hague Convention V, Article 8,
provides, “A neutral Power is not called upon to forbid or restrict the use on behalf of the belligerents
of telegraph or telephone cables or of wireless telegraphy apparatus belonging to it or to companies
or private individuals.” The Internet did not exist when the Hague Conventions were written, of course,
but arguably this exception applies to Internet communications as well as telegraph and telephone
communications. The nature and scope of this exemption is a key issue for neutrality in the context of
cyberspace.
4. Neutrality in the context of cyberwar
When Hague V(8) was written, communications across the territory of a neutral nation via telegraph or
telephone cables, or by wireless telegraphy, might have involved passing a variety of types of
information. Command and control information might have been passed, for example, or intelligence
223

Julie Ryan and Daniel Ryan
or targeting information. Assuming that military units knew their own locations (not, necessarily, a
reasonable assumption in those days), unit locations may have been reported. In short, information
useful in prosecuting the belligerency, if it could be reduced to textual or numeric form suitable for
transmission across the communications systems in use at that time, could be transmitted without
imposing a burden on the neutral state to recognize or interdict the transmission. Some information
may have been encoded or enciphered, and transmission would have necessarily been slow by
today’s standards, but fast relative to other media and transmission capabilities available at the time
(foot, horseback, railroad, ship). (Lail 2002, p. 4)
Fast forward to the twenty-first century, and the ability to pass useful information across the Internet is
much enhanced. Now not just text and numbers may be communicated, but sound to at least the
level of voice recognition, imagery including high-quality color pictures, and measurement and
telemetry data, such as GPS data, can be communicated quickly and easily across the Internet.
Perhaps more importantly, tools and even weapons themselves, perhaps in the form of malware, can
be moved across the territory of neutrals and belligerents alike using the Internet. Those engaged in
such Internet communications do not and, for the most part cannot, know the path the packets
comprising their communications will take, much less can they control the path. In fact, some of the
packets may take different paths from other packets that are part of the same transmission, all
transparent to and beyond the control of those engaged in the communication.
Historically, warfare has involved the use of kinetic weapons (e.g. projectiles) to kill and destroy.
Modern warfare continues to use kinetic weapons, but may also use energy weapons – lasers, for
example; but note that Protocol IV of the 1980 Convention on Certain Conventional Weapons
specifically outlaws the use of blinding lasers – or may use logic weapons to attack and defend cyberdependent
infrastructures. In a modern warfare, information operations may be used in connection
with kinetic operations (as in the confrontation between Russia and Georgia in 2008), (Tikk 2010, p.
66ff) or can be used without ancillary kinetic operations (as in the confrontation between Russia and
Estonia in 2007). (Tikk 2010, p. 14ff) It is highly probable that we will never again see kinetic
operations of any great extent without a cyber component. Whether information operations among
nation-states without “armed conflict” will be deemed to be warfare probably depends upon the level
of destruction realized. (Article 51 of the United Nations Charter uses the expression “armed attack” to
justify war in self-defense by nation-states. However, the expression is not defined. It is not clear that
it is proper, or desirable, to view a purely cyber incident as an armed attack. See Wingfield 2006, p.
12. See also Sullivan 2010) Information operations among, between or with non-nation-states cannot,
by definition, be war, regardless of the level of destruction attained or the used of uniformed military
personnel by one side or another and despite the common misuse of the term in referring to conflicts
that are not between or among nation-states, as in “the global war on terror” (Rumsfeld Memo 16
October 2003) or the “war on drugs.” (Testimony of OMB Director Nussle)
While belligerents’ use of networks that cross a neutral’s territory can take place without violating the
neutrality status of the nations through whose territory the communications pass, Hague V(8) arguably
did not foresee that that use might include weapons. The rules concerning neutrality require that
passage of weapons or other military materials and equipment across the territory of a neutral must
be interdicted by the neutral state, and if it fails to do so, or is unable to do so, the belligerents against
whom the weapons or materials are to be used have a legal right to attack the transfer. (Brown 2006,
p. 210) Hague V(1) forbids land transfers and Hague V(2) forbids use of the atmosphere. Some
analysts have, therefore, concluded that cyberwar is not permitted under current neutrality law without
a likely violation of the claimed neutrality. (Kelsey2008, pp. 1441-6) They recommend changes to
bring the law into conformance with the reality of Internet transfers. (Kelsey 2008, pp. 1448-9) One
recommendation would focus on intent: the rules of neutrality would not be violated unless the
belligerent intended to use the information infrastructure of the neutral to deliver the weapons. The
neutral would not have to interdict an unintentional passage, and would not be subject to attack by the
other side based on an unintentional crossing of its territory by the cyber weapons. (Kelsey 2008, pp.
1448-9) This approach seems hopeless to us. The neutral probably has no knowledge that weapons
are passing across its territory, could realistically do nothing if it did know, and has even less access
to knowledge of the belligerent’s intent with respect to the crossing.
However, there is an alternative approach to framing the problem and it’s solution. Extra-atmospheric
movements of weapons (other than nuclear weapons) and military materials above the territory of
neutrals is permitted without imposing a duty on the neutral to interdict. The United Nations adopted a
224

Julie Ryan and Daniel Ryan
“Declaration of Legal Principles Governing the Activities of States in the Exploration and Use of Outer
Space” in 1963 (Wolter 2003, p. 4) The Declaration has since been supplemented by three
resolutions laying down the legal principles applicable to the exploration and exploitation of outer
space, a “Declaration on International Cooperation in the Exploration and Use of Outer Space for the
Benefit and in the Interest of All States, Taking into Particular Account the Needs of Developing
Countries,” and five treaties and agreements governing the use of space and space-related activities.
(United Nations Treaties and Principles on Space Law ) These treaties, agreements and principles
are collectively known as the “United Nations Treaties and Principles in Outer Space.” Nuclear
weapons are forbidden, but other weapons (kinetic weapons, lasers) are permitted. (Although nuclear
weapons are banned, it is recognized that some uses of nuclear power are needed in space, the
Treaties and Principles provide for safety in its use, mitigation of risks, and liability for states that fail to
control the nuclear power or its sources.)
The very nature of outer space is such that spacecraft do not have the same ability to control their
flight paths that aircraft operating within the atmosphere have, (Braeunig 1997-2008) and the cost of a
space program that could interdict is large, (Fox 2007) so a rule requiring interdiction of belligerents’
weapons in space by the neutral does not make sense. Spacecraft and satellites in orbit pass above
both belligerents and neutrals and cannot avoid doing so, being subject to the laws of celestial
mechanics. Accordingly, the notions of territorial control that apply in the laws of the sea and the
regulation of aircraft, cannot apply in outer space. If neutrals were required to exercise control over
the use of outer space in the same way they exercise control over air traffic in the skies above their
territories, it would be practically impossible to maintain neutrality at all.
Similarly, recognizing the impossibility of neutrals interdicting belligerent Internet use of the neutral’s
information infrastructure without prohibitive costs or unacceptable consequences for the neutral’s licit
use of its own infrastructure: "a state may not be able to prevent [cyber] attacks from leaving its
jurisdiction unless it severs all connections with computer systems in other states." (Brown 2006, p.
210) This indicates that the appropriate rule for Internet use is more like the rule for space than the
rule for air or land traffic, even when the use involves cyber weapons or information useful to the
belligerent for military purposes (telemetry, GPS, weather data, etc.). Such acceptable use would, of
course, apply to all belligerents, because the rules of neutrality prohibit the neutral state favoring one
side in any way over the other side. (Brown 2006, p. 211)
5. Conclusion
Phillip Jessup, in 1936, concluded, "There is nothing new about revising neutrality; it has undergone
an almost constant process of revision in detail." (Jessup 1935-6, p. 156. Cited in Walker 2000, p.
109) With the advent of cyberwar, rules governing neutrality during periods of belligerency need to be
reconsidered and revised yet again. The realities of the Internet age mean that weapons as well as
information can move across communications networks in ways that were not possible or foreseeable
during the earlier evolution of the laws of war and neutrality. Yet the paths that those weapons will
take as they traverse the Internet on the way to their intended targets are beyond the knowledge or
control of the belligerents that launch them. Detection, identification and interdiction by neutrals
across whose territories the weapons may pass are impractical without sacrificing the utility of the
networks for licit use by the neutrals and others, hence impossible.
However, it is the only the details of the rules of neutrality that must change. Neutrals will not be
required to do what they cannot do, and will not be subject to attack when they do not detect, identify
and interdict the flow of weapons through their information infrastructures. The key principle of
neutrality requiring that neutrals do not knowingly and willingly participate in the belligerency, or favor
one side over the other, can and must be retained.
Disclaimer: Opinions expressed in this paper are those of the authors and do not represent positions
of George Washington University, or of the Information Resources Management College, the National
Defense University, the Department of Defense, or the United States Government.
References
The Avalon Project: Documents in Law, History and Diplomacy. Yale Law School, Lillian Goldman Law Library.
http://avalon.law.yale.edu/default.asp.
Boot, Max (2006) War Made New: Technology, Warfare, and the Course of History, 1500 to Today. New York:
Gotham Books.
225

Julie Ryan and Daniel Ryan
Braeunig, Robert A. (1997-2008) Orbital Mechanics. http://www.braeunig.us/space/orbmech.htm.
Brown, Davis, A Proposal for an International Convention To Regulate the Use of Information Systems in Armed
Conflict, 47 Harv. Int'l L.J. 179 (2006).
Clark, A. C. (1907) Q. Asconii Pediani Orationum Ciceronis Quinque Enarratio.
http://www.attalus.org/latin/asconius2.html#Milo.
Dupuy, Trevor N. et al. eds. (2003) Dictionary of Military Terms, 2 nd Ed. New York: H.W. Wilson.
Elsea, Jennifer K. & Grimmett, Richard F. (2007) Declarations of War and Authorizations for the Use of Military
Force: Historical Background and Legal Implications. Washington, DC: Congretional Research Service
RL31133. http://www.fas.org/sgp/crs/natsec/RL31133.pdf.
Fox, Bernard et al. (2007) Guidelines and Metrics for Assessing Space System Cost Estimates. Santa Monica,
CA: Rand Corporation. http://www.rand.org/pubs/technical_reports/2008/RAND_TR418.pdf.
The Gale Group, Inc. (2008) West's Encyclopedia of American Law, Edition 2. Farmington Hills, MI: Thomson
Gale. http://legal-dictionary.thefreedictionary.com/neutrality.
Gat, Azar (2006) War in Human Civilization. Oxford: Oxford University Press.
Giles, Lionel (1910) Sun Tzu on the Art of War. http://www.chinapage.com/sunzi-e.html.
Grotius, Hugo (1925) Du Jure Belli ac Pacis [Of the Law of War and Peace]
Libri Tres. Oxford: Clarendon Press. [Reproduced as a Special Edition (1984) Birmiingham, AL: Legal Classics
Library.] In particular, see Chapter XVII: On Those Who Are of Neither Side in War.
Hall, W. E. (1874) The Rights and Duties of Neutrals, Longman's Green, London.
Hague Convention (V) respecting the Rights and Duties of Neutral Powers and Persons in Case of War on Land.
The Hague, 18 October 1907. http://www.icrc.org/ihl.nsf/FULL/200?OpenDocument.
Hensel, Howard M. (2008) Legitimate Use of Military Force. Surrey, UK:Ashgate Publishing Group.
Hyde, Charles C. (1945) International Law Chiefly as Interpreted and Applied by the
United States, Vol. 3. New York: Hachette Book Group USA (Little Brown & Co.).
International Humanitarian Law - Treaties & Documents by Date. International Committee of the Red Cross.
http://www.icrc.org/ihl.nsf/INTRO?OpenView.
Jessup, Phillip and Deák, Francis (1935-6) Neutrality, Its History, Economics and Law: Vol. IV Today and
Tomorrow. New York: Columbia University Press.
Johnson, Phillip A., et al. (May, 1999) An Assessment of International Legal Issues in Information Operations.
Washington, DC: Department of Defense Office of General Counsel.
Kastenberg, Jushua E. (2009) “Non-Intervention and Neutrality in Cyberspace: An Emerging Principle in the
National Practice of International Law.” 64 A.F. L. Rev. 43.
Keegan, John (1993) A History of Warfare. New York: Alfred A. Knopf.
Kelsey, Jeffrey T. G. (2008) “Hacking into International Humanitarian Law: The Principles of Distinction and
Neutrality in the Age of Cyber Warfare.” 106 Mich. L. Rev. 1427.
Lauterpacht, Hersch, Oppenheim's International Law (7th Ed., 1948) London: Longmans, Green & Co.
Kolb, Robert (1997) “Origin of the twin terms jus ad bellum/jus in bello,” International Review of the Red
Cross, No. 320, p.553-562. Online at
http://www.icrc.org/web/eng/siteeng0.nsf/iwplist163/d9dad4ee8533daefc1256b66005affef.
Lail, Benjamin (2002) Broadband Network and Device Security. Sydney: McGraw-Hill. http://books.mcgrawhill.com/downloads/products/0072194243/0072194243_ch01.pdf.
Neff, Stephen C. (2000) The Rights and Duties of Neutrals. Manchester, UK: Manchester University Press.
Neutrality. (2008) West's Encyclopedia of American Law, Edition 2. http://legaldictionary.thefreedictionary.com/neutrality.
Osmanczyk, Edmund Jan & Mango, Anthony (2004) Encyclopedia of the United Nations and International
Agreements. Florence, Kentucky: Routledge.
Roberts, Adam and Guelff, Richard (1982) Documents on the Laws of War, 3d Ed. Oxford: Oxford University
press.
“Rumsfeld Memo 16 October 2003” (2008) SourceWarch.
http://www.sourcewatch.org/index.php?title=Rumsfeld_Memo_16_October_2003
Sullivan, Bob (2010) “Could Cyber Skirmish Lead U. S. to War?” http://redtape.msnbc.com/2010/06/imagine-thisscenario-estonia-a-nato-member-is-cut-off-from-the-internet-by-cyber-attackers-who-besiege-the-countrysbandw.html
“Testimony of OMB Director Nussle” (2008) The White House.
http://www.whitehouse.gov/omb/legislative_testimony_director_nussle_021308
Tikk, Eneken et al. (2010) International Cyber Incidents: Legal Considerations. Tallinn: Cooperative Cyber
defence Center of Excellence.
Tyson, Jeff. (April 3, 2001) "How Internet Infrastructure Works" HowStuffWorks.com.
http://computer.howstuffworks.com/internet/basics/internet-infrastructure.htm
United Nations Convention on the Law of the Sea (UNCLOS), (1982)
http://www.un.org/Depts/los/convention_agreements/convention_overview_convention.htm.
United Nations Convention on Prohibitions or Restrictions on the Use of Certain Conventional Weapons Which
May Be Deemed to Be Excessively Injurious or to Have Indiscriminate Effects, Protocol IV (1980).
http://www.un.org/millennium/law/xxvi-18-19.htm.
United Nations Treaties and Principles on Space Law (2010)
http://www.unoosa.org/oosa/en/SpaceLaw/treaties.html
226

Julie Ryan and Daniel Ryan
von Glahn, Gerhard (1992) Law Among Nations: An Introduction to Public International Law (6th ed.) New York:
Macmillan.
Walker, George K. (November, 2000) “Information Warfare and Neutrality.” 33 Vand. J. Transnat'l L. 1079.
"What is a packet?" (December 1, 2000) HowStuffWorks.com.
http://computer.howstuffworks.com/question525.htm
White, Matthew (2005) Source List and Detailed Death Tolls for the Twentieth Century Hemoclysm.
http://users.erols.com/mwhite28/warstat1.htm.
Wingfield, Thomas C. (2006) “When is a Cyberattack an ‘Armed Attack?’ Legal Thresholds for Distinguishing
Military Activities in Cyberspace.” Cyber Conflict Studies Association.
http://www.docstoc.com/docs/445063/when-is-a-cyberconflict-an-armed-conflict
Wolter, Detlev (2003) Common Security in Outer Space and International Law: A European Perspective.
(Geneva: United Nations, UNIDIR/2005/29, 2006)
227

Labelling: Security in Information Management and
Sharing
Harm Schotanus, Tim Hartog, Hiddo Hut and Daniel Boonstra
TNO Information and Communication Technology, Delft, The Netherlands
Harm.schotanus@tno.nl
Tim.hartog@tno.nl
Hiddo.hut@tno.nl
Daniel.boonstra@tno.nl
Abstract: Military communication infrastructures are often deployed as stand-alone information systems
operating at the System High mode. Network-Enabled Capabilities (NEC) and combined military operations lead
to new requirements for information management and sharing which current communication architectures cannot
deliver. This paper informs information architects and security specialists about an incremental approach
introducing labelling of documents by users to facilitate information management and sharing in security related
military scenarios.
Keywords: labelling, meta-information, information security, cross-domain solutions, information sharing, needto-protect,
duty-to-share
1. Introduction
This paper presents an overview of the steps to develop a meta-information capability. First, it
presents a broad overview on what meta-information and labelling is and how it can be applied. Then
it focuses on one specific security application of labelling which is secure information exchange, i.e.
selective and regulated information sharing, based on meta-information. We also present a possible
roadmap for implementing a secure information sharing capability based on meta-information. The
purpose of this roadmap is to analyse what ‘ingredients’ are required for implementing such a
capability, i.e. the problems we have identified and the technology that is necessary to solve these
problems.
The importance of sharing information in networked military operations, especially coalition networks,
is commonly recognised. An important driver for future communication architectures is (NATO)
Network-Enabled Capabilities (NNEC)(Buckman 2005). The integrated and coordinated deployment
of all capabilities within a coalition is the central goal relying heavily upon regulated information
sharing (Schotanus 2009)(Martis 2006). Better integrated communication architecture contributes to
sharing of relevant military information by making it easier and quicker. But how does confidentiality fit
into this picture? What if a coalition partner does not want to share specific information because
sharing poses a bigger risk for them or for the mission than not sharing or vice versa? Which methods
are available to differentiate between information to-be-shared and information not-to-be-shared? The
primary objective is that the owner of the information remains in control of that information.
Relevant information produced during military coalition operations usually does not originate from a
single partner but is the result of multiple partners working together using some form of online or
offline shared information mechanism like documents distributed via e-mail or digital photos shared
via situational awareness applications. Information is nowadays typically divided amongst the coalition
partners, each creating a separate information domain in which the information is stored and
processed. Such an information domain is usually a standalone network. Transferring information
from one domain is handled often by out-of-band means That may cause more problems than it
solves as there is little control over the information exchange. Connecting these different domains is a
step that is currently taken, but also leads to many problems. Not in the least because of different
responsibilities for each of these domains. Information sharing without compromising the
confidentiality is a problem that has to be solved by choosing an information management strategy
that is based on the ability to regulate the sharing of information and that cannot be addressed by
infrastructural solutions. In essence, this is caused by the inability of the infrastructure to determine
the value of the information and hence it cannot enforce decisions about whether information can or
cannot be shared with the intended partner.
228

Harm Schotanus et al.
In the remainder of this paper we will often use the term information domain. This is defined as a
collection of information under one responsibility (e.g. a nation, or organisation) that operates for a
single purpose (e.g. a mission) and has a single security policy.
2. Meta-information and labelling
A new information management strategy could be based on mechanisms that make decisions based
on meta-information instead of on the information itself. By adding relevant meta-information, the user
can effectively control on what conditions information can be released.
Meta-data or meta-information is information about information. For example, a military security
marking (such as NATO SECRET) on the top and bottom of each page of a document is a form of
meta-information because it conveys the classification of the document, in other words it is (security
specific) meta-information about other information. To enable regulated sharing of information
between different information domains or with partners in a coalition, meta-information can be used to
describe certain properties of information objects. These properties can be used to enforce decisions
in a release mechanism whether information should or should not be shared. The meta-information is
often called a label, and the process of creating a label is called labelling. This reflects two important
concepts:
Sharing information between coalition partners presumes a way of deciding whether a specific
information object may or may not be shared.
For each information object a set of properties can be determined that can form a basis decision
process for sharing information.
The crucial concept in our labelling approach is that we separate the logic to enforce decisions from
the intelligence to determine the properties of the information. This means we can reduce the
complexity of the decision making process.
2.1 Examples of meta-information
The use of properties of the information in addition to the original information, creates new
possibilities. If information objects such as files carry meta-information, for example the type-of-file
(presentation, document or image), file extension (ppt, doc, pdf, jpg), author, security marking, timeof-creation,
then these meta-information properties can be used for making decisions in several
scenarios [see Figure 1].
Figure 1: Examples of information with their meta-information
Because our aim is to both facilitate regulated sharing mechanisms and to present the power and
flexibility of meta-information, we categorised these new possibilities in two categories: use cases
within a single information domain and use cases in federated information domains.
Many software applications already store meta-information within information objects. Image files for
example carry resolution information while photos carry the camera manufacturer and model that was
used to take the photo. One problem with proprietary file formats and closed-source applications (e.g.
Microsoft Word) is that the meta-information cannot be easily accessed outside the native software
application because the file is a black box. A second problem is that each file format will have its own
approach to storing meta-information. That implies that a labelling solution has to be adjusted for
every format. A solution for this problem is an application-independent approach where information is
stored in a separate object. Storing meta-information separately from information objects in a
standardised format also improves the flexibility to work with meta-information without having to
depend on the knowledge of the file format or implementation in software.
In certain use-case scenarios where third parties need to process another one’s meta-data, a
standardized specification for conveying the meta-data is needed. NATO has proposed a standard
based on XML labelling (Eggen 2010)(Oudkerk 2010). On september 1 st 2009 POWDER (Protocol for
Web Description Resources) became a W3C recommendation (POWDER 2009). The POWDER suite
229

Harm Schotanus et al.
facilitates the publication of descriptions of (multiple) resources. The goal of the POWDER working
group has been to develop a mechanism that allows not only the provision of descriptions but also a
way to apply them to groups of (online) resources and for the authentication of those descriptions in
relation to establishing a trust level of those descriptions.
2.2 Possibilities of meta-information within a single network
2.2.1 Information Lifecycle Management
Information Lifecycle Management is about the different lifecycle phases that information can go
through, from the creation of information, via different manipulations or updates to the deletion of
information or at least archiving the information for future reference. Easy accessible meta-information
can facilitate Information Lifecycle Management and create new possibilities. For example, with more
meta-information available, information objects could also be archived for different reasons. For
example archive every file that was created by ‘Danielle Zeeg’ because she no longer works at the
company or archive every information object that has been tagged as ‘SFOR’ because that mission
has ended.
Similar to the archiving scenario aiding users or administrators in searching for information can also
benefit from having more meta-information available. For instance search all information objects that
carry file extension ‘pdf’ and are created in 2010 and have been authored by ‘Kees de Witte’ and have
been tagged with ‘SFOR’.
2.2.2 Integrity protection
It is also possible to embed integrity protection capabilities in meta-information. For example by
creating a digital signature of the information, the signature can later be used to verify information has
been changed or validate who created it. This kind of meta-information helps to protect information as
any modifications to the information can be detected. If meta-information were to include integrity
protection then users or administrators could for example find all data objects that were modified after
the meta-information was generated. Another possibility would be to establish the trustworthiness of
information by distinguishing between data objects that do or do not have integrity protection
embedded in their meta-information.
Meta-information can also be used for identification purposes. For example meta-information
containing the type, manufacturer, location or capability of a specific hardware sensor deployed in the
field can be used to select certain sensor feeds, i.e. select feeds of all sensors of type audio-sensor,
or select feeds of all sensors that are located within a one-kilometre radius of GPS coordinate with
latitude 50.84064 and longitude 4.35498.
2.3 Possibilities of meta-information in a federated domain
The different types of meta-information discussed in the previous paragraph may also be used in
federated context. Not only to regulate information flows between different domains, but as we shall
see, may have other possibilities too.
Although sharing information may be a main means of NNEC, not all information has to be shared. It
may not be relevant or useful, or it cannot be shared due to limitations other than security. In other
words we must be able to make intelligent decisions on which information is eligible for sharing. For
example one may wish to share a photo but due to bandwidth constraint it is only possible to share it
in a resolution lower than 800x600 pixels. Software may then be used to automatically scale the photo
if it is too large. Another example is to share all recent information objects for which the author is “Jan
de Bruin” because he is one of the planners of an important and complex mission. Many more
examples can be conceived from operational needs, such as: share feeds from sensors from a certain
type like audio only, share images and videos made within a certain range of a GPS location to a
team on a reconnaissance mission or based on keywords selecting which information is sent to such
a mission. Or determine the communication system to use based on an urgency statement in a
document. Depending on the granularity and type of the meta-information the possibilities are virtually
endless.
230

Harm Schotanus et al.
2.3.1 Secure labelled release
Meta-information can also be used to protect, i.e. ensure that information is not shared. For example
do not share objects for which the meta-information says that the creation date is the current month.
Or do not share videos with a resolution higher than 640x480. Or do not share presentation files
which are classified ‘NATO CONFIDENTIAL’ or higher. We address a specific case where criteria that
are suitable for determining the releasability to another domain are carried in meta-information bound
to an information object as secure labelled release.
2.3.2 Dissemination of release information
Somewhere in the middle of duty-to-share and duty-to-protect is the usage to include metainformation
to inform the recipient about any restrictions or responsibilities when processing or resharing
the information. We address this by the moniker disseminating release information.
These developments are not without consequences or certain security challenges. Especially in the
areas of binding meta-information to information and protecting the integrity of (a) this binding, (b) the
information and (c) the meta-information has to be carefully designed. When meta-information is used
in a sharing mechanism and a user on a local workstation can create meta-information, then the
(integrity of the) workstation and its components become critical because an insecure or untrusted
operating system might trick a user into sharing the wrong information. The required level of
assurance depends largely on the level of security that needs to be attained but is also affected by the
specific application of meta-data.
There must also be a fundament to build the meta-information on, such as a system to store and
manage meta-information, retrieve the meta-information given the information itself or vice versa. And
there are many other related challenges in handling data, e.g. how to handle to conflicting sets of
meta-information, how can meta-information be revoked or changed, and so on. These issues need to
be addressed in an information management system 1 .
3. Labelling: An incremental approach
In the previous section we have seen that labelling has manifold purposes. The emphasis has mostly
been on secure labelled release for exchanging information across different security domains. We
propose an incremental approach in which partially related developments are tied together so that
functionality enabled by labelling can be realised step-by-step. This has two main advantages. One, it
will make the development process better organised and hence can be more efficient and costeffective.
Second, users and organisations can benefit from labelling directly because the new
functionality can be used as soon as the step is completed. This is also beneficial for the userexperience.
To achieve this incremental approach, a clear overview is needed of which steps must be taken to
realise each of the intermediate functionality whilst ensuring that the ultimate goal, which is also the
most complex, can still be reached. In this section we propose a plan to achieve the secure labelled
release in a series of smaller, incremental steps that add useful functionality to existing or new
processes. We distinguish four phases:
1. Information lifecycle management
2. Disseminating cross-domain information
3. Integrity protection
4. Secure labelled release.
3.1 Information lifecycle management
In this context, labelling functionality is used to improve information management within a single
information domain. A user may add additional meta-information to an information object, such as the
author, title, publication date, classification – the possibilities are virtually endless. This enables
various management functionality to be used on the document as discussed in Section 2, including
archiving, searching, and deleting information.
1
An information management system comprises more aspects than a content management system that is merely a container
to store and share information within a single domain.
231

Harm Schotanus et al.
The security requirements are minimal, as the binding between the document and the label is weak at
this point. Basically the label only needs to contain a reference to the original document. Within an
information domain, it could be used for enforcing need-to-know separation or communities of
interest. Figure 2 shows an abstraction of the functionality needed for this approach.
Labelling
application
Workstation
Labels and
documents
Information
management
system
Figure 2: Labelling for information lifecycle management purposes
Essentially, the architecture for this set-up contains only two main aspects:
An application that can create labels.
An information management system: an environment or system that can be used to store
information and labels together.
When a user creates information, the labelling application can be used to link several attributes to the
information. The information and the label will both be stored in the information management system
(IMS). The user may disseminate the information either through the IMS or by separate means. The
IMS can in the latter case be used to retrieve the label, when the information is presented.
3.2 Disseminating cross-domain information
We can extend the information lifecycle management functionality so that it is possible to inform a
recipient of information in another information domain about the way the information should be
treated; e.g. under what memorandum of understanding it is exchanged or what classification is
attached to the information. In this case when a user sends the information to a recipient, the label
with the necessary meta-information has to be sent as well. This purpose is mostly intended of
information-sharing across different information domains, where each information domain has the
same or a very similar security policy. The label here has an informative, procedural aim and does not
necessarily form a technical enforcement.
Labelling
application
Workstation
Labels and
documents
Document
Information
management
system
Figure 3: Labelling for disseminating cross-domain information
232
Label
Release
mechanism

Harm Schotanus et al.
In this setup we add a third element, namely the release mechanism. Essentially, the other elements
stay the same. This release mechanism has a two-fold purpose. The first is to verify that a suitable
label accompanies the information and if not, try to retrieve the label from the information
management system. The suitability is established by validating that all the necessary information is
present. The second purpose is the ability to translate an internal label to an external label. For
example certain elements may be removed from the document (such as the name of the author) or
other information may be added (e.g. the date of information exchange), or a different labelling
structure may be used for internal and external purposes 2 .
3.3 Integrity protection
The third step in extending the labelling architecture is to realise integrity protection of information.
Integrity protection refers to the means to establish whether a document is authentic or has been
changed. And as a secondary benefit, it may be established who assessed the authenticity.
The label has to be extended to include a secure binding to link the information and the label together,
in such a way that it can always be detected if an existing label is attached to other (different or
altered) information, or if the label content has been changed. Making a change to an information
object can be detected because that would result in a different object.
For the binding to be secure we need cryptographic support. A method, amongst others, of realising
this is through a PKI. A user has to use a private key to sign the binding in the label, which links the
binding also directly to the user. That is, it can easily be determined who created the label. To validate
the integrity of the document, the public key of the user that created the binding can be used to verify
the binding in the label. In case any changes have been made, the verification will fail.
Certificates
and CRL
Labelling
application
Trusted OS
Workstation
Labels and
documents
PKI
Document
Information
management
system
Label
Release
mechanism
and IEG
Figure 4: Labelling for integrity protection
For a high assurance environment 3 , we also need to ensure that the labelling process works correctly.
In other words we must have a level of assurance that the information the user actually labelled is the
correct information and has not been modified unbeknownst to the user during the process. We
cannot attain that level of assurance on a normal platform (operating system); therefore we need an
operating system or platform that can provide us the needed assurance. This has been named a
trusted operating system. Essentially, each step in the process of labelling must be carried out under
2 Note that the release mechanism does not comprise the entire interconnection here, there may be other elements needed too,
for instance cryptographic units or firewalls to ensure a secure connection.
3 For instance information domains which process highly classified information.
233

Harm Schotanus et al.
conditions that are guaranteed by the operating system, but on the other hand a user must also be
capable of performing his regular tasks on the same platform. We see opportunities to establish this
based on a virtualisation layer on top of a minimal, but trusted core operating system. One virtual
machine will comprise normal functionality and a second will form the labelling application with strict
limitations, this concept is further elaborated upon in (Verkoelen 2010).
An architecture of a workstation that is suitable for creating labels in a trusted manner, is shown in
Figure 5 (Hartog 2010). In essence, this is a virtualisation platform with two virtual machines. One is
used as a workstation with the common applications. The other is used specifically for labelling which
is focussed on binding a label to a given information object in such a way that the process cannot be
disrupted and assurance can be given that only the provided information object is labelled and
nothing else. The information to be labelled has to be exported from the generic to the specific virtual
machine where a label can be created. Then the label can be transferred back to the workstation.
Workstation
Desktop
Labelling
High Assurance
Platform
Hardware
Figure 5: Architecture of a workstation for trusted labelling
The needed level of assurance is created by a high assurance platform. The core component
therefore can be a separation kernel (Rushby 1981)(Information Assurance Directorate 2007), which
is in control of all resources in the system and all communication between the virtual machines. The
virtualisation is layered on top of the HAP. In certain cases with high assurance requirements, specific
hardware requirements may have to be used, but mostly it can be based on generic hardware.
3.4 Secure labelled release
The final objective of this incremental approach is the secure labelled release. The label can then be
used to validate the suitability of exchanging a document across different security domains where the
security policies of the domains may be different. The suitability is determined by different metainformation
stored in a protected label. This could for example refer to the classification of the
information in the document, but may also refer to capabilities of the source of the information
(Smulders 2010),such as the quality of the camera used to take an aerial photograph, or the range of
radar. And of course combinations are also possible. The validation takes place at the border of the
information domain. The label is intended for internal usage, and does not have to be included after
the information has been released. However, it is also a possibility to translate the label to use as in
the case of “Disseminating release information”.
To extend the integrity protection set-up to a full secure labelled release setup we have to add an
extended release mechanism. This extension is twofold. In the first place the release mechanism
must be capable of integrating with the PKI to validate the authenticity of the label and match it
against the document. The release mechanism has to validate the certificate of the user that created
234

Harm Schotanus et al.
the label (by way of for example a CRL) and ascertain the integrity of the document so that it can be
established that the label matches the document and the label is valid.
Labelling
application
Trusted OS
Certificates
and CRL
Workstation
Labels and
documents
PKI
Document
Information
management
system
Label
CRL
Release
mechanism
Trusted OS
Figure 6: Secure labelled release
In the second place, since the release mechanism is now a security device that mediates between
different security domains, it is necessary to raise the assurance of the correct behaviour of this
platform. Therefore it is necessary to introduce a trusted platform for this element as well. In contrast
to what is needed on the workstation, this system is dedicated to a single task and hence, the
operating system only has to ascertain the correct working of that platform and thus this is a different
form of a trusted OS.
To determine whether the document is suitable for release the contents of the label have to be
matched against a policy; each of the criteria in the label may affect the decision of the release
mechanism. A simplified policy could for example be “all documents with a classification of
Unclassified or NATO Restricted may be released”; and “all images with a resolution less than
800×600 may be released”. A real policy may actually be quite complex to establish. Important issues
are establishing the completeness and consistency of the release policy.
3.5 Functional building blocks
This chapter has shown four situations in which meta-information encapsulated in a label added
useful functionality to existing or new processes. For these different applications we have shown the
necessary functional building blocks needed to realise them. This section provides an overview of the
relation between the different applications and functional building blocks and also shows the essential
components within each functional building block.
Figure 7 provides an overview of the relation between the different applications and functional building
blocks. From the left to the right the figure describes an incremental approach to obtain more complex
application functionality with the use of the functional building blocks discussed in Section 3. We
distinguish four basic building blocks:
A labelling mechanism that can be used to construct meta-information.
A release mechanism that controls under which conditions information can be shared with other
domains.
A trusted OS to attain the required level of assurance.
A PKI to ascertain the binding between the label and the information object.
235

Labelling
Label creation
Information lifecycle
Management
Release mechanism
Labelling
Verification
Label translation
Label creation
Disseminate
release information
Harm Schotanus et al.
PKI
Labelling
Trusted OS
CA
Smartcard auth.
Certificate Valid
Secure binding
Label translation
Label creation
…
Secure login
HAP
Integrity
protection
PKI
Release mechanism
Labelling
Trusted OS
CA
Smartcard auth.
Certificate Valid
Certificate valid
Authorisation
Verification
Secure binding
Label translation
Label creation
…
Secure login
HAP
Secure labelled
release
Figure 7: An incremental approach to introduce labelling
Each functional building block can consist of several components which have to be implemented
depending on the functionality we require. When these requirements increase additional functional
building blocks are required and the complexity of the building blocks may increase as more
components are added. As such we have established an incremental approach in which we add
complexity in small steps but in the mean time we create new useful functionality.
The first basic step to use labelling is to implement a system which can create labels and utilise these
labels in an (existing or new) Information Management System to manage information. When all the
processes and procedures are in place and people are used to work with this new form of information
management it can be decided to extend the labelling with more functionality. A next step can be to
implement a release mechanism which can decide to translate internal labels into external labels and
share these labels with other domains. To ensure the integrity of the data-object and metadata-object
PKI and Trusted OS functionality can be added. At the end all four functional building blocks are in
place resulting in a “secure labelled release” application.
Each step goes along with other advantages such as reduced complexity, people have time to
experience and use new functionality, processes and procedures will change incremented and an
better acceptance of the functionality in the organisation.
4. Conclusion
Labelling is an important step to provide the technical means to realise a NEC environment and
implement a duty-to-share mechanism. Not only does it allow the sharing of information, it also
realises a basis so that the information owner can remain in control of which information is shared.
Creation of labels in itself is not a difficult process, nor is the validation of the correctness of such a
label. Most of the means for these are already in place e.g. in the form of PKI. Assurance is a totally
different criterion. To attain the right level it is vital to ascertain that the label is attached correctly to
the right information. Hence it requires many additional controls to achieve that certainty. Crucial in
that aspect is the choice of a platform as this is the basis for assurance.
Implementing labelling for a high security environment is a costly and long-term development. But in
the long run, it can also be a very useful technique to create a solution to exchange information
across different security domains. But on the short term, obtaining results is difficult. However,
encapsulating meta-data in a label can be useful for many other purposes as well. We argued that
236

Harm Schotanus et al.
these aspects can be combined to develop a labelling solution that in the end delivers a cross domain
solution, but in the mean time can be useful for several purposes. We have provided a proposition for
an incremental approach to create a cross domain solution.
By starting with labelling for information management purposes, we can quickly gain results as it can
make accessing the right information easier. This can be extended with limited effort to support a
method to exchange release information with other domains having a similar security policy. This way,
not only have we provided the technical basis for labelling, but also have we prepared the users to
work with labels and appreciate their purpose. The third step in this process can be to implement
integrity protection and this requires an elevation of the assurance of the label creation process. And
finally we reach a true cross domain solution if we elevate the assurance on the validation side as
well. It can be easily spotted nevertheless that careful planning and a solid overview of each individual
step as well as the whole is a necessity to reach the goal. On the other hand, implementing a cross
domain solution in one big step may be just a bridge too far.
5. Future work
The proposed means to realise a cross domain solution can be further extended with other
functionality. These require further research to determine feasibility and technical means to realise
them.
Fine-grained control over information, e.g. labels on individual chapters or paragraphs.
Automatic labelling of information; for instance information from sensors, such as radar or
cameras can be automatically labelled, depending on both the content as well as the capabilities
to generate the information.
Integration of applications and labelling, so that the user can control the process of labelling
(semi-)automatically from the applications.
Life cycle management of information, e.g. use of labels to express changes in the information.
Cross Domain Solutions; it can be a very useful technique to use different labels to exchange
information across different security domains. Based on a domain policy external labels can be
translated into an internal label which is understandable within the domain.
Methodology for policy development. A core concept of an automate release mechanism is
enforcing a policy; creating a usable policy is a complex task, hence a methodology to develop
based on all rules and agreements is needed to ensure the completeness and consistency.
6. References
Buckman, T. (2005) “Nato Network Enabled Capability Feasibility Study – Executive Summary”, [online] version
2.0, NC3A, http://www.dodccrp.org/files/nnec_fs_executive_summary_2.0_nu.pdf
Schotanus, H.A., Boonstra, D. and te Paske, B.J. (2009) “Information Labeling – Cross- Domain Solutions”,
Intercom Vereniging Officieren Verbindingsdienst, 38 th year, No. 2
Martis, E.R., et al. (2006) “Information Assurance : Trendanalysis”, TNO report TNO-D&V 2006 B312
Eggen, A., et al. (2010) “Binding of Metadata to Data Objects – A proposal for a NATO specification”, Norwegian
Defence Research Establishment (FFI) & NC3A
Hartog, T., Degen, A.J.G. and Schotanus, H.A. (2010) “High assurance platform for labelling solutions”, TNO
Information and Communication Technology
Rushby, J. (1981) “Design and Verification of Secure Systems”, ACM Operating Systems Review, Vol. 15, No. 5,
pp 12-21, http://www.csl.sri.com/papers/sosp81/sosp81.pdf
Smulders, A.C.M. (2010) “Rubriceren bottleneck voor informatiedeling”, Intercom Vereniging Officieren
Verbindingsdienst, 39 th year, No. 1, p 33-34
Verkoelen, C.A.A., et al. (2010) “Security shift in future network architectures”, information assurance and cyber
defence; NATO RTO IST 091
Information Assurance Directorate (2007), “U.S. Government Protection Profile for Separation Kernels in
Environments Requiring High Robustness”, version 1.03, http://www.niapccevs.org/pp/pp_skpp_hr_v1.03.pdf
Oudkerk, S., et al. (2010) “A Proposal for an XML Confidentiality Label Syntax and Binding of Metadata to Data
Objects”, information assurance and cyber defence, NATO RTO IST 091
W3C, POWDER: Protocol for Web Description Resources, 1 september 2009, http://www.w3.org/2007/powder/
237

Information Management Security for Inter-Organisational
Business Processes, Services and Collaboration
Maria Semmelrock-Picej 1 , Alfred Possegger 2 and Andreas Stopper 2
1
eBusiness Institute, Klagenfurt University, Austria
2
Infineon IT-Services GmbH Austria, Austria
Maria.Semmelrock-Picej@aau.at
Alfred.Possegger@infineon.com
Andreas.Stopper@infineon.com
Abstract: Web-based collaborations and cross-organizational processes typically require dynamic and contextbased
interactions between involved parties and services. Due to temporary nature of collaboration and an
evolving of competencies of involved companies over time security issues like trust, privacy and identity
management are of a high interest for a long lasting success of virtual collaborations This paper adresses this
issue by presenting some results of an international research project. The vision of this project is to implement a
virtual cooperation system for SMEs to be used for realizing competitive advantages through virtual cooperations.
The paper describes some results of this system. Especially we will discuss issues concerned with identity
management. Identity Federation is one of the key concepts of SPIKE to support “virtual organizations”, their fast
setup, comfortable maintenance and orderly closing. This paper describes the mechanisms from which
collaboration partners, registered at the SPIKE platform, will be authenticated by using a standardized identity
federation protocol – Shibboleth. It is shown how the identity data of a company, using its own IDMS, can be
integrated into the SPIKE platform and what a company has to setup from a technical point of view so that its
employees can be authenticated via Shibboleth. Further an approach is presented suitable for mostly SMEs
which do not have an own IDMS.
Keywords: eCollaboration, security, identity management, phases of cooperation
1. Introduction
Nowadays competition is no longer between single enterprises but among supply chains with numerous
actors. Effective supply chain management has therefore become a potentially valuable way of
securing a competitive advantage and improving organizational performance. Firms are seeking
synergistic combinations of resources and changing their roles and value positions through digital
collaborations (Klein, Rai and Straub 2007). However the understanding of the how and which areas
are most important for the success is still incomplete.
It has been noted in literature that information and communication technologies have a significant
impact on the economic situation and knowledge based activites in peripheral regions. Especially for
SMEs in the cross-border region Carinthia and Slovenia (Ziener 2010) identified a low rate of
internationalization, a small amount of crossborder supply chain networks and activities limited to
regional borders.
ICT support collaboration among people with different competencies and capabilities in virtual
collaborations (Mohrmann et al. 2003), facilitate knowledge access and sharing (Davenport and
Prusak 1998) and enable the codification and dissemination of explicit knowledge (Zack 1999). Virtual
collaboration also increases the knowledge about who knows what, enabling virtual joint work and
supporting easier and fast setup of short-term project based and loosely coupled chains among
participants. In doing so, studies have analyzed that a participation of small and medium sized
enterprises in eCollaboration environments could improve their situation in peripheral regions.
However, despite the general agreement on the positive impacts of virtual collaborations, detailed
micro level evidence on the preconditions and success is limited. Yet it has been analysed, that the
way SMEs interact in collaborative environments depends to a big extent on the security
functionalities and management which impact on almost all knowledge-related activities as a basic
precondition. In other words, existing work typically narrows to very specific processes or activities.
This contribution emphasizes the potential capability of ICTs and their fundamental role to create a
virtual dimension through which companies can share and create new knowledge at both tacit and
explicit level.
Companies have a serious privacy concern about how their information is used, disclosed and
protected and the degree of control they have over the dissemination of the information. Especially
238

Maria Semmelrock-Picej et al.
they are concerned about possible undesirable economic consequences resulting from a misuse of
such information. Indeed, many companies express concern about the privacy and identity
management and research suggests that identity management is of focal concern to companies.
Identity Management is a hot area, experiencing considerable growth and gets more and more one of
the challenging key disciplines an IT department of a midsize to large enterprise has to ise (Jackson
2010). It is not surprising because organizations, supply chains and customers have been tightly
connected together in digital networked economy. Another important aspect is that of identity theft
and misuse, leading to serious damages within enterprises and also in the Internet development.
The major contribution of this paper is in revealing and discussing the identitiy federation approach
that impact trust in collaborative environments. In doing so, this paper shows, based on the
standardized Shibboleth protocol, how the identity data of a company can be integrated, when taking
part in collaborations. The second contribution of this paper is in identifying the requirements of
smallest companies in this field. When talking about these issues in an enterprise context mostly midsize
to large enterprises are in the focus of consideration. This paper presents solutions which bridge
this gap by offering the necessary functionality also to smallest companies. These findings should
enhance very small companies to also start collaborating virtually.
2. The SPIKE project
2.1 Introduction
SPIKE as a virtual infrastructure aims at researching and implementing a virtual collaboration
platform. In order to reach these goals SPIKE’s security infrastructure is highly reliable and adaptive
and consists of the following layers (see next figure), (Semmelrock-Picej and Possegger 2010):
A: Network Enterprise Layer – at level A different companies offer their particular tacit and explicit
knowledge, expertise, resources and skills. All involved companies are characterized by a number
of criteria like strategic position, size of company, market, location, and so on.
B: Conceptual SPIKE Layer: The Service Mediatior of this layer combines all provided tangible
and intangible resources and coordinats them accordingly to the requirements of the market
which than form a new product (see figure 1 B).
Level B also consists of mapping instruments to assign involved companies and their services and
capabilities to the tasks of the business process. This layer particularly supports the selection,
orchestration, management and execution several kinds of services in a controlled way.
2.2 Security functions in SPIKE
In participating the SPIKE platform companies/users first name their identity. The system validates the
user’s claimed identity (authentication). Both steps precede access control which aims at preventing
unauthorized use of a resource as well as use of resources in an unauthorized way.
As identities in virtual cooperations are not anonymous trust and reputation mechanisms are the key
to success of open, dynamic and service oriented virtual collaborations as they lead to social trust of
involved persons in virtual cooperations and are therefore the best strategy to ensure virtual
cooperation. However, this trust is based on repeated interactions wich can be successful or fail.
Therefore a key aspect of our approach is the permanent process of the analysis and evaluation of
interactions which automatically determine trust.
In the last years trust has mostly been connected and analysed in combination with technical security
issues. Based on this several definitions has been developed (Josang, Ismail and Boyd 2007; Artz
and Gil 2007). For our discussion we understand trust more human centric which relies on previous
interactions and improves human collaboration supported with technical systems in a virtual environment.
For this communication is the basis for directly influencing trust between individuals in business
collaborations (Economist 2008) and relies on the experiences of previous interactions (Billhardt,
Hermoso, Ossowski and Centeno 2007; Mui, Mohtashemi and Helberstadt 2002) and the similarity of
interests and skills (Matsuo and Yamamoto 2009). In addition especially in social networks and
collaborations trust is strongly related to information disclosure, identity management and privacy and
can also be used as a basic model to improve document recommendations to better match interests
of users.
239

Maria Semmelrock-Picej et al.
Figure 1: Creation of dynamic value chains for eCollaboration
This paper emphasizes on Federated Identity Management which is based on trust. (Fuchs and
Pernul 2007) define the environment of an Identity Management system as an integrated,
comprehensive framework which is based on three pillars: policies, processes and used technologies.
Identity Management processes deal with user management, organisational as well as technical
approval workflows, and escalation procedures. They form the main administrative workload as they
comprehend the management of the whole user lifecycle. In order to regulate identity related
information flows and processes, policies have to be defined. For example, policies express
regulations for user management processes, delegation issues or general security requirements. The
third pillar technologies can be subdivided in the following three main components:
Directory services provide synchronised information about users and resources forming the
foundation of a comprehensive identity management infrastructure.
240

Maria Semmelrock-Picej et al.
User management deals with the process of managing digital identities throughout their lifecycle,
starting with the creation of accounts, maintenance, i.e. by processing change requests, up to the
deactivation or termination.
Access management deals with the authentication and authorisation of users, controlling access
to connected resources.
2.3 Identity management architecture
First of all, the term Identity Management needs to be discussed in detail. Within the SPIKE project
we have to distinguish when thinking of Identity Management. Companies manage the digital
identities of their users in their IDM systems what is called in-house IDM. When those identities are
used in an inter-organisational manner, we speak about federated IDM. The federated IDM system of
SPIKE is based on Shibboleth. Shibboleth is needed to make use of the digital identities in an interorganisational
context, i.e. the identity information of User A from Company A is used to access
Resource X managed by Company Y. Shibboleth mainly consists of three components: the Where
Are You From Service (WAYF), the Shibboleth Service Provider (Shib SP) and the Shibboleth Identity
Provider (Shib IdP).
SPIKE requires connecting to an existing IDM system of the collaborating companies. Thereby the
already existing digital identities can be used in an interorganisational manner. However, the SPIKE
project targets on organisations of all sizes, from small- and medium-sized enterprises to large
organisations. Large organisations and many medium-sized companies usually run their own IDM
systems, but small and sometimes medium companies as well do not operate an IDM system.
Therefore, SPIKE must distinguish between those two cases (Companies without an IDMS and
companies with IDMS).
Figure 2 shows the generic Identity Management architecture of SPIKE. The figure is reduced to IDMrelevant
components to describe the basic idea of SPIKE’s IDM. SPIKE considers both – companies
running their own IDM solutions as well as enterprises without an IDM system.
Figure 2: SPIKE IDM architecture
In Figure 2, Company A for instance represents a small enterprise employing only a handful of
persons. Therefore they might not have a comprehensive IDM system which is required to participate
in virtual alliances operated by SPIKE. To enable such companies being part of an online
collaboration, SPIKE runs its own IDM solution and thereby covers this existing lack. Therefore, the
SPIKE platform has its own Shibboleth IdP installed which is connected with SPIKE’s IDM solution.
The SPIKE Shibboleth IdP is registered on the SPIKE WAYF service. The IDMS of SPIKE can be
accessed via the SPIKE portal.
241

Maria Semmelrock-Picej et al.
Company B, on the other hand, represents all enterprises running their own IDM systems. Those
companies have to install and configure the Shibboleth IdP software on the IT systems within their
company and connect their IDM solution appropriately. Furthermore the Shib IdPs have to be
registered and connected with the SPIKE WAYF service. Such companies do not need SPIKE’s
IDMS.
In the following, two sequence diagrams show the general procedure for connecting an external IDMS
to SPIKE as well as making use of SPIKE’s integrated IDM solution on a high level basis. The shown
diagrams are reduced to IDM-related steps.
Figure 3 represents the high-level procedure for connecting an external IDMS with the SPIKE
platform. Firstly an administrator of the collaborating company has to install and configure the
Shibboleth IdP software (1). After that a connection between the companies’ IDMS and the Shibboleth
IdP needs to be set up by registering the IDMS (2). According to the required attributes of SPIKE and
the respective resources provided by the alliance partners the administrator of the company can
assign attributes to the involved digital identities (3). The attributes required to access a resource
provided by a service provider are defined during the configuration phase of the SP [D7.2b]. After the
project has finished all connections are disabled and Shibboleth IdP will be uninstalled (4).
Figure 3: Connecting external IDMS with SPIKE
Figure 4 shows a high-level procedure for using SPIKE’s IDMS.
Figure 4: Using SPIKE IDM system
In order to make use of SPIKE’s IDMS, firstly the SPIKE administrator has to create a respective user
account equipped with sufficient access rights and attributes for the responsible user of the particular
company (1). The administrator of company N establishes the needed digital identities in the IDMS of
242

Maria Semmelrock-Picej et al.
SPIKE. Attributes will be assigned respectively, according to the required attributes of SPIKE and the
resources provided by the partners. When an employee leaves the project or the company or the
project ends, the company’s admin destroys those digital identities (2). Within the third step the
SPIKE administrator will delete the admin account of the respective company after finishing the
collaboration project (3).
By means of the IDM solutions – either the companies’ own IDM or SPIKE’s IDM – the collaboration
partners can manage their users and respective attributes by themselves and thereby allow for the
paradigm of federated identity management..
2.4 Evaluation of the applicability of potential solutions for identity management
architecture
In this section a brief introduction on the topic of the applicbility of potential solutions is given whereas
two potential solutions, Apache DS and OpenLDAP, are compared and evaluated against the
requirements defined in section 2.2.:
Table 1 shows a comparison between Apache DS and OpenLDAP based on the requirements for
SPIKE’s integrated IDMS defined in section 2. Both solutions fulfill the defined requirements if
respective admin-GUIs are used in addition. However, during the test phase we also recognized
some minor differences leading to our decision described in the following.
Table 1: Comparison between Apache Directory Service and Open LDAP
Identity Management processes mainly deal with user management and security policies. Apache
Directory Server in conjunction with its corresponding administration tool Apache Directory Studio
offers the possibility to create, delete, and change user accounts and attributes. Thus, the user can be
administrated via Apache Directory Studio. Apache DS itself does not provide an Admin-GUI by
default. Apache DS also covers the three main components of technologies: directory services, user
management and access management. Furthermore it is possible to monitor and log all carried out
actions in order to comply with any kind of legal obligation or regulation. Apache DS also enables the
definition and application of policies. For instance, policies for the quality of a user password in terms
of the string length, the usage of special signs, etc. can be defined.
Summarizing, Apache DS and OpenLADP fulfill all defined requirements, support auditing
functionality and require a separate tool for administration.
In the following a special application case will be presented and we start with the discussion of the
user requirements.
243

Maria Semmelrock-Picej et al.
3. Application case identity federations
3.1 User requirements
Prior to the introduction of the Identity Management System (IDMS) in 2005, access information on
file shares, computers and accounts was distributed to several systems like Active Directory, SunOne
and other applications. Those systems worked independently and there was no mechanism available
to guarantee consistent data (e.g. departments, cost center, phone numbers and names of persons),
based on the delivery from designated master systems, throughout the different systems deployed in
the company. Thus, helpdesk support was required frequently.
Therefore Infineon introduced the IDMS to have a mechanism at hand to collect data from different
master systems, combining the necessary data to digital identities and distribute and enforce this
identity information consequently throughout different directory services and applications. In order to
improve the IDMS and to save the ROI, an automatic user provisioning system and RBAC has to be
set up in a next step.
The major function of provisioning is once a new identity enters the IDMS from the global HR system,
an automatic workflow is triggered to its manager based on certain attributes (like location and
manager information). The respective manager chooses the respective roles for the new employee
and dependent on the request the necessary access to resources (accounts, groups, group
memberships) is set by the IDMS (mostly no human interaction is necessary anymore). Thus, during
the life cycle of the identity roles are added and removed and once an employee leaves the company
access to his resources will be disabled completely. The last case is also called de-provisioning. A
basic approach for provisioning (without a portal- and workflow solution) was developed and
implemented at Infineon in 2007. The results are shown in (Obiltschnig 2007).
Another issue which cannot be tackled exclusively by a centrally-organized IDMS is the collaboration
with external partners. This topic has been deeply researched for more than two decades. Already
started in the mid of the 1980s, research in this area is still ongoing. Wellknown and representative
terms used for enterprise collaboration (alliances) are Virtual Organizations (Skyrme 2007),
Networked Organizations (Lipnack and Stamps 1994) and Collaborative Innovation Networks [GL06].
The so-called Virtual Team represents another well-known expression on the micro-level (Lipnack
and Stamps 1997).
A common sense of the mentioned concepts can be summarized by the following aspects (Lipnack
and Stamps 1997):
Independent people and groups act as independent nodes in a network,
Are linked across conventional boundaries (e.g. departments and geographies)
And work together for a common purpose.
A collaboration has multiple leaders, lots of voluntary links and interacting levels,
Is based on mutual responsibility, i.e. there is no hierarchical management structure but the
involved individuals act as equal partners,
And teams are readjusted or disbanded as needed.
A successful collaboration requires the fulfillment of the following principles (Skyrme 2007):
Each partner must contribute some distinctive added value for the corporation.
Members must develop high degree of mutual trust and understanding. Thus, similar groups or
even the same people will work together again and again.
Projects or whole services should be the focus of the cooperation.
In the run-up of a collaboration one has to define general rules of engagement in terms of inputs
to the cooperation and rewards expected, though the momentum is lost if these are too formalized
too soon.
Members of the cooperation should recognize the need for coordination roles and either commit
time to develop and nurture these roles or pay one of the members to undertake the coordination
roles on behalf of them.
244

Maria Semmelrock-Picej et al.
A clear interface needs to be developed with non virtual customers - they like tidy relationships
and clear contracts. Thus either one member of the virtual cooperation must act on behalf of the
others (using them as subcontractors) or create a joint company to act as their legal entity and
administration service.
The highly dynamic business forces Infineon to set up strategic alliances (project partnerships)
frequently, in order to be competitive in cost and time. The chip design process and the production
environment (silicon foundries) serve as good examples for necessary alliances. While partnerships in
the course of the chip design aim at reducing the time to market, alliances during the production focus
on covering customer demands which increase the available production capacities. Especially the
design process for very complex chips sometimes requires setting up an alliance with one or more
competitors to reduce the overall development costs of the chip. For the automotive industry (one of
our three business areas), highly-logic special-function chips are designed. The business strategy of
Infineon also includes cooperation in terms of an alliance with a customer to develop “next
generation” chips which represent a quantum leap in technology and/or function (Schelmer 2008).
Today a complex process for the setup of collaborations exist (see figure 5)
The process starts with an internal employee requesting an identity entry in the IDMS for the external
persons belonging to other organisations of the business alliance. The following phases include the
provisioning of resources and carrying out the revocation of access on the respective resources once
the alliance ends. This process is applied for each (strategic) alliance wherein external staff is
involved.
However, this approach requires an internal employee at Infineon to trigger a lot of things prior to an
external alliance partner being able to start performing his tasks. A lot of single resources have to be
provisioned for the external partners (there is currently no role-model and a suitable tooling available)
accompanied by a lot of approval workflows which slows down the whole setup process. Furthermore,
knowledge about external employees, e.g. which resources they need to access at Infineon, is
necessary in advance (reduction in flexibility). Moreover, today the whole identity information of
external persons is also kept in the IDMS whereby the data volume is blowing up.
To overcome these deficiencies, the approach of Federated Identity Management (also called identity
federations) whose core idea is to allow individuals to use the same accounts and passwords they
have in their company to get access to a network of another company was established.
At first a user’s identity data is maintained at an identitiy provider in its IDMS. In the context of SPIKE
the partner company of INF takes over the role of an identity provider, while INF acts as service
provider during this collaboration. Subsequently, the user tries to access a service (an application, a
data source, and so on) of the service provider. Thereby, the user is verified at the identity provider
(the collaboration partner) by the service provider (INF). If the identity provider successfully
authenticates the data – or spoken in SPIKE terminology fulfils the tasks which were negotiated in the
collaboration contract -, the user will get access to the requested service.
Business partners trust each other for the user authentication mechanisms they employ in their
company and also guarantee that only authenticated users will have access to services (resources,
applications) of the alliance partner. This is a precondition for companies to use applications in a
common way without being forced to use the same directory services, authentication mechanisms
and duplicate digital identities to the other system.
Federated Identity Management also reduces the administration overhead in an alliance because it is
not required that the collaboration partner has to know the involved employees who need access to
the resources of the alliance partner in advance. The identity provider has also a large flexibility to
manage (exchange, increase, decrease) the staff during the existence of the alliance according to the
needs of the service provider. The service provider only has to care for the access to applications
needed by both companies (e.g. design application in the chip design area or administration
applications in the IT area, and so on).
In the next chapters the requirements of the component SPIKE/IF (identity federation module) of a life
cycle model for collaborations will be described in order to overcome the mentioned deficiencies.
245

Maria Semmelrock-Picej et al.
Figure 5: Creation process for external collaboration partners
3.2 Description of the requirements for connecting to external IDM
Federated Identity Management enables the usage of digital identities in an inter-organisational way.
This means that users can apply their local digital identity at their home company in order to access
shared resources within collaborations. A fundamental precondition is the administration of digital
identities in an IDMS which needs to be connected with SPIKE. For organisations willing to participate
246

Maria Semmelrock-Picej et al.
in collaborations operated by SPIKE we identified some technical requirements which must be fulfilled
and which are presented in the next chapter:
3.2.1 Overview
SPIKE Identity Federation Module (short SPIKE/IF) ist the building block in the architecture (see next
figure) for the setting up of collaborations between companies, defining roles and resource bundles
and the access management of federated identities during collaboration.
In Figure 6 the collaboration model is shown. Before a company can take part in any collaboration,
the phase “collaboration setup” has to be passed. This phase describes the tasks of a company’s
administrator, to provide the required resources. The most basic resource to be provided is the
network configuration.
Figure 6: Identity federation life cycle model
3.2.2 Setting up a collaboration
In our project there are different types of collaboration possible, depending on who is carrying out the
service provider function in the collaboration.
It is that users of a company can only be assigned to services of a partner company by the
responsibles of their own company (security, reducing complexity and keep flexibility). Only the hub
company can extend a collaboration with additional partner companies (security aspect). In the
following the setting up of a collaboration is visualized.
Unfortunately, nowadays collaborative applications commonly use centralized infrastructures. The use
of such systems has generated a huge interest in decentralized systems so that in our case different
types of collaboration are possible depending on who is carring out the service provider funtion in the
collaboration. In the following the centralized collaboration is presented (figure 8):
247

Figure 7: Steps to set up a collaboration
Figure 8: Centralized collaboration
Maria Semmelrock-Picej et al.
248

Maria Semmelrock-Picej et al.
In the case of a centralized collaboration only the hub company offers services which are accessed by
partners. The partner companies only act as identity provider for their federated users. This type of
collaboration mostly apperas when only one large company is involved which offers a large service
and application landscape with complex business processes supported by workflow management
systems and when partners are mostly smaller companies without an own service infrastructure but
specialized and/or cost-efficient employees which take over whole outsourced services of the Hub
company.
In the case of a decentralized collaboration (see figure 9) all partners offer services in the
collaboration and act as Service Providers which are accessed mutually. All Partner act as identity
Provider for their federated users. This type of collaboration often appears when one or more large
companies are involved which offer a large service and application landscape with complex business
processes supported by workflow management systems and those workflows include the involvement
of highly specialized partner companies or when partners are companies with few but highly
specialized services which can be offered cost-efficiently.
Figure 9: Decentralized collaboration
3.2.3 Role and resource management
Modeling roles is a research topic with a long history. There are a lot of approaches (Ferraiolo, Kuhn
and Chandramouli 2003) which are more or less successful. They can be classified according to three
different strategies:
Top-down is based on the analysis of business processes and organizational structures;
Bottom-up tries to analyze information of existing permissions throughout different systems and
aggregate similar patterns (clusters) to roles;
Hybrid approaches combine both strategies
The necessary steps during resource and role management are modelled in figure 10.
249

Maria Semmelrock-Picej et al.
Figure 10: Steps during role and resource management
4. Conclusions
In this paper the architecture of SPIKE IDMS is presented and it is shown how it can be integrated
with an IdP. The SPIKE IDMS has been thought to work mainly for SMEs which do not own a
propietary IDMS and therefore need this extra tool when a collaboration within SPIKE is started. In
doing so we improve the opportunities of SMEs in a globalising world.
References
Artz, D. and Gil, Y. (2007) „A survey of trust in computer science and the semantic web“, Journal of Web
Semantics, Vol 5, No. 2, pp 58-71.
Billhardt, H., Hermoso, R., Ossowski, S. and Centeno, R. (2007) „Trust-based service provider selection in open
environments“, ACM Symposium on Applied Computing (SAC), pp 1375-1380.
Davenport, T.H. and Prusak, L. (1998) Working Knowledge: How Organizations Manage What they know,
Harvard Business School Press, Boston MA.
Ferraiolo, D.F., Kuhn, R.D. and Chandramouli, R. (2003) Role-Based Access Control, Artech House.
Economist (2008) “The role of trust in business collaboration. An Economist Intelligence Unit”, Cisco Systems,
Vol 10, No. 70.
250

Maria Semmelrock-Picej et al.
Fuchs, L. and Pernul, G. (2007) “Supporting Compliant and Secure User Handling – A Structured Approach for
In-House Identity Management”, The Second International Conference on Availability, Reliability and
Security (ARES 2007), IEEE Society, Los Alamitos, pp 374–384.
Jackson, G. (2010) “Identity and Access Management”, [online], The University of Chicago, Overview paper,
www.internet2.edu/pubs/200703-ISMW.pdf.
Josang, A., Ismail, R. and Boyd, D. (2007) “A survey of trust and reputation systems for online service provision”,
Decision Support Systems, Vol 43, No. 2, pp 618-644.
Klein, R., Rai, A. and Straub, D.W. (2007) “Competitive and cooperative positioning in supply chain logistics
relationship”, Decision Sciences, Vol 38, No. 4, pp 611-646.
Lipnack, J. and Stamps, J. (1994) The age of the Network – Organizing principles for the 21 st Century, John
Wiley & Sons.
Lipnack, J. and Stamps, J. (1997) Virtual Teams – Reaching across space, time and organizations with
technology, John Wiley & Sons.
Matsuo, Y. and Yamamoto, H. (2009) “Community gravity: Measuring bidirectional effects by trust and rating on
online social network”, International World Wide Web Conference (WWW), pp 751-760.
Mohrman, S. A., Finegold, D. and Mohrman, A. M. (2003) “An empirical model of the organization knowledge
system in new product development firms”, Journal of Engineering Technology Management, Vol 20, No. 1,
pp 7-38.
Mori, J., Sugiyaman, T. and Matsuo, Y. (2005) “Real-world oriented information sharing using social networks”,
Group, pp 81-85.
Mui, L., Mohtashemi, M. and Halberstadt, A. (2002) “A computational model of trust and reputation for e-
Business”, Hawaii International Conferences on Systems Sciences (HICSS), p.188.
Obiltschnig, A. (2007) Role-based Provisioning - Ein praktischer Ansatz im Identity Manage-ment, Institute for
Applied Computer Science, Faculty for Technical Sciences, University of Klagenfurt, Klagenfurt.
Schmelmer M. (2008) “Infineon setzt bei IT auf Einsparungen”, [online],
www.cio.de/strategien/methoden/850789/index.html.
Semmelrock-Picej, M.Th. and Possegger, A. (2010) “Ausgewählte Sicherheitsrelevante Aspekte der
eCollaboration”, D-A-CH Security 2010, pp 314-325.
Skyrme, D. (2007) „Insights“, [online], www.skyrme.com/insights/.
Zack, M.M. (1999) “Managing codified knowledge”, Sloan Management Review, Vol 40, No. 4, pp 45-58.
Ziener, K. (2010) Grenzüberschreitende Wirtschaftskooperationen und Interreg III A Projekte, Klagenfurt 2010.
251

Anatomy of Banking Trojans – Zeus Crimeware (how
Similar are its Variants)
Madhu Shankarapani and Srinivas Mukkamala
(ICASA)/(CAaNES)/New Mexico Institute of Mining and Technology, USA
madhuk@cs.nmt.edu
srinivas@cs.nmt.edu
Abstract: To add complexity to existing cyber threats; targeted Crimeware that steals personal information for
financial gains is for sale as low as $700 dollars. Baking Trojans have been notoriously difficult to kill and to date
most antivirus and security technologies fail to detect or prevent them from causing havoc. Zeus which is
considered as one of the most nefarious financial and banking Trojans targets business and financial institutions
to perform unauthorized automated clearinghouse (ACH) and wire transfer transactions for check and payment
processing. Zeus is causing billions of dollars in losses and is facilitating identity theft of innocent users for
financial gains. Zeus Crimeware does one thing very well that every security researcher envy’s – obfuscation.
Zeus kit conceals the exploit code every time a binary is created. Zeus Crimeware has an inbuilt binary generator
that generates a new binary file on every use that is radically different from others; which evades detection from
antivirus or security technologies that rely on signature based detection. The effectiveness of an up to date
antivirus against Zeus is thus not 100%, not 90%, not even 50% – it’s just 23% which is alarming. No
matter how smart and how different Zeus binaries are, most of them share a few common behavioral patterns
such as an ability to take screenshots of a victim's machine, or control it remotely, hijacking E-banking sessions
and logging them to the level of impersonation or add additional pages to a website and monitor them, or steal
passwords that have been stored by popular programs and use them. In this paper we present detection
algorithms that can help the antivirus community to ensure a variant of a known malware can still be detected
without the need of creating a signature; a similarity analysis (based on specific quantitative measures) is
performed to produce a matrix of similarity scores that can be utilized to determine the likelihood that a piece of
code or binary under inspection contains a particular malware. The hypothesis is that all versions of the same
malware family or similar malware family share a common core signature that is a combination of several
features of the code (binary). Results from our recent experiments on 40 different variants of Zeus show very
high similarity scores (over 85%). Interestingly Zeus variants have high similarity scores with other banking
Trojans (Torpig, Bugat, and Clampi) and a well know data stealing Trojan Qakbot. We present experimental
results that indicate that our proposed techniques can provide a better detection performance against banking
Trojans like Zeus Crimeware.
Keywords: Zeus Crimeware, banking Trojans, Torpig, Bugat, Clampi, malware similarity analysis, anatomy of
Zeus, malware analytics
1. Introduction
One of the major concerns in network security is controlling the spread of malware over the Internet.
In particular, polymorphic and metamorphic versions of the malware are the most troublesome among
malware families, because of their capabilities not only to infect the systems but also have potential to
steal confidential user data and be persistent. These kinds of malware are written with the intent of
taking control of large number of hosts on the internet. Once the hosts are infected by Trojans, they
may join a botnet for stealing personal data such as user credentials (Holz, Engelberth and Freiling,
2008), (Kanich et al, 2008). Over a period of time writing malware has changed from developed for
fun, to the present, where it is written for financial gains.
Trojans in the past were used for sending spam emails, installing third party malware, keystroke
logging, crashing the host machine, uploading or downloading of files on the infected machines. In the
present generation Trojans are far more complex, when Trojan notices the user visiting the websites
of targeted bank it springs into action. When the user is carrying out some transactions, the Trojan
looks at the available balance and calculates how much money to steal. These Trojans are given
upper and lower bound limits that are below the amount that triggers antifraud systems. ZEUS,
Torpig, zlob, vundo, smitfraud, etc are a few examples for deadly Trojans that caused major financial
loss.
Torpig is a malware program that was developed to steal sensitive information from its infected hosts.
In early 2005 over 180 thousand machines were infected and about 70 GB of data were stolen and
uploaded to the bot-masters (Stone-Gross et al, 2009), (Nichols, 2009). Torpig depends on domain
flux for its main C&C servers, and also the servers to perform drive-by-download to spread on a
252

Madhu Shankarapani and Srinivas Mukkamala
network. Using JavaScript, it generates pseudo-random domain name on-the-fly and redirects victims
to a malicious webpage.
Vundo, also known as VirtuMundo, VirtuMonde, and MS Juan, spreads via email, peer-to-peer file
sharing, and by other malware (Bell and Chien, 2010). It exploits browser vulnerability and displays
pop-up advertisements. This Trojan has capabilities to inject advertisements into search results.
Fraudulent or misleading applications, intrusive pop-ups, fake scan results are characteristics of this
Trojan. Vundo lowers security settings, prevents access to certain websites, and also disables
antivirus programs, to make it further difficult to remove them. Its new variants are far more
sophisticated with their payloads and its functionality. They have the capability to exploit vulnerability
to download misleading software, and extensions that encrypt files in order to force user for money.
Zeus is a Trojan horse that steals banking information from infected machines, which spreads using
drive-by-downloads and phishing emails. Since from the date it was first identified, Zeus has been
very active in the wild with constant increase in threat. The most threatening is a large group working
on Zeus to create enormous Zeus/Zbot variants builder, which can evade the present anti-virus
software.
The problem is so critical, that a significant research effort has been invested to gain a better
understanding of these malware characteristics. One of the approaches to study the characteristics is
to perform passive analysis of secondary effects that are caused by the activities of compromised
hosts. Many researchers have performed passive analysis like collecting spam emails that are likely
to be sent by bots (Zhuang et al, 2008), DNS queries (Rajab et al, 2007), (Rajab et al, 2006) or DNS
blacklist queries (Ramachandran, Feamster and Dagon, 2006) performed by the bot-infected
machines, analysis of network traffic for cues that are characteristics for certain botnets (Karasaridis,
Rexroad and Hoeflin, 2007).
While these analysis provides interesting insights into particular characteristics of Trojans and bots, its
approach is limited to those botnets that actually exhibit the activity targeted by the analysis. Active
approaches to analyze botnets are through permeation. In this approach researchers join the bot to
perform analysis. Usually honeypots or spam traps are used to collect a copy of a malware sample.
Later, the obtained samples are executed in controlled environment and observe its behavior.
Observations include traffic that is exchanged between bots and its command and control server(s),
IP addresses of other clients that are concurrently logged into the IRC channel (Rajab et al, 2006),
(Cooke, Jahanian and McPherson, 2006), (Freiling, Holz and Wicherski, 2005). Unfortunately these
techniques do not work on stripped-down IRC or HTTP servers as their C&C channels.
Present anti-virus techniques are based on either signature-based detection which is not effective
against polymorphic and unknown malware, or heuristic-based algorithms which are inefficient and
inaccurate. Detection based on string signatures uses a database of regular expressions and a string
matching engine to scan files and detect infected ones. Each regular expression of the database is
designed to identify a known malicious program. Though traditional signature-based malware
detection methods does exists from ages, there are lots to improve the signature-based detection and
to detect new malware a few data mining and machine learning techniques are proposed (Westfeld,
2001: 289-302), (Sallee, 2005: 167-189), (Solanki, Sarkar and Manjunath, 2007: 16-31) examined the
performance of various classifiers such as Naïve Bayes, support vector machine (SVM) and plotting
ROC curves using decision tree methods. (Lyu, and Farid, 2002: 340-354) applied Objective-Oriented
Association (OOA) mining based classification (Fridrich, 2004: 67-81), (Shi, Chen and Chen, 2006) on
Windows API execution sequences called by PE files. A Few of these methods entirely rely on the
occurrence of API sequence of execution. There are methods where websites are crawled to inspect
if those websites host any kind of malicious executables (Pevny, Fridrich, 2007). This study is
generally for web server security, advertising and third-party widgets. Their basic idea of approach
shows how malware executables are often distributed across a large number of URLs and domains.
Analyze and detect these obfuscated malicious executable is by itself a vast field.
Our work is based on collection of Zeus/Zbot variants collected at Offensive Computing (Offensive
Computing, 2010). As of today, Offensive Computing has one of the largest malware databases which
include various kinds of executables like spyware, adware, virus, worms, Trojans, etc. Among
thousands of malware in computing world, the unique executables is likely to be much lower as many
253

Madhu Shankarapani and Srinivas Mukkamala
binaries differ only in binary packing (Chen and Shi, 2008) and not in their functionality. In this paper
we show how Zeus/Zbot variants can be detected effectively.
In our recent engagements we used this methodology to detect variants of Conficker, Zeus
Crimeware, and Data stealers that bypassed several popular antivirus tools, host based security tools,
and perimeter security devices.
In this paper, we present API call sequence approach to detect Zeus samples. Our approach rests on
the analysis of Windows API call sequence, and applying distance measures to detect how similar are
these variants.
In summary, the main contribution of this paper is to detect Zeus effectively. In this paper, we talk
about a few lethal malware and how important is it to find a good defensive mechanism, in
introduction. Next is about the evolution of Zeus, followed by its reverse engineered result. And the
following section we explain our method of analyzing Zeus. Finally, we conclude with our conclusion
based on our experiments and references.
2. Evolution of Zeus/Zbot
Zeus is a Trojan horse that steals banking information from infected machines, which spreads using
drive-by-downloads and phishing emails. Its persistence is because of large number of attackers
using Zeus builder. These attackers pay thousands of dollars for the latest Zeus builders which are
up-to-date undetectable bot builds (SHEVCHENKO, 2009). Everyday a new Zeus/Zbot samples are
distributed by modifying the bot that are being produced in the wild, or by using packers and
encrypted on top with all sorts of packers, and few using custom built packers. Before its release,
these samples are uploaded to multi-anti-virus scanners to make sure they are not detected by any
anti-virus vendor.
The worse thing of Zeus/Zbot is in latest generation of bot which uses rootkit techniques to hide its
presence on infected machine, and injects additional fields into online Internet banking websites.
These details are collected and sent to remote systems, which is later stored in remote database.
From this database the attacker uses user credentials to transfers desired amount to his account.
In July 2007, Zeus was first found infecting United States Department of Transportation and stole data
from over 1000 PCs (Wikipedia, 2010), (Ragan, 2009). As of October 2009, 1.5 million phishing
messages were sent through Facebook. In November 2009, A malicious spam emails were spreading
Zeus purporting to be from Verizon Wireless (Moscaritolo, 2009). On October 1, 2010 a major cyber
crime network had hacked into US computers using Zeus and stole around $70 million (Wikipedia,
2010). Since its discovery to this day gangs have netted more than $200 million (McMillan and Kirk,
2010).
3. Reverse engineering Zeus/Zbot
Zeus has been in the wild since 2006, though its method of propagation is through spam campaigns
and drive-by downloads, due to its versatile nature even other vectors may also be utilized. The user
may receive masquerading email message as if it is from well known organizations such as FDIC,
IRS, Facebook or Microsoft. The message body warns the user about a financial problem and
suggests visiting the link provided in the message body. Once the user visits the link, Trojan gets
downloaded and compromises the host machine.
Based on behavior of an executable (Qureshi) Zeus can be classified as Trojans. Zeus propagates
using drive-by-downloads and phishing emails. It uses compromised FTP servers and peer-to-peer
networks to spread, and unlike worm the end-user have to initiate the download. Once Zeus is
downloaded on to a computer, it gets installed by itself, and tries to connect to the bots command
controls for further instructions. From the command control it downloads configuration files and infects
the browser. Later the malware monitors browser activities and steals appropriate data based on the
encrypted information in the configuration file. Since it hooks up with services like svchosts to act as
man in the browser, this shows characteristics of a virus.
Figure (1) shows that the Trojan is packed using UPX, one of the most widely used packers and
Figure (2) is its opcode instructions with initial EntryPoint. Figure (3) shows that the Trojan is packed
and encrypted with the custom made Zeus builder and Figure (4) is its opcode instructions.
254

Figure 1: UPX packed Trojan
Figure 2: Opcode instructions with entry points
Madhu Shankarapani and Srinivas Mukkamala
Figure 3: Trojan packed and encrypted with the custom made Zeus builder
255

Madhu Shankarapani and Srinivas Mukkamala
Figure 4: Opcode instructions with entry points for the Trojan with custom made Zeus builder
According to our observations though these two Trojans were created using different packers, their
characteristics of using Windows API are almost similar. We observed the API call sequence of both
the Trojans. When we applied distance measures after its API sequence alignment between them, we
found they are about 92.32% similar to each other. This shows that irrespective of the obfuscation
method used to create Zeus variants; our methodology can detect these Trojans.
4. Analysis methodology
First, the Zeus sample is decompressed and passed through a PE file parser, producing the
intermediate representation which consists of a Windows API calling sequence. This sequence is
compared to a known malware sequence or signature (from the signature database) and is passed
through the similarity measure module to generate the similarity report. The detection decision is
made based on this similarity report. The PE binary parser transforms the PE binary file into an API
calling sequence. It uses two components, W32Dasm version 8.9 and a text parser for disassembled
code. W32Dasm by URSoftware Co. is a commercial disassembler, which disassembled the PE code
and outputs assembly instructions, imported modules, imported API’s, and recourse information. The
text parser parses the output from W32Dasm to a static API calling sequence, which becomes our
signature.
Table 1: Similarity analysis of Zeus/Zbot compared among different variants
Tro
jan.
Troj
Sp
Troj an. Troj Troj
Troj
y.Z
Troj an. Spy an.S an.S
Troj
an.
eus Troj Troja an.B Zbo .Ze py.Z py.Z Troja Troja an.Z Spy.
.1. an.Z n.Spy roke t- us. eus. eus. n.Zbo n.Spy bot- DHL Zeu
Ge bot- .Zeus r- 134 1.G 1.Ge 1.Ge t- .Zeus 115 _DO s.1.
n. 85. .2.Ge 12. 2.m en. n.m n.m 290. .1.Ge 1.m C.m Gen
mal mal n.mal mal al mal al al mal n.mal al al .mal
Trojan.Sp 10
y.Zeus.1. 0.0 51.9
92.3 70. 51. 71.2 60.9
79.8 71.2 47.7
Gen.mal 0 0 67.00 2 06 72 7 3 63.45 61.43 8 7 1
Trojan.Zb 46. 100.
51.2 58. 53. 70.3 52.4
63.5 69.5 45.3
ot-85.mal
Trojan.Sp
83 00 58.19 7 00 44 9 6 56.69 42.69 3 0 3
y.Zeus.2. 41. 49.7 100.0 66.0 70. 66. 30.9 51.9
58.4 61.0 53.9
Gen.mal
Trojan.Bro
31 2 0 3 78 95 9 1 88.23 60.26 9 7 0
ker- 49. 34.7
100. 43. 52. 38.2 44.1
64.6 44.0 38.8
12.mal 59 3 47.55 00 98 98 7 7 47.82 45.79 6 3 1
256

Trojan.Zb
ot-
1342.mal
Trojan.Sp
y.Zeus.1.
Gen.mal
Trojan.Sp
y.Zeus.1.
Gen.mal
Trojan.Sp
y.Zeus.1.
Gen.mal
Trojan.Zb
ot-
290.mal
Trojan.Sp
y.Zeus.1.
Gen.mal
Trojan.Zb
ot-
1151.mal
DHL_DO
C.mal
Trojan.Sp
y.Zeus.1.
Gen.mal
MemScan
Trojan.Sp
y.Zeus.C.
mal
Trojan.Sp
y.Zeus.1.
Gen.mal
Trojan.Zb
ot-
1652.mal
GenTroja
n.Heur.Zb
ot
Zeus.mal
Trojan.Sp
y.Zeus.1.
Gen.mal
ZeuS_bin
ary.mal
ZeuS_bin
ary.mal
Trojan.Sp
y.Zeus.1.
Gen.mal
Trojan.Zb
ot-
2819.mal
Trojan.Sp
y.Zeus.1.
Gen.mal
Tro
jan.
Sp
y.Z
eus
.1.
Ge
n.
mal
58.
89
65.
58
54.
23
57.
96
29.
14
64.
30
65.
65
40.
35
52.
77
78.
75
75.
87
69.
79
71.
28
64.
18
51.
25
76.
05
70.
61
44.
52
52.
94
52.
74
Troj
an.Z
bot-
85.
mal
Madhu Shankarapani and Srinivas Mukkamala
Troja
n.Spy
.Zeus
.2.Ge
n.mal
63.7
9 72.30
68.4
6 68.26
56.9
4 65.71
49.4
8 88.34
44.2
3 47.07
69.3
7 76.24
59.4
3 71.08
40.5
1 51.52
52.9
6 58.50
78.2
5 61.34
75.2
3 86.08
69.3
9 71.49
76.3
2 77.17
53.6
7 62.34
59.0
7 68.87
87.6
1 72.13
77.7
5 76.10
43.0
8 61.80
57.5
7 58.88
68.8
1 49.63
Troj
an.B
roke
r-
12.
mal
83.4
4
84.6
2
76.9
2
83.9
8
41.5
5
87.5
5
83.6
5
62.8
6
66.4
3
76.6
3
77.0
7
71.6
0
64.0
2
75.5
4
79.9
1
70.2
4
68.3
8
64.4
1
68.6
3
51.0
9
Troj
an.
Zbo
t-
134
2.m
al
100
.00
58.
25
74.
23
76.
37
34.
21
70.
67
75.
80
43.
59
79.
69
75.
13
74.
35
78.
77
76.
97
81.
87
69.
26
73.
69
69.
21
39.
01
64.
06
64.
13
Troj
an.
Spy
.Ze
us.
1.G
en.
mal
77.
09
100
.00
59.
96
59.
37
38.
33
70.
03
75.
86
52.
05
60.
01
79.
93
66.
52
73.
46
67.
71
65.
30
58.
36
79.
45
73.
13
46.
47
63.
33
64.
95
257
Troj
an.S
py.Z
eus.
1.Ge
n.m
al
55.0
1
70.9
0
100.
00
67.5
2
30.2
3
64.6
9
61.8
1
40.0
0
64.7
5
71.8
8
71.0
9
74.1
7
77.2
0
72.5
4
53.3
1
67.9
8
70.0
6
41.9
1
67.5
3
71.1
3
Troj
an.S
py.Z
eus.
1.Ge
n.m
al
Troja
n.Zbo
t-
290.
mal
Troja
n.Spy
.Zeus
.1.Ge
n.mal
76.7
1 80.02 58.13
81.7
1 54.58 42.36
66.6
9 96.12 54.59
100.
00 51.16 54.44
53.7
3
74.6
3 61.09
100.0
0 21.68
100.0
0
63.1
1
62.5
61.11 57.36
6 66.98 41.70
78.7
2 76.44 60.37
84.0
5 85.10 80.75
72.3
5 53.98 63.05
85.2
8 92.50 70.64
70.9
9
69.1
79.78 75.07
2 75.56 69.18
78.0
0
67.8
64.52 65.70
4
75.0
67.21 70.49
0 51.33 61.99
47.0
1 36.19 27.44
71.3
3 41.23 49.47
64.1
8 85.66 48.82
Troj
an.Z
bot-
115
1.m
al
81.3
8
74.6
0
62.0
7
79.1
0
42.6
4
79.6
6
100.
00
60.1
0
74.2
4
76.9
8
81.0
5
67.2
1
74.7
2
74.2
0
81.7
3
78.1
5
74.1
7
62.2
9
82.6
5
57.2
8
DHL
_DO
C.m
al
94.4
6
82.9
1
73.7
4
66.5
3
68.1
3
86.2
4
59.7
3
100.
00
90.7
7
88.7
8
79.3
2
88.5
8
79.6
6
71.8
5
91.7
5
80.0
6
72.9
7
53.7
2
71.6
6
73.7
6
Troj
an.
Spy.
Zeu
s.1.
Gen
.mal
68.9
1
57.0
6
71.5
6
61.7
5
51.3
0
71.8
5
68.9
8
47.2
8
100.
00
86.4
1
77.8
9
83.5
2
85.1
6
72.7
1
59.1
7
79.5
9
68.1
6
41.1
5
57.5
6
70.8
3

Trojan.Sp
y.Zeus.1.
Gen.mal
Trojan.Zb
ot-
1307.mal
Trojan.Zb
ot-
2163.mal
Tro
jan.
Sp
y.Z
eus
.1.
Ge
n.
mal
54.
23
57.
10
63.
53
Troj
an.Z
bot-
85.
mal
Madhu Shankarapani and Srinivas Mukkamala
Troja
n.Spy
.Zeus
.2.Ge
n.mal
63.8
2 78.15
58.4
6 63.92
56.5
1 81.88
Troj
an.B
roke
r-
12.
mal
61.3
3
78.4
7
84.0
4
5. Similarity analysis results
Troj
an.
Zbo
t-
134
2.m
al
86.
42
82.
03
74.
65
Troj
an.
Spy
.Ze
us.
1.G
en.
mal
66.
27
60.
21
55.
75
Troj
an.S
py.Z
eus.
1.Ge
n.m
al
59.4
5
59.6
4
68.0
1
Troj
an.S
py.Z
eus.
1.Ge
n.m
al
Troja
n.Zbo
t-
290.
mal
Troja
n.Spy
.Zeus
.1.Ge
n.mal
66.6
9 76.85 58.62
54.5
9 64.83 64.50
60.6
6 50.08 60.47
We apply the traditional similarity functions on Vs’ and Vu’. Cosine measure, extended Jaccard
measure, and the Pearson correlation measure are the popular measures of similarity for sequences.
The cosine measure is given below and captures a scale-invariant understanding of similarity.
Cosine similarity: Cosine similarity is a measure of similarity between two vectors of n dimensions
by finding the angle between them.
Extended Jaccard measure: The extended Jaccard coefficient measures the degree of overlap
between two sets and is computed as the ratio of the number of shared attributes ofVs’ AND Vu’to the
number possessed byVs’ORVu’.
Pearson correlation: Correlation gives the linear relationship between two variables. For a series of
n measurements of variablesVs’andVu’, Pearson correlation is given by the formula below.
Where and are values of variable Vs’ and Vu’ respectively at position i, n is the number of
measurements, and are standard deviations of Vs’ and Vu’ respectively and and are
means of Vs’ and Vu’ respectively.
In these experiments, we calculated the mean value of the three measures. For a particular measure
between a virus signature and a suspicious binary file, S(m)(Vs’i, Vu’), which stands for the similarity
between virus signature i and a suspicious binary file. Our similarity report is generated by calculating
the S(m)(Vs’i, Vu’) value for each virus signature in the signature database.
In this experiment, we compared Zeus/Zbot variants against itself, creating n-by-n matrix which shows
how similar are the variants. Table 1 shows the similarity values of Zeus/Zbot compared among
themselves. From the Table 1 we can infer that variants of Zeus/Zbot are almost similar to sequence
in which the Windows APIs are called.
6. Conclusion
In this paper, we present our effort of approach on malware detection based on Windows API call
sequence. According to our observations, though there is tremendous increase in Zeus/Zbot variant
builders, its behavior of API calls remains almost the same. Thus our approach can detect its variants
258
Troj
an.Z
bot-
115
1.m
al
74.0
3
73.5
8
78.3
0
DHL
_DO
C.m
al
(3)
80.9
5
64.2
9
50.7
3
(1)
(2)
Troj
an.
Spy.
Zeu
s.1.
Gen
.mal
87.5
1
54.3
4
56.1
0

Madhu Shankarapani and Srinivas Mukkamala
very robust and efficiently. Experimental results show that our method is able to show how similar are
these variants, which have evaded the present virus defense systems. From this method it shows how
accurately we can detect Zeus/Zbot variants.
References
Bell, Henry and Chien, Eric. (2010) Trojan.Vundo, Symantec Technical Report [online], 17 Mar, Available:
http://www.symantec.com/security_response/writeup.jsp?docid=2004-112111-3912-99 [12 Sep 2010].
Chen, C. and Shi, Y. Q. (2008) “JPEG image steganalysis utilizing both intrablock and interblock correlations”,
IEEE International Symposium on Circuits and Systems, Seattle, WA, 18-21 May.
Cooke, E., Jahanian, F. and McPherson, D. (2006) “The zombie roundup: Understanding, detecting, and
disrupting botnets”, in Usenix Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI).
Freiling, F., Holz, T. and Wicherski, G. (2005) “Botnet Tracking: Exploring a Root-Cause Methodology to Prevent
Distributed Denial-of-Service Attacks”, in European Symposium on Research in Computer Security
(ESORICS).
Fridrich, J. (2004) "Feature-based steganalysis for JPEG images and its implications for future design of
steganographic schemes", in Information Hiding, 6th International Workshop, LNCS 3200, pp. 67-81.
Holz, T., Engelberth, M. and Freiling, F. (2008) Learning More About the Underground Economy: A Case-Study
of Keyloggers and Dropzones, ReiheInformatik TR-2008-006, University of Mannheim.
Kanich, C., Levchenko, K., Enright, B., Voelker, G. and Savage, S. (2008) “The Heisenbot Uncertainty Problem:
Challenges in Separating Bots from Chaff”, in USENIX Workshop on Large-Scale Exploits and Emergent
Threats.
Karasaridis, A., Rexroad, B. and Hoeflin, D. (2007) “Wide-scale botnet detection and characterization”, in
USENIX Workshop on Hot Topics in Understanding Botnet.
Lyu, S. and Farid, H. (2002) "Detecting hidden messages using higher order statistics and support vector
machines", in Information Hiding, 5th International Workshop, LNCS 2578, pp. 340-354.
McMillan, Robert and Kirk, Jeremy. (2010) US charges 60 in connection with Zeus Trojan [online], 30 Sep,
Available: http://www.csoonline.com/article/620830/us-charges-60-in-connection-with-zeus-trojan [1 Oct
2010].
Moscaritolo, Angela. (2009) New Verizon Wireless-themed Zeus campaign hits [online], 16 Nov,
Available:http://www.scmagazineus.com/new-verizon-wireless-themed-zeus-campaign-hits/article/157848
[8 Sep 2010].
Nichols, Shaun. (2009) UCSB researchers hijack Torpig botnet [online], V3.co.uk, 04 May, Available:
http://www.v3.co.uk/vnunet/news/2241609/researchers-hijack-botnet [06 May 2009].
Offensive Computing [online], Available: http://offensivecomputing.net [21 Jul 2010].
Pevny, T., and Fridrich, J. (2007) “Merging Markov and DCT features for multi-class JPEG steganalysis”, in
Proceedings of SPIE Electronic Imaging, Photonics West, pp. 03-04.
Qureshi, Mohammad. MBCS, MIET [online], Available: http://umer.quresh.info/Network%20Attacks.pdf [13-Dec-
2010].
Ragan, Steve. (2009) ZBot data dump discovered with over 74,000 FTP credentials [online], 29 Jun, Available:
http://www.thetechherald.com/article.php/200927/3960/ZBot-data-dump-discovered-with-over-74-000-FTPcredentials
[5 Jul 2009].
Rajab, M. A., Zarfoss, J., Monrose, F. and Terzis, A. (2006) “A Multifaceted Approach to Understanding the
Botnet Phenomenon”. ACM Internet Measurement Conference (IMC).
Rajab, M. A., Zarfoss, J., Monrose, F. and Terzis, A. (2007) “My Botnet is Bigger than Yours (Maybe, Better than
Yours): Why Size Estimates Remain Challenging”, in USENIX Workshop on Hot Topics in Understanding
Botnet.
Ramachandran, A., Feamster, N. and Dagon, D. (2006) “Revealing Botnet Membership Using DNSBL Counter-
Intelligence”, in Conference on Steps to Reducing Unwanted Traffic on the Internet.
Sallee, P. (2005) “Model based methods for steganography and steganalysis”, International Journal of Image and
Graphics, Vol. 5, No. 1, 2005, 167-189.
SHEVCHENKO, SERGEI. (2009) Time to Revisit Zeus Almighty [online], 16 Sep, Available:
http://blog.threatexpert.com/2009_09_01_archive.html [19 Sep 2009].
Shi, Y. Q., Chen, C. and Chen, W. (2006) "A Markov process based approach to effective attacking JPEG
steganography", in Proceedings of the 8th international conference on Information hiding.
Solanki, K., Sarkar, A. and Manjunath, B. S. (2007) "YASS: Yet another steganographic scheme that resists blind
steganalysis", in Proceedings of 9th Information Hiding Workshop, ISBN:3-540-77369-X 978-3-540-77369-
6, pp. 16-31, Saint Malo, France.
Stone-Gross, B., Cova, M., Cavallaro, L., Gilbert, B., Szydlowski, M., Kemmerer, R., Kruegel, C. and Vigna, G.
(2009) “Your Botnet is My Botnet: Analysis of a Botnet Takeover”, CCS’09, 9–13 Nov, Chicago, Illinois,
USA.
Westfeld, A. (2001) “High capacity despite better steganalysis (F5-a steganographic algorithm)”, Information
Hiding, 4th International Workshop, LNCS 2137, pp. 289-302, Springer-Verlag Berlin Heidelberg.
Zeus (trojan horse). Wikipedia [online], Available: http://en.wikipedia.org/wiki/Zeus_(trojan_horse), [12 Sep 2010].
Zhuang, L., Dunagan, J., Simon, D., Wang, H., Osipkov, I., Hulten, G. and Tygar, J. (2008) “Characterizing
botnets from email spam records”, in USENIX Workshop on Large-Scale Exploits and Emergent Threats.
259

Terrorist use of the Internet: Exploitation and Support
Through ICT Infrastructure
Namosha Veerasamy and Marthie Grobler
Council for Scientific and Industrial Research, Pretoria, South Africa
nveerasamy@csir.co.za
mgrobler1@csir.co.za
Abstract: The growth of technology has provided a wealth of functionality. One area in which Information
Communication Technology (ICT), especially the Internet, has grown to play a supporting role is terrorism. The
Internet provides an enormous amount of information, and enables relatively cheap and instant communication
across the globe. As a result, the conventional view of many traditional terrorist groups shifted to embrace the
use of technology within their functions. The goal of this paper is to represent the functions and methods that
terrorists have come to rely on through the ICT infrastructure. The discussion sheds light on the technical and
practical role that ICT infrastructure plays in the assistance of terrorism. The use of the Internet by terrorist
groups has expanded from traditional Internet usage to more innovative usage of both traditional and new
Internet functions. Global terrorist groups can now electronically target an enormous amount of potential
recipients, recruitees and enemies. The aim of the paper is to show how the Internet can be used to enable
terrorism, as well as provide technical examples of the support functionality and exploitation. This paper
summarises the high-level functions, methods and examples for which terrorists utilise the Internet. This paper
looks at the use of the Internet as both a uni-directional and bi-directional tool to support functionality like
recruitment, propaganda, training, funding and operations. It also discusses specific methods like the
dissemination of web literature, social-networking tools, anti-forensics and fund-raising schemes. Additional
examples, such as cloaking and coding techniques, are also provided. In order to analyse how ICT infrastructure
can be used in the support of terrorism, a mapping is given of communication direction to the traditional Internet
use functions and methods, as well as to innovative Internet functions and methods.
Keywords: anti-forensics, internet, terrorism, ICT, propaganda, social-networking
1. Introduction
According to the Internet World Stats webpage, the latest number of world Internet users (calculated
30 June 2010) are 1 966 541 816 representing a 28.7% penetration of the world population (2010).
Although this does not reflect a majority of the world population, it presents an enormous amount of
potential recipients, recruitees and enemies that global terrorist groups can target electronically.
However, terrorist groups’ embracing of technology used to be an uncommon phenomenon.
In the book, The secret history of al Qaeda, an eye witness to the al Qaeda men fleeing United States
bombardments of their training camps in November 2001 are quoted: "Every second al Qaeda
member [was] carrying a laptop computer along with his Kalashnikov" (Atwan 2006). This scenario is
highly paradoxical where an organisation utterly against the modern world (such as al Qaeda), are
increasingly relying on hi-tech electronic facilities offered by the Internet to operate, expand, develop
and survive. Especially in the early 1980s, some groups in Afghanistan were opposed to using any
kind of technology that is of largely Western origin or innovation (Atwan 2006).
However, the world has changed. Technology has been introduced in most aspects of daily lives and
the Internet has become a prominent component of business and private life. It provides an enormous
amount of information and enables relatively cheap and instant communication across the globe. As a
result, the traditional view of many traditional terrorist groups shifted to embrace the use of technology
within their functions. In 2003, a document titled 'al Qaeda: The 39 principles of Jihad' was published
on the al-Farouq website. Principle 34 states that 'performing electronic jihad' is a 'sacred duty'. The
author of the principle document calls upon the group's members to participate actively in Internet
forums. He explains that the Internet offers the opportunity to respond instantly and to reach millions
of people in seconds. Members who have Internet skills are urged to use them to support the jihad by
hacking into and destroying enemy websites (Atwan 2006).
Keeping this principle in mind, the use of the Internet by terrorist groups has expanded from only
traditional Internet usage to more innovative usage of both traditional and new Internet functions. This
paper will summarise the high-level functions, methods and examples for which terrorists utilise the
Internet. The examples and methods often provide for various functions and thus a strict one-to-one
260

Namosha Veerasamy and Marthie Grobler
mapping cannot be provided. Rather, the examples given shed light on the technical and practical role
that ICT infrastructure plays in the support of terrorism.
2. Functionality of the internet
Terrorists use the Internet because it is easy and inexpensive to disseminate information
instantaneously worldwide (Piper 2008). By its very nature, the Internet is in many ways an ideal
arena for activity by terrorist groups. The Internet offers little or no regulation, is an anonymous
multimedia environment, and has the ability to shape coverage in the traditional mass media
(Weimann 2005).
Whilst the Internet was originally created to facilitate communication between two computers, its
functionality now extends to information repository as well. Figure 1 shows the general functions that
terrorists may use the Internet for, with an indication of which type of methods are used for each
functionality type.
Recruitment – the process of attracting, screening and selecting individuals to become members
of the terrorist groups; both web literature and social networking tools can be applied for this
purpose.
Training – the process of disseminating knowledge, skills and competency to new recruits with
regard to specific topics of knowledge that may be needed during terrorist operations; social
networking tools and anti-forensics methods are employed for this purpose.
Communication – the process of conveying information to members of the terrorist group; social
networking tools and anti-forensics methods are employed for this purpose.
Operations – the direction and control of a specific terrorist attack; web literature, anti-forensics
and fundraising methods are employed for this purpose.
Propaganda – a form of communication aimed at influencing the terrorist community toward a
specific cause; both web literature and social networking tools can be applied for this purpose.
Funding – financial support provided to make a specific terrorist operation possible; fundraising
methods are used for this purpose.
Psychological warfare – the process of spreading disinformation in an attempt to deliver threats
intended to distil fear and helplessness within the enemy ranks; both web literature and social
networking tools can be applied for this purpose.
The Internet is the perfect tool to exploit in order to support terrorist activities. Not only does it provide
location independence, speed, anonymity and internationality, but is also provides a relatively low
cost-benefit ratio (Brunst 2010), making it a desirable tool. Figure 1 shows the complexity of terrorist
groups' use of the Internet (as both traditional communication and information gathering tool) in
innovative new ways. The Internet is also used as both uni-directional and bi-directional
communication tool.
Although this list of functionalities is not exhaustive, it provides a better understanding of the need for
specific methods to exploit the ICT infrastructure to support terrorist activities. The next section
discusses the methods in more detail, and explains these with actual examples.
3. Exploiting the ICT infrastructure to support terrorist activities
For the purpose of this article, Internet exploitation methods are divided into four distinct groups: web
literature, social networking tools, anti-forensics and fundraising. Figure 2 shows these groups with
some examples of how the methods may be employed.
3.1 Web literature
Web literature refers to all writings published on the web in a particular style on a particular subject.
Some of the types of web literature facilitated by terrorist groups include published periodicals and
essays, manuals, encyclopaedias, poetry, videos, statements and biographies. Since web literature
often takes on the form of mass uni-directional communication, this media is ideal for terrorist use in
recruitment, operations, training and propaganda.
261

Namosha Veerasamy and Marthie Grobler
Figure 1: The Internet as terrorist supporting mechanism
Figure 2: Examples of how terrorists may use the Internet
262

Namosha Veerasamy and Marthie Grobler
Radio Free Europe/Radio Liberty compiled a special report on the use of media by Sunni Insurgents
in Iraq and their supporters worldwide. This report discusses the products produced by terrorist media
campaigns, including text, audiovisual and websites (Kimmage, Ridolfo 2007). The distribution of text
and audiovisual media is a traditional use of the Internet, with little innovative application. Text media
include press releases, operational statements, inspirational texts and martyr biographies. Audiovisual
media include recordings of al Qaeda operations in Iraq (Atwan 2006). Online training material can
provide detailed instructions on how to make letter bombs; use poison and chemicals; detonate car
bombs; shoot US soldiers; navigate by the stars (Coll, Glasser 2005) and assemble a suicide bomb
vest (Lachow, Richardson 2007).
The use of dedicated websites within terrorist circles is prominent. By the end of 1999, most of the 30
organisations designated as Foreign Terrorist Organisations had a maintained web presence
(Weimann 2009). In 2006, this number has grown to over 5000 active websites (Nordeste, Carment
2006). These websites generally provide current activity reports and vision and mission statements of
the terrorist group. Sympathetic websites focus largely on propaganda. These websites have postings
of entire downloadable books and pamphlet libraries aimed at indoctrinating jihadi sympathizers and
reassuring already indoctrinated jihadists (Jamestown Foundation 2006). Pro-surgent websites focus
on providing detailed tutorials to group members, e.g. showing how to add news crawls that provide
the latest, fraudulent death toll for US forces in Iraq.
According to an al Qaeda training manual, it is possible to gather at least 80% of all information
required about the enemy, by using public Internet sources openly and without resorting to illegal
means (Weimann 2005). More than 1 million pages of historical government documents have been
removed from public view since the 9/11 terror attacks. This record of concern program aims to
"reduce the risk of providing access to materials that might support terrorists". Among the removed
documents is a database from the Federal Emergency Management Agency with information about all
federal facilities, and 200 000 pages of naval facility plans and blueprints. The data is removed from
public domain, but individuals can still request to see parts of the withdrawn documents under the
Freedom of Information Act (Bass, Ho 2007).
Other examples of web literature and information collected through the Internet include maps, satellite
photos of potential attack sites, transportation routes, power and communication grids, infrastructure
details, pipelines systems, dams and water supplies, information on natural resources and email
distribution lists. Although this type of information may not necessarily be useful in cyberterrorism
activities, it can be used to plan traditional terrorism activities without actually going to the
geographical location of the target. Some terrorist groups have recently been distributing flight
simulation software. Web literature can thus be used in the initial recruitment campaigns by glorifying
terrorism through inspirational media, as well as the training of members, propaganda and the
operations of the terrorist group.
3.2 Social networking tools
Social networking tools focus on building and reflecting social networks or social relations among
people who share a common interest. Some types of social networking tools facilitated by terrorist
groups include online forums and blogs, websites, games, virtual personas, music and specialised
applications. Social networking tools offer both uni-directional and bi-directional communications, and
can be used for recruitment, training, propaganda and communication within terrorist groups.
Social networking and gaming sites often require new members to create accounts by specifying their
names, skills and interests. Through the creation of these virtual personas, terrorist groups are able to
gather information on potential recruits. Individuals with strong technical skills in the fields of
chemistry, engineering or weapons development can be identified and encouraged to join the group.
This type of information can be derived from interactions in social networking sites, forums and blogs
where users share information about their interests, beliefs, skills and careers. Online gaming sites
also provide a source of potential members. For example, terrorist groups identify online players with
a strong shooting ability that might be indicative of violent tendencies. In some terrorist groups, this
type of temperament would be ideal for operational missions.
In addition to traditional social networking sites like Facebook and MySpace, Web 2.0 technologies
evolved to customisable social networking sites. West and Latham (2010) state that social networking
creation sites are an online extremist's dream - it is inexpensive, easy-to-use, highly customisable and
263

Namosha Veerasamy and Marthie Grobler
conducive to online extremism. Ning users, for example, can create an individualised site where users
have the ability to upload audio and video files, post and receive messages and blog entries, create
events and receive RSS feeds. If a terrorist group sets up a customised social site, they would have
the ability to control access to members, post propaganda videos and even use the site for
fundraising.
Another way of promoting a cause is with music (Whelpton 2009). Islamic and white supremist groups
perform captivating songs with pop and hip-hop beats that often attract young influential teenagers.
The lyrics of the music promote the cause and the catchy beats keep the youth captivated.
Other examples of social networking include chat rooms, bulletin boards, discussion groups and micro
blogging (such as Twitter). The type of social networking used by terrorist groups depends on the
group’s infrastructure, ability and personal preference. For example, al Qaeda operatives use the
Internet in public places and communicate by using free web based email accounts. For these public
types of communication, instructions are often delivered electronically through code, usually in
difficult-to-decipher dialects for which Western intelligence and security services have few or no
trained linguists (Nordeste, Carment 2006).
3.3 Anti-forensics
Anti-forensics is a set of tools or methods used to counter the use of forensic tools and methods.
Some of the identified types of anti-forensic measures include steganography, dead dropping,
encryption, IP-based cloaking, proxies and anonymising. Since anti-forensic measures mostly offer
targeted uni-directional communication, it is ideal for training, operations and communication within
terrorist groups.
Steganography is a method of covertly hiding messages within another. This is done by embedding
the true message within a seemingly innocuous communication, such as text, image or audio. Only
individuals that know of the hidden message and have the relevant key will be able to extract the
original message from the carrier message. The password or passphrase is delivered to the intended
recipient by secure alternative means (Lau 2003). Although it is difficult to detect the modified carrier
media visually, it is possible to use statistical analysis. The February 2007 edition of Technical
Mujahid contains an article that encourages extremists to download a copy of the encryption program
“Secrets of the Mujahideen” from the Internet (2007). The program hid data in the pixels of the image
and compressed the file to defeat steganalysis attempts.
Another technique that would bypass messaging interception techniques is the use of virtual dead
dropping, or draft message folders. Bruce Hoffman from Rand Corp. (in (Noguchi, Goo 2006)) states
that terrorists create free web based email accounts and allow others to log into the accounts and
read the drafts without the messages ever been sent. The email account name and password is
transmitted in code in a chat forum or secure message board to the intended recipients. This
technique is used especially for highly sensitive information (Nordeste, Carment 2006) and if
electronic interception legislation may come into play.
Redirecting of traffic through IP-based cloaking is another anti-forensic technique. At a seminar in
FOSE 2006, Cottrell (in ((Carr 2007))) stated that: “When the Web server receives a page request, a
script checks the IP address of the user against a list of known government IP addresses. If a match
is found, the server delivers a Web page with fake information. If no match is found, the requesting
user is sent to a Web page with real information”. From this, the expression cloaking as the authentic
site is masked. This also leads to a similar technique called IP-based blocking that prevents users’
access to a site instead of redirecting the traffic.
Other techniques include the use of a proxy and secure channel to hide Internet activity. The Search
for International Terrorist Entities Institute (SITE) detected a posting that encouraged the use of a
proxy as it erases digital footsteps such as web addresses and other identifiable information (Noguchi,
Goo 2006). The premise of this approach is that the user connects to a proxy that requests an
anonymising site to redirect the user to the target site. The connection to the proxy is via a secure
encrypted channel that hides the originating user’s details. The well-known cyber user Irhabi 007
(Terrorist 007) also provided security tips by distributing anonymising software that masks an IP
address (Labi 2006).
264

Namosha Veerasamy and Marthie Grobler
Another innovative use of the Internet is provided by spammimic.com. Spam (unsolicited distribution
of mass email communication) has become a nuisance for the average netizen. Most people
automatically delete these messages or send it to the spam folder. Spammimic.com provides an
interesting analogue of encryption software that hides messages within the text of ordinary mail. It
does not provide true encryption, but hides the text of a short message into what appears to be an
average spam mail. Not only will the messages be disguised, but few people will take the chance to
open the email in fear of attached malware. Thus, only the intended recipients will know about the
disguised messages and decode it through the web interface (Tibbetts 2002).
3.4 Fundraising
Fundraising is the process of soliciting and gathering contributions by requesting donations, often in
the form of money. Some of the identified types of fundraising methods include donations,
auctioneering, casinos, credit card theft, drug trafficking and phishing. Since fundraising methods
mostly offer targeted communication, it can be used for operations and funding activities.
Since the 9/11 terrorist attack, terrorist groups have increasingly relied on the Internet for finance
related activities. Popular terrorist organisation websites often have links such as “What You Can Do”
or “How Can I Help”. Terrorist websites publish requests for funds by appealing to sympathetic users
to make donations and contribute to the funding of activities. Visitors to such websites are monitored
and researched. Repeat visitors or individuals spending extended periods on the websites are
contacted (Piper 2008). These individuals are guided to secret chat rooms or instructed to download
specific software that enables users to communicate on the Internet without being monitored
(Nordeste, Carment 2006).
However, malicious or disguised methods of fundraising are also possible. Electronic money transfer,
laundering and generating support through front organisations are all fundraising methods used by
terrorists (Goodman, Kirk & Kirk 2007). According to the Financial Action Task Force, “the misuse of
nonprofit organizations for the financing of terrorism is coming to be recognized as a crucial weak
point in the global struggle to stop such funding at its source” (Jacobson 2009). Examples of such
undertakings include Mercy International, Rabita Trust, Global Relief Fund, and Help the Needy
(Conway 2006). Some charities are founded with the express purpose of financing terror, while others
are existing entities that are infiltrated by terrorist supporters from within (Jacobson 2009).
Other methods related to fundraising include online auctioneering to move money around. This
involves two partners, known as smurfs, to arrange a fake transaction. One partner bids on an item
and pays the auction amount to the auction house. The other partner receives payment for the fake
auction item. There are also scams where users bid on their own items in an effort to store money and
prevent detection (Whelpton 2009). In one specific auction, a set of second-hand video games were
offered for $200, whilst the same set could be purchased brand new from the publisher for $39.99
(Tibbetts 2002). Although the ludicrously high selling price is not illegal, this item will only attract
selected attention from a trusted agent. This allows terrorist groups to move money around without
actually delivering the auctioned goods or services.
Online casinos can be used for both laundering and storing money. When dealing with large sums of
money, terrorists can place it in an online gambling site. Small bids are made to ensure activity, while
the rest of the money is safely stored and hidden (Whelpton 2009). Alternatively, any winnings can be
cashed in and transferred electronically to bank accounts specifically created for this purpose
(Jacobson 2009).
Stolen credit cards can help to fund many terrorist activities. For example, Irhabi 007 and his
accomplice accumulated 37 000 stolen credit card numbers, making more than $3.5 million in charges
(Jacobson 2009). In 2005, stolen credit card details were used to purchase domain space with a
request stemming from Paris. When a similar request for nearby domain space was requested, shortly
after the initial request, through another name in Britain, it was detected as fraud and the backup files
of the initial site was investigated. Although the files were mostly Arabic, video footage includes
insurgent forces clashing with American forces, depicting Iraqi conflict from the attacker’s point of view
(Labi 2006).
Drug trafficking is considered a large income source for terrorist groups. Fake Internet drugs are
trafficked, containing harmful ingredients such as arsenic, boric acid, leaded road paint, polish, talcum
265

Namosha Veerasamy and Marthie Grobler
powder, chalk and brick dust. In an elaborate scheme, Americans were tricked in believing they are
buying Viagra, but instead they received fake drugs. The money paid for these drugs is used to fund
Middle Eastern terrorism. The UK Medicine and Healthcare Regulatory Agency reports that up to 62%
of the prescription medicine on sale on the Internet, without requiring a prescription, are fake
(Whelpton 2009).
3.5 Other examples of the exploitation of the ICT infrastructure
Kovner (in (Lachow, Richardson 2007)) discusses one of al Qaeda’s goals of using the Internet to
create resistance blockades to prevent Western ideas from corrupting Islamic institutions. In some
instances, Internet browsers designed to filter out content from undesirable Western sources were
distributed without users being aware of it. Brachman also discusses jihadi computer programmers
launching browsing software, similar to Internet Explorer that searches only particular sites and thus
restricts the freedom to navigate to certain online destinations (2006).
Another technique from the infamous terrorist Irhabi 007 was to exploit vulnerabilities in FTP servers,
reducing risk from exposure and saving money. Irabhi dumped files (with videos of Bin Laden and
9/11 hijackers) onto an FTP server at the Arkansan State Highway and Transport Department and
then posted links warning users of the limited window of opportunity to download (Labi 2006).
SITE (in (Brachman 2006)) discovered a guide for jihadis to use the Internet safely and anonymously.
This guide explains how governments identify users, penetrate their usage of software chat programs
(including Microsoft Messenger and Paltalk), and advise readers not to use Saudi Arabian based
email addresses (ending with .sa) due to its insecure nature. Readers are advised to rather register
from anonymous accounts from commercial providers like Hotmail or Yahoo!.
Cottrell in 2006 (in (Dizard 2006)) discusses the following emerging cloaking trends:
Terrorist organisations host bogus websites that mask their covert information or provide
misleading information to users they identify as federal employees or agents;
Criminal and terrorist organisations are increasingly blocking all traffic from North America or from
IP addresses that point back to users who rely on the English language;
Another cloaking practice is the provision of fake passwords at covert meetings. When one of the
fake passwords are detected, the user is flagged as a potential federal intelligence agent who has
attended the meetings, which in turn makes them vulnerable to being kidnapped or becoming the
unwitting carriers of false information; and
Another method was used in a case in which hackers set a number of criteria that they all shared
using the Linux operating system and the Netscape browser, among other factors. When federal
investigators using computers running Windows and using Internet Explorer visited the hackers'
shared site, the hackers' system immediately mounted a distributed denial-of-service attack
against the federal system.
Sometimes communication between terrorists occurs through a special code developed by the group
itself. By using inconspicuous word and phrases, it is possible to deliver these messages in a public
forum without attracting untoward attention. For example, Mohammed Atta’s final message to the
other eighteen terrorists who carried out the attacks of 9/11 is reported to have read: “The semester
begins in three more weeks. We’ve obtained 19 confirmations for studies in the faculty of law, the
faculty of urban planning, the faculty of fine arts, and the faculty of engineering.” The reference to the
various faculties is code for the buildings targeted in the attacks (Weimann 2005).
Defacing websites are a popular way for terrorist groups to demonstrate its technical capability and
create fear. These defacements often take the form of public alterations of a website that are visible to
a large audience. An example of such an attack took place in 2001, when a group known as the
Pentaguard defaced a multitude of government and military websites in the UK, Australia, and the
United States. “This attack was later evaluated as one of the largest, most systematic defacements of
worldwide government servers on the Web”. Another example is pro-Palestinian hackers using a
coordinated attack to break into 80 Israel-related sites and deface them, and when al Qaeda
deposited images of the murdered Paul Marshall Johnson, Jr. on the hacked website of the Silicon
Valley Landsurveying, Inc (Brunst 2010).
266

4. Conclusion
Namosha Veerasamy and Marthie Grobler
The use of the Internet by terrorist groups has expanded to both traditional Internet usage and the
more innovative usage of both traditional and new Internet functions. Global terrorist groups can now
electronically target an enormous amount of potential recipients, recruitees and enemies. Terrorist
groups often embrace the opportunities that technology innovation brings about in order to advance
their own terrorist workings.
This paper is informative in nature, aiming to make the public aware of the potential that ICT
infrastructure has in assisting terrorist groups in their operations and normal functions. These
functions include all the processes from recruitment and training of new members, communicating
with existing members, planning and executing operations, distributing propaganda, fund raising and
carrying out psychological warfare. Due to the unique nature of the Internet, many of these traditional
and innovative Internet uses can be carried out in either a uni-directional or bi-directional fashion,
depending on the nature of the communication required.
Based on this research, in can be seen that international terrorist groups can use the Internet in most
of its daily functions to facilitate the growth and operation of the groups. In a sense, terrorist groups
can actively exploit the existing ICT infrastructure to advance their groups. This paper discussed
specific instances and provided examples of this exploitation through web literature use, socialnetworking
tools, anti-forensic techniques and novel fundraising methods. In conclusion, further
research may be done to identify ways on how these innovative uses of the Internet can be used to
counter terrorism attacks, and not only support their activities.
References
Atwan, A. (2006), The secret history of al Qaeda, 1st edn, University of California Press, California.
Bass, R. & Ho, S.M. 2007, AP: 1M archived pages removed post-9/11.
Brachman, J.M. (2006), "High-tech terror: Al-Qaeda's use of new technology", Fletcher Forum of World Affairs,
vol. 30, pp. 149.
Brunst, P.W. (2010), "Terrorism and the Internet: New Threats Posed by Cyberterrorism and Terrorist Use of the
Internet" in , ed. P.W. Brunst, Springer, A war on terror?, pp. 51-78.
Carr, J. (2007), Anti-Forensic Methods Used by Jihadist Web Sites.
Coll, S. & Glasser, S.B. (2005), "Terrorists turn to the Web as base of operations", The Washington Post, vol. 7,
pp. 77–87.
Conway, M. (2006), "Terrorist Use' of the Internet and Fighting Back", Information and Security, vol. 19, pp. 9.
Dizard, W.P. (2006), Internet "cloaking" emerges as new Web security threat, Government Computer News.
Goodman, S.E., Kirk, J.C. & Kirk, M.H. (2007), "Cyberspace as a medium for terrorists", Technological
Forecasting and Social Change, vol. 74, no. 2, pp. 193-210.
Internet World Stats 2010, May 27, 2010-last update, Internet usage statistics - The internet big picture: World
internet users and population stats. Available: http://www.internetworldstats.com/stats.htm [2010, 06/08] .
Jacobson, M. (2009), "Terrorist financing on the internet", CTC Sentinel, vol. 2, no. 6, pp. 17-20.
Jamestown Foundation, (2006), Next Stage in Counter-Terrorism: Jihadi Radicalization on the Web.
Kimmage, D. & Ridolfo, K. (2007), "Iraqi Insurgent Media. The War of Images and Ideas. How Sunni Insurgents
in Iraq and Their Supporters Worldwide are Using the Media", Washington, Radio Free Europe/Radio
Liberty.
Labi, N. (2006), "Jihad 2.0", The Atlantic Monthly, vol. 102.
Lachow, I. & Richardson, C. (2007), "Terrorist use of the Internet: The real story", Joint Force Quarterly, vol. 45,
pp. 100.
Lau, S. (2003), " An analysis of terrorist groups' potential use of electronic steganography ", Bethesda, Md.:
SANS Institute, February, , pp. 1-13.
Noguchi, Y. & Goo, S. (2006), Terrorists’ Web Chatter Shows Concern About Internet Privacy, Wash.
Nordeste, B. & Carment, D. (2006), " Trends in terrorism series: A framework for understanding terrorist use of
the internet ", ITAC, vol. 2006-2, pp. 1-21.
Piper, P. (2008), Nets of terror: Terrorist activity on the internet. Searcher, vol.16, issue 10.
Tibbetts, P.S. (2002), "Terrorist Use of the Internet and Related Information Technologies", Army Command And
General Staff Coll Fort Leavenworth Ks School Of Advanced Military Studies, pp. 1-67.
Weimann, G. (2009), "Virtual Terrorism: How Modern Terrorists Use the Internet", Annual Meeting of the
International Communciation Association, Dresden International Congress Centre, Dresden.
Weimann, G. (2005), "How modern terrorism uses the internet", The Journal of International Security Affairs, vol.
Spring 2005, no. 8.
West, D. & Latham, C.( 2010), "The extremist Edition of Social Networking: The Inevitable Marriage of Cyber
Jihad and Web 2.0", Proceedings of the 5th International Conference on Information Warfare and Security,
ed. L. Armistead, Academic Conferences, .
Whelpton, J. (2009), "Psychology of Cyber Terrorism" in Cyberterrorism 2009 Seminar Ekwinox, South Africa.
267

Evolving an Information Security Curriculum: New
Content, Innovative Pedagogy and Flexible Delivery
Formats
Tanya Zlateva, Virginia Greiman, Lou Chitkushev and Kip Becker
Boston University, USA
zlateva@bu.edu
ggreiman@bu.edu
ltc@bu.edu
kbecker@bu.edu
Abstract: In the last ten years information security has been recognized as a most relevant new trend by
academia, government and industry. The need for educating information security professionals has increased
dramatically and is not being met despite recent growth of cyber security programs. The challenge is to design
and evolve multi-disciplinary curricula that provide theoretical as well as hands-on experience and are also
available to a broad student audience is of strategic importance for the future of reliable and secure systems. We
present our experience in designing and evolving information security programs that have grown to over 650
students per year since their inception eight years ago and have graduated more than 250 students. We discuss
three major directions in the evolution of the program: the increased focus of the core and growth of
concentration electives, the design of cyber law curriculum and coordination with the business continuity
programs, and the introduction of new educational technologies such as virtualization and video-collaboration
and flexible online and blended delivery formats. The rapid growth of the program, the changes in the discipline
and the great diversity of professional interests of our students required broadening of the curriculum with
courses and modules on emerging technologies such as digital forensics, biometrics, security policies and
procedures, privacy and security in health care, cyber law, as well as the coordination of the curriculum with
existing programs in business continuity. Special efforts were expended to the introduction of more participatory
pedagogy, more specifically by developing a series of virtual laboratories that brought real world situations into
the class room and through video-collaboration tools that encourage team building. The accessibility of the
programs was increased through the introduction of flexible delivery formats. After establishing the programs in
the traditional classroom, we added an blended and online version that rapidly found a national audience.
Keywords: information security education, digital forensics, cyber law, virtualization, business continuity, online
and blended learning
1. Introduction
The strong and steadily increasing reliance on a globally distributed computational infrastructure in
virtually all areas of human endeavor—business , industry, government, defense, health care, and
even the individual’s social interactions—has made security and reliability of vital importance and has
sharply increased the need for information security professionals. This need is not being met despite
the recent growth of cyber security programs. The reasons lie in the complexity of the task that
requires building an interdisciplinary curriculum that integrates knowledge domains as diverse
cryptography, ethics, engineering, management and law. An additional challenge is the unusually
large gap between theory, (e.g. cryptographic algorithms), and practical skills, (e.g. setting up a fire
wall), that calls for an imaginative and effective way to bring real world experience into the classroom.
This paper presents and discusses our experience in establishing and growing the information
security concentrations in the Master’s programs in Computer Science, Computer Information
Systems, and Telecommunication at Boston University that are offered through BU’s Metropolitan
College. The programs are certified by the Committee on National Security Systems. Since the
introduction of the security curriculum in 2002 enrollments in our security courses grew to over 650
per year and more than 250 students have completed their Master’s degree with a concentration in
security. We trace the evolution of the programs in three major directions: the broadening and
diversification of the curriculum, developing a cyber law course and coordinating the curriculum with
programs in business continuity , and introducing new educational technologies, (more specifically
virtualization and video-collaboration), and flexible online and blended delivery formats.
2. Design principles, structure, and initial curriculum
We started introducing information security themes in the curriculum in the late 1990-ies and formally
introduced an information security concentration in the Master’s programs of Computer Science,
268

Tanya Zlateva et al.
Computer Information Systems and Telecommunication in 2002. The central goal of the program was
to draw upon the resources of a large research university and to give students the academic
knowledge and technical skills as well as to develop their ability to identify and solve security
problems in their multi-disciplinary complexity taking into account technical, managerial, legal, and
ethical aspects of information security. We emphasized from the outset an interdisciplinary design
approach with strong laboratory and experiential components; a program scope that embraces
contributions from multiple fields; and a program structure that integrates information assurance
concepts, topics, and methods throughout the curriculum as opposed to predominantly in specialized
courses (Zlateva et al., 2003). The integration of information assurance topics across the curriculum is
conducted at three levels (Table 1):
First, the fundamental information assurance topics are taught within the existing core courses at
the undergraduate and graduate level. This ensures that all students are equipped with the basic
knowledge of information security that is currently indispensable for any professional working in
computer software, hardware, systems, or networks.
Second, specialized semester long courses—such as information security, network security,
database security, cryptography, biometrics, digital forensics, etc. —provide in-depth analysis of
different security aspects. These courses provide the core for concentrators in information
security and are available as electives to students outside the information security concentration.
Third, advanced specialized courses—such as web applications, web services, enterprise
computing, mobile applications, data mining etc. —include cyber security topics and modules.
Our Master’s programs consists of ten four-credit courses and a concentration requires the
completion of four courses, typically three specialized that provide depth and one related high level
elective for breadth. When first introduced in 2002 the security concentrations in the MS in CS, CIS,
and TC were based on five specialized courses— cryptography, computer networks and security,
information systems security, database security, and network management and computer security
(Table 1).
The programs were well received and grew rapidly. From a curriculum point of view we soon
recognized two related trends both of which required the introduction of new security topics and
further development of the curriculum both in depth and breadth. From the point of view of pedagogy
and access it became clear that novel online technologies such as virtualization and videocollaboration
can increase the impact of content presentation and that new delivery formats, such as
hybrid or distance learning, can make the program available to students at remote locations or who
are unable to attend on-campus classes due to demanding work schedules. In the following we first
discuss the evolution of the curriculum and then the novel teaching approaches.
The large majority of students in our programs are information technology professionals and a
considerable number are already involved in information security. From the very beginning of the
programs their interests ranged from biometrics to digital forensics on the technical side, and from
security policies to legal and regulatory issues on the managerial and organizational side. At the same
time the information security field was rapidly evolving, maturing, and its importance was becoming
widely recognized. Both these factors required us to deepen the theoretical and applied knowledge of
the core, to updated and broaden the curriculum with topics and/or courses on emerging
technologies, and to seek synergies with programs that focus on related and complementary fields.
Depth was achieved by restructuring the teaching of security fundamentals and adding a course on
network security in recognition of the central importance that global networks play in the modern
world. Breadth was achieved by introducing a four-course certificate in digital forensics, a new course
in biometrics and a number of specialized content modules in the advanced courses. In collaboration
with the administrative sciences department we are currently exploring synergies with the
concentration in Business Continuity, Security, and Risk Management and the introduction of new
course on cyber law.
269

Tanya Zlateva et al.
Table 1: Structure and evolution of the security curriculum (the middle box shows the initial
concentration courses on the right and the new courses are on the left, courses that are
currently offered are in italics)
Information security modules in core undergraduate and graduate courses
(intro programming and data structures, operating systems, data communications and networks,
databases, algorithms, software engineering)
Information Security Concentration Courses
Computer and Network Security
(CS654)
Information Systems Security (CS684)
Database Security (CS674)
Cryptography (CS786)
Network Management and Computer
Security (TC685)
Enterprise Information Security (CS695)
Network Security (CS690)
IT Security Policies and Procedures (CS684)
Electives
3. Evolving the information security curriculum
Advanced Cryptography (CS799)
Biometrics (CS599)
Digital Forensics and Investigations (CS693)
Network Forensics (CS703)
Advanced Digital Forensics (CS713)
1. Network Performance and Management
(CS685)
Information security modules in high-level courses (web application development, web services,
enterprise computing, mobile applications, data mining, biomedical information technology,
electronic health records)
3.1 Focusing and expanding the concentration courses
Initially we provided the security fundamentals in a single course that came in two flavors—a
Computer and Network Security course for the MS in CS and CIS programs and a Network
Management and Computer Security course tailored to the needs of the telecommunication program.
Two years into the program this structure became insufficient for accommodating the growing body of
knowledge in security models and protocols and especially in network security. We restructured the
curriculum by consolidating enterprise security topics into a single course required for all
concentrations and dedicating a full course on network security. The Network Management and
Computer Security course of the telecommunication degree was revised to a Network Performance
and Management which retained an emphasis on security and was moved into the core. (Table 1
shows the evolution of the curriculum and the program and course descriptions are available at the
web site of Boston University (2010a).
The new Enterprise Information Security course lays a solid academic basis for the understanding of
security issues in computer systems, networks, and applications. It discusses formal security models
and their application in operating systems; application level security with focus on language level
270

Tanya Zlateva et al.
security and various security policies; introduction to conventional and public keys encryption,
authentication, message digest and digital signatures, and an overview of Internet and intranet topics.
The Network Security course expands on the fundamentals (security services, access controls,
vulnerabilities, threats and risk, network architectures and attacks) through a discussion on network
security capabilities and mechanisms (access control on wire-line and wireless networks), IPsec,
firewalls, deep packet inspection and transport security. It then addresses network application security
(email, ad-hoc, XML/SAML and Services Oriented Architecture security).
A new course on IT Security Policies and Procedures evolved from and replaced the Information
System Security course by shifting the focus to methodologies for identifying, quantifying, mitigating
and controlling security risks, the development of IT risk management plans, standards, and
procedures that identify alternate sites for processing mission-critical applications, and techniques to
recover infrastructure, systems, networks, data and user access.
3.2 Adding security electives
Elective courses on specialized security topics were added based on student interests and emerging
technologies. In response to an early and sustained interest in digital forensics we developed first a
course and then a Graduate Certificate in Digital Forensics (Boston University 2010a) that can be
taken as a stand-alone or as part of the MS degree. The certificate consists of a required Business
Data and Communication Network course and three forensics courses that build on each other:
Digital Forensics and Investigations (CS693) introduces the investigative process, available
hardware and software tools, digital evidence controls, data acquisition, computer forensic
analysis, e-mail investigations, image file recovery, investigative report writing, and expert witness
requirements.
Network Forensics (CS703) explores the relationship between network forensic analysis and
network security technologies, identification of network security incidents and potential sources of
digital evidence, basic network data acquisition and analysis.
Advanced Digital Forensics (CS713) discusses malicious software, reverse engineering
techniques for conducting static and dynamic forensic analysis on computer systems and
networks, legal considerations, digital evidence controls, and documentation of forensic
procedures.
A Biometrics (CS599) course was developed in response to increased significance of biometrics
approaches and their integration in traditional security schemes. The course presents fundamental
methods for designing applications based on various biometrics, (fingerprints, voice, face, hand
geometry, palm print, iris, retina), multimodal approaches, privacy aspect relating to using of
biometrics data, and system performance issues.
Based on industry demand from high-tech Boston area companies we developed an Advanced
Cryptography (CS713) elective course that expanded the coverage of cryptographic algorithms to
include elliptic curves, block ciphers, the data encryption standard (DES) and double and triple DES,
the advanced encryption standard (AES), cryptographic hash functions (SHA-512 and WHIRLPOOL),
and key management issues
In addition to these new courses we developed security modules in the high level elective including
web application development, web services, enterprise computing, mobile applications, data mining,
and most recently in the courses on biomedical information technology and electronic health records
of our new concentration in Health Informatics.
4. Relating technological aspects to cyber law and business continuity
The importance of protecting information for achieving business success has always been recognized
by the business community but it has reached a new dimension since cyberspace became the
preferred medium for business transactions. Expenses for information security systems continue to
grow and it has been found that quality of information security impacts the financial value of
companies. According to McAfee (2006) United States companies spend as much on information
technology annually as they do on offices, warehouses and factories combined and these
expenditures tend to increase. According to Cavusoglu et al. (2004) firms that experienced internet
271

Tanya Zlateva et al.
security breaches lose an average of 2.1% of their market value within two days and subsequent
studies confirmed the sensitivity of financial performance from security breaches.
The threat of cyber espionage and cyber war is not anymore restricted to expert forums but has
become part of the public discussion. The increased number and sophistication of cyber-attacks
clearly indicate that these attacks originate from professionally run business and government
organizations. Estimates about the degree of the threat may vary—Clarke (2010) posits that cyber
armies are being set up in Russia, China Israel, North Korea and Iran while others believe the goal is
espionage not cyber . However, no one disputes the large negative impact an information security
breach can cause to the economy, government, or the individual.
These development trends clearly indicate that cyber law, business continuity and risk management
provide an indispensable context for framing information security problems and are an integral part of
finding effective solutions. A collaborative effort between the BU MET Computer Science and
Administrative Sciences Department is currently under way for developing a new course in cyber law
and for coordinating the curriculum of the information security concentrations in the MS program in
CS, CIS, and TC with an existing graduate certificate and specialization in Business Continuity,
Security and Risk Management (Boston University 2010b).
4.1 Law and regulation of information security
As technology evolves so must the law. The alleged obsolescence of legal rules in computers and the
Internet among other technologically advanced fields is well recognized in legal scholarship (Moses
2007; Downing 2005). Because the resolution of legal problems are typically left to the chosen dispute
resolution bodies, it is most important to identify in advance the types of legal problems that frequently
follow technological change (Moses 2007; Lessig 1995). Some of the more important questions
arising in relation to information security include:
Defining the technological advancements needed to secure greater protections to the citizens and
communities from cyber-attacks;
Determining who can best regulate the Internet environment and control activity in cyberspace in
a sovereign world;
Constructing with law enforcement and the intelligence communities, an effective means of
sharing actionable information with the private sector (Chander 2002);
Establishing an ethics and conflict policy governing cyber activity and information security to
address cultural change; and
Understanding the ways in which the rise of online interaction alters the balance of power among
individuals, corporations, and government, and how our choice of legal regime should be
influenced by these changes (Chander 2002).
We approach the development of the new information security course by framing a course
methodology and structuring the topics around the areas of the global regulatory environment,
computer crime regulations in the US, jurisprudence over cyber space, culture and information
security, cyber forensics and internet evidence, and international responsibility.
Framing an Information Security Law Curriculum Methodology.
Significantly, the global economy has expanded our vulnerability to manipulation of our software and
hardware through a new phenomena known as "the global supply chain" which increases the number
of actors and the complexity of understanding the legal environment from both a domestic and global
perspective. Technology today passes through many hands including design, manufacture,
distribution, transportation, wholesaler, retailer, installer, repair service and firmware update. To
prevent these vulnerabilities we must focus on better system design, supply chain management,
information security practices, public private partnerships, law enforcement, intelligence and most
important the education of users, employees and management.
The primary pedagogical approach to teaching security information law at Boston University is
through the Socratic method. Diverse Socratic methodologies are used to develop critical thinking
skills including inquiry and debate, examination of complex real-life cybersecurity problems and
ethical concerns, and conflict and contractual analysis, The case studies are derived primarily from
272

Tanya Zlateva et al.
court opinions both domestic and foreign, and are used to provoke discussion, develop problem
solving skills, introduce the importance of team work and assist in attitudinal development. The goal is
to extract and apply important principles of law as well as practical knowledge needed to prevent,
track and enforce cybersecurity laws across jurisdictions. A critical component of the course is the
development of a research project by the students that will highlight emerging topics which will draw
not only upon class discussions but will require the development of a proposal that will advance
innovation and improvement in our current technological and legal structures to combat breaches of
cybersecurity.
The curriculum allows students to progress from a basic understanding of the complex legal system
governing cybersecurity to an overview of the methodologies, technological forensics and
enforcement tools that governments need to fight cybersecurity violations both domestically and
globally. The module includes analyzing legal authorities and boundaries in engaging adversarial
cyber activitities, examining cybersecurity forensics and issues in global prosecution and
enforcement, understanding the advantages and the limitations of private v. public regulation in the
cybersecurity field and identifying ethical, political and cultural concerns in the legal systems of
various countries and developing recommendations for the improvement and harmonization of global
cybersecurity legal systems. A few examples of the key topics incorporated into the module include:
the ability of law enforcement to access stored communications controlled by a third party such as a
service provider or an employer; whether an interception can include acquisition of stored
communications; the definition of electronic storage; the use of surveillance in national security
investigations; the application of the federal Computer Fraud and Abuse Act (CFAA) extraterritorially;
the collection of data from online transactions; the admissibility of electronic evidence; expedited
preservation of computer data; and cross border searches and seizures.
The above topics are of immediate significance for all industries, government academia as internet
technologies have become an operational standard in our professional and private life. Knowledge of
the essentials of information security law is an important requirement for all students today to be
effective and successful in their chosen professions. Teaching security information law is about
awareness, prevention and understanding the risks inherent in cyber attacks and cyberterrorism as
illustrated recently by the denial of access by the U.S. Military Organizations to websites carrying
classified documents released by Wikileaks and leading news organizations. Cyberspace is regulated
through a complex network involving various modalities of constraint that include the legal and
regulatory process, societal norms, markets such as price structures, and finally through the
architecture of cyberspace, or its code (Lessig 1999; Lessig 1995; Bellia et al., 2007).
The role of private entities in cyberspace as a source of regulatory control continues to create
controversy. For example, domain names are controlled by a privately owned entity, the Internet
Corporation for Assigned Names and Numbers (ICANN), that has been making policy for the past ten
years in cooperation with the U.S. Department of Commerce (DoC) (Froomkin 2000). Important
questions arise concerning government oversight and whether any constitutional norms might be
applied to check the activities of these private entities, or whether oversight mechanisms could be
adopted by legislatures (Bellia et al., 2007).
The U.S. Government surveillance under the Wiretap Act, the Electronic Communications Privacy Act
and under the Foreign Intelligence Surveillance Act (FISA) are critical topics for information security
and the case law provides excellent basis for discussing the question when a particular conduct
constitutes a violation of national security. Some scholars believe that all current contracts should
require defense contractors to protect their IT infrastructure to allow DOD evaluation assessments of
the compliance in this area. Others have suggested that Congress should enact a national defenseoriented
statute that mirrors the Department of Homeland Security (DHS) statutes related to our
domestic security (Brown 2009).
In the leading case of Ashcroft v. ACLU, Justice Thomas concluded that website operators should be
responsible for standards of conduct that exist wherever the site is accessible (Ashcroft v. ACLU
2002). This is a significant decision considering that most websites have servers in many locations
around the world.
International Responsibility.
273

Tanya Zlateva et al.
In addition to our students understanding U.S. information security law, to the extent that cyber
terrorists commit cross-border attacks, international law will be at the forefront of responding to these
attacks (Lentz 2010). An international law duty that requires all states to prevent and respond to cyber
terrorist acts has been created by the passage of the United Nations Security Council Resolution
1373, which requires States among other actors to take necessary steps to prevent the commission of
terrorist acts, deny safe havens to those who finance, plan, support or commit terrorist acts, ensure
that any person who participates in the financing, planning, or perpetration of terrorists acts is brought
to justice, and afford one another the greatest measure of assistance in connection with criminal
investigation or proceedings.
4.2 Business continuity, security, and risk management
Business continuity traditionally focuses on the organizational processes that evaluate risks, develop
plans at the strategic, tactical and operational level that ensure the uninterrupted continuation of the
business process. It is a broad management domain distinct from information security but one that
has substantive relationships with issues of information classification and preservation as well as the
sources system vulnerabilities and threats. The specialization in Business Continuity, Security and
Risk Management includes three required courses and a related elective (Boston University, 2010b).
The core curriculum builds an academically solid foundation through discussions of specific industry
needs. The required courses proceed from an overview of central issues and assessment approaches
to details of risk planning and strategy and the development of emergency response plans as follows:
Introduction to Business Continuity, Security, and Risk Management (AD610) is an overview
course that examines management issues involved in assessing the security and risk
environments in both the private and public sectors in order to assure continuous system-wide
operations. The course studies the elements of risk assessment and operational continuity and
exposes the role of the firm in crisis response and management as well as the terms, systems,
and interactions necessary to assure continuous operations.
System-Wide Risk Planning, Strategy, and Compliance (AD613) explores issues relating to
corporate and organizational security and risk from both the perspective of systems designed to
protect against disasters and aspects of emergency preparedness should systems fail. The
course discusses proactive risk assessment, designing and implementing a global assurance
plan, including control measures to assess the plan’s degree of success. The course also
provides explanations of legal/regulatory, auditing, and industry-specific requirements related to
compliance, control, and reporting issues in business risk management. The role of establishing
and maintaining standards by local, national, and international agencies is discussed, as is the
importance of these agencies in certifying operations.
Incident Response and Disaster Recovery (AD614) builds on the concepts introduced in the
previous two courses and applies them in more detail mainly to the corporate-private sector
environment. The focus is on organization and processes necessary to effectively respond to and
manage incidents, including the transition from emergency response and incident management to
business recovery. Disaster recovery is discussed with an emphasis on technology recovery.
The elective course gives students flexibility to pursue their individual interests in one of three areas:
emergency management, project risk and cost management and IT security policies and procedures
though the following courses:
COO-Public Emergency Management (AD612) examines emergency management from national,
state, local, and family perspectives of prevention, preparedness, response, and recovery. The
course encompasses knowledge of the specific agencies, organizations, and individual behaviors
in emergency management as well as the interlinking partnerships between these groups. Areas
of discussion include: responsibilities at federal, state, community and individual levels; guidelines
and procedures for operations and compliance such as the National response Plan; Incident
Command Systems (ICS); plan development, command, and control; communication; partnership
development and maintenance; leadership;
Project Risk and Cost Management (AD644) presents approaches to managing the components
of a project to assure it can be completed through both general and severe business disruptions
on local, national, and international levels. Important aspects include cost management, early cost
estimation, detailed cost estimation, and cost control using earned value method.
IT Security Policies and Procedures (CS684) that was discussed in section 2.
274

Tanya Zlateva et al.
5. Pedagogy, educational technologies and flexible delivery formats
The maturing of the field and the great diversity of student backgrounds naturally led to the need of
more imaginative and more participatory pedagogy. We were especially concerned with teaching our
students how to relate concepts from different areas and apply them on real world applications. To
achieve this we developed a series of virtual laboratories that provided an environment for applying
theoretical concepts, testing different approaches, and assuming alternative roles in various
scenarios.
(Zlateva et al., 2008, Hylkema et al, 2010). The student reflections indicate that the new technologies
enhance understanding and further communication and team building.
Finally we needed also to address the problem of making our programs accessible through flexible
delivery formats. We have considerable experience with flexible delivery formats: first with a blend of
in-class and online in 2000 (Zlateva et al., 2001), and since 2003 a fully online MS in CIS program.
The online version of the security concentration was introduced in 2005. There are significant
differences in the preparation and the delivery of an face-to-face and an online course. One of the
most important factors for successful teaching and learning online is the ability to create a meaningful
and close student-teacher and student-student interaction. Towards this goal we introduced videoconferencing
tools that were used for discussion and review sessions with the instructor, and also by
student teams working on a project. The feedback from students and faculty is overwhelmingly
positive and we are currently developing use cases that reflect the best practices for these
technologies.
6. Conclusions and future work
For the last eight years we developed a comprehensive curriculum for security education. The core
ensures an in-depth discussion of security of operating systems, software, networks as well as
security policies and procedures. This core is complemented by concentration electives in digital
forensics, biometrics, advanced cryptography, and security modules in high-level courses such as
web technologies, enterprise computing, data mining, health informatics. The information security
programs are linked to the programs of business continuity that provide much needed management
context. From a methodological point of view great care is taken to relate abstract theory to practical
skills and team work by using virtual laboratories and video-collaboration tools. Overall the curriculum
introduces analytical dialogue, creative concepts and critical pedagogical methodologies to advance
student learning.
References
Ashcroft v. ACLU 542 U.S. 656 (2004).
Boston University (2010a) Information Security Programs (http://www.bu.edu/csmet/academic-programs/ ) and
Course Descriptions (http://www.bu.edu/csmet/academic-programs/courses/)
Boston University (2010b) Business Continuity, Security and Risk Management
http://www.bu.edu/online/online_programs/graduate_degree/master_management/emergency_managemen
t/courses.shtml
Bellia, P.L., Berman, P.S. & Post, D.G. (2007). Cyberlaw: Problems of Policy and Jurisprudence in the
Information Age, 4-10, St. Paul, MN: Thompson/West.
Brown, T.A. (Lt. Col.) (2009). Sovereignty in Cyberspace: Legal Propriety of Protecting Defense Industrial Base
Information Infrastructure, 64 A.F.L. Rev. 21, 256-257.
Cavusoglu, H., Mishra, B. and Raghunathan, S. (2004)."The effect of Internet security breach announcements on
market value: capital market reactions for breached firms and Internet security developers," International
Journal of Electronic Commerce, Vol. 9, Number 1, pp. 69-104.
Chabinsky, S. R. (2010). Cybersecurity Strategy: A Primer for Policy Makers and Those on the Front Line, 4 J.
Nat'l Security L. & Pol'y 27, 38.
Chander, A. (2002). Whose Republic? 69 U. Chi. L. Rev. 1479.
Clarke, R.A. (2010). Cyber War, New York: Harper Collins.
Cohen, A. (2010). Cyberterrorism: Are we Legally Ready? 9 J. Int'l bus. & L. 1, 40.
Downing ,R. W. (2005). Shoring up the Weakest Link: What Lawmakers Around the World Need to Consider in
Developing Comprehensive Laws to Combat Cybercrime, 43 Colum. J. Transnat’l L. 705, 716-19.
Hylkema, M., Zlateva, T., Burstein, L. and Scheffler, P (2010). Virtual Laboratories for Learning Real World
Security - Operating Systems. Proc. 14th Colloquium for Information Systems Security Education,
Baltimore, MD June 7 – 9.
Kerr, O.S. (2003). Cybercrime's Scope: Interpreting 'Access' and 'Authorization' in Computer Misuse Statutes, 78
NYU Law Review No. 5, 1596, 1621 (citing various state and federal statutes defining "access").
Lentz, C.I. (2010). A State's Duty to Prevent and Respond to Cyberterrorist Acts, 10 Chi. J. Int'l L. 799, 822-823.
275

Tanya Zlateva et al.
Lessig, L. (1995). The Path of Cyberlaw, 104 Yale L.J. 1743, 1743-45.
Lessig, L. (1999). The Law of the Horse: What Cyberlaw Might Teach, 113 Harv. L. Rev. 501, 509.
Moses, L.B. (2007). Recurring Dilemmas: The Law’s Race to Keep Up With Technological Change, University of
Illinois Journal of Law, Technology & Policy, The Board of Trustees of the University of Illinois, 7 U. Ill. J.L.
Tech. & Policy 239, 241-243.
Zlateva, T., Burstein, L., Temkin, A., MacNeil, A. and Chitkushev, L. (2008): Virtual Laboratories for Learning
Real World Security. Proceedings of the Colloquium for Information Systems Security Education, Society for
Advancing Information Assurance and Infrastructure Protection, Dallas, Texas, June 2-4, 2008.
Zlateva, S.; Kanabar, V. , Temkin, A. , Chitkushev, L. and Kalathur, S. (2003): Integrated Curricula for Computer
and Network Security Education, Proceedings of the Colloquium for Information Systems Security
Education, Society for Advancing Information Assurance and Infrastructure Protection, Washington, D.C.,
June 3-5, 2003.
Zlateva, T.; J. Burstein: "A Web-Based Graduate Certificate for IT Professionals - Design Choices and First
Evaluation Results". Proceedings of the 2001 Annual Conference of the American Society for Engineering
Education(ASEE), June 24-27, Albuquerque, New Mexico. http://soa.asee.org/paper/conference/paperview.cfm?id=16617
276

PhD
Research
Papers
277

Towards Persistent Control over Shared Information in a
Collaborative Environment
Shada Alsalamah, Alex Gray and Jeremy Hilton
Cardiff University, UK
S.A.Salamah@cs.cardiff.ac.uk
W.A.Gray@cs.cardiff.ac.uk
Jeremy.hilton@cs.cardiff.ac.uk
Abstract: In a complex collaborative environment, such as healthcare, where Multi-Disciplinary care Team
(MDT) members and information come from independent organisational domains, there is a need for informationsharing
across the organizations’ information systems in order to achieve the overall goal of collaboration.
Inability to provide a secure communication method, giving local/global protection is affecting inter-professional
communications and hindering sharing among MDT members. This research aims to facilitate a secure
collaborative environment enabling persistent control over shared information across boundaries of the
organisations that own the data. This paper is based on the early stages of the research and its results will feed
into following stages. It looks at the structure of a healthcare system to understand the types of inter-professional
communication and information exchange that occur in practice. Additionally it presents an initial assessment
identifying the Information Security (IS) needs and challenges faced in providing persistent control in a shared
collaborative environment by using conceptual modelling of a selected medical scenario (breast cancer in
Wales). The results show that a considerable number of professionals are involved in a patient’s treatment. Each
plays a well-defined role, but often uses different Healthcare Information Systems (HIS) to store sensitive and
confidential patient medical information. These HIS cannot provide secure multi-organisational informationsharing
to support collaboration among the MDT members. This causes inter-professional communication issues
among team members that inhibit decision-making using the information. The findings from this study show how
to improve information support from HIS stored information for MDT members. Also the resulting IS functions will
be described which facilitate establishing secure collaborative environments guaranteeing persistent control over
shared information.
Keywords: information security, information system, Information sharing, multi-disciplinary team, persistent
control, secure collaborative environment
1. Introduction
Current innovation in Information and Communication Technology (ICT) has encouraged collaboration
within and among different fields, including healthcare. This has introduced novel inventions or
tackled large-scale scientific problems. Such collaboration often demands extensive sharing of
different resources among collaborating organisations in order to achieve an overall goal (Park and
Sandhu, 2002; Wasson and Humphrey, 2003; Yau and Chen, 2008). Such collaboration may involve
information in distributed resources being used and shared by users from geographically and
administratively distributed physical organisations that own the resources. On all sites, these
collaborations form Virtual Organisations (VOs) (Wasson and Humphrey, 2003; Yau and Chen, 2008).
Therefore, a key characteristic of a VO is that users and information may come from different
organisations, and thus various administrative domains (Thompson et al., 2003) with each applying
local Information Security (IS) rules to protect its own information. As a result, when these
organisations come together in a VO, they demand a Secure Collaborative Environment (SCE) for
sharing resources, mainly information and data. However, there are three possible levels of protection
when user(a) in domain(a) needs to share information with user(b) in domain(b) outside its secured
administrative domain(a).
Level 1 is local to domain(a) - user(a) loses control over the information once it is shared as the
protection level applied inside domain(a) using IS rules(a) is not guaranteed outside this domain
(once it has passed to domain(b) where IS rules(a) are not applied).
Level 2 allows user(a) to have static control over the shared information when its protection is
assured by user(b) using IS rules(b) when inside domain(b). (Here user(a) passes control to
user(b), and although the information will still be protected, the rules applied change once the
information is received, since user(a) has no control over domain(b)’s protection authority. Thus if
the protection level of original information changes in domain(a), there is no guarantee that
user(b) will also change it on the shared version of this information in domain(b). Additionally, if
user(b) changes the protection on the shared version, user(a) cannot retain control).
278

Shada Alsalamah et al.
Level 3 allows dynamic control. It enables persistent control over information anywhere outside
domain(a), including domain(b), using the rules(a) by communicating rules(a) along with the
shared information. Furthermore, persistent control, in this context, enables synchronisation of
any changes made regarding the protection level of the original information in domain(a) with the
shared version of the information in domain(b). This guarantees full control of user(a) at all times
by sustaining the original information protection level outside its domain, making it remotely
editable. In this context, only the final protection level creates an SCE in a VO, therefore, a
collaborative environment, with multiple independent domains, is referred to as an SCE, when
each domain has persistent control over its shared information.
Based on this, we can differentiate between level 2 and 3, in that the dynamic control creates an SCE,
whereas the static control does not. This is because the latter leaves the information out of both
users’ control at the point when it leaves domain(a) and before being received at domain(b), although
it is secured otherwise.
In fact, static and dynamic levels of information protection could suit different scenarios based on the
information protection level required. This paper explores the need for SCEs in VOs and the
challenges in implementing this environment by investigating a representative example of a VO,
namely the healthcare scenario. This paper is based on a study-case scenario carried out in this
naturally complex environment where healthcare professionals from different organisations critically
need to collaborate and have control over exchanged medical information when treating a patient with
breast cancer in Wales, UK. The paper is now divided into five main sections, which cover the
problem statement, method for understanding the problem, results, a discussion of the results and
conclusion.
2. Problem statement
In this scenario, the patient treatment delivery model is shifting from a disease-centric approach
towards one that is patient-centric (Allam, 2006; Al-Salamah et al., 2009), and considers the patient’s
medical condition as a whole rather than by managing patients as having separate diagnosed
diseases, each treated by different professionals (Department of Health, 1997; Pirnejad, 2008; Al-
Salamah et al., 2009). In a patient-centric approach, the patient is the central focus and is treated by a
Multi-Disciplinary care Team (MDT) (Allam, 2006; Al-Salamah et al., 2009). This team consists of
different healthcare professionals coming from different healthcare organisations to form a VO for
patient treatment. This MDT, and hence the VO, evolves over time in response to the patient’s
changing medical condition. In addition, in order to organise the MDT work and assist the delivery of
patient treatment, a visual and structured care plan, called an Integrated Care Pathway (ICP), is
followed. This plan reflects an ideal, evidence-based patient treatment journey for the condition
(Zander, 2002; Al-Salamah et al., 2009; Map of Medicine, 2010e). In the UK, ICPs are based on
having regular MDT meetings to discuss the patient’s case and provide recommendations for the
treatment management plan. This new approach is increasing the need for sharing medical
information among MDT members as they work together on treating the patient. Consequently, this
will possibly require the information to leave the systems where each member stores patient
information (Smith and Eloff, 1999; Thompson et al., 2003; Beale, 2004; Pirnejad, 2008). The
distributed nature of this collaboration demands an effective SCE, that facilitates secure interprofessional
communication among members, to exchange often-sensitive information.
HISs currently used in patient treatment are hindering inter-professional communication among MDT
members in the health environment. The literature shows that healthcare is suffering from poor interprofessional
communication (Pirnejad, 2008) and this is a key factor contributing to medical errors
(Mohyuddin et al., 2008; Al-Salamah et al., 2009). Indeed, research estimates an annual figure of
850,000 medical errors occurring in NHS hospitals (Department of Health, 2000). These can lead to
death, life-threatening illness, disability, admission to hospital, or prolongation of a hospital stay, as
well as inevitable complications in treatment in some cases which might have been avoided in most
cases if the patient had received ordinary standards of care (Department of Health, 2000; Aylin et al.,
2004). Furthermore, the NHS spends around £400 million annually in settlement of clinical negligence
claims, and has a potential liability of around £2.4 billion for existing and expected claims (Department
of Health, 2000). However, a prime reason behind communication issues and medical errors in the
healthcare environment is the limitation of HIS and ICT used in patient treatment (Smith and Eloff,
1999; Commission for Health Improvement and Audit Commission, 2001; Anderson, 2008;
Mohyuddin et al., 2008; Pirnejad, 2008; Al-Salamah et al., 2009; Skilton et al., 2009). These cause
problems in data processing and representation, the amount of information they are capable of
279

Shada Alsalamah et al.
providing (Mohyuddin et al., 2008), and in communication at departmental, organisational, and even
national levels (Al-Salamah et al., 2009). This is because some of these HISs were designed over 50
years ago (Department of Health, 1997) and thus were tailored to meet the requirements of the
disease-centric approach prevailing at that time (Al-Salamah et al., 2009; Skilton et al., 2009).
Although legacy systems may be capable of providing local and static protection, in the new patientfocused
approach, they hinder communication and information-sharing since protection is not
guaranteed outside secured domains. As a result, information is only accessible within secured
domains where such HISs exist (Lillian, 2009) and the only method of sharing is verbally or by printing
on paper for posting. In addition, despite the fact that ICT is used in some healthcare organisations to
improve communication, in practice, the results did not meet expectations, because either the HIS
failed to be implemented in the healthcare environment or could not achieve implementation
objectives (Commission for Health Improvement and Audit Commission, 2001; Pirnejad, 2008).
Finally, according to Anderson (2008: 3-11), although the security requirements of these systems vary
in terms of the collection of authentication, transaction integrity and accountability, message secrecy,
and covertness they use, many fail because system designers protect either the wrong information, or
the right information but in the wrong way. See reported incidents and concerns in (Blackhurst, 2010;
NursingTimes, 2010a; NursingTimes, 2010b; Sturcke and Campbell, 2010).
Nevertheless, implementation of the new patient-centric approach demands an SCE. The HIS is not
like any other information system because of the “patient” entity. It holds extensive information
combining patient’s biological details and social complexity (Beale, 2004). This information may
contain personal (Office of Public Sector Information, 1998; Department of Health, 2003),
embarrassing (Sturcke and Campbell, 2010), and critical medical information (National Institute for
Healthcare and Clinical Excellence, 2002; Beale, 2004; Meystre, 2007). The nature of a customer or
traveller’s information stored in a bank or airline system decays with age and normally once this
information is published or exposed, protection is no longer required. Patient information, on the other
hand, has a longevity characteristic (Beale, 2004) that will always render it highly sensitive (Smith and
Eloff, 1999) and confidential (Department of Health, 2003); indeed, it is the type of information that will
never expire even after the patient’s death. It is therefore critical to have constant protection with
persistent control and the assurance that it will only be disclosed to the right person for permitted
medical purposes (Department of Health, 2003). Since legacy HISs are not designed to achieve this,
an SCE is essential to help members of MDTs share this information securely with persistent control.
Most of the existing solutions attempt to protect information as long as it exists within the secured
domain and when this information is shared across boundaries, it is no longer secured or controlled
(Park and Sandhu, 2002; Burnap and Hilton, 2009; Nene and Swanson, 2009). Further examples are
in (Chadwick, 2002; Alfieri, 2003). Furthermore, although several solutions are able to protect
electronic information across domains such as Digital Rights Management and Usage Control (Park
and Sandhu, 2002), they are either constrained by the number of uses and/or users (Nene and
Swanson, 2009) or the control policy associated with the content cannot be modified by the
information owner once disseminated (Thompson, et al., 2003). In fact, this is a vital issue that would
prevent adapting to the dynamic nature of the VO environment, such as healthcare, where the need
to protect the information is as important as the need for sharing it. For example, when members of
the VO change their roles or one of the participating organizations goes out of existence, there will be
a need to deny access to information previously shared (Burnap and Hilton, 2009). Therefore, these
solutions are restricted and incapable of providing full protection with the flexibility of persistent
control.
However, enabling information-sharing across organisations with persistent control raises a number of
IS issues and challenges that limit the effectiveness, dynamism, and potential of this collaborative
working (Beale, 2004; Burnap and Hilton, 2009). Firstly, MDT members and information resources
come from different organisations and administrative domains (Thompson et al., 2003). Although
organisations adopt national good-practice guidelines and IS policies to protect in-house medical
information, they adapt them to fit local needs and circumstances (Cancer Services Expert Group,
2008). In other words, MDT members and the systems they use do not speak the same IS language
either at the human or machine level. This makes interoperability difficult since there are no clear and
precise IS policies and practice guidelines at a national level governing a VO-wide exchange of
information. This may result in direct conflicts in terms of information access requirements between
software applications of multiple vendors in use (Beale, 2004). Consequently, negotiating VO-wide
agreements across organisations is often a lengthy and complex process (Thompson et al., 2003).
Secondly, the collaboration demands extensive information-sharing among MDT members in order to
280

Shada Alsalamah et al.
assure the availability of relevant information in a continually changing scene. However, sharing
sensitive information requires a focus on the person’s role in the treatment process, since different
roles have different information requirements. This necessitates a careful balance between the
availability of life-critical data and confidentiality of patient information so that it supports prompt
reliable care without privacy violation. According to Beale (2004) and Anderson (2008: 3-11), these
two requirements are in direct conflict, which make it hard to achieve, even using the current
traditional computer security mechanisms. Thirdly, the human side in the collaborative environment
increases the complexity. In each organisation, professionals and other employees involved with the
management, use, or operation of the resources within the domain are normally mandated to attend
annual organisation-wide IS training sessions to inform personnel of IS risks associated with their
activities and their responsibilities in complying with organisation policies and procedures designed to
reduce such risk, as well as, to manage resources and protect information. However, the absence of
a VO-wide IS awareness means MDT members are unaware of the overall required IS needs of all
involved organisations, and their responsibility to ensure information received from different
organisations is protected and that its use is fit for purpose in the treatment. Fourthly, relevant medical
information should be available across organisations seamlessly (Yau and Chen, 2008). Finally, there
are additional existing technical, economic, political, ethical and logistical information ownership
issues and barriers that hinder sharing across organisations (Smith and Eloff, 1999; Mandl et al.,
2001; Beale, 2004; Cross, 2006).
This research aims to address some of these issues and challenges by defining and implementing an
approach that would help provide a SCE with persistent control. This should provide seamless remote
access to information, that reflects the changing role of MDT members, as the treatment progresses
along the ICP and provides only relevant information to the team members based on their current role
in the treatment process. In addition, it should offer a common user-friendly set of IS rules to be used
by MDT members from all involved organisations. These rules should be embedded in the information
being shared in order to sustain the rules as defined by the information owner. Finally, having
common IS rules will ease raising MDT members awareness of their responsibilities towards the
protection of exchanged information. This will need to be developed in different research stages,
starting with an understanding of the healthcare system and the information exchanges occurring in
practice, to the investigation of the current information systems’ issues and MDT IS needs for the
collaboration, and ending with a solution that would facilitate this secure sharing of information with
persistent control.
3. Method
We believe it is important to gain an understanding of the inter-professional communication and
information exchange in practice through the study of a real-life scenario. The breast cancer scenario
in Wales was selected as a healthcare system whose structure would be examined to understand:
how MDT members communicate; how HISs are used by the MDT to achieve the overall treatment
goal; how the information is generated and stored; and how it can be used to support collaboration. In
addition, it will allow an initial assessment that will help identify the IS needs for the SCE with
persistent control.
Our reference scenario’s conceptual model is the ICP treatment journey for breast cancer treatment in
Wales. It is divided into six parts (Map of Medicine, 2010a; Map of Medicine, 2010b; Map of Medicine,
2010c; Map of Medicine, 2010d; Map of Medicine, 2010g; Map of Medicine, 2010h), which are taken
from the Map of Medicine (2010i, 2010f, 2010e) and so follow its recommended ICP for this disease.
Using conceptual modelling, we investigated the different healthcare professionals involved in the
treatment of patients, as they carried out their tasks defined by their roles in the six parts of the ICP,
the different HISs used to serve the patient’s treatment at each step, the medical information
generated and stored in these HISs for each task, the IS policies applied, and the inter-professional
communication between the MDT members. Part of the conceptual model that was derived from the
breast cancer ICP (Map of Medicine, 2010h) is shown in Figure1.
281

Shada Alsalamah et al.
Figure 1: Part of breast cancer treatment conceptual model
4. Results
Although the investigation is still under way, the following results have been found.
First, according to the National Institute for Healthcare and Clinical Excellence (NICE) (2002), breast
cancer diagnosis and treatment is a co-operative activity that involves a range of professionals, both
within and outside the breast cancer unit. We found that there are at least 16 healthcare professionals
involved in the treatment of a patient in this process in Wales. Although each plays a well-defined but
different role, they are increasingly working in teams (Commission for Health Improvement and Audit
Commission, 2001). Annually, each MDT diagnoses and treats 100 new breast cancer patients
(NICE, 2002). The provision of a high quality service requires close co-operation between specialists
from several disciplines and it is essential that care is provided by a breast cancer MDT in a specialist
breast unit (Cancer Services Expert Group, 2008). In addition, there are at least two professionals for
each role in the core breast care team (NICE, 2002). The different MDT members’ roles can be
categorised into three different groups:
Primary care personnel: GP, district nurse, and practice nurse.
Principal specialist personnel (core breast cancer team): breast cancer nurse specialists, clinical
and medical oncologists, radiologists, pathologists, and surgeons.
Affiliated personnel: liaison psychiatrist and/or clinical psychologist, palliative care specialists and
teams, physiotherapists and occupational therapists, surgeons experienced in breast
reconstruction, clinical genetics, pharmacists, and haematologists.
Second, there are at least seven HISs holding information about the patient with each having its own
patient health record. This record stores sensitive and confidential personal and medical information.
Although the HISs collectively adopt and adapt national guidelines, each applies its own and different
policies and guidelines locally. These meet local needs and circumstances (Cancer Services Expert
Group, 2008). The seven HISs found in this scenario and the different types of medical records they
might contain are listed in Table1 in appendix A.
Finally, a crucial feature of the breast cancer MDT is its composition, the way it works, and the
coordinated care it offers. This team functions in the context of a cancer unit or centre, which may
consist of one or more sites using shared facilities (NICE, 2002). NICE (2002) and the Commission
282

Shada Alsalamah et al.
for Health Improvement and Audit Commission (CHIAC) (2001) revealed audit and anecdotal
evidence of problems in inter-professional communication and a failure to plan care in a systematic
way between the different professionals involved. Such problems have been linked with complaints
and litigation (NICE, 2002). For example, GPs sometimes lose track of patients during the treatment
period or become unable to discuss the diagnosis and prognosis with patients due to lack of
information from consultants. Furthermore, primary personnel can be unaware that a patient has been
discharged, sometimes without necessary services or equipment being arranged. It can be unclear
whether the GP or consultant is responsible for patient follow-up after treatment. Furthermore, the
HISs are poor in their support of day to day working arrangements, including communication,
appointment systems and shared protocols (CHIAC, 2001). Indeed, even if the care team is ready to
share medical information (CHIAC, 2001), the current HISs are not supporting this sharing of
information (CHIAC, 2001; Skilton et al., 2009). Finally, although many trusts do not have agreed
policies for the management of cancers, where policies do exist, it is unclear whether they are
followed because practice is not audited (CHIAC, 2001). Furthermore, formal policies and plans
cannot ensure that services are provided in a patient-centred way, without a change in the attitudes
and behaviour of those working with patients (CHIAC, 2001).
5. Discussion and future work
These results identify the different roles of MDT members involved in the treatment of patients with
breast cancer in Wales, the HISs involved, the types of health records created in these systems, and
medical information stored in these different records. This information helped the development of an
understanding of the emerging need for the SCE for MDT members involved in treating patients with
breast cancer. For example, some of the tasks carried out as the patient proceeds through the breast
cancer’s ICP show a clear redundancy in some of the information collected, including, but not limited
to, a clinical assessment and patient history check. It can save time and resources if this information
was available for the healthcare professional in charge at the point of treatment. In addition, data
redundancy can cause data inconsistency issues and having a single shared data record (i.e. patient
history) guarantees the availability of up-to-date information for all MDT members. Another example is
that GPs should support patients undergoing diagnosis, treatment and follow-up leading either to cure
or to eventual death. This means GPs should follow patients from the very start of the ICP. Although
patients may start their ICP at different stages, the GP should have direct contact with other breast
cancer MDT members treating the patient in order to be informed about all of the patient’s current
relevant medical information at all times. This would enable effective consultation and follow-up. In
addition, there can be different professionals playing the same role and also one professional playing
different roles. Furthermore, privacy violations can be expected if all of the members can see every
patient’s records (Anderson, 2008). This emphasises the need for effective SCE with systems that
can ensure the availability of life-critical information about the patient’s medical condition based on the
professional’s role at the time of treatment. Also, the breast cancer MDT checks 100 patients
annually. Each of these patients will be following different directions in the same ICP, and in some
cases, following multiple ICPs as well, if the patient suffers from more than one disease. This will be
difficult to manage without the support of an HIS that considers the patient condition as a whole.
Therefore, good inter-professional communication is essential to co-ordinate the activities of all those
involved, and ensure effective communication between professionals working in the primary,
secondary and tertiary sectors of care. For that reason, the breast care MDT must develop and
implement systems that ensure rapid and effective communication between all healthcare
professionals involved in each patient’s treatment management. This would facilitate the provision of
adequate means for communicating information on referral, diagnosis and treatment, follow-up, and
supportive/palliative care throughout the stages of the ICP.
The HISs identified in this research can be studied to identify the IS issues in these systems that
hinder inter-professional communication. This can be achieved by investigating the IS rules applied in
these HISs to protect medical information. This is an important step to take before speaking to all
involved parties in order to know their IS needs to facilitate the SCE with others involved in the
treatment. This can help identify and define the best way to have persistent control over the
information accessed in a distributed environment when it will be moved outside the HIS’s locally
controlled environment. This can be achieved either by agreeing on a set of common rules for all
involved HISs to apply in a neutral administrative domain used for the sharing process, or by
changing the way they work internally by standardising the IS rules. It may be that sharing in either of
these ways is not possible at this point in time. The main aim of this research at the moment is to
facilitate an SCE that can support collaboration among MDT members while guaranteeing persistent
283

Shada Alsalamah et al.
control over shared patient medical information in the future. This would be hard to achieve without
the identification of the IS issues and emerging needs in this dynamic environment through the study
of a real-life scenario.
6. Conclusion
There is a shift today towards collaboration among different healthcare organisations for a common
goal of better patient treatment through moving to a patient centric control. In achieving this, an IS is
essential to the effectiveness, dynamism, and potential of collaborative working if the full potential is
to be realised. The provision of an SCE for multiple organisations has proved to be a challenge. This
paper presents the results of a study into the inter-professional communication needs of a secure
cross organisation’s information-sharing system in the healthcare domain. The findings in this paper
provide the initial results from the first stage of the project and they will be used to inform further
investigation in the ensuing stages to identify the key IS issues affecting inter-professional
communication, as well as the IS needs in this environment which facilitate the sharing of information
throughout the distributed domain.
7. Appendix A
The following table contains redundancy due to the information type appearing in more than one
record type. This is indicated by [-] with numbers inside were the number refers to the other HIS
record type containing this information. This redundancy has two causes, either the information is
copied from another record to this system in which case the original should be the accurate
information, or it can be due to separate readings being taken and the results being stored in these
different systems. All records hold administrative/demographic data for each patient and Table 1 only
lists non-administrative information.
Table 1: HISs used in treating patients with breast cancer in Wales, UK
HIS Health Record Type Information Stored
1. GP-System GP-records Clinical presentation report
Clinical assessment report
Clinical history report-[2]
Physical examination report-[2]
Filled referral form (include patient details, referring doctor
details, medical context, and referral information)-[2]
Information about referred patients’ diagnosis (by the end of
Triple Assessment path way)-[2]
MDT recommendations and treatment plans-[2,6,7]
Given treatment plan-[2]
Given medication-[2]
Follow-up plan-[2]
2. Secondary-
Care-System
Follow-up visits report-[2]
Secondary-care-records Referral form-[1]
Clinical history report-[1]
Clinical examination code-[1]
Tests requests (e.g. blood, ultrasound, X-ray test)-[3,4]
Blood test results report-[3]
X-ray and Ultrasound results report-[4]
Pathologists reports-[5]
Radiologists and oncologists results reports-[6]
Surgeons reports-[7]
General patient case notes including: (BC diagnostic, staging,
pathology information, histology reports, and tests’ result
reports)-[1,3,4,5,6,7]
General information addressing the patient’s specific situation
(in leaflets, audio or video CDs format)
MDT recommendations and treatment plans-[1,6,7]
Given treatment plan
Follow-up plan
Follow-up visits report
284

3. Hematology
Laboratory
System
Whole Blood samples (for
FBC)
Blood for grouping, antibody
screening and saving and/or
cross-matching
Request forms for grouping,
antibody screening and crossmatching
Results of grouping, antibody
screening and cross-matching
Lab file cards/working records
of test results
Shada Alsalamah et al.
Tests requests-[2]
General patient case notes-[1,2,4,5,6,7]
Blood test results report
FBC report
Renal and liver function test report
Blood Calcium test report
HIS Health Record Type Information Stored
4. X-ray-System X-ray films records
X-ray reports (including
reports for all imaging
modalities)
Breast screening X-rays
records
Ultrasound records
5. Pathology-
Laboratory-
System
6. Oncologysystem
7. Surgicalsystem
References
Pathology records
Human tissue
Lab file cards/ working
records of test results
Oncology records
Radiation dose records for
classified persons
Operating theatre registers
Surgical records
Test requests-[2]
General patient case notes-[1,2,3,5,6,7]
Mammography report
X-ray images
Ultrasound report
Ultrasound images
MRI report
MRI images
Isotope bone scan
CT report and CXR image
Abdomen ultrasound image
Echocardiogram scan report and scan image
DEXA scanning report and image
Administrative information/ Demographic data-[1,2,3,4,6,7]
Test requests from Oncologist-[6]
General patient case notes-[1,2,3,4,6,7]
Biopsy report with diagnosing code
FNA report with diagnosing code
Tissue samples
The cancer tumour size, nodes, metastasis (TNM) staging
code
Tumour grade
Histology report with biopsy diagnosing code
Test requests-[2]
General patient case notes-[1,2,3,4,5,7]
MDT recommendations and treatment plan-[1,2,7]
Test requests to Pathologist
Cancer TNM staging code-[5]
Tumour grade-[5]
Neo-adjuvant endocrine therapy report
Neo-adjuvant chemotherapy therapy report
Chemotherapy drugs list and dose
Radiotherapy report
Adjuvant chemotherapy report (include the risk analysis)
Hormonal therapy report
Endocrine therapy report
Bisphosphonates report
Surgical report
General patient case notes-[1,2,3,4,5,6]
MDT recommendations and treatment plans-[1,2,6]
Al-Salamah, H., Gray, A., Allam, O. and Morrey, D., (2009). Change Management along the Integrated Care
Pathway. In: the 14th International Symposium on Health Information Management Research. Bath P,
Petersson G, AND Steinschaden T editors. Kalmar, Sweden. pp. 53- 66.
Alfieri, R. et al., (2003). VOMS, an Authorization System for Virtual Organizations. In: the 1st European Across
Grids Conference. Santiago de Compostela. pp. 33-40.
Allam, O., (2006). A Holistic Analysis Approach to Facilitating Communication between General Practitioners and
Cancer Care Teams. Thesis. Department of Computer Science & Informatics. Cardiff University. Cardiff. pp.
182.
Anderson, R. J., (2008). Security Engineering 2nd ed. Indianapolis: Wiley Publishing.
285

Shada Alsalamah et al.
Aylin, P., Tanna, S., Bottle, A. and Jarman, B., (2004). How often are adverse events reported in English hospital
statistics? BMJ, 329, (7462) 369.
Beale, T., (2004). The Health Record - Why is it so hard? IMIA Yearbook of Medical Informatics 2005. Ubiquitous
Health Care Systems. Haux R, Kulikowski C, editors. Stutt-gart: Schattauer. pp. 301-304.
Burnap, P. and J. Hilton., (2009). Self Protecting Data for De-perimeterised Information Sharing. In: The Third
International Conference on Digital Society, ICDS '09. Cancun, Mexico. pp. 65-70.
Blackhurst, D., (2010). GPs fear breach of secret patient data, [online]. Available from:
http://www.thisisstaffordshire.co.uk/news/GPs-fear-breach-secret-patient-data/article-772149detail/article.html
[Accessed: 02 November 2010].
Cancer Services Expert Group, (2008). Breast Cancer Task Group Report, The Cameron report, Cardiff: NHS
Wales.
Chadwick, D. W. and Otenko, A., (2002). The PERMIS X.509 role based privilege management infrastructure. In:
Proceedings of the seventh ACM symposium on Access control models and technologies. Monterey,
California, USA: ACM.
Commission for Health Improvement and Audit Commission (CHIAC), (2001). National Service Framework
Assessments No. 1: NHS Cancer Care in England and Wales. London: Commission for Health
Improvement.
Cross, M., (2010). Patients, not the state, own medical records, says GP, [online]. Guardian online. Available
from: http://www.guardian.co.uk/technology/2006/jul/06/epublic.guardianweeklytechnologysection
[Accessed: 01 March 2010].
Department of Health, (1997). The new NHS: modern, dependable. London: HMSO.
Department of Health, (2000). An organisation with a memory. London: HMSO.
Department of Health, (2003). Confidentiality: NHS Code of Practice. London: HMSO.
Department of Health, (2006). Records management: NHS code of practice. London: HMSO.
Mandl, K. D.et al., (2001). Public standards and patients' control: how to keep electronic medical records
accessible but private Commentary: Open approaches to electronic patient records Commentary: A
patient's viewpoint. BMJ, 322, (7281) 283- 287.
Map of Medicine, (2010a). Breast cancer - advanced, [online]. Available from:
http://healthguides.mapofmedicine.com/choices/map/breast_cancer6.html [Accessed: 12 January 2010].
Map of Medicine, (2010b). Breast cancer - local recurrence, [online]. Available from:
http://healthguides.mapofmedicine.com/choices/map/breast_cancer5.html [Accessed: 12 January 2010].
Map of Medicine, (2010c). Breast Cancer- suspected, [online]. Available from:
http://healthguides.mapofmedicine.com/choices/map/breast_cancer1.html [Accessed: 12 January 2010].
Map of Medicine, (2010d). Initial multidisciplinary team (MDT) review, [online]. Available from:
http://healthguides.mapofmedicine.com/choices/map/breast_cancer3.html [Accessed: 12 January 2010].
Map of Medicine, (2010e). Map of Medicine, [online]. Available from: http://mapofmedicine.com/ [Accessed: 12
January 2010].
Map of Medicine, (2010f). Map of Medicine Healthguides, [online]. Available from:
http://www.mapofmedicine.com/solution/patientaccess/ [Accessed: 12 January 2010].
Map of Medicine, (2010g). Postsurgical multidisciplinary team (MDT) review, [online]. Available from:
http://healthguides.mapofmedicine.com/choices/map/breast_cancer4.html [Accessed: 12 January 2010].
Map of Medicine, (2010h). Secondary care - triple assessment clinic, [online]. Available from:
http://healthguides.mapofmedicine.com/choices/map/breast_cancer2.html [Accessed: 12 January 2010].
Map of Medicine, (2010i). See what your doctor can see with Map of Medicine Healthguides, [online]. Available
from: http://healthguides.mapofmedicine.com/choices/map/index.html [Accessed: 12 January 2010].
Meystre, S., (2007). Electronic Patient Records: Some Answers to the Data Representation and Reuse
Challenges. IMIA Yearbook 2007: Biomedical Informatics for Sustainable Health Systems, (1) 47- 48.
Mohyuddin, Gray, W. A. et al., (2008). Wireless Patient Information Provision and Sharing at the Point of Care
using a Virtual Organization Framework in Clinical Work. In: sixth Annual IEEE International Conference on
Pervasive Computing and Communications. IEEE Computer Society. pp. 710 - 714.
Nene, B. and Swanson, T., (2009). Information Rights Management Application Patterns, report: Microsoft
Corporation.
National Institute for Healthcare and Clinical Excellence (NICE), (2002). Improving Outcomes in Breast Cancer -
Manual Update, report, London.
Nursingtimes, (2010a). Data protection warning as more trusts lose patient records, [online]. Available from:
http://www.nursingtimes.net/whats-new-in-nursing/acute-care/data-protection-warning-as-more-trusts-losepatient-records/5004097.article
[Accessed: 01 June 2010].
Nursingtimes, (2010b). Loss of patient details prompts warning for five trusts, [online]. Available from:
http://www.nursingtimes.net/whats-new-in-nursing/acute-care/loss-of-patient-details-prompts-warning-forfive-trusts/5004422.article
[Accessed: 01 June 2010].
Office of Public Sector Information, (2010). Access to Medical Reports Act 1988 (1988 CHAPTER 28), [online].
Available from: http://www.opsi.gov.uk/acts/acts1988/Ukpga_19880028_en_1.htm [Accessed: 01 June
2010].
Park, J. and Sandhu, R., (2002). Towards usage control models: beyond traditional access control. In: the
seventh ACM symposium on Access control models and technologies, SACMAT '02. Monterey, California,
USA: ACM. pp. 57-64.
286

Shada Alsalamah et al.
Pirnejad, H., (2008). Communication in Healthcare: Opportunities for information technology and concerns for
patient safety. Thesis. Erasmus University. Rotterdam. pp. 164.
Røstad, L. and Alsos, O. A., (2009). Patient-Administered Access Control: A Usability Study. In: International
Conference on Availability, Reliability and Security 2009. ARES '09. IEEE Computer Society. pp. 877- 881.
Skilton, A. et al., (2009). Role Based Access in a Unified Electronic Patient Record. In: The 14th International
Symposium on Health Information Management Research. Bath P, Petersson G, AND Steinschaden T
editors. Kalmar, Sweden. pp. 217- 222.
Smith, E. and Eloff, J. H. P., (1999). Security in Health-care information systems - current trends. International
Journal of Medical Informatics, 54, (1) pp. 39-54.
Sturcke, J. and Campbell, D., (2010). NHS database raises privacy fears, say doctors, [online]. Available from:
http://www.guardian.co.uk/society/2010/mar/07/nhs-database-doctors-warning?CMP=twt_gu [Accessed: 12
November 2010].
Thompson, M. R., Essiari, A. and Mudumbai, S., (2003). Certificate-based authorization policy in a PKI
environment. ACM Trans. Inf. Syst. Secur., 6, (4) pp. 566-588.
Wasson, G. and Humphrey, M., (2003). Policy and Enforcement in Virtual Organizations. In: The fourth
International Workshop on Grid Computing, IEEE/ACM IEEE Computer Society. pp.125.
Yau, S. S. and Chen, Z., (2008). Security Policy Integration and Conflict Reconciliation for Collaborations among
Organizations in Ubiquitous Computing Environments. In: Ubiquitous Intelligence and Computing, UIC.
Springer Berlin/ Heidelberg. pp. 3- 19.
Zander, K., (2002). Integrated Care Pathway: eleven international trends. Journal of Integrated Care Pathways,
6, pp. 101-107.
287

3D Execution Monitor (3D-EM): Using 3D Circuits to Detect
Hardware Malicious Inclusions in General Purpose
Processors
Michael Bilzor
U.S. Naval Postgraduate School, Monterey, California, USA
mbilzor@nps.edu
Abstract: Hardware malicious inclusions (MIs), or "hardware trojans," are malicious artifacts planted in
microprocessors. They present an increasing threat to computer systems due to vulnerabilities at several stages
in the processor manufacturing and acquisition chain. Existing testing techniques, such as side-channel analysis
and test-pattern generation, are limited in their ability to detect malicious inclusions. These hardware attacks can
allow an adversary to gain total control over a system, and are therefore of particular concern to high-assurance
customers like the U.S. Department of Defense. In this paper, we describe how three-dimensional (3D) multilayer
processor fabrication techniques can be used to enhance the security of a target processor by providing
secure off-chip services, monitoring the execution of the target processor's instruction set, and disabling
potentially subverted control circuits in the target processor. We propose a novel method by which some
malicious inclusions, including those not detectable by existing means, may be detected and potentially mitigated
in the lab and in fielded, real-time operation. Specifically, a target general-purpose processor, in one layer, is
joined using 3D interconnects to a separate layer, which contains an Execution monitor for detecting deviations
from the target processor's specified behavior. The Execution monitor layer is designed and fabricated separately
from the target processor, using a trusted process, whereas the target processor may be fabricated by an
untrusted source. For high-assurance applications, the monitor layer may be joined to the target layer, after each
has been separately fabricated. In the context of existing computer security theory, we discuss the limits of what
an Execution monitor can do, and describe how one might be constructed for a processor. Specifically, we
propose that the signals which carry out the target processor's instruction set actions may be described in a
stateful representation, which serves as the input for a finite automata-based Execution monitor, whose
acceptance predicate indicates when the target processor's behavior violates its specification. We postulate a
connection between Execution monitor theory and the proposed 3D processor monitoring system, which can be
used to detect a specific class of malicious inclusions. Finally, we present the results of our first monitor
experiment, in which we designed and tested (in simulation) a simple Execution monitor for a small open-source
32-bit processor design known as the ZPU. We analyzed the ZPU processor to determine which signals must be
monitored, designed a system of monitor interconnects in the hardware description language (HDL)
representation, developed a stateful representation of the microarchitectural behavior of the ZPU, and designed
an Execution monitor for it. We demonstrated that the Execution monitor identifies correct operation of the
original, unmodified ZPU, as it executed arbitrary code. Having introduced some minor deviations to the ZPU
processor's microarchitectural design, we then showed in simulation that the Execution monitor correctly
detected the deviations, in the same way that it might detect the presence of some malicious inclusions in a
modern processor.
Keywords: processor, security, trojan, subversion, detection
1. The threat to microprocessors
Today's Defense Department relies on advanced microprocessors for its high-assurance needs.
Those applications include everything from advanced weaponry, fighter jets, ships, and tanks, to
satellites and desktop computers for classified systems. Much attention and resources have been
devoted to securing the software that runs these devices and the networks on which they
communicate. However, two significant trends make it increasingly important that we also focus on
securing the underlying hardware that runs these high-assurance devices. The first is the U.S.'
greater reliance on processors produced overseas. The second is the increasing ease with which
hardware may be maliciously modified and introduced into the supply chain.
Every year, more microprocessors destined for U.S. Department of Defense (DoD) systems are
manufactured overseas, and fewer are made inside the U.S. As a result, there is a greater risk of
processors being manufactured with malicious inclusions (MIs), which could compromise highassurance
systems. This concern was highlighted in a 2005 report by the Defense Science Board,
which noted a continued exodus of high-technology fabrication facilities from the U.S. (Defense
Science Board 2005). Since this report, "more U.S. companies have shifted production overseas,
have sold or licensed high-end capabilities to foreign entities, or have exited the business."
(McCormack 2008) One of the Defense Science Board report's key findings reads, "There is no longer
288

Michael Bilzor
a diverse base of U.S. integrated circuit fabricators capable of meeting trusted and classified chip
needs." (Defense Science Board 2005)
Today, most semiconductor design still occurs in the U.S., but some design centers have recently
developed in Taiwan and China (Yinung 2009). In addition, major U.S. corporations are moving more
of their front-line fabrication operations overseas for economic reasons:
"Press reports indicate that Intel received up to $1 billion in incentives from the Chinese
government to build its new front-end fab in Dalian, which is scheduled to begin production in
2010." (Nystedt 2007)
"Cisco Systems has pronounced that it is a 'Chinese company,' and that virtually all of its products
are produced under contract in factories overseas." (McCormack 2008)
"Raising even greater alarm in the defense electronics community was the announcement by IBM
to transfer its 45-nanometer bulk process integrated circuit technology to Semiconductor
Manufacturing International Corp., which is headquartered in Shanghai, China. There is a concern
within the defense community that it is IBM's first step to becoming a 'fab-less' semiconductor
company." (McCormack 2008)
Since modern processors are designed in software, the processor design plans become a potential
target of attack. Malicious logic can also be inserted after a chip has been manufactured, such as with
focused ion beam milling (Adee 2009).
Though reports of actual malicious inclusions are often classified or kept quiet for other reasons,
some reports do surface, like this unverified account (Adee 2009):
According to a U.S. defense contractor who spoke on condition of anonymity, a
'European chip maker' recently built into its microprocessors a "kill switch" that could be
accessed remotely. French defense contractors have used the chips in military
equipment, the contractor told IEEE Spectrum. If in the future the equipment fell into
hostile hands, 'the French wanted a way to disable that circuit,' he said.
According to the New York Times, such a "kill switch" may have been used during the 2007 Israeli
raid on a suspected Syrian nuclear facility under construction (Markoff 2009).
2. Characterizing processor malicious inclusions
Several academic research efforts have demonstrated the insertion of MIs into general-purpose
processor designs. In one example, King, et al., show how a very small change in the design of a
processor facilitates "escalation-of-privilege" and "shadow mode" attacks, each of which can allow an
adversary to gain arbitrary control over the targeted system (King 2009). In another example, Jin, et
al., show how small, hard-to-detect MIs can allow an adversary to gain access to a secret encryption
key (Jin 2009). Researchers have created various taxonomies of MIs, based on their characteristics.
One example comes from Tehranipoor and Koushanfar (Tehranipoor 2010), from which the following
simplified diagram (Figure 1) is derived:
The components of a simple general-purpose processor are generally classifiable according to their
function. For example, a circuit in a microprocessor may participate in control-flow execution
(participate in fetch-decode-execute-retire), be part of a data path (like a bus), execute storage and
retrieval (like a cache controller), assist with control, test and debug (as in a debug circuit), or perform
arithmetic and logic computation (like an arithmetic-logic circuit, or ALU). This list may not be
exhaustive, and some circuits' functions may overlap, but broadly speaking we can subdivide the
component circuits in a processor using these classifications.
The main focus of our research is the detection of malicious inclusions which target the first category,
control flow circuits. In considering processor malicious inclusions, it is worth noting that in some
cases a detection strategy is warranted, and in others a mitigation strategy may be preferable. Table
1 lists each of the circuit functional types mentioned above, and pairs it with a potential 3D detection
and/or mitigation strategy.
289

Michael Bilzor
Figure 1: A taxonomy of malicious inclusions, modified slightly from (Tehranipoor 2010)
Table 1: Processor circuit type, with some associated MI mitigation and detection techniques
Circuit Type Detection/Mitigation Technique
Control Flow Control Flow Execution Monitor
(subject of our experiments)
Chip Control, Test, and Debug Keep-Alive Protections
Data Paths Datapath Integrity Verification
Memory Storage and Retrieval Load/Store Verification
Arithmetic and Logic Computation Arithmetic/Logic Verification
In Figure 2, we update the malicious inclusion taxonomy from Figure 1, and associate each MI action
type with a matching detection or mitigation technique:
Figure 2: Malicious inclusion taxonomy, with associated mitigation and detection methods
290

Michael Bilzor
In our current experiments, we intend to demonstrate an implementation of the execution monitor,
which governs the operation of the instruction set of a general-purpose processor, and should detect
MIs from the fourth action category, "Modify Functionality." MIs from this category might, for example,
be designed to allow an adversary to leak secret information or to gain privileged access in system.
3. Limits of existing processor tests
General-purpose processor designs go through verification testing before fabrication begins. Designphase
verification usually involves construction of a verification environment using tools like
SystemVerilog and the Open Verification Methodology (OVM) (Iman 2008). There are several
shortfalls with verifying processor designs, with respect to malicious inclusions:
Not all processor designs, or portions of designs, undergo formal verification. Processor designs
also may incorporate reused sub-components, as well as unverified open-source or third-party
components.
Processor design verification tends to ensure that the processor correctly executes its intended
functions, but usually is not designed to verify the absence of additional, possibly malicious
functionality, such as an MI.
Processor design verification usually cannot be exhaustive, due to the exponential number of
possible internal configurations of a processor. Modern functional verification often focuses on
generating a sufficient number of random test cases to be reasonably confident of a design's
correctness; as a result, rare-event malicious triggers may not be detected.
Once a processor has been fabricated, some sample dies may be examined, destructively or
nondestructively, for the presence of MIs. Using destructive methods, a processor's top layers may be
removed and its metal layers examined for anomalies, using specialized imagers. Since processors
cannot be used operationally after destructive testing, it is limited to a small sample set, and not a
complete solution.
Non-destructive processor tests include various power and timing "fingerprinting" techniques.
Essentially, using sensitive measuring equipment, a tester can drive a processor's inputs with test
patterns and measure current and timing delays at the outputs. The results from the device under test
are statistically compared with the results from presumed-good, or "golden," sample processors. The
principal limitations of nondestructive fingerprint-based testing include: (Agrawal 2007, Jin 2008, Jin
2009, Rad 2008)
Such tests rely on the existence of a presumed-good "golden" sample. Therefore, if the
subversion occurred in the design phase, and hence was cast into all the fabricated processors,
the subversion will not be detected through these comparisons.
Very small MIs, involving fewer than around .1% of the transistors on a die, are generally not
detectable using these techniques, and it is not very difficult for an attacker to design a subversion
which remains below this threshold.
4. 3D fabrication and potential security applications
Because feature sizes are shrinking very near to their theoretical limits, processor manufacturers are
constrained in improving performance through the use of traditional methods on a single-layer design.
As a result, manufacturers and designers have been rapidly advancing the technologies needed to
make "3D" processors. In a 3D processor design, two or more silicon layers are joined together face
to face or face to back, using a variety of interconnection methods. As a result, off-chip resources, like
extra cache memory or another processor, which might normally be elsewhere on the printed circuit
board, are physically much closer to the primary processing layer, resulting in shorter communication
delays, and hence better performance (Mysore 2006). Though the development of 3D interconnect
technology has been driven by performance, several security-relevant applications have also been
suggested (Valamehr 2010):
3D security services, such as those that might be found in a security coprocessor, could be made
available to the primary processor layer.
A 3D layer acting as a "control plane" could monitor and restrict the behavior of a target processor
in the "computation plane." For example, the control plane processor could facilitate the
segregation of multi-level data by partitioning the cache lines inside the target.
291

Michael Bilzor
Another potential security-relevant application of 3D is the Execution monitor, or 3D-EM. With a 3D-
EM, key control signals of the target processor, or computation plane, are monitored, through 3D
interconnects, by another processor in the control plane. The EM's sole purpose is to monitor the
execution of the target processor, and identify when the sequences of observed signal values deviate
from those sequences allowed by the target processor's design. Design and construction of a 3D-EM
alongside a target processor could occur as follows:
The target processor's architectural design is developed and translated into hardware design
language (HDL).
From the design documents and HDL specification, the processor's design undergoes normal
functional verification (e.g., formal methods, OVM, simulation, FPGA test), to determine:
Correctness of the expected functionality (as normal).
Absence of any malicious additional functionality (additional steps for MI detection).
Once the target's HDL design is finalized, the target's execution control signals (those which must
be monitored) are identified. An HDL version of the monitor is constructed. One of our research
goals is to develop a "recipe" for these two steps.
During floorplanning (including power, area, and heat optimizations) of the target, the appropriate
3D monitoring interconnects are physically laid out, from the target layer to the monitor layer.
The target's final floorplanned design is transferred to a set of fabrication masks and sent to the
foundry for production. The target processors may be fabricated at either a trusted or an untrusted
foundry.
Target processors which are not destined for high-assurance applications are finished and
assembled onto printed circuit boards.
Target processors which are destined for monitored, high-assurance applications are shipped for
further assembly.
The monitors are fabricated at a trusted facility.
The target processors and monitors are then joined, assembled onto printed circuit boards, and
tested again.
Adding the extra steps to co-design a monitor will slow the overall development process; one goal of
our research is to find ways to automate or semi-automate the monitor co-design portion. The target
processors could still be produced in large volume for non-high-assurance customers, where
monitoring is not required, in order to keep their unit cost down. Only the high-assurance customers
need to go through the extra steps of designing, fabricating, and joining the monitor layer. The monitor
layer might be placed above or below the target layer. One possible arrangement is shown in Figure
3:
Figure 3: A possible 3D arrangement of the monitor and target layers, adapted from (Puttaswamy
2006)
292

5. Execution monitor theory
Michael Bilzor
Several of the important characteristics of an EM were described by Schneider (Schneider 2000). A
brief summary of some of the conclusions is listed below (see source for formal definitions of safety
property and security automata).
The target's execution is characterized by (finite or infinite) sequences, where Ψ denotes a
universe of all possible sequences, and a target S defines a subset ΣS of Ψ corresponding to the
executions of S. The sequences may be comprised of atomic actions, events, or system states,
for example.
A security policy is specified by giving a predicate on sets of executions. A target S satisfies
security policy P if an only if P(ΣS) equals true.
If the set of executions for a security policy P is not a safety property, then an enforcement
mechanism from an EM does not exist for P.
EM-enforceable security policies are composable: when multiple EMs are used in tandem, the
policy enforced by the aggregate is the conjunction of the policies enforced by each in isolation.
A security automata can serve as the basis for an enforcement mechanism in EM.
Consider a set of signals A which are dependent on the value of an instruction opcode in a processor.
We assume that, within the set A, all the signals change values synchronously, as they would in a
common clock domain. The possible values of a single member a ∈ A may be described by a set of
finite, discrete values V (e.g., logic low, logic high, high impedance, etc.). These physical values are
represented discretely in an HDL description, as well. For example, a VHDL "standard logic" signal is
nine-valued: V = {U, X, 0, 1, Z, W, L, H, -}. If set A contains n signals, we can denote them a1, a2, ...
an. For a target processor S, containing the signals of A (and others), the state of A at time t may be
denoted At, and the execution trace of the signals in A of processor S may be described as an
ordered set of states ΣS = {A0, A1, ... }. Here, Ψ represents the universe of all possible execution
traces.
We hypothesize that, in terms of instruction set execution:
The signals comprising A may be systematically identified,
The permitted and prohibited sequences of signal states, defining P(ΣS) = True and P(ΣS) = False,
may be inferred from the processor's specification and HDL definition, and
A 3D-EM developed using our construction meets the criteria of a security automata, enforcing a
safety property.
One goal of our research is to demonstrate that a 3D processor Execution monitor can be developed
which satisfies the conditions of (Schneider 2000) and is able to detect a certain class of MI -
specifically, an MI which causes the processor's instruction-control signals, comprising the
microarchitectural state of the machine, to deviate from their allowable control flow.
6. Experimental evaluation
The ZPU is a simple general-purpose, open-source processor, whose VHDL design we obtained from
OpenCores.org (OpenCores 2010). The ZPU uses 32-bit operands and a subset of the MIPS
instruction set. It has a stack-based architecture, without an accumulator, and no internal processor
registers. It is an unpipelined, single-core design, supporting interrupts, but with no privilege rings or
other complex features. It is intended primarily for system-on-chip implementations in FPGAs.
The top level design of the ZPU (Figure 4) contains a processor core, a timer, a CPU-to-memory I/O
unit, and a DRAM (memory) unit:
We created and added a monitor entity for the processor core. The units communicated as below, in
Figure 5:
From the VHDL design of the ZPU core, we manually identified the control-type signals, i.e., the
signals directly carrying out the instruction-set execution. Some examples of these include
memory_read_enable and memory_write_enable, an interrupt signal, an operand_immediate signal,
etc. The ZPU VHDL design explicitly characterizes the internal state of the processor with named
293

Michael Bilzor
states, from which we constructed a full finite state machine (of control signal states) and identified all
the legal state-to-state transitions. Some of the ZPU's internal states and are shown in Figure 6.
Figure 4: Processor and system configuration without execution monitor
Figure 5: Processor and system configuration with execution monitor added
Figure 6: Some of the ZPU processor internal control states
The ZPU monitor accesses the identified control signals through VHDL "ports". In a physical 3D
design, these signals would transit from the target layer to the monitor layer by through-silicon vias
(TSVs) or some other 3D joining method. This mapping might occur at the 3D floorplanning stage,
before the netlist files have been synthesized into mask database files for each layer. Since this ZPU
294

Michael Bilzor
design was run in simulation but not physically synthesized, the physical 3D translation is notional.
However, the circuit delay (one full clock cycle) for interlayer signal transmission and the number of
3D posts - approximately 50, in this case - are reasonable, given the current state of 3D interconnect
design (Mysore 2006).
The monitoring logic actually makes two checks. The first check consults a lookup table that contains
the state transition logic. For example, if the monitor detects that the ZPU went from state A to state
B, and that the signal set was S at the completion of the clock cycle when it was in state A, the
monitor looks to see if a matching legal transition exists in the table. The construction of the table is
such that each transition must be unique; the processor can't choose nondeterministically among
several available choices. If the monitor detects that no legal transition from state A with signal set S
to state B existed, then it sets the output "predicate" to false to flag a violation.
The second check verifies that any changes to the signal set S, in state A, to the new signal set S', in
state B, were legal, according to the transition table. Using the transition that was selected in the
previous step, the monitor evaluates each signal in S' to see if it violated any of the post-conditions of
the transition. If not, it again signals the appropriate predicate to false.
The monitor was evaluated using Mentor Graphics' Model Sim tool. In the first test, the unmodified
ZPU processor executes code with the monitor observing. The ZPU software program used for these
particular tests included a broad mix of all of the ZPU instruction set opcodes. In the first test, the
execution of the unmodified ZPU did not cause the monitor to flag any transitions or signal
modifications as illegal. Next, we made small modifications to the ZPU core, then recompiled the
design and ran the simulation again.
Some of the small deviations we introduced in the ZPU processor design included:
When visiting the internal "No-op" state, the ZPU increments a counter which ticks up to 5 "No-op"
instructions, then on the next one sets the "inInterrupt" signal to 1, causing a violation to be
observed by the monitor.
In another modification, the ZPU tries to go straight from the internal "No-op" state to the "Resync"
state (which is not allowed by the design specification), and again a violation is observed by the
monitor.
The HDL code for these example deviations is below:
when State_Nop =>
begin_inst

Michael Bilzor
Figure 7: The processor executed normally, and no anomalies were detected
Figure 8: The first processor anomaly was active, and was detected by the monitor
Figure 9: The second processor anomaly was active, and was detected by the monitor
The monitor's transition table had 112 records in it, to cover the 112 allowable transitions among the
23 unique internal processor states. These are reasonably small numbers to implement in a monitor,
but we are also interested in the growth of the size of the monitor, as the target processor becomes
more complex.
Recall from Section 5 that a standard circuit's voltage, as described in VHDL, can represent one of 9
discrete values. For n circuits, then, we would expect 9 n possible signal permutations - an
impractically large number, if the state machine must have 9 n states, one for each permutation. We
will explore in future research whether the actual number of required signal permutations, and hence
monitor states, is typically much smaller, as was the case in this example.
We synthesized the design, using a Virtex-5 FPGA target, in two different configurations - the
processor architecture alone, and the processor architecture with the monitor. In both cases, the
maximum design speed was 228Mhz, indicating that adding the monitor did not impose a speed
performance limit on the processor.
8. Conclusions
The following are some of the limitations of this research:
The techniques illustrated are focused on only one of the categories of malicious inclusion from
the taxonomy described earlier; detection and mitigation techniques should be developed for the
other types as well, and this is an open research area.
The Execution monitor's performance must not limit the performance of the target processor
which it monitors. For example, the maximum clock speed of the EM should be at least as fast as
the maximum intended clock speed of the target processor. The power, area, and heat
requirements of the monitor should not exceed the practical limits of the overall 3D design. Also,
the clock-cycle latency between MI activation and detection should be small enough to permit
effective correction. We plan to evaluate 3D-EM designs further, using these performance
measures, in the future.
From our preliminary work on the ZPU 3D-EM design, we reached the following conclusions:
Designing and simulating the operation of a basic 3D monitor for a simple processor design is
feasible. However, the physical design space for 3D monitors needs further exploration, and
monitors for more complex processors should be developed.
As expected, simple deviations from the processor's specified instruction-control behavior can be
detected at runtime.
The 3D Execution monitor is the first hardware-based approach with the potential for identifying
processor MIs both during testing and during real-time, fielded operation - an important advantage
296

Michael Bilzor
over testbench methods, since delayed triggers may cause an MI to be inactive during
predeployment testing.
9. Future work
For this demonstration, we selected the control signals and developed the stateful representation
manually. In future experiments, we hope to work on methods whereby the microarchitectural control
signals can be automatically identified, and the monitor constructed automatically or semiautomatically
(or identify any reasons why the process cannot be automated). We would like to design
a monitor for a register-based processor with one or more data buses, in order to compare it with
monitoring a stack-based processor like the ZPU. We would also like to design processor anomalies
which accomplish some more meaningful subversions. Finally, we wish to test whether the monitor
can detect unknown MIs, designed by third parties unfamiliar with the monitor construction.
It would be useful to scale up the 3D Execution monitor experiments to more complex processor
designs, with modern features like pipelined and speculative execution, multithreading, vector
operations, virtualization support, and multi-core.
Acknowledgements
This research was funded in part by National Science Foundation Grant CNS-0910734.
References
Adee, S., (2008) "The Hunt for the Kill Switch", [online] IEEE Spectrum, May 2008,
http://spectrum.ieee.org/semiconductors/design/the-hunt-for-the-kill-switch
Agrawal, D., Baktir, S., Karakoyunlu, D., Rohatgi, P., and Sunar, B. (2007) "Trojan Detection Using IC
Fingerprinting", 2007 IEEE Symposium on Security and Privacy.
Defense Science Board (2005). Report of the 2005 Defense Science Board Task Force on High Performance
Microchip Supply, Office of the Undersecretary of Defense for Acquisition, Technology, and Logistics.
Iman, S. (2008) Step-by-Step Functional Verification with SystemVerilog and OVM, Hansen Brown Publishing,
San Francisco.
Jin, Y. and Makris, Y. (2008) "Hardware Trojan Detection Using Path Delay Fingerprint", Proceedings of the 2008
IEEE International Workshop on Hardware-Oriented Security and Trust.
Jin, Y., Kupp, N., and Makris, Y. (2009) "Experiences in Hardware Trojan Design and Implementation",
Proceedings of the IEEE International Workshop on Hardware-Oriented Security and Trust.
King, S., Tucek, J., Cozzie, A., Grier, C. Jiang, W., and Zhou, Y. (2009) "Designing and Implementing Malicious
Hardware", Proceedings of the IEEE International Workshop on Hardware Oriented Security and Trust.
Markoff, J. (2009) "Old Trick Threatens Newest Weapons", [online], New York Times, 27 October.
http://www.nytimes.com/2009/10/27/science/27trojan.html?_r=2.
McCormack, Richard (2008) "DoD Broadens 'Trusted' Foundry Program to Include Microelectronics Supply
Chain", Manufacturing & Technology News, Thursday, 28 February.
Mysore, S., Agrawal, B., Srivastava, N., Lin, S., Banerjee, K., and Sherwood, T. (2006) "Introspective 3D Chips",
2006 International Conference on Architectural Support for Programming Languages and Operating
Systems.
Nystedt, D. (2007) "Intel Got its New China Fab for a Bargain, Analyst Says", [online] CIO.com,
http://www.cio.com/article/101450/Intel_Got_Its_New_China_Fab_for_a_Bargain_Analyst_Says
OpenCores.org (2010), [online] http://opencores.org.
Pellerin, D., and Taylor, D. (1997) VHDL Made Easy, Prentice Hall, Upper Saddle River, NJ.
Puttaswany, K., and Loh, G., (2006) "Implementing Register Files for High-Performance Microprocessors in a
Die-Stacked (3D) Technology", Proceedings of the 2006 Emerging VLSI Technologies and Architectures,
Vol. 00, March.
Rad, R., Plusquellic, J., and Tehranipoor, M. (2008) "Sensitivity Analysis to Hardware Trojans Using Power
Supply Transient Signals", 2008 IEEE International Workshop on Hardware Oriented Security and Trust.
Schneider, F. (2000) "Enforceable Security Policies", ACM Transactions on Information and System Security,
Vol. 3, No. 1, February, pp 30-50.
Tehranipoor, M. and Koushanfar, F. (2010) "A Survey of Hardware Trojan Taxonomy and Detection", IEEE
Design and Test of Computers, vol. 27, issue 1, January/February, pp10-24.
Valamehr, J., Tiwari, M., Sherwood, T., Kastner, R., Huffmire, T., Irvine, C., and Levin, T., (2010) Hardware
Assistance for Trustworthy Systems through 3-D Integration, Proceedings of the 2010 Annual Computer
Security Applications Conference (ACSAC), Austin, TX, December.
Yinung, F. (2009) "Challenges to Foreign Investment in High-Tech Semiconductor Production in China", United
States International Trade Commission, Journal of International Commerce and Economics, May.
297

Towards an Intelligent Software Agent System as Defense
Against Botnets
Evan Dembskey and Elmarie Biermann
UNISA, Pretoria, South Africa
French South African Institute of Technology CPUT, Cape Town, South Africa
Dembsej@unisa.ac.za
bierman@xsinet.co.za
Abstract: Computer networks are targeted by state and non-state actors and criminals. With the
professionalization and commoditization of malware we are moving into a new realm where off-the-shelf and
time-sharing malware can be bought or rented by the technically unsophisticated. The commoditization of
malware comes with all the benefits of mass produced software, including regular software updates, access to
fresh exploits and the use of hack farms. To an extent defense is out of the hands of the government, and in the
hands of commercial and private hands. However, the cumulative effect of Information Warfare attacks goes
beyond the commercial and private spheres and affects the entire state. Thus the responsibility for defense
should be distributed amongst all actors within a state. As malware increases and becomes more sophisticated
and innovative in their attack vectors, command & control structures and operation, more sophisticated,
innovative and collaborative methods are required to combat them. The current scenario of partial protection due
to resource constraints is inadequate. It is thus necessary to create defence systems that are robust and resilient
against known vectors and vectors that have not previously been used in a manner that is easy and cheap to
implement across government, commercial and private networks without compromising security. We argue that a
significant portion of daily network defence must be allocated to software agents acting in a beneficent botnet
with distributed input from human actors, and propose a framework for this purpose. This paper is based the
preliminary work of a PhD thesis on the topic of using software agents to combat botnets, and covers the
preliminary literature survey and design of the solution. This includes a crowd sourcing component that uses
information about malware gained from software agents and from human users. Part of this work is based on
previous research by the authors. It is anticipated that the research will result in a clearer understanding of the
role of software agents in the role of defence against computer network operations, and a proof-of-concept
implementation.
Keywords: information warfare, Botnet, software agent
1. Introduction
We propose to use distributed software agents (SA) as a method for overcoming botnets and other
malware in the area of Information Warfare (IW). This area of research is important due to the growing
threat posed by malware. This research addresses some of the long term research goals identified by
the US National Research Council (National Research Council (U.S.). Committee on the Role of
Information Technology in Responding to Terrorism et al. 2003) and four of the ten suggested
research areas in (Denning, Denning 2010). It is an extension and refinement of research undertaken
to determine if an IW SA agent framework is viable (Dembskey, Biermann 2008).
Malware is a reality of networked computers and is being increasingly used by state, criminal and
terrorist actors as weapons, vectors for crime and tools of coercion. While it is debatable whether a
digital Pearl Harbour is a genuine possibility (Smith 1998), it is agreed that malware is on the increase
and is being commoditized (Knapp, Boulton 2008, Microsoft 2010, Dunham, Melnick 2009), though
there is some dissent on this point (Prince 2010). Technically unsophisticated users can purchase
time on existing botnets to accomplish some goal, e.g. phishing attacks, spamming, or the denial,
destruction or modification of data.
A botnet is a distributed group of software agent-like bots that run autonomously and automatically,
usually without the knowledge of the computers owner. Botnets are usually, but not necessarily,
malicious. The purpose of botnets is not necessarily destructive; it is often financial gain, which results
in a very different approach to development and Command & Control. An effective process of
prevention, detection and removal will mitigate botnets regardless of their purpose.
IW is warfare that explicitly recognises information as an asset. Computer Network Operations (CNO)
is a form of IW that uses global computer networks to further the aims of warfare. CNO is divided into
Computer Network Attack (CNA) and Computer Network Defence (CND). Increasingly, politically
motivated cyber attacks are focusing on commercial and not government infrastructure (Knapp,
298

Evan Dembskey and Elmarie Biermann
Boulton 2008). Also, money from online scams may be used to fund terrorist and further criminal
activity. SA are a form of software that have the properties of intelligence, autonomy and mobility. We
define SA as programs that autonomously and intelligently acquire, manipulate, distribute and
maintain information on behalf of a user or another software agent.
Intrusion prevention is the Holy Grail of security. This goal is currently unobtainable; there will be
intrusions. The literature shows that traditional defences such as firewalls, antivirus and intrusion
prevention are not effective against botnets (Ollmann 2010). Some researchers believe that antimalware
software is less effective than in the past (Oram, Viega 2009). Researchers at Microsoft
(Microsoft 2010) assert that malware activity increased 8.9% from first to second half of 2009. This is
probably an overly conservative figure. Some researchers estimate that botnet infections are up to
4000% higher than reported (Dunham, Melnick 2009). One major problem in prevention is that social
engineering (Bailey et al. 2009) is a major cause of infection, which defeats many prevention systems
and undermines detection.
One development that will likely impact the malware threatscape is the arrival of broadband access to
Africa. For an analysis of the impact see (Jansen van Vuuren, Phahlamohlaka & Brazzoli 2010). It is
estimated that there are 100 million computers available for botnet herders to use (Carr, Shepherd
2010). However, we are of the opinion that, due to a range of socio-economic factors, Africa may be a
source of volunteers for botnets similar to Israel’s Defenderhosting.
2. Malware
Malware is a term encompassing all the different categories of malicious software, which include
amongst others Trojans, viruses, worms and spyware. The advancements in technology and
especially the ability to be 24/7 connected to people and resources across the globe have hugely
increased the volumes of malware circulating global networks. This is evident from the large amount
of spam constantly and increasingly being delivered to mailboxes. According to Damballa (2009) the
success of spamming botnets has led to the commoditization of spam in which volume has become
the primary means to generate cash.
Malware are created and initiated in countries across the globe with different websites listing different
statistics regarding the country of origin, on a weekly basis. For example the USA, China and Russia
are being listed by The Spamhaus Project (http://www.spamhaus.org/statistics/countries.lasso) as the
countries where the largest percentage of spam are created and exported, while M86 Security Labs
(http://www.m86security.com/labs/spam_statistics.asp) list the US, India and Brazil as the recent
largest contributors.
Creating or obtaining malware has become relatively easy with the evolution of technology and
especially the commoditization of malicious code. Different types of malware can be obtained via
malware kits or through specialists offering their services to design and develop unique pieces of
malicious code for different platforms or forums. Some of the more famous examples include
Webattacker, Smeg, Fragus, Zeus and Adpack.
The evolution and spread of malware is directly related to the number of entities being connected,
with the increase in not only the amount but also the different types of malware being evident today.
With the increase in malware also came constant research and development to combat these
unwanted software, which in turn leads to the creators of malware to be more innovative. According to
Chiang & Lloyd (2007), the traditional method of using the Internet Relay Chat (IRC) protocol for
command and control made way for new methods of hiding the command and control communication
such as HTTP based communications, encryption and peer-to-peer networks as it became easier to
detect and block IRC traffic. This became evident in the creation and re-invention of botnets such as
Agobot (Wang, 2009), Rustock (Chiang & Lloyd, 2007) and Conficker (Porras, 2009).
The impact of the advances, commoditization and the DIY culture for the creation of malware on
global networks and especially global security is huge. Malware is being used to amongst others steal
personal data, conduct espionage, harm government and business operations, deny user access to
information and services and according to the report conducted by the International Organization for
Economic co-operation and Development (OECD, 2007) poses a serious threat to the Internet
economy. Securing networks is not only depended on security vendors and security specialists but
also rely on normal users of the networks to protect their stations. The increasing use of social
299

Evan Dembskey and Elmarie Biermann
networks such as Facebook, Twitter and MySpace as well as mobile generation provide increasing
grounds for malware to access contact details and personal information.
It is vital for the Internet economy that robust and resilient counter systems needs to be constantly in
operation, while adapting to changing conditions.
3. Current malware detection techniques
The first hint of a malware infection may be the receipt of an email stating that a system appears to be
infected and has abused a different system; the convention is that administrative contacts of some
form are listed at global regional information registry sites such as AfriNIC, ARIN, APNIC, LAPNIC
and RIPE to assist in communication. The abuse may take the form of spam, scanning activity, DDoS
attacks, phishing or harassment ((Schiller, Binkley & Harley 2007).
It is a poor security method indeed that relies on informants only. A better approach is the use of
network-monitoring tools such as wireshark or tcpdump as malware activity results in data that can be
analysed. Examples of prevalent data types are (Bailey et al. 2009):
DNS Data: Data regarding name resolution can be obtained by mirroring data to and from DNS
servers and can be used to detect both botnet attack behaviour.
Netflow Data: Netflow data represents information gathered from the network by sampling traffic
flows and obtaining information regarding source and destination IP addresses and port numbers.
This is not available on all networks.
Packet Tap Data: Packet tap data, while providing a more fine grained view than netflow but is
generally more costly in terms of hardware and computation. Simple encryption reduces this
visibility back to the same order as netflow.
Address Allocation Data: Knowing where hosts and users are in the network can be a powerful
tool for identifying malware reconnaissance behaviour and rapid attribution.
Honeypot Data: Placed on a network with the express intention of them being turned into botnet
members, honeypots can be a powerful tool for gaining insight into botnet means and motives.
Host Data: Host level data, from OS and application configurations, logs and user activity
provides a wealth of security information and can avoid the visibility issues with encrypted data.
An even better method is an Intrusion Detection System (IDS). An IDS can either be host-based
(HIDS) or network-based (NIDS). Both of these are further categorised by the type of algorithm used,
namely anomaly- and signature-based detection. Anomaly–based techniques develop an
understanding of what normal behaviour is on a system, and reports any deviation. Signature-based
techniques use representations of known malware to decide if software is indeed malicious. A
specialised form of anomaly-based detection, called specification-based detection makes use of a
rule set to decide if software is malicious. Violation of these rules indicates possible malicious
software.
A NIDS sees protected hosts in terms of the external interfaces to the rest of the network, rather than
as a single system, and gets most of its results by network packet analysis. Much of the data used is
the same as discussed using the manual methods above. A HIDS focuses on individual systems.
That doesn’t mean each host runs its own HIDS application, they are generally administered centrally,
rather it means that the HIDS monitors activity on a protected host. It can pick up evidence of
breaches that have evaded outward-facing NIDS and firewall systems or have been introduced by
other means, such internal attacks, direct tampering from internal users and the introduction of
malicious code from removable media (Schiller, Binkley & Harley 2007).
Malware can also be detected forensically. Though this occurs after damage has been incurred, it is
important for a number of reasons including legal purposes. Forensic aims can include identification,
preservation, analysis, and presentation of evidence. Digital investigations that are or might be
presented in a court of law must meet the applicable standards of admissible evidence. Admissibility
is a concept that varies according to jurisdiction (Schiller, Binkley & Harley 2007).
Two techniques that are essentially forensic in nature are darknets and honeynets, though the
knowledge gained from their use helps to prevent, detect and remove botnets. A darknet is a closed
private network used for file sharing. However, the term has been extended in the security sphere to
apply to IP address space that is routed but which no active hosts and therefore no legitimate traffic.
300

Evan Dembskey and Elmarie Biermann
Darknets are most useful as global resource for sites and groups working against botnets on an
Internet-wide basis (Schiller, Binkley & Harley 2007). A honeypot is a decoy system set up to attract
attackers and study their methods and capabilities. A honeynet is usually defined as consisting of a
number of honeypots in a network, offering the attacker real systems, applications, and services to
work on and monitored transparently by a Layer 2 bridging device (honeywall). A static honeynet can
quickly be spotted and blacklisted by attackers, but distributed honeynets attempt to address that
issue and are likely to capture richer, more varied data (Schiller, Binkley & Harley 2007). In contrast to
honeynets, darknets do not advertise themselves.
Botnets, the malware we are interested in, are difficult to combat for the following reasons (Bailey et
al. 2009):
All aspects of the botnet’s life-cycle are all evolving constantly.
Each detection technique comes with its own set of tradeoffs with respect to false positives and
false negatives.
Different types of networks approach the botnet problem with differing goals, with different
visibility into the botnet behaviours, and different sources of data with which to uncover those
behaviours.
A successful solution for combating botnets will need to cope with each of these realities and their
complex interactions with each other.
4. Software agents
A software agent is a program that autonomously acquires, manipulates, distributes and maintains
information on behalf of some entity. We reject the trend of labeling software utilities such as
aggregators and download managers as SA; we base our definition on the properties of the software.
The literature defines a large number of agent properties. Not all properties are found in all agents,
but an in order to be termed Agent software must satisfy some minimum set of these properties. Bigus
and Bigus (Bigus, Bigus 2001) suggest that these are autonomy, intelligence and mobility. These
properties are defined as follows:
Autonomy - The autonomous agent exercises control over its own actions and has some degree
of control over its internal state. It displays judgment when faced with a situation requiring a
decision, and makes a decision without direct external intervention.
Intelligence - This does not imply self-awareness, but the ability to behave rationally and pursue a
goal in a logical and rational manner. Intelligence varies between simple coded logic and complex
AI-based methods such as inferencing and learning.
Mobility- Mobility is the degree to which agents move through the network. Some may be static
while others may migrate as the need arises. The decision to move should be made by the agent
(Murch, Johnson 1999), thus ensuring the agent has the property of autonomy.
From these properties we can judge that SA have potential applications in dealing with tasks that are
ill-defined or less structured. It is also apparent that SA interact with their task environments locally;
the implication of this is that the same agent can exhibit different behaviour in different environments
(Liu 2001). Padgham & Winikoff ((Padgham, Winikoff 2004)) provide a list of reasons why agents are
useful, including loose coupling, decentralisation, persistence, better functioning in open and complex
systems and reactiveness as well as proactivness. The use of SA to combat botnets is not
unprecedented. It had already been suggested that AF.MIL should be purposely made part of a
botnet ((Williams 2008)). Some researchers see botnets as types of SA ((Bigus, Bigus 2001)). Other
researchers ((Stytz, Banks 2008)) have begun to work on the problem of implementing such an
approach.
5. Proposed system
Vulnerabilities are introduced in software deliberately or accidently during development, or via
software or configuration changes during operation. Botnets are not typically introduced during
software development and thus require later introduction, and usually unintentionally. Possible vectors
of infection are viruses, worms and Trojans. These may be introduced via email, download, drive-by
download, network worm or some external storage device. According to (Cruz 2008) the majority of
infections occur due to downloads (53%) and infection via other malware (43%). Email and
removable drives account for 22% of infections. Instant Messaging, vulnerabilities, P2P, iFrame
301

Evan Dembskey and Elmarie Biermann
compromises, other infected files and other vectors account for 27% (the total is higher than 100%
because some malware uses multiple vectors). The vast majority of infections are as a result of
downloads, suggesting this should be the primary threat to mitigate. This is the attitude adopted in this
research, with the recognition that this could change at any time, temporarily or permanently, thus
necessitating a system that is flexible enough to cope with this change.
Several methods to detect and deter botnets have been proposed such as incorporating data mining
techniques as well as incorporating methods to detect communication between the bot and the
master (Massud et al., 2008).
Massive multiplayer online role playing games (MMORPG) battle to differentiate between human and
bot players. Yampolskiy & Govindaraju (2008) studied running processes and network traffic as a
method to distinguish between humans and bots. Chen et al (2009) identified bots in MMORPG
through traffic analysis. They showed amongst others that traffic is distinguishable by (1) the regularity
in the release time of the client command; (2) the trend and magnitude of traffic burstiness in multiple
time scales; and (3) the sensitivity to different network connections. Thawonmas et al (2008), conduct
behaviour analysis within this gaming environment and implement methods focusing on resource
gathering and trading behavior. Traffic classification is also proposed and done by Li et al (2009), with
Lu et al (2009) proposing a hierarchical framework to automatically discover botnets. They first
classify network traffic into different application communities by using payload signatures.
Virtual bots are also introduced as a method to create uncertainties in the botnet market. Li et al
(2008) followed a different perspective by looking at botnet disabling mechanisms from an economic
perspective. This links to methods looking at collective behavior of bots, i.e. studying the focus and
deriving solutions from there (Pathak et al., 2009; Stone-Gross et al., 2009). Xie et al (2008)
characterize botnets by leveraging spam payload and spam server traffic properties. They identify
botnet hosts by generating botnet spam signatures from emails. Ramachandran. & Feamster (2008)
studied the network level behavior of spammers. They identified specific characteristics, such that
spam is being sent from a few regions of IP address space. They also propose that developing
algorithms to identify botnet memberships need to be based on network level properties. Staying on
the network level, Villamarín-Salomón & Brustoloni (2009) propose a Bayesian approach for detecting
bots based on the similarity of their DNS traffic to that of known bots.
A detailed look into the solutions summarized above, led us to propose a design incorporating the use
of intelligent SA as a counter to botnets. Our design incorporates the different aspects and required
characteristics as detailed in literature. Our design is also a next step in detailing our proposed
framework (Dembskey, Biermann 2008) As stated in (Dembskey, Biermann 2008), we propose three
layers, namely IDS, Observer and Communication.
Figure 1: Three layers
IDS
Observer
Communication Layer
302

Evan Dembskey and Elmarie Biermann
Using these layers as our starting point we introduce sub-layers and descriptions as depicted in
Figure 2. We only focus on the Observer and IDS layers.
The observer layer consists of five sub-layers all focusing on gathering information:
Collective Behaviour
Communication Analysis
Resource Gathering
Spreading & Growth Patterns
Network Traffic Analysis
Each of these sub-layers focuses on particular aspects of gathering information through observation.
This observation is conducted through a focused software agent network.
Within network traffic analysis, intensive signature analyses are conducted in order to provide data to
the IDS layer. From these analyses, information on spreading and growth patterns is gathered and
models proposed. Resource gathering focused on observing specifics such as bandwidth depletion
and resource utilizations. Communication analysis refers to the communications taking place between
bots and masters and the analysis thereof. This will assist in determining the collective behaviour or
focus of the botnet as well as assist in detailing the economic focus.
The information gathered within the observer layer is used as input to the IDS layer. The IDS layer will
function as both a HIDS and a NIDS; that is, it will have operational agents on hosts and servers. The
IDS layer includes the following:
Infiltrate and disable
Spawn Intelligent Software Agent Network
Classification
The information gathered within the observer level are use to classify the botnet and according to the
classification an intelligent software agent network is spawned to infiltrate and ultimately disable the
botnet.
Agentification of email client and server software, host and server monitoring software, host and
server firewall and AV software, network monitoring software, user monitoring software is required, or
at least, the capability to interface with these applications.
It is anticipated that the crowd sourcing component will function on two layers. Firstly, SA from
different organizations will communicate threats amongst themselves with minimal supervision.
Secondly, information will be sourced from human beings. Both open and proprietary sources should
be used, but the following two points must be kept in mind. The use of proprietary systems will have a
cost implication and the use of that data may not legally be allowed to propagate through the entire
SA system. Secondly, the possibility of attack vectors being introduced is a real concern – if crowd
sourcing results in false positives through the means of concerted and purposeful false reporting, then
a DoS attack may occur, with the system’s SA falsely identify normal activity as malicious and halt it.
A robust and up-to-date system that can share data on the safety of web sites and software will
mitigate the risk from the primary sources of infection discussed above. The CYBEX (X.1500) is in the
opinion of the authors the correct path to follow to implement this system.
As part of this research we will implement and test a model of the proposed system against a variety
of botnets. The model will not be comprehensive and will focus on mitigating threats launched via
drive-by downloads and locally installed software. The network of NIDS and HIDS with the crowd
sourcing component will be implemented.
We must also consider the impact of virtualization and the trend towards cloud and grid computing,
which we think will continue. It is also not the intention that this system is entirely automated, as the
effect of systemic failure may be worse than anticipated and human intervention may serve to mitigate
this risk.
303

Evan Dembskey and Elmarie Biermann
In summary, we propose to model and implement a proof-of-concept of an integrated SA botnet
defense system. Some challenges of developing such a system are its complexity and human privacy
requirements and laws. Rather than be daunted by this, we instead believe that the effort will be well
rewarded and will identify future areas of research.
IDS Level
Observer Level
Figure 2: Observer and IDS layers
References
Infiltrate and Disable
Spawn Intelligent Software Agent Network
Classification
Collective Behavior
Communication Analysis
Resource Gathering
Spreading & Growth Patterns
Network Traffic Analysis
Bailey, M., Cooke, E., Jahanian, F., Xu, Y. & Karir, M. 2009, "A survey of botnet technology and defenses",
Proceedings of the 2009 Cybersecurity Applications & Technology Conference for Homeland Security-
Volume 00, IEEE Computer Society, pp. 299.
Bigus, J.P. & Bigus, J. 2001, Constructing intelligent agents using Java, Wiley New York.
Carr, J. & Shepherd, L. 2010, Inside cyber warfare, 1st edn, O'Reilly Media, Inc., Sebastopol, Calif.
304

Evan Dembskey and Elmarie Biermann
Chen, K., Jiang, J., Huang, P., Chu, H., Lei, C. & Chen, W. 2009. Identifying MMORPG Bots: A Traffic Analysis
Approach. EURASIP Journal on Advances in signal Processing. Volume 2009, Article 3.
Chiang, K. & Lloyd, L. 2007. A Case Study of the Rustock Rootkit and Spam Bot. Proceedings of the First
Workshop on Hot Topics in Understanding Botnets, Cambridge, MA.
Cruz, M. 2008, , Most Abused Infection Vector. Available: http://blog.trendmicro.com/most-abused-infectionvector/
[2010, 9/27/2010].
Damballa Inc. 2009. Upate on the Enemy: A deconstruction of who profits from botnets. Available:
http://www.damballa.com/downloads/d_pubs/WP%20Update%20on%20the%20Enemy%20(2009-05-
13).pdf
Dembskey, E. & Biermann, E. 2008, "Software agent framework for computer network operations in IW",
Proceedings of the 3rd International Conference On Information Warfare And Security, ed. L. Armistead,
ACL, pp. 127.
Denning, P.J. & Denning, D.E. 2010, "Discussing cyber attack", Commun.ACM, vol. 53, no. 9, pp. 29-31.
Dunham, K. & Melnick, J. 2009, Malicious Bots: An Inside Look Into the Cyber-Criminal Underground of the
Internet, Auerbach Publications.
Jansen van Vuuren, J., Phahlamohlaka, J. & Brazzoli, M. 2010, "The Impact of the Increase in Broadband
Access on South African National Security and the Average citizen", Proceedings of the 5th International
Conference on Information Warfare and Security, ed. L. Armistead, ACL , pp. 171.
Knapp, K.J. & Boulton, W.R. 2008, "Ten Information Warfare Trends" in Cyber Warfare and Cyber Terrorism,
eds. Kenneth Knapp & William Boulton, IGI Global, US; Hershey, PA, pp. 17-25.
Li, Z., Liao, Q & Striegel, A. 2008. Botnet Economics: Uncertainty Matters. Workshop on the Economics of
Information Security (WEIS 2008), London, England.
Li, Z., Goyal, A., Chen, Y. & Paxson, V. 2009. Automating Analysis of Large-Scale Botnet Probing Events.
Proceedings of the 4 th International Symposium on Information, Computer and Communications Security.
Sydney, Australia.
Liu, J. 2001, Autonomous agents and multi-agent systems: explorations in learning, self-organization, and
adaptive computation, World Scientific.
Liu, J., Xiao, Y., Ghaboosi, K., Deng, H. & Zhang, J. 2009. Botnet: Classification, Attacks, Detection, Tracing and
Preventive measures. EURASIP Journal on Wireless Communications and Networking, Volume 2009.
Hindawi Publishing Corporation.
Lu, W. Tavallaee, M. & Ghorbani, AA. 2009. Automatic Discovery of Botnet Communities on Large-Scale
Communication Networks. Proceedings of the 4 th International Symposium on Information, Computer and
Communications Security. Sydney, Australia.
Masud, MM., Gao, J., Khan, L., Han, J. & Thuraisingham, B. 2008. Peer to Peer Botnet Detection for Cyber-
Security: A Data Mining Approach. In: Proceedings of the 4 th annual workshop on Cyber security and
information intelligence research: developing strategies to meet the cyber security and information
intelligence challenges ahead. Oak ridge, Tennessee.
Microsoft, 2010. Download details: Microsoft Security Intelligence Report volume 8 (July - December 2009).
Available: http://www.microsoft.com/downloads/details.aspx?FamilyID=2c4938a0-4d64-4c65-b951-
754f4d1af0b5&displaylang=en [7/21/2010].
Murch, R. & Johnson, T. 1999, Intelligent software agents, prentice Hall PTR.
National Research Council (U.S.). Committee on the Role of Information Technology in Responding to Terrorism,
Hennessy, J.L., Patterson, D.A., Lin, H. & National Academies Press 2003, Information technology for
counterterrorism: immediate actions and future possibilities, National Academies Press, Washington, D.C.
OECD (Organization for Economic Co-operation and Development). 2007. Malicious Software (Malware): A
Security Threat to the Internet Community. Ministerial Background Report [Online]. Available:
http://www.oecd.org/dataoecd/53/34/40724457.pdf
Ollmann, G. 2010, "Asymmetrical Warfare: Challenges and Strategies for Countering Botnets", The 5th
International Conference on Information-Warfare & SecurityACI, Reading, England, pp. 507.
Oram, A. & Viega, J. 2009, Beautiful security, 1st edn, O'Reilly, Sebastopol, CA.
Padgham, L. & Winikoff, M. 2004, Developing intelligent agent systems: a practical guide, Wiley.
Pathak, A., Qian, F., Hu, Y.C., Mao, ZM. & Ranjan, S. 2009. Botnet Spam Campaigns Can Be Long Lasting:
Evidence, Implications, and Analysis. Proceedings of the 11 th International Joint Conference on
Measurement and Modeling of Computer Systems. SIGMETRICS / Performance'09, June 15-19, 2009,
Seattle, WA.
Porras, P. 2009. Reflections on Conficker: An insider's view of the analysis and implications of the Conficker
conundrum. CACM 52 (10). October.
Prince, B. 2010,, Russian Cybercrime: Geeks, Not Gangsters | eWEEK Europe UK. Available:
http://www.eweekeurope.co.uk/knowledge/russian-cybercrime-geeks-not-gangsters-9182/2 [2010,
8/30/2010].
Ramachandran, A. & Feamster, N. 2006. Understanding the Network Level Behavior of Spammers. Proceedings
of the 2006 Conference on Applications, Technologies, Architectures and Protocols for Computer
Communications, SIGCOMM’06, September 11-15, 2006, Pisa, Italy.
Schiller, C.A., Binkley, J. & Harley, D. 2007, Botnets: the killer web app, Syngress Media Inc.
Smith, G. 1998,, Issues in S and T, Fall 1998, An Electronic Pearl Harbor? Not Likely. Available:
http://www.issues.org/15.1/smith.htm [2010, 8/16/2010].
305

Evan Dembskey and Elmarie Biermann
Stone-Gross, B., Cova, M., Cavallaro, L., Gilbert, B. & Szydlowski, M. 2009. Your Botnet is My Botnet: Analysis
of a Botnet Takeover. Proceedings of the 16 th ACM Conference on Computer and Communications
Security. CCS’09, November 9–13, 2009, Chicago, Illinois, USA.
Stytz, M.R. & Banks, S.B. 2008, Toward Intelligent Agents For Detecting Cyberattacks
Thawonmas, R. Kashifuji, Y. & Chen, K. 2008. Detection of MMORPG Bots Based on Behavior Analysis.
Proceedings of the 2008 International Conference on Advances in Computer Entertainment Technology.
Yokohama, Japan.
Villamarín-Salomón, R. & Brustoloni, JC. 2009. Bayesian Bot Detection Based on DNS Traffic Similarity.
Proceedings of the 2009 ACM symposium on Applied Computing, SAC’09, March 8-12, 2009, Honolulu,
Hawaii, U.S.A.
Wang, Y., Gu, D., Xu, J. & Du, H. 2009. Hacking Risk Analysis of Web Trojan in Electric Power System. In:
Proceedings of the International Conference on Web Information Systems and Mining. Shanghai, China.
Williams, C.W. 2008,, Carpet bombing in cyberspace - May 2008 - Armed Forces Journal - Military Strategy,
Global Defense Strategy. Available: http://www.armedforcesjournal.com/2008/05/3375884 [2010,
7/20/2010].
Yampolskiy, RV. & Govindaraju, V. 2008. Embedded Non-interactive Continuous Bot Detection. ACM Computers
in Entertainment, Vol. 5, No. 4, Article 7. Publication Date: March 2008.
Xie, Y., Yu, F., Achan, K., Panigrahy, R., Hulten, G. & Osipkov, I. 2008. Spamming Botnets: Signatures and
Characteristics. Proceedings of th 2008 Conference on Applications, Technologies, Architectures and
Protocols for Computer Communications,SIGCOMM’08, August 17–22, 2008, Seattle, Washington.
306

Theoretical Offensive Cyber Militia Models
Rain Ottis
Cooperative Cyber Defence Centre of Excellence, Tallinn, Estonia
rain.ottis@ccdcoe.org
Abstract. Volunteer based non-state actors have played an important part in many international cyber conflicts of
the past two decades. In order to better understand this threat I describe three theoretical models for volunteer
based offensive cyber militias: the Forum, the Cell and the Hierarchy. The Forum is an ad-hoc cyber militia form
that is organized around a central communications platform, where the members share information and tools
necessary to carry out cyber attacks against their chosen adversary. The Cell model refers to hacker cells, which
engage in politically motivated hacking over extended periods of time. The Hierarchy refers to the traditional
hierarchical model, which may be encountered in government sponsored volunteer organizations, as well as in
cohesive self-organized non-state actors. For each model, I give an example and describe the model’s attributes,
strengths and weaknesses using qualitative analysis. The models are based on expert opinion on different types
of cyber militias that have been seen in cyber conflicts. These theoretical models provide a framework for
categorizing volunteer based offensive cyber militias of non-trivial size.
Keywords: cyber conflict, cyber militia, cyber attack, patriotic hacking, on-line communities
1. Introduction
The widespread application of Internet services has given rise to a new contested space, where
people with conflicting ideals or values strive to succeed, sometimes by attacking the systems and
services of the other side. It is interesting to note that in most public cases of cyber conflict the
offensive side is not identified as a state actor, at least not officially. Instead, it often looks like citizens
take part in hactivist campaigns or patriotic hacking on their own, volunteering for the cyber front.
Cases like the 2007 cyber attacks against Estonia are a good example where an informal non-state
cyber militia has become a threat to national security. In order to understand the threat posed by
these volunteer cyber militias I provide three models of how such groups can be organized and
analyze the strengths and weaknesses of each.
The three models considered are the Forum, the Cell and the Hierarchy. The models are applicable to
groups of non-trivial size, which require internal assignment of responsibilities and authority.
1.1 Method and limitations
In this paper I use theoretical qualitative analysis in order to describe the attributes, strengths and
weaknesses of three offensively oriented cyber militia models. I have chosen the three plausible
models based on what can be observed in recent cyber conflicts. The term model refers to an abstract
description of relationships between members of the cyber militia, including command, control and
mentoring relationships, as well as the operating principles of the militia.
Note, however, that the description of the models is based on theoretical reasoning and expert
opinion. It offers abstract theoretical models in an ideal setting. There may not be a full match to any
of them in reality or in the examples provided. It is more likely to see either combinations of different
models or models that do not match the description in full. On the other hand, the models should
serve as useful frameworks for analyzing volunteer groups in the current and coming cyber conflicts.
In preparing this work, I communicated with and received feedback from a number of recognized
experts in the field of cyber conflict research. I wish to thank them all for providing comments on my
proposed models: Prof Dorothy Denning (Naval Postgraduate School), Dr Jose Nazario (Arbor
Networks), Prof Samuel Liles (Purdue University Calumet), Mr Jeffrey Carr (Greylogic) and Mr
Kenneth Geers (Cooperative Cyber Defence Centre of Excellence).
2. The forum
The global spread of the Internet allows people to connect easily and form „cyber tribes“, which can
range from benign hobby groups to antagonistic ad-hoc cyber militias. (Williams 2007, Ottis 2008,
Carr 2009, Nazario 2009, Denning 2010) In the case of an ad-hoc cyber militia, the Forum unites likeminded
people who are “willing and able to use cyber attacks in order to achieve a political goal.“
307

Rain Ottis
(Ottis 2010b) It serves as a command and control platform where more active members can post
motivational materials, attack instructions, attack tools, etc. (Denning 2010)
This particular model, as well as the strengths and weaknesses covered in this section, are based on
(Ottis 2010b). A good example of this model in recent cyber conflicts is the stopgeorgia.ru forum
during the Russia-Georgia war in 2008 (Carr 2009).
2.1 Attributes
The Forum is an on-line meeting place for people who are interested in a particular subject. I use
Forum as a conceptual term referring to the people who interact in the on-line meeting place. The
technical implementation of the meeting place could take many different forms: web forum, Internet
Relay Chat channel, social network subgroup, etc. It is important that the Forum is accessible over
Internet and preferably easy to find. The latter condition is useful for recruiting new members and
providing visibility to the agenda of the group.
The Forum mobilizes in response to an event that is important to the members. While there can be a
core group of people who remain actively involved over extended periods of time, the membership
can be expected to surge in size when the underlying issue becomes “hot“. Basically, the Forum is
like a flash mob that performs cyber attacks instead of actions on the streets. As such, the Forum is
more ad-hoc than permanent, because it is likely to disband once the underlying event is settled.
The membership of the Forum forms a loose network centered on the communications platform,
where few, if any, people know each other in real life and the entire membership is not known to any
single person (Ottis 2010b). Most participate anonymously, either providing an alias or by remaining
passive on the communication platform. In general, the Forum is an informal group, although specific
roles can be assumed by individual members. For example, there could be trainers, malware
providers, campaign planners, etc. (Ottis 2010b) Some of the Forum members may also be active in
cyber crime. In that case, they can contribute resources such as malware or use of a botnet to the
Forum.
The membership is diverse, in terms of skills, resources and location. While there seems to be
evidence that a lot of the individuals engaged in such activities are relatively unskilled in cyber attack
techniques (Carr 2009), when supplemented with a few more experienced members the group can be
much more effective and dangerous (Ottis 2010a).
Since most of the membership remains anonymous and often passive on the communications
platform, the leadership roles will be assumed by those who are active in communicating their intent,
plans and expertise. (Denning 2010) However, this still does not allow for strong command and
control, as each member can decide what, if any, action to take.
2.2 Strengths
One of the most important strengths of a loose network is that it can form very quickly. Following an
escalation in the underlying issue, all it takes is a rallying cry on the Internet and within hours or even
minutes the volunteers can gather around a communications platform, share attack instructions, pick
targets and start performing cyber attacks.
As long as there is no need for tightly controlled operations, in terms of timing, resource use and
targeting, there is very little need for management. The network is also easily scalable, as anyone can
join and there is no lengthy vetting procedure.
The diversity of the membership means that it is very difficult for the defenders to analyze and counter
the attacks. The source addresses are likely distributed globally (black listing will be inefficient) and
the different skills and resources ensure heterogeneous attack traffic (no easy patterns). In addition,
experienced attackers can use this to conceal precision strikes against critical services and systems.
While it may seem that neutralizing the communications platform (via law enforcement action, cyber
attack or otherwise) is an easy way to neutralize the militia, this may not be the case. The militia can
easily regroup at a different communications platform in a different jurisdiction. Attacking the Forum
directly may actually increase the motivation of the members. (Ottis 2010b)
308

Rain Ottis
Last, but not least, it is very difficult to attribute these attacks to a state, as they can (seem to) be a
true (global) grass roots campaign, even if there is some form of state sponsorship. Some states may
take advantage of this fact by allowing such activity to continue in their jurisdiction, blaming legal
obstacles or lack of capability for their inactivity. It is also possible for government operatives to
“create” a “grass roots” Forum movement in support of the government agenda. (Ottis 2009)
2.3 Weaknesses
A clear weakness of this model is the difficulty to command and control the Forum. Membership is not
formalized and often it is even not visible on the communication platform, because passive readers
can just take ideas from there and execute the attacks on their own. This uncoordinated approach can
seriously hamper the effectiveness of the group as a whole. It may also lead to uncontrolled
expansion of conflict, when members unilaterally attack third parties on behalf of the Forum.
A problem with the loose network is that it is often populated with people who do not have experience
with cyber attacks. Therefore, their options are limited to primitive manual attacks or preconfigured
automated attacks using attack kits or malware. (Ottis 2010a) They are highly reliant on instructions
and tools from more experienced members of the Forum.
The Forum is also prone to infiltration, as it must rely on relatively easily accessible communication
channels. If the communication point is hidden, the group will have difficulties in recruiting new
members. The assumption is, therefore, that the communication point can be easily found by both
potential recruits, as well as infiltrators. Since there is no easy way to vet the incoming members,
infiltration should be relatively simple.
Another potential weakness of the Forum model is the presumption of anonymity. If the membership
can be infiltrated and convinced that their anonymity is not guaranteed, they will be less likely to
participate in the cyber militia. Options for achieving this can include “exposing” the “identities” of the
infiltrators, arranging meetings in real life, offering tools that have a phone-home functionality to the
members, etc. Note that some of these options may be illegal, depending on the circumstances. (Ottis
2010b)
3. The cell
Another model for a volunteer cyber force that has been seen is a hacker cell. In this case, the
generic term hacker is used to encompass all manner of people who perform cyber attacks on their
own, regardless of their background, motivation and skill level. It includes the hackers, crackers and
script kiddies described by Young and Aitel (2004). The hacker cell includes several hackers who
commit cyber attacks on a regular basis over extended periods of time. Examples of hacker cells are
Team Evil and Team Hell, as described in Carr (2009).
3.1 Attributes
Unlike the Forum, the Cell members are likely to know each other in real life, while remaining
anonymous to the outside observer. Since their activities are almost certainly illegal, they need to trust
each other. This limits the size of the group and requires a (lengthy) vetting procedure for any new
recruits. The vetting procedure can include proof of illegal cyber attacks.
The command and control structure of the Cell can vary from a clear self-determined hierarchy to a
flat organization, where members coordinate their actions, but do not give or receive orders. In theory,
several Cells can coordinate their actions in a joint campaign, forming a confederation of hacker cells.
The Cells can exist for a long period of time, in response to a long-term problem, such as the Israel-
Palestine conflict. The activity of such a Cell ebbs and flows in accordance with the intensity of the
underlying conflict. The Cell may even disband for a period of time, only to reform once the situation
intensifies again.
Since hacking is a hobby (potentially a profession) for the members, they are experienced with the
use of cyber attacks. One of the more visible types of attacks that can be expected from a Cell is the
website defacement. Defacement refers to the illegal modification of website content, which often
includes a message from the attacker, as well as the attacker’s affiliation. The Zone-H web archive
309

Rain Ottis
lists thousands of examples of such activity, as reported by the attackers. Many of the attacks are
clearly politically motivated and identify the Cell that is responsible.
Some members of the Cell may be involved with cyber crime. For example, the development,
dissemination, maintenance and use of botnets for criminal purposes. These resources can be used
for politically motivated cyber attacks on behalf of the Cell.
3.2 Strengths
A benefit of the Cell model is that it can mobilize very quickly, as the actors presumably already have
each other’s contact information. In principle, the Cell can mobilize within minutes, although it likely
takes hours or days to complete the process.
A Cell is quite resistant to infiltration, because the members can be expected to establish their hacker
credentials before being allowed to join. This process may include proof of illegal attacks.
Since the membership can be expected to be experienced in cyber attack techniques, the Cell can be
quite effective against unhardened targets. However, hardened targets may or may not be within the
reach of the Cell, depending on their specialty and experience. Prior hacking experience also allows
them to cover their tracks better, should they wish to do so.
3.3 Weaknesses
While a Cell model is more resistant to countermeasures than the Forum model, it does offer potential
weaknesses to exploit. The first opportunity for exploitation is the hacker’s ego. Many of the more
visible attacks, including defacements, leave behind the alias or affiliation of the attacker, in order to
claim the bragging rights. (Carr 2009) This seems to indicate that they are quite confident in their skills
and proud of their achievements. As such, they are potentially vulnerable to personal attacks, such as
taunting or ridiculing in public. Stripping the anonymity of the Cell may also work, as at least some
members could lose their job and face law enforcement action in their jurisdiction. (Carr 2009) As
described by Ottis (2010b), it is probably not necessary to actually identify all the members of the Cell.
Even if the identity of a few of them is revealed or if the corresponding perception can be created
among the membership, the trust relationship will be broken and the effectiveness of the group will
decrease.
Prior hacking experience also provides a potential weakness. It is more likely that the law
enforcement know the identity of a hacker, especially if he or she continues to use the same affiliation
or hacker alias. While there may not be enough evidence or damage or legal base for law
enforcement action in response to their criminal attacks, the politically motivated attacks may provide
a different set of rules for the local law enforcement.
The last problem with the Cell model is scalability. There are only so many skilled hackers who are
willing to participate in a politically motivated cyber attack. While this number may still overwhelm a
small target, it is unlikely to have a strong effect on a large state.
4. The hierarchy
The third option for organizing a volunteer force is to adopt a traditional hierarchical structure. This
approach is more suitable for government sponsored groups or other cohesive groups that can agree
to a clear chain of command. For example, the People’s Liberation Army of China is known to include
militia type units in their IW battalions. (Krekel 2009) The model can be divided into two generic submodels:
anonymous and identified membership.
4.1 Attributes
The Hierarchy model is similar in concept to military units, where a unit commander exercises power
over a limited number of sub-units. The number of command levels depends on the overall size of the
organization.
Each sub-unit can specialize on some specific task or role. For example, the list of sub-unit roles can
include reconnaissance, infiltration/breaching, exploitation, malware/exploit development and training.
Depending on the need, there can be multiple sub-units with the same role. Consider the analogy of
310

Rain Ottis
an infantry battalion, which may include a number of infantry companies, anti-tank and mortar
platoons, a reconnaissance platoon, as well as various support units (communications, logistics), etc.
This specialization and role assignment allows the militia unit to conduct a complete offensive cyber
operation from start to finish.
A Hierarchy model is the most likely option for a state sponsored entity, since it offers a more
formalized and understandable structure, as well as relatively strong command and control ability. The
control ability is important, as the actions of a state sponsored militia are by definition attributable to
the state.
However, a Hierarchy model is not an automatic indication of state sponsorship. Any group that is
cohesive enough to determine a command structure amongst them can adopt a hierarchical structure.
This is very evident in Massively Multiplayer Online Games (MMOG), such as World of Warcraft or
EVE Online, where players often form hierarchical groups (guilds, corporations, etc.) in order to
achieve a common goal. The same approach is possible for a cyber militia as well. In fact, Williams
(2007) suggests that gaming communities can be a good recruiting ground for a cyber militia.
While the state sponsored militia can be expected to have identified membership (still, it may be
anonymous to the outside observer) due to control reasons, a non-state militia can consist of
anonymous members that are only identified by their screen names.
4.2 Strengths
The obvious strength of a hierarchical militia is the potential for efficient command and control. The
command team can divide the operational responsibilities to specialized sub-units and make sure that
their actions are coordinated. However, this strength may be wasted by incompetent leadership or
other factors, such as overly restrictive operating procedures.
A hierarchical militia may exist for a long time even without ongoing conflict. During “peacetime“, the
militia’s capabilities can be improved with recruitment and training. This degree of formalized
preparation with no immediate action in sight is something that can set the hierarchy apart from the
Forum and the Cell.
If the militia is state sponsored, then it can enjoy state funding, infrastructure, as well as cooperation
from other state entities, such as law enforcement or intelligence community. This would allow the
militia to concentrate on training and operations.
4.3 Weaknesses
A potential issue with the Hierarchy model is scalability. Since this approach requires some sort of
vetting or background checks before admitting a new member, it may be time consuming and
therefore slow down the growth of the organization.
Another potential issue with the Hierarchy model is that by design there are key persons in the
hierarchy. Those persons can be targeted by various means to ensure that they will not be effective or
available during a designated period, thus diminishing the overall effectiveness of the militia. A
hierarchical militia may also have issues with leadership if several people contend for prestigious
positions. This potential rift in the cohesion of the unit can potentially be exploited by infiltrator agents.
Any activities attributed to the state sponsored militia can further be attributed to the state. This puts
heavy restrictions on the use of cyber militia “during peacetime“, as the legal framework surrounding
state use of cyber attacks is currently unclear. However, in a conflict scenario, the state attribution is
likely not a problem, because the state is party to the conflict anyway. This means that a state
sponsored offensive cyber militia is primarily useful as a defensive capability between conflicts. Only
during conflict can it be used in its offensive role.
While a state sponsored cyber militia may be more difficult (but not impossible) to infiltrate, they are
vulnerable to public information campaigns, which may lead to low public and political support,
decreased funding and even official disbanding of the militia. On the other hand, if the militia is not
state sponsored, then it is prone to infiltration and internal information operations similar to the one
considered at the Forum model.
311

Rain Ottis
Of the three models, the hierarchy probably takes the longest to establish, as the chain of command
and role assignments get settled. During this process, which could take days, months or even years,
the militia is relatively inefficient and likely not able to perform any complex operations.
5. Comparison
When analyzing the three models, it quickly becomes apparent that there are some aspects that are
similar to all of them. First, they are not constrained by location. While the Forum and the Cell are by
default dispersed, even a state sponsored hierarchical militia can operate from different locations.
Second, since they are organizations consisting of humans, then one of the more potent ways to
neutralize cyber militias is through information operations, such as persuading them that their
identities have become known to the law enforcement, etc.
Third, all three models benefit from a certain level of anonymity. However, this also makes them
susceptible for infiltration, as it is difficult to verify the credentials and intent of a new member.
On the other hand, there are differences as well. Only one model lends itself well to state sponsored
entities (hierarchy), although, in principle, it is possible to use all three approaches to bolster the
state’s cyber power.
The requirement for formalized chain of command and division of responsibilities means that the initial
mobilization of the Hierarchy can be expected to take much longer than the more ad-hoc Forum or
Cell. In case of short conflicts, this puts the Hierarchy model at a disadvantage.
Then again, the Hierarchy model is more likely to adopt a “peace time” mission of training and
recruitment in addition to the “conflict” mission, while the other two options are more likely to be
mobilized only in time of conflict. This can offset the slow initial formation limitation of the Hierarchy, if
the Hierarchy is established well before the conflict.
While the Forum can rely on their numbers and use relatively primitive attacks, the Cell is capable of
more sophisticated attacks due to their experience. The cyber attack capabilities of the Hierarchy,
however, can range from trivial to complex.
It is important to note that the three options covered here can be combined in many ways, depending
on the underlying circumstances and the personalities involved.
Conclusion
Politically motivated cyber attacks are becoming more frequent every year. In most cases the cyber
conflicts include offensive non-state actors (spontaneously) formed from volunteers. Therefore, it is
important to study these groups.
I have provided a theoretical way to categorize non-trivial cyber militias based on their organization.
The three theoretical models are: the Forum, the Cell and the Hierarchy. In reality, it is unlikely to see
a pure form of any of these, as different groups can include aspects of several models. However, the
strengths and weaknesses identified should serve as useful guides to dealing with the cyber militia
threat.
Disclaimer: The opinions expressed here should not be interpreted as the official policy of the
Cooperative Cyber Defence Centre of Excellence or the North Atlantic Treaty Organization.
References
Carr, J. (2009) Inside Cyber Warfare. Sebastopol: O'Reilly Media.
Denning, D. E. (2010) “Cyber Conflict as an Emergent Social Phenomenon.” In Holt, T. & Schell, B. (Eds.)
Corporate Hacking and Technology-Driven Crime: Social Dynamics and Implications. IGI Global, pp 170-
186.
Krekel, B., DeWeese, S., Bakos, G., Barnett, C. (2009) Capability of the People’s Republic of China to Conduct
Cyber Warfare and Computer Network Exploitation. Report for the US-China Economic and Security
Review Commission.
Nazario, J. (2009) “Politically Motivated Denial of Service Attacks.” In Czosseck, C. & Geers, K. (Eds.) The Virtual
Battlefield: Perspectives on Cyber Warfare. Amsterdam: IOS Press, pp 163-181.
312

Rain Ottis
Ottis, R. (2008) “Analysis of the 2007 Cyber Attacks Against Estonia from the Information Warfare Perspective.”
In Proceedings of the 7th European Conference on Information Warfare and Security. Reading: Academic
Publishing Limited, pp 163-168.
Ottis, R. (2009) ”Theoretical Model for Creating a Nation-State Level Offensive Cyber Capability.” In Proceedings
of the 8th European Conference on Information Warfare and Security. Reading: Academic Publishing
Limited, pp 177-182.
Ottis, R. (2010a) “From Pitch Forks to Laptops: Volunteers in Cyber Conflicts.” In Czosseck, C. and Podins, K.
(Eds.) Conference on Cyber Conflict. Proceedings 2010. Tallinn: CCD COE Publications, pp 97-109.
Ottis, R. (2010b) “Proactive Defence Tactics Against On-Line Cyber Militia.” In Proceedings of the 9th European
Conference on Information Warfare and Security. Reading: Academic Publishing Limited, pp 233-237.
Williams, G., Arreymbi, J. (2007) Is Cyber Tribalism Winning Online Information Warfare? In Proceedings of
ISSE/SECURE 2007 Securing Electronic Business Processes. Wiesbaden: Vieweg. On-line:
http://www.springerlink.com/content/t2824n02g54552m5/n
Young, S., Aitel, D. (2004) The Hacker’s Handbook. The Strategy behind Breaking into and Defending Networks.
Boca Raton: Auerbach.
313

314

Work
in
Progress
Papers
315

316

Large-Scale Analysis of Continuous Data in Cyber-Warfare
Threat Detection
William Acosta
University of Toledo, USA
william.acosta@utoledo.edu
Abstract: Combating cyber/information warfare threats requires analyzing vast quantities of diverse data. The
data required to detect attacks as they occur (on-line analysis of live data) and predict future threats (forensic
analysis/data mining) is not only large, but is growing at a staggering rate. Data such as network traffic logs,
emails, and social networking posts, SMS message, and cell phone call logs are, by nature, continuous and
growing. The problem addressed in this research is that current systems are not designed to handle either the
scope or nature of the analysis or the data itself. For example, distributed data processing systems like Google’s
Map-Reduce provide the ability to process large data sets, but they are not designed to easily support processing
of changing data sets or data-mining algorithms. In light of this, Google has itself recently stopped using
MapReduce for building its web-index, opting instead for a custom mechanism that can more quickly respond to
and process new content. Non-traditional databases, like vertically-partitioned/column-store databases, can
efficiently support analysis algorithms on large quantities of data, but they are not designed to support
continuously changing data sets. The goal of this research is to explore and design new data management
system that can handle large quantities of incrementally growing data as well as direct support for data mining
and analysis algorithms. Specifically, this research proposes a new distributed data processing system that
exploits the parallel and distributed resources/computation of cloud computing infrastructures. It makes use of
summary data structures that can be updated incrementally and continuous queries to support analysis and data
mining algorithms natively. This approach allows for larger-scale and more robust analysis on continuously
growing data that can help detect, predict and respond to cyber-warfare threats.
Keywords: data-mining, databases, text-search, cloud computing, data integration
1. Introduction
Protection against cyber/information warfare threats requires understanding the nature, methods, and
patterns of those attacks. Such understanding can allow for early detection and, possibly prediction,
of attacks. Gaining an understanding of the patterns and mechanisms used in cyber/information
warfare attacks requires analyzing large amounts of diverse data such as server logs (Myers et al.
2010), emails, SMS messages, and social-networking data. Not only is the data diverse, but it is also
continuous; new data gets generated every day. Furthermore, analysis of this data can require
equally diverse approaches: graph-theoretic algorithms (detecting patterns in social-networking), data
mining algorithms (associations between events), statistical models, clustering algorithms, etc. The
diverse nature of the data and analysis algorithms as well as the large quantity of data to be analyzed
poses problems to both traditional databases and storage systems. In order to provide the analysis of
diverse and continuous data required for cyber-warfare threat detection, a new system is needed for
managing large quantities of diverse data that can support equally diverse analysis algorithms.
The need to incrementally process large quantities of data is applicable to wide range of applications.
For example, Google replaced MapReduce (Dean & Ghemawat 2004), its current web-indexing
system, in order to enable faster updates of its index (Metz 2010, Peng & Dabek 2010). Similarly,
detecting and responding to information security threats requires a mechanism that cannot only
manage large quantities of data, but also provide for fast response time of complex, continuous
analysis. This paper proposes a new distributed data-analysis framework that is designed to meet the
needs of applications that require analysis of continuous data. Next, Section 2 presents the design of
the proposed system in the context of related work. Section 3 then provides concluding remarks.
2. Design and requirements of a continuous data analysis system
Cyber-warfare threat detection requires analyzing large quantities of diverse data that is continuously
generated. The properties of the raw data in this type of application impose some constraints on the
analysis and data storage systems. These applications require analyzing not only current data, but
also prior/historical from many heterogeneous sources. Because the raw data is continuously
generated, old data must be kept for analysis while new data is integrated into the storage and
analysis framework. Because old data must be kept and not changed, the system need not support
updates of raw data. Effectively, raw data is append-only. This can be leveraged to improve storage
efficiency and performance; it is easier to implement and support distributed storage as no write-
317

William Acosta
locking of existing data is necessary. It also allows for the analysis framework to make use novel
summary data structures and algorithms that can incorporate the changes made to the data without
requiring analysis of the full dataset.
2.1 Storage and data management
The large quantity of data makes a centralized storage solution unfeasible; instead, a distributed
storage solution Is favored. The parallel nature of many of the algorithms makes a distributed solution
not only more feasible, but also desirable. Distributed storage systems such as Google’s BigTable
(Chang et al. 2006), Yahoo’s PNUTS (Cooper et al. 2008), and Amazon’s Dynamo (DeCandia et al.
2007) provide the low-level mechanisms for storing, and managing large quantities of data. These
systems were designed to support coordinated reads and updates of data in a distributed
environment. To support the needs of applications like cyber-warfare threat detection, a distributed
storage system should provide efficient, low-level support for append-only writes of raw data, as well
as efficient tracking of incremental additions and updates of the dataset.
2.2 Distributed processing of data
Recently, there has been a great deal of research in Google’s MapReduce (Dean & Ghemawat 2004)
distributed computing software framework for processing large datasets. However, its batch-oriented
nature was not designed to deal with incremental or continuous data updates. This makes it
unsuitable for a variety of applications including cyber-warfare threat analysis and detection. Systems
like Haloop (Bu et al. 2010) and MapReduce Online (Condie et al. 2010) have sought to add
continuous query support to MapReduce. To achieve this, these systems had to make fundamental
changes to the API and underlying architecture of MapReduce. This paper argues that what is
needed instead is a system designed from the ground-up to support the demands of analysis and
mining algorithms on large sets of continuously generated data.
2.3 Data management and analysis
The problem of analyzing continuous data has been explored by stream databases (Abadi et al. 2005,
Shah et al. 2004). Similarly, continuous queries in databases have been proposed with systems such
as TelegraphCQ (Chandrasekaran et al. 2003) and CQL (Arasu et al. 2006). These systems can
handle processing queries on streams of data with long-running/continuous queries. However, they
lack the ability to support analytic algorithms over a large and diverse dataset. In contrast, verticallypartitioned
databases such as C-Store (Stonebraker et al. 2005) excel at fast and efficient support of
complex analytics. Unfortunately, vertically-partitioned databases suffer from poor performance on
writes. In essence, insertions and updates require that the index be rebuilt. Although performance of
reads is very fast once the index is built, building the index is very expensive. What is needed is a
system that can perform complex analytics on continuous data without requiring a complex index to
be completely rebuilt as a result of data updates. This paper proposes a new, incremental indexing
system that keeps track of summarized historical data while allowing for many small [incremental]
updates to be incorporated. The key difference is that, unlike traditional database indexes, the new
incremental index would not be build off-line (batch-process). Instead, the index would incorporate the
many incremental updates on-line so that the index of past data is always active and valid.
In addition to the storage and distributed computing framework, it is also important to consider the
needs of the algorithms that will be used in the system. Applications with such diverse data require
equally diverse analysis. For example, detecting hidden correlations and associations between events
seen in server logs requires mining association rules (Agrawal & Srikant 1994) whereas detecting
interaction of attackers in a network may involve graph theoretic algorithms.
3. Conclusion
This paper presents a case for a new distributed computing system that is explicitly designed to meet
the unique needs of applications such as cyber-warfare threat detection. The system should support
large quantities of diverse data such as server logs, emails, social-network data, etc. It should allow
for a variety of mining and analysis algorithms and support for those algorithms to be processed in a
parallel and distributed manner. The system must not only meet these needs, but also do so in a way
that can efficiently support continuous analysis of data that is continuously generated.
318

References
William Acosta
Abadi, D. J., Ahmad, Y., Balazinska, M., Cherniack, M., hyon Hwang, J., Lindner, W., Maskey, A. S., Rasin, E.,
Ryvkina, E., Tatbul, N., Xing, Y. & Zdonik, S. (2005), The design of the borealis stream processing engine,
in ‘CIDR ’05: Proceedings of the second biennial Conference on Innovative Data Systems Research’, pp.
277–289.
Agrawal, R. & Srikant, R. (1994), Fast algorithms for mining association rules, in J. B. Bocca, M. Jarke & C.
Zaniolo, eds, ‘Proc. 20th Int. Conf. Very Large Data Bases, VLDB’, Morgan Kaufmann, pp. 487–499.
Arasu, A., Babu, S. & Widom, J. (2006), ‘The cql continuous query language: semantic foundations and query
execution’, The VLDB Journal 15(2), 121–142.
Bu, Y., Howe, B., Balazinska, M. & Ernst, M. D. (2010), Haloop: Efficient iterative data processing on large
clusters, in ‘Proceedings of the VLDB Endowment’, Vol. 3.
Chandrasekaran, S., Cooper, O., Deshpande, A., Franklin, M. J., Hellerstein, J. M., Hong, W., Krishnamurthy, S.,
Madden, S., Raman, V., Reiss, F. & Shah, M. (2003), Telegraphcq: Continuous dataflow processing for an
uncertain world, in ‘CIDR ’03: Proceedings of the first biennial Conference on Innovative Data Systems
Research’.
Chang, F., Dean, J., Ghemawat, S., Hsieh, W. C., Wallach, D. A., Burrows, M., Chandra, T., Fikes, A. & Gruber,
R. E. (2006), Bigtable: A distributed storage system for structured data, in ‘Proceedings of the 7th
symposium on Operating systems design and implementation (OSDI ’06)’, Seattle, WA.
Condie, T., Conway, N., Alvaro, P., Elmeleegy, J. M. H. K. & Sears, R. (2010), Mapreduce online, in
‘Proceedings of the Seventh USENIX Symposium on Networked System Design and Implementation (NSDI
2010)’, San Jose, CA.
Cooper, B. F., Ramakrishnan, R., Srivastava, U., Silberstein, A., Bohannon, P., arno Jacobsen, H., Puz, N.,
Weaver, D. & Yerneni, R. (2008), Pnuts: Yahoo!s hosted data serving platform, in ‘Proceedings of the 34th
International Conference on Very Large Data Bases (VLDB ’08)’, Auckland, New Zealand.
Dean, J. & Ghemawat, S. (2004), Mapreduce: simplified data processing on large clusters, in ‘OSDI’04:
Proceedings of the 6th conference on Symposium on Operating Systems Design & Implementation’,
USENIX Association, Berkeley, CA, USA, pp. 10–10.
DeCandia, G., Hastorun, D., Jampani, M., Kakulapati, G., Lakshman, A., Pilchin, A., Sivasubramanian, S.,
Vosshall, P. & Vogels, W. (2007), Dynamo: amazon’s highly available key-value store, in ‘SOSP ’07:
Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles’, ACM, New York,
NY, USA, pp. 205–220.
Metz, C. (2010), ‘Google search index splits with mapreduce’. URL: http: // www. theregister. co. uk/ 2010/ 09/
09/ google_ caffeine_ explained/
Myers, J., Grimaila, M. & Mills, R. (2010), Insider threat detection using distributed event correlation of web
server logs, in ‘ICIW ’10: Proceedings of the 5th International Conference on Information-Warfare and
Security’.
Peng, D. & Dabek, F. (2010), Large-scale incremental processing using distributed transactions and notifications,
in ‘OSDI ’10: Proceedings of the Ninth USENIX Symposium on Operating Systems Design and
Implementation’.
Shah, M. A., Hellerstein, J. M. & Brewer, E. (2004), Highly available, fault-tolerant, parallel dataflows, in
‘SIGMOD ’04: Proceedings of the 2004 ACM SIGMOD international conference on Management of data’,
ACM, New York, NY, USA, pp. 827–838.
Stonebraker, M., Abadi, D. J., Batkin, A., Chen, X., Cherniack, M., Ferreira, M., Lau, E., Lin, A., Madden, S.,
O’Neil, E., O’Neil, P., Rasin, A., Tran, N. & Zdonik, S. (2005), C-store: a column-oriented dbms, in ‘VLDB
’05: Proceedings of the 31st international conference on Very large data bases’, VLDB Endowment, pp.
553–564.
319

A System and Method for Designing Secure Client-Server
Communication Protocols Based on Certificateless PKI
Natarajan Vijayarangan
Tata Consultancy Services Limited (TCS), Chennai, India
n.vijayarangan@tcs.com
Abstract: Client-server networking is a distributed application architecture that partitions tasks or work loads
between service providers (servers) and service requesters (clients), where the network communication is not
necessarily secure. A number of researchers and organizations have produced innovative methods to ensure a
secure communication in the client-server set up. However, in this paper, TCS has brought out a system of novel
network security protocols for a generic purpose. Let us take a look into the brief history of client-server
communication. In 1993 Bollovin and Merritte patented a strong Password-based Authentication Key Exchange
(PAKE), an interactive method for two or more parties to establish cryptographic keys based on one or more
party's knowledge of a password. Later, Standford University patented Secure Remote Protocol (SRP) used for a
new password authentication and key-exchange mechanism over an untrusted network. Then Sun Microsystems
implemented the Elliptic Curve Cryptography (ECC) technology which is well integrated into the OpenSSL-
Certificate Authority. This code enables secure TLS/SSL handshakes using the Elliptic curve based cipher suites.
In this paper, we proposed a set of client-server communication protocols using certificateless Public Key
Infrastructure (PKI) based on ECC. Then the protocols have identity based authentication without using bilinear
maps, session key exchange and secure message transfer. Moreover, we showed that the protocols are
lightweight and are designed to serve multiple applications.
Keywords: certificateless public key cryptography, elliptic curve cryptography, jacobi identity, message
preprocessing, lie algebras, challenge-response
1. Introduction
In the existing network operating systems, communication between the client and server takes place
using File Transfer Protocol mode which is not a secure medium. The more secure medium for
communication, Hypertext Transfer Protocol Secure, also does not ensure the security of messages,
but the connection. For instance, some of the problems that users access with a set-top box unit
would be data loss, content modification and so on. TCS has designed a set of novel network security
protocols to avoid these issues and ensure robust communication between the client and server.
Theoretically and practically, the proposed protocols have been analyzed that these protocols are
secure against replay and rushing attacks. In this design, the certificateless PKI concept based on
ECC (Al-Riyami and Paterson 2003, Hankerson et al 2004) is introduced to strengthen the protocols.
Hence TCS filed up a patent application for this invention.
2. Objectives of the invention
The objectives of the invention are to provide: 1) a secure communication between client and server
2) a robust, tamper-proof and lightweight authentication mechanism, 3) non-repudiation for clients and
4) no password-based negotiation between client and server.
3. Overview of the invention
In the existing network security protocols, certificate-based public key cryptography and Identitybased
cryptography have been widely used. These Crypto methods face the costly and complex key
management problem and the key escrow problem in the real-life deployment. A few years ago,
Certificateless Public Key Cryptography (CL-PKC) was introduced to address these problems, which
have not been solved fully. Sometimes, CL-PKC uses bilinear pairings (Adi Shamir 1984) and inverse
operations which will slowdown the performance of authentication process.
TCS' new approach towards the network security protocols will solve the common problems between
customers and network service providers or agents. Many researchers and organizations have
developed innovative client-server communication protocols based on certificates which require a lot
of computation, power consumption and memory space. TCS has designed a lightweight protocol that
will overcome these issues.
TCS has introduced CL-PKC with no bilinear pairings in the proposed set of network security
protocols. These protocols are efficient and effective against common attacks and have applications
in client-server set up over Transmission Control Protocol and User Datagram Protocol networks, Set-
320

Natarajan Vijayarangan
top box units and Telecommunication. Hence the three different Network Security Protocols (NSP 1, 2
and 3) that TCS has developed are explained in the following sections.
4. Description of NSP 1
TCS has designed a network security protocol in a generic manner to ensure secure communication
between client and server. This protocol initially allows the server to act as a Key Generation Center
(KGC) for distributing public and private keys to clients. Later, every client has to generate a pair of
public and private keys for authentication and session key generation. No certificate is exchanged in
this protocol. Robust and well-proven algorithms, ECDSA (Elliptic Curve Digital Signature Algorithm)
and ECDH (Elliptic Curve Diffie-Hellman) Key Exchange (Certicom Research 2000), are used in this
protocol for authentication and session key generation respectively.
Following is the workflow of NSP1:
(Pre-Shared Key Mechanism) Every client has a pair of Public and Private keys generated by the
server which acts as a Key Generation Center (KGC).
Client initiates the communication to server by sending a message ‘Client Hello!’.
Server generates Random Challenge (RC) of n-bits using Pseudo Random Number Generator
(PRNG). Further, Server encrypts RC with client's public key using Elliptic Curve Encryption
(ECE) method.
Client decrypts the encrypted RC with its private key using ECE.
Client generates Public and Private keys on NIST Elliptic curve-256 / 384 /512. Client signs the
challenge and sends the signature to Server.
Server verifies the signature and generates a key pair on the SAME curve. Server sends its public
key to Client.
Client and server negotiate an m-bit shared secret key using ECDH algorithm.
Client and server have Session key of m bits for Encryption. Client and server have a cipher suite.
A secure communication is established between Client and Server.
5. Description of NSP 2
There is no initial set up on generating a pair of public and private keys for client and server for
network security protocol 2. But the client and the server have a unique Message Preprocessing (MP)
function (Vijayarangan 2009), a bijective mapping, which helps to ensure no modification taken place,
when a random challenge has been sent in plain. As a part of communication setup, each client
receives a unique MP function and ID (an Identity number of a client) supplied by the server. It is
important to know that an MP algorithm (consisting of 3 operations in a sequential manner- Shuffling,
T-function and LFSR) converts a message into a randomized message. It has been analyzed that
NSP 2 stands better than NSP 1 due to an MP function if an attacker predicts RC values during the
communication.
Following is the workflow of NSP 2:
Client initiates the communication to server by sending a message ‘Client Hello!’.
Server generates Random Challenge (RC) of n-bits using Pseudo Random Number Generator
(PRNG) and computes the message preprocessing of RC. Client receives the RC and MP(RC). It
verifies MP(RC).
Client generates Public and Private keys on NIST Elliptic curve-256 / 384 / 512. Client signs the
message = {RC || ID} and sends the signature with its public key and MP(public key) to Server.
Server verifies the signature and generates a key pair on the SAME curve. Server sends its public
key to Client.
321

Natarajan Vijayarangan
Client and Server negotiate an m-bit shared secret key using ECDH algorithm.
Client and Server have Session key of m bits for Encryption. Client and Server have a cipher
suite.
A secure communication is established between Client and Server.
6. Description of NSP 3
It is similar to Network security protocol 1 and the difference can be seen in Signature generation.
Client uses Jacobi identity, a special product on Lie algebras [8], to authenticate server. The Jacobi
identity (Jacobson 1979) performs on a random challenge RC = x || y ||z (divide into 3 parts -
trifurcation) and satisfies the relationship [[x,y],z] + [[y,z],x] + [[z,x],y] = 0. It is important to know that
Lie product (Lie bracket) has a special property: [x, y] = -[y, x].
Following is the workflow of NSP 3:
(Pre-Shared Key Mechanism) Every client has a pair of Public and Private keys generated by the
server which acts as a Key Generation Center (KGC).
Client initiates the communication to server by sending a message ‘Client Hello!’.
Server generates Random challenge (RC) of n-bits using Pseudo Random Number Generator
(PRNG). Further, Server encrypts RC with client's public key using Elliptic Curve Encryption
(ECE) method.
Client decrypts the encrypted RC with its private key using ECE.
Client computes Jaboci identity on RC = x||y||z and sends the Lie product [[x,y],z] to server.
Server verifies the relationship [[x,y],z] + [[y,z],x] + [[z,x],y] = 0. Server sends its public key using
ECC to Client.
Client and server negotiate an m-bit shared secret key using ECDH algorithm.
Client and server have Session key of m bits for Encryption. Client and server have a cipher suite.
A secure communication is established between Client and Server.
7. Analysis
The proposed network security protocols do not allow replay and rushing attacks. An attacker cannot
guess a random challenge (RC) in NSP 1, since it traverses in an encrypted form. It is safe to use
NSP 1 in different nodes/channels.
Considering NSP 2 that is different from NSP 1 and sends RC in plain with MP(RC). It is interesting to
see the notion of bijective property in MP where an attacker can change RC, but not MP(RC). Given
two distinct random challenges RC1 and RC2, MP(RC1) is not the same as MP(RC2). If the attacker
tries to insert another random challenge, then server could detect this fraud by verifying a client's
signature. Since MP function has Shuffling, T-function and LFSR operations that are invertible
(Vijayarangan and Vijayasarathy 2005, Vijayarangan 2009), the inverse operations of MP -1 { MP(RC1)}
and MP -1 { MP(RC2)} are performed through a primitive polynomial of LFSR, T -1 -function and deshuffling
and their values RC1 and RC2 must be distinct.
In NSP 3, the server will not satisfy Jacobi identity if an attacker changes RC. The rationale behind on
using Jacobi identity is that a Lie product computed on RC from client end must match with the server.
Then the server checks Jacobi identity and ensures that the same client has sent the Lie product. If
the attacker alters a Lie product, then the server could detect this fraud by verifying Jaboci identity. It
is important to know that Abelian Lie algebras (for every x and y , [x,y] = 0 ) should not be considered.
From the above protocols, we can make out a proposition that dishonest clients can be eliminated in a
Mesh Topology Network (MTN) based on NSP 1,2 and 3. Thus, a system of protocols 1,2,3 can be
plugged into an MTN which brings out a strong and secure network.
322

Natarajan Vijayarangan
The proposed Mesh Topology Network (MTN) is a network where all the protocols (NSP 1, 2 and 3)
are connected to each other and is an integrated network – illustrated in Figure 1. In the topology
network, every protocol is connected to other protocols on the network through hops and each
protocol itself acts as a node (mote). Some are connected through single-hop networks and some
may be connected with more than one hop. It has been designed that the entire mesh network is
continuously connected. Even if one node fails in the mesh network, the network finds an alternate
route to transfer the data.
Network security protocol 1
A group of network
security protocols based
on certificateless PKI
Network security protocol 2
MTN
Network security protocol 3
Figure 1: A cluster of network security protocols supporting MTN
Normally, attackers can break a network using RF direction finding, traffic rate analysis and timecorrelation
monitoring. Whereas, in the proposed MTN, one may not find easily roles played by nodes,
the existence and location of nodes and the current location of specific functions (MP or Lie). Further,
the MTN has been classified into different models (Star, Ring and Hybrid) for serving different
applications. Star-MTN is a collection of communication protocols connected to a central hub which
distributes NSP 1,2 and 3 to nodes. All communication lines traverse to the central hub. The
advantage of this topology is the simplicity of adding additional nodes. This method has applications
in VSAT terminals. In local area network / wide area network where Ring-MTN could be used, each
system is connected to the network in a closed loop or ring. Basically, all systems in the ring are
connected to each other by NSP={NSP 1, MP & Lie functions}. It has the ability to switch over from
NSP 1 into NSP 2 or 3. Hybrid-MTN is proportional to the exponent of the number of nodes. If there
are 'n' nodes in a hybrid communication, it will require n(n-1)/2 network paths to make a full mesh
network. In this model, NSP 1 can be converted to NSP 2 or NSP 3 by exchanging MP or Lie
functions between nodes. This model is widely applicable to telecommunication paths like mobile
roaming and International SMS.
NSP
1
NSP
2
NSP
2
Network
Security
Protocols 1,2,3
NSP 3
NSP
NSP
3
NSP
NSP
NSP
NSP 1
NSP 2
NSP 3
NSP 3
Figure 2: Star-MTN Figure 3: Ring-MTN Figure 4: Hybrid-MTN
323
NSP 2
NSP 1

8. Conclusion
Natarajan Vijayarangan
The network security protocols produced by the system and method in accordance with this invention
described above finds a number of applications in Information Security and Communication channels.
Particularly, they are directly applied in remote sensing, keyless entry, access control and defense
systems. Since these protocols are secure and less computational complexity (compared with
certificate based PKC), they can be together used in MTN to improve the efficiency. In terms of
memory and space, Protocols 1,2 and 3 with ECC-256 bits are suitable for tiny devices. Hence we
conclude that the proposed protocols could be used for multiple applications.
References
Adi Shamir (1984) “Identity-Based Cryptosystems and Signature Schemes”, Advances in Cryptology:
Proceedings of CRYPTO 84, Lecture Notes in Computer Science, vol 7, pp 47-53.
Al-Riyami, S.S. and Paterson, K.G. (2003), “Certificateless Public Key Cryptography”, Advances in Cryptology -
Proceedings of ASIACRYPT -2003.
Bellare, M. and Rogaway, P. (1993) “Random oracles are practical: A paradigm for designing efficient protocols”,
In ACM CCS 93: 1st Conference on Computer and Communications Security, pp 62–73, USA.
Bellovin, S.M. and Merritt, M. (1992) “ Encrypted key exchange: Password-based protocols secure against
dictionary attacks”, IEEE Symposium on Security and Privacy, pp 72–84, Oakland, California, USA.
Certicom Research (2000), Standards for efficient cryptography, SEC 1: Elliptic Curve Cryptography, Ver. 1.0,
[Online], Available: http://www.secg.org/download/aid-385/sec1_final.pdf
Diffie, W. and Hellman, M.E. (1976) “New directions in cryptography”, IEEE Transactions on Information Theory,
22(6):644–654.
Hankerson, D., Menezes, A. and Vanstone, S.A. (2004), Guide to Elliptic Curve Cryptography, Springer-Verlag.
Jacobson, Nathan (1979), Lie algebras, Dover Publications, Inc., New York.
MacKenzie, P.D. (2002) The PAK suite: Protocols for password-authenticated key exchange, Contributions to
IEEE P1363.2.
Needham, R.M. and Schroeder, M.D. (1978) “Using encryption for authentication in large networks of
computers”, Communications of the Association for Computing Machinery, 21(21):993– 999.
Vijayarangan, Natarajan (2009) “Design and analysis of Message Pre processing functions for reducing Hash
collisions”, Proceedings of ISSSIS, Coimbatore, India.
Vijayarangan, Natarajan (2009), “Method for preventing and detecting hash collisions of data during the data
transmission”, USPTO Patent Pre-grant No. 20090085780.
Vijayarangan, N. and Kasilingam, S. (2004), “Random number generation using primitive polynomials”,
Proceedings of SSCCII, Italy.
Vijayarangan, N. and Vijayasarathy, R. (2005), “Primitive polynomials testing methodology”, Jour. of Discrete
Mathematical Sciences and Cryptography, vol 8(3), pp 427-435.
324