Pub Date: 2023-06-19; DOI: 10.34190/eccws.22.1.1138
Jami Carroll
Cyber ranges provide an interactive simulated environment of hardware and software. This closed environment provides a safe and legal setting where cyber warfighters can refine their skills. They enable mock cyber mission rehearsal of operation playbooks. Simulated cyber capabilities in the cyber range parallel intelligence, surveillance, and reconnaissance (ISR), Order of Battle (OOB), and battle damage assessment (BDA) in a closed, safe environment for experimentation. Scrum has been used in collegiate cyber competitions with success because it has allowed Capture-the-Flag cyber games to create simulations more quickly. Defense Innovation Units (DIUs) are applying agile Scrum processes to numerous warfighting areas in order to make them more agile. This research argues that agile software development processes could be used to optimize the planning and execution of offensive, defensive, and operation and maintenance (O&M) activities of cyber warfare simulations within cyber ranges. O&M can be done more quickly, new exploitable modules can be included more rapidly, and the capability can be reconstituted to the appropriate skill level for the next set of trainees sooner. The White team, as maintainers of the networks, systems, applications and cyber tools, selects the CVE exploits and spends an enormous amount of time installing and configuring these capabilities for the next set of trainees. Quite often there are different skill levels, which require multiple builds and the ability to refresh the cyber range with varying levels of complexity for cyber trainees. This requirement to restore the cyber range quickly with a variety of builds and varying levels of difficulty, while ensuring that experiential learning is maximized with the best availability, suggests that agile methods such as Scrum could lend improvements to cyber operations.
This research will illustrate how a cyber range could leverage agile Scrum processes to provide an improved cyber range environment more quickly and with more capabilities.
Pub Date: 2023-06-19; DOI: 10.34190/eccws.22.1.1221
T. Heverin
In the initial stages of industrial control system (ICS) penetration testing, pentesters conduct reconnaissance using various tools, including Nmap, Shodan, Maltego, Google, the Google Hacking Database (GHDB), Recon-ng and more. Testers use various reconnaissance techniques (RTs) within the tools to directly access ICS devices. Many novice ICS pentesters stop their reconnaissance work upon successfully accessing an ICS device. However, continuing to conduct reconnaissance after initial access can lead pentesters to even more information, more ICS devices, more ICS networks, and ways to make ICS exploitation more effective. Our research motivation stems from finding ways to explicitly model the continued use of RTs once an ICS device is accessed. Knowledge graphs offer an approach for linking RTs together and creating chains of RTs. MITRE ATT&CK ICS provides a matrix of ICS adversarial behaviours. The matrix consists of the main exploit tactics and the techniques used to accomplish these tactics. Example techniques include ICS alarm suppression, blocking command messages, starting a device, and stopping services. ATT&CK ICS also provides the ICS data sources that defenders use to detect the adversarial techniques. Application logs, files, logon sessions, network traffic, and operational databases are some of these ICS data sources. We reasoned that if adversaries could find the ICS data sources and discover the ability to modify them, then adversaries could cover their tracks to successfully carry out ICS tactics. For example, ICS attackers could modify log entries to hide their steps, or they could delete alarm notifications showing that ICS settings had been changed.
In this work-in-progress research, we used knowledge-graph modelling techniques to link together RTs with ICS data sources, the ability to modify those data sources, the resulting ability to cover the tracks of ICS techniques, and the impact of those techniques on accomplishing ICS tactics. We named the graph the RT-ICS Graph. With knowledge graph queries and shortest-path algorithms run over the RT-ICS Graph, we showed how RTs can explicitly lead to adversaries carrying out ICS tactics. The accomplishment of ICS tactics can cause severe damage or harm.
Pub Date: 2023-06-19; DOI: 10.34190/eccws.22.1.1180
J. Rajamäki, Tehi Palletvuori
Hybrid threat is a multidimensional and hard-to-detect activity. It includes a wide range of actions, from information influencing to the military means by which the hybrid actor achieves its goals. These goals can include weakening or even destroying the target. Security of supply means preparedness and continuity management actions that aim to safeguard the economic activities and related systems necessary for the population's livelihood, the country's economic life, and national defense in the event of exceptional conditions and comparably serious disruptions. Both hybrid threat and information influencing can disrupt the realization of security-of-supply goals. This work-in-progress paper proposes a framework that consists of hybrid threat and its sub-classification, with information influencing as one of the means of implementing hybrid threat. The framework also describes security of supply and the elements used to combat information influence and maintain security of supply. In addition, the paper discusses what elements a measure of the maturity level of an organization's prevention of information influence could consist of.
Pub Date: 2023-06-19; DOI: 10.34190/eccws.22.1.1177
Farid Ghareh Mohammadi, Ronnie Sebro
Malware attacks on healthcare institutions are simultaneously becoming more common and more sophisticated. Artificial intelligence (AI) has made it possible to rapidly alter or generate false images, increasing the ease of forging digital images. Digital image manipulation and substitution of radiographs are major threats to healthcare institutions because altered images may affect patient care. Identifying the source (manufacturer, model) of radiology images is one method of validating the origin of radiology images in a healthcare system. In a previous study, researchers demonstrated that features from magnetic resonance imaging (MRI) could be used to trace and authenticate the source of MRI images. We previously developed and tested the Deep learning for Radiograph Source Identification (Deep-RSI) approach for source identification of radiographs of the upper extremities (hands, wrists, forearms, elbows, and shoulders). In this research, we present an empirical and quantitative investigation using deep learning to validate the source of digital radiographic images of the lower extremities (knees, legs, ankles, and feet). A convolutional neural network (CNN) is employed to extract features, followed by three fully connected layers (FCNN). To ensure that our proposed method is content-free, we added a new layer before the CNN to extract the initial content-free pixels and then train the features using the CNN and FCNN layers. This proposed approach was used to identify the source of each digital image of a lower extremity. Adult patients of both sexes who had radiographs of the lower extremities at Mayo Clinic between 01/01/2010 and 12/31/2021 were evaluated. The data was randomly split by patient into training/validation and test datasets. There were 9 radiographic machine models and 6 manufacturers.
Deep-RSI had an accuracy of 99.00% (AUC = 0.99) and 97.00% (AUC = 0.94) for detecting the manufacturer and model of the radiographic machine, respectively, for radiographs of the feet, confirming that forensic evaluation of radiographs can be performed. This is the first medical forensics examination of this type to identify and confirm the source origins of radiographs of the lower extremities. This technique may be helpful in detecting radiology malware attacks and scientific fraud.
Pub Date: 2023-06-19; DOI: 10.34190/eccws.22.1.1448
Allison Wylde
A United Nations (UN) public consultation, currently underway, is reviewing requirements for the Global Digital Compact (GDC) to advance UN goals for an 'open, free, and secure digital future for all' (UN, GDC, 2022). Achieving the goals relies on proposed principles, including: connecting everyone; avoiding fragmentation; protecting data; applying human rights; accountability for discrimination and misleading content; regulation of artificial intelligence; digital commons as a public good; and 'other' areas. The purpose of this paper is to argue that trust must be included as a central 'other' principle. Although successful achievement of the GDC goals is contingent on building trust in each principle, no method for trust-building is provided. By leveraging the well-established organization and conflict management trust-building literature, this paper contributes a fresh conceptual framework that allows trust and trust-building in the goals to be operationalized and assessed. In addressing the research gap as to how to build trust in the GDC goals as they are implemented, the novel trust-building process presented here helps policymakers, practitioners, and academics better address potential risks to the future internet, such as increased state isolation, sovereignty, and internet fragmentation. Limitations and calls for further research highlight that understanding of state-level trust-building in policy is not yet mature. Further, scholars need to better categorize the processes, dynamics and norms involved in state-level trust-building, helping to counter future internet challenges.
Pub Date: 2023-06-19; DOI: 10.34190/eccws.22.1.1046
P. Duvenage, W. Bernhardt, Sebastian von Solms
While the centrality of cyber power in safeguarding and advancing nation states' national interests and objectives is now widely accepted, the academic discourse on cyber power is still incipient. In the literature reviewed, cyber power is predominantly viewed as comprising two dimensions, namely offensive and defensive. The exploratory analysis we conducted found that Africa's unique contextual factors necessitate an expanded conceptualisation of cyber power. This alternative conceptualisation does not dispute the existing notion that cyber power has offensive and defensive dimensions. Nor does it contest that cyber is by its very nature borderless and that African countries function in an interconnected global arena of competition and conflict. What is required is the addition of a third dimension to cyber power, namely developmental power. This paper advances a tentative proposition of a cyber-power triad (with offensive, defensive and developmental dimensions). This proposition, we argue, is more apposite to African countries' national objectives, both strategically and in the allocation of resources. At least on a notional level, the cyber-power triad can guide the leveraging of the asymmetric advantages that cyberspace offers African nation states, in a manner that pursues all three cyber-power dimensions in a complementary way. Such synergetic wielding of cyber power is one of the keys indispensable to African countries addressing their substantial challenges and unlocking their vast potential.
Pub Date: 2023-06-19; DOI: 10.34190/eccws.22.1.1071
Clara Maathuis, Iddo Kerkhof, Rik Godschalk, H. Passier
In its essence, social media is on its way to representing the superposition of all digital representations of human concepts, ideas, beliefs, attitudes, and experiences. In this realm, information is not only shared but also misinterpreted or disinterpreted, either unintentionally or intentionally, guided by some degree of awareness, uncertainty, or offensive purpose. This can produce implications and consequences such as societal and political polarization, and can influence or alter human behaviour and beliefs. To tackle these issues arising from social media manipulation mechanisms such as disinformation and misinformation, a diverse palette of efforts has been proposed, represented by governmental and social media platform strategies, policies, and methods, plus academic and independent studies and solutions. However, from a technical standpoint such solutions are based mainly on gaming or AI-based techniques and technologies, often consider only the defender's perspective, and address the social perspective of this phenomenon in a limited way, thus becoming single-angled. To address these issues, this research combines the defenders' perspective with that of the offenders by (i) building a hybrid deep learning disinformation generation and detection model and (ii) capturing and proposing a set of design recommendations that could be considered when establishing patterns, requirements, and features for building future gaming and AI-based solutions for combating social media manipulation mechanisms. This is done using the Design Science Research methodology in a Data Science approach, aiming at enhancing security awareness and resilience against social media manipulation.
Pub Date : 2023-06-19 DOI: 10.34190/eccws.22.1.1200
JTF-ARES as a Model of a Persistent, Joint Cyber Task Force
Charlotte Donnelly, Marcel Stolz
Military involvement in cyberspace has traditionally been limited to operations in service of “kinetic,” or physical, missions. Military cyberoperations are therefore usually described using traditional “kinetic” descriptors and rarely articulate cyber-related goals that are independent of kinetic operations. Recently, the concepts of “persistence” and “jointness” have been increasingly used by the U.S. Cyber Command to describe cyberoperations. Persistence describes operations that focus on a target over time (in contrast to the episodic “response” concepts articulated in kinetic warfare). “Jointness” describes working across group or agency lines. This paper investigates the effectiveness of “persistent” and “joint” task forces in accomplishing cyber-related goals by means of a case study of Joint Task Force – ARES (“JTF-ARES”). JTF-ARES was set up as a task force by the U.S. Cyber Command to disrupt ISIS cyberoperations – a singularly cyber (as opposed to kinetic) goal. By contrasting the approach of JTF-ARES with the existing history of U.S. operations in cyberspace, militaries can apply JTF-ARES’ successful approach to accomplish future cyber-related goals that are independent of kinetic military units. After a brief history of the U.S. Cyber Command and definitions of the terms “persistence” and “jointness,” the paper discusses JTF-ARES’ successful operation and its contributing factors, most notably its organization within the U.S. Cyber Command. Next, it explores a counterfactual organization of JTF-ARES, suggesting that alternative organizational structures would likely have ended in failure and highlighting factors that may have influenced its success. Furthermore, the paper discusses the administrative challenges associated with creating a JTF, which include administrative hurdles as well as collaboration and training requirements specific to joint operations. Since JTF-ARES deviates from traditional organizational structures within U.S. Cyber Command, this paper articulates criteria for creating a joint, persistent cyber task force, which militaries may find useful when considering how to implement cyber-specific goals. The first criterion concerns the operations required for the mission – namely, are reconnaissance, offensive, and defensive cyberoperations required? The second criterion asks whether the cyberoperation has a uniquely cyber-oriented end state: for missions with non-kinetic goals, it may be helpful to consider a joint, persistent task force.
Pub Date : 2023-06-19 DOI: 10.34190/eccws.22.1.1015
Processing Model and Classification of Cybercognitive Attacks: Based on Cognitive Psychology
Ki Beom Kim, Eugene Lim, Hun-Yeong Kwon
Cybercognitive attacks, as witnessed in wars and events large and small, including the recent Russia-Ukraine war, are no longer traditional cyber operations; they increasingly attack the psychological weaknesses of targeted members of society and of target organizations. It is therefore timely to systematically analyse and model cybercognitive attacks. Various definitions and case analyses of cybercognitive attacks are currently being actively produced, but studies offering a clear classification and processing model of cybercognitive attacks are almost absent. Accordingly, this paper analysed cases of cybercognitive attacks. The types derived through case analysis were divided into four categories, and cybercognitive attacks were classified and defined. On this basis, a processing model for cybercognitive attacks was designed, and cybercognitive attack layers were classified and presented from the attacker’s and the defender’s perspectives. The model and layers presented in this paper capture both the countermeasures that can be used to perform cyber operations and the psychological mechanisms hidden in each response process. Specifically, a psychology-based cybercognitive attack processing model was designed to achieve goals by inducing behaviour, from collecting information for system managers to inducing response, cognitive processing, decision making, and compensation. As such, this paper focused on clarifying the definition of cybercognitive attacks and establishing performance procedures, which are otherwise used only as deceptive actions, by presenting cybercognitive attacks scientifically and logically using psychological descriptions. With that, this paper is expected to serve as the ground for cybercognitive kill chain research that can defend against further cyberattacks exploiting cognitive vulnerabilities.
Pub Date : 2023-06-19 DOI: 10.34190/eccws.22.1.1128
Digital Streets of Rage: Identifying Rhizomatic Extremist Messages During a Hybrid Media Event using Natural Language Processing
Teija Sederholm, Petri Jääskeläinen, Milla Lonka, A. Huhtinen
This research explores how to identify extreme messages during a hybrid media event happening in a small language area by utilizing natural language processing (NLP), a type of artificial intelligence (AI). A hybrid media event gathers attention from all sides of the media environment: mainstream media, social media, instant messaging apps and fringe communities. Hybrid media events call for participation and activities both in the physical world and online. On the darker side of media events, the media landscape can act as a channel for all kinds of disinformation, hate speech and conspiracy theories. In addition, fringe communities such as 4chan also spread hate speech and duplicated content during hybrid media events. From a theoretical point of view, this connection between the physical world and information networks can be seen as rhizomatic in nature, because information spreads without regard to a traditional hierarchy. The result is that when individuals participate in a big media event, there is a viral awareness of different viewpoints, and all kinds of topics may be posted online for discussion. In addition, in a rhizomatic context different kinds of arguments can twist each other, “copy and paste”, and create very diverse meanings in new comments. The role of extremist speech in online spaces can have effects in the physical world. The focus of this paper is to present the findings of a case study on messages posted online by three different actor groups who participated in demonstrations organized on Finnish Independence Day. In this research, two data sets were collected from Twitter and Telegram, and NLP was used to classify messages using extremist media index labels. Three actor groups were identified as participating in the demonstrations, and they were labelled as far-right, antifascists and conspiracists. Computational analysis was done by using NLP to categorize the messages based upon the definitions provided by the extremist media index. The analysis shows how AI technology can help identify messages which include extremist content and approve of the use of violence in a small language area. The rhizome model was valid in making the connections between fringe and extremist content and moderate discussion visible. This article is part of a larger project related to extremist networks and criminality in online darknet environments.