Centre for Doctoral Training in Cyber Security

CDT Technical Paper Series

The CDT Technical paper series highlights the work being undertaken by our students. This list is updated regularly as papers become available.



Optimising the OpenSky Network

William Seymour

In recent years the availability of cheap and readily available radio transceivers has brought the lack of security in modern avionic communication systems into the spotlight. The easiest way to detect attacks on these systems is to use centralised sensor networks (such as OpenSky) to detect discrepancies in data collected by nodes. For large systems such as global air traffic the computational demands can be prohibitive, and can prevent the use of more sophisticated analytics. This report presents three methods for optimising these networks: constraint satisfaction, a greedy approach, and a genetic algorithm. While all solutions produced meaningful optimisations, the speed of the greedy approach means that it is the only solution which can be feasibly run without first clustering data sets, making it the most effective in practice.

Full Paper (Oxford Research Archive)


Multi-stage contest with cheating (working paper)

Oleh Stupak

The paper analyses cheating incentives that arise from the difference in relative position that occurred during the tournament among initially similar competitors. If the gap between contestants is sufficiently large, it will be more tempting for an underdog to cheat. This misbehaviour simply increases her chances of success and, therefore, her expected outcome. In the R&D case, if a luckier research company will be significantly ahead, it will create a strong incentive for a tailing opponent to cheat. In the real world cheating could take the form of industrial espionage, insider threat or just some cyberattack which leads to a data breach. 

Full Paper



Unfair competition in the information environment. Industrial information leakage (working paper)

Oleh Stupak

The purpose of the paper is the study of issues related to the R&D competition in the information era. It has been motivated by the modern methods of corporate espionage, so-called cyber espionage. That is when companies are using information technologies to obtain a competitive advantage unfairly. Specifically, the paper focuses on the information/knowledge leakage in the innovative industry sector.

The dynamic game model developed by Jennifer F. Reinganum is used as a base model. The basic model has been built to study issues related to industrial R&D. However, it has not been developed with unfair competition methods in mind. The paper attempts to present a modified version of a model and introduces an information leakage device, which allows the firm to steal the knowledge needed for the research to outrun its competitors.

Full Paper


Unfair competition in the information environment. DDoS attacks (working paper)

Oleh Stupak

The purpose of this paper is the investigation of issues related to modern competition. It focuses on the situation in which two firms (players) are competing on the market for higher profits using unfair methods of compet

Full Paper

What are the drivers of phishing attack exposure? (study paper)

Oleh Stupak

This report presents the results of work that examines casual relationships between enterprises’ exposure to a concrete cyberattack and basic indices of enterprises’ activity in the information environment.

Full Paper



The future of cyber security capacity in Indonesia

Yudhistira Nugraha

Full Paper (Oxford Research Archive)





An evaluation of the effects of broken cryptographic primitives on Bitcoin

Ilias Giechaskiel


The Bitcoin cryptocurrency relies heavily on a variety of cryptographic functions and operations, which are currently assumed to be secure, but will inevitably be broken in the future. As Bitcoin tries to compete against traditional currencies, it remains to be seen how the Bitcoin protocol will need to change in response to weakened cryptography. To this end, this study systematically evaluates the effects of broken cryptographic primitives on the operation of the Bitcoin network, and the changes to the Bitcoin protocol that will be necessary in response. We conclude that a broken hash function only requires switching over to a new hash function, without the need to re-write the blockchain, and is well serviced by the “checkpoint” mechanisms already built into Bitcoin. However, a vulnerability of the signature scheme cannot be dealt with in the same manner without side-e.ects, as it may lead to lost or stolen coins, even if the process is gradual and is conducted before the cryptographic primitive is broken. We conclude that solving this problem either requires some degree of centralization, or the use of Zero-Knowledge Proofs along or on top of Bitcoin.

Full Paper (Oxford Research Archive)



Privacy-awareness in blockchain-based PKI

Louise Axon

Conventional public key infrastructure (PKI) designs are not optimal and contain security flaws; there is much work underway in improving PKI. The properties given by the Bitcoin blockchain and its derivatives are a natural solution to some of the problems with PKI – in particular, certificate transparency and elimination of single points of failure. Recently-proposed blockchain PKI designs are built as public ledgers linking identity with public key, giving no provision of privacy. We consider the suitability of a blockchain-based PKI for contexts in which PKI is required, but in which linking of identity with public key is undesirable; specifically, we show that blockchain can be used to construct a privacy-aware PKI while simultaneously eliminating some of the problems encountered in conventional PKI.

Full Paper (Oxford Research Archive)



Exploring the use of PLC debugging tools for digital forensic investigations on SCADA systems

Tina Wu

The Stuxnet malware attack on a SCADA system has provided strong evidence of the need for the development of a forensic capability to aid thorough post incident investigations. Currently, only a limited number of forensics tools have been developed for SCADA systems, with no development of tools to acquire the program code from PLCs. We argue that the program code is an important forensic artefact that can be used to determine the attackers motives and provide threat intelligence that could be shared with other SCADA sites. The main contribution of this paper is the use of existing PLC debugging and communication tools; PLC Logger and Snap 7 Client that can be used to acquire the program code. To explore this we conducted two experiments; firstly, whether the program code can be used to determine the attackers motives. Secondly, we used an existing Computer Forensics Tool Testing Framework (CFFTS) by NIST to explore whether PLC Logger has any forensic properties that could aid in the acquisition of the program code of the PLC. Our results indicate that by acquiring the program code from the PLC, we were able to identify the attacker’s motive. The findings from using NIST’s CFTTF to test PLC Logger showed it failed half of the tests, suggesting that in its current state it has limited potential as an acquisition tool. However, it still has potential as it has direct access to the memory of the PLC, a Snapshot function and as open source software it is possible that it shortcomings can be addressed.

Full Paper (Oxford Research Archive)



Mobile device sensorhistory as a second factor for authentication

Chirstian Vaas

Despite the availability of biometrics like face recognition and finger print scanners passwords are still a common widely accepted way to secure personal computers and business workstations. This stands in contrast with security measures we can find for cloud services like Dropbox and Google that provide their users with two-factor authentication. Although one could argue that the physical machine loses importance with the shift towards having everything in the cloud ranging from software over platforms to infrastructure there is still a need of securing the endpoint at which these services are accessed. For this purpose, often software or hardware tokens are used along the password in a two-factor authentication scenario. Examples are RSA tokens, software tokens like the Google authenticator or NFC smart cards. A common issue with these solutions is that they are vulnerable to relay attacks. We thus propose a second factor which is resilient to these kind of attacks. To do so it is necessary to guarantee the physical co-presence of the authenticating device and the second factor, e.g. a smart phone. This project aims to ensure this property using the gyroscope history of a smart phone and validating it against received signal strength measurements conducted by WiFi checkpoints within the perimeter, e.g. office building, of the authenticating machine. This makes sure that the smart phone wielder actually walked to the machine and the phone is thus present where the user claims.

Full Paper (Oxford Research Archive)



Identifying key-players in online activist groups on Facebook social network

Mariam Nouh

Online social media applications have become an integral part of our everyday life. Not only are they being utilised by individuals and legitimate businesses, but also recently several organised groups, such as activists, hactivists, and cybercriminals have adopted them to communicate and spread their ideas. This represents a new source for intelligence gathering for law enforcement for instance, as it allows them an inside look at the behaviour of these previously closed, secretive groups. One possible opportunity with this online data source is to utilise the public exchange of social-media messages to identify key users in such groups. This is particularly important for law enforcement that wants to monitor or interrogate influential people in suspicious groups. In this paper, we utilise Social Network Analysis (SNA) techniques to understand the dynamics of the interaction between users in a Facebook-based activist group. Additionally, we aim to identify the most influential users in the group and infer their relationship strength. We incorporate sentiment analysis to identify users with clear positive and negative influences on the group; this could aid in facilitating a better understanding of the group. We also perform a temporal analysis to correlate online activities with relevant real-life events. Our results show that applying such data analysis techniques on users online behaviour is a powerful tool to predict levels of influence and relationship strength between group members. Finally, we validated our results against a ground truth and found that our approach is very promising at achieving its aims.

Full Paper (Oxford Research Archive)



Stereoscopic cyber security visualisations

Alastair Janse van Rensburg

Text-based tools are the primary tools of cyber-analysts, despite the potential visual tools have in this field [1]. Currently, analysts rely on command line tools which are favoured for their interoperability and flexibility. While many visualisations for cyber security data exist, they suffer from lack of adoption, due to not fitting in with the workflow of their users [2]. Some of the key challenges for security analysis are well-suited for visual solutions. Security analysts are commonly presented with large quantities of data to process, from many distinct data sources [3]. Using this data, analysts must obtain situational awareness of their networks in order to spot anomalous patterns as they occur.

With this in mind, the aim of this project was to explore new techniques that could have applications in cyber security visualisations. Specifically, the project aimed to explore the use of stereoscopic displays in cyber visualisation. It was hoped that visualisations based on stereoscopic technology would solve many problems for analysts, enabling a greater variety of techniques and putting them in a position where data can be easily presented to them.

First, an examination of existing work on stereoscopic visualisation was undertaken. Second, a collection of techniques was identified that could be utilised in a cyber visualisation. Third, a cyber dashboard proof-of-concept was built, consisting of a number of visualisations that explored the use of the identified techniques. Finally, a short pilot study was conducted to explore what potential the techniques could have in the future.

Despite problems with current hardware and with the designed visualisations, pilot study participants were broadly positive of their experience with the developed system and all felt that the techniques have potential.

Full Paper (Oxford Research Archive)




Eavesdropping on and emulating MIFARE Ultralight and Classic cards using software-defined radio

Ilias Giechaskiel

In this report, we describe a Software-Defined Radio (SDR) approach for eavesdropping on Near Field Communications (NFC) and Radio Frequency Identification (RFID) cards operating at 13.56 MHz. We show that GNU Radio and Python make a great platform for prototyping, while maintaining sufficient performance for passive attacks without extensive optimizations and using only modest processing power. We successfully eavesdrop on real MIFARE Ultralight and Classic 1K cards by capturing the raw radio waves with a home-made antenna. We recover the plaintext of both reader and tag fully by demodulating the incoming radio waves, parsing individual bits and error detection codes into packets, and then decrypting them when necessary. On the transmission side, we achieve full software emulation of the reader and of MIFARE Ultralight and Classic 1K cards (including encryption), and partial hardware emulation, where we correctly modulate the signal, but not within the strict timing limits of the protocol. Our transmissions can also be used to prevent legitimate communication by interfering with the intended reader or tag signals

Full Paper (Oxford Research Archive)



A pilot study investigating the process of risk assessment and re-accreditation in UK public sector systems

Michael Davies

The provision of security of information and its supporting ICT infrastructures within the UK Public Sector is long-standing and well established, underpinned by a wide range of standards and literature. For the many security practitioners that are employed in the sector, a number of important concerns have experientially emerged over several iterations of policy and standards that have been developed over time to govern this activity. The aim of this qualitative pilot study was to explore these concerns from the perspective of security practitioners employed in the sector. Data was collected from six security practitioners via semi-structured interviews. Subsequent transcripts were analysed using a Thematic Analysis approach that identified four significant themes that suggest that re-accreditation rarely occurs outside of the formal accreditation cycle, and point to the underlying reasons why this is the case.

Full Paper (Oxford Research Archive)



Revisiting linkability for vehicular communications: Continuous linkability

Louise Axon

Vehicular communications have important applications for improving the safety of our increasingly populated roads, however they have privacy implications: the broadcast of safety messages can create opportunities for tracking of vehicles and drivers. For several proposed safety applications, it is desirable that nearby vehicles communicate continuously with one another, with the ability to link the sender of any one message to their previous messages – linkability. We observe that in academic literature and in industry, this linkability provision in not optimal. In protocols designed to give time-based linkability for nearby drivers, and unlinkability to prevent tracking, the continuity of communications is disrupted by unlinkable transitions; however for certain safety applications a continuous communication without this disruption in linkability is more fitting. In this light, we review the security requirements for safety messaging in Intelligent Transportation Systems (ITS). We propose a new distance-based approach to providing continuous linkability, and outline solutions for its provision

Full Paper (Oxford Research Archive)



Targeting the University of Oxford by e-mail

Florian Egloff

The paper presents an empirical analysis of e-mail based attacks against the University of Oxford. In particular, it analyses the malicious e-mails received over the period of four months for observable targeting behaviour. It is found that most malicious e-mails are not tailored to their victims. Timing analysis showed that most malicious e-mails are received within the European workday. The paper then introduces a novel way of analysing the distribution of malicious e-mails within an organisation and identifies organisational units that are particularly exposed. Finally, the paper discusses the absence of targeted attacks and suggests an improved way of studying them.

Full Paper (Oxford Research Archive)



Security of Certificate Transparency

Katriel Cohn-Gordon

Certificate Transparency is one of a number of recent proposals to improve the public key infrastructure of the Internet, all based on the use of public, verifiable log servers to store records of certain actions. Whilst it lacks some features of alternative systems, such as handling revocation or permitting distributed verification, Certificate Transparency has the significant advantage of support from the Chromium web browser team, and thus will be enabled for large parts of the Internet by early 2015.

In this report we present an initial, informal security analysis of Certificate Transparency, identifying the implicit assumptions made elsewhere and describing the adversaries which is it designed to resist as well as those which it is not. We also suggest how this analysis could be formalised in future work, linking it to recent research on PKI in Bellare-Rogaway-style security games.

Full Paper (Oxford Research Archive)



Static Protocols and Deniability

Katriel Cohn-Gordon

When designing a security protocol, every choice can have far-reaching repercussions. It is therefore useful to know precisely which security goals may be achievable given the protocol structure, and which are proven impossible. In this work we present some preliminary results about static protocols, whose messages do not depend on the sender’s secret key, and deniable protocols, whose transcripts do not comprise proof of communication. In particular, we sketch proofs that static protocols cannot achieve explicit authentication of their peer, that they achieve deniability “or free”, and that deniable protocols with explicit authentication must use a challenge-response format.
Full Paper (Oxford Research Archive)



Safety to security in emerging ubiquitous computing models

Emma Osborn

The fields of safety and security have often intersected in the past, and are increasingly converging due to the rise in system interconnectivity, automation and dependence on the internet as part of critical national infrastructure.

Research up until this point has mainly focused on safety in the context of large-scale industry, but with the emergence of ubiquitous computing models consumer cyber physical systems (CPS) are entering the home, and attacks on these systems are now being reported. This study evaluates the motivations for industry to implement consumer CPS and why they may want to include new safety and/or security measures. The evaluation of the ecosystem driving consumer CPS development has been used to establish cyber security requirements for this domain, with the aim of these requirements being to maintain safety levels in consumer CPS irrespective of new cyber risks having been introduced. Finally, the interpretation and implementation of the requirements for future work is discussed

Full Paper (Oxford Research Archive)


Business verses Technology: Sources of the Perceived Lack of Cyber Security in SMEs

Emma Osborn

There is increasing concern about the standard of cyber security in SMEs, voiced by governments and the large companies who interface with them, yet many past initiatives seem to have failed to have a significant impact on the sector. In this paper, we report upon a study in which Small and Medium Enterprises (SMEs) were surveyed to establish what barriers they might face in terms of cyber security. The results were combined with publicly available information to identify how stakeholders in the SME cyber security ecosystem interact, and establish whether the perceived lack of uptake of cyber security measures in SMEs was accurate. The paper concludes by discussing how the refined understanding of the barriers faced by SMEs might influence development of future SME security solutions.

Full Paper (Oxford Research Archive)



Online banking malware Ontology

Rodrigo Carvalho

Due to the ever increasing popularity of the Internet, institutions are migrating their services to the digital realm. Banks are among the most representative examples: in order to better meet their clients’ requirements, but also to reduce operational costs, online banking platforms were created and their use stimulated. However, the users’ mass adoption to this novel technology without proper awareness campaigns resulted in a large increase of online banking fraud occurrence rates. This poses great challenges to Law Enforcement Agencies dedicated to cybercrime investigation: in addition to personnel skills training, there is an urgent need for new approaches correlating the horizontally sparse and concealed evidence resulted from such offence. As semantic technologies enable the more intelligent use of computer resources regarding data from a specific domain, this paper proposes the creation of an online banking malware investigation ontology.

Full Paper (Oxford Research Archive)


Visual Analytics for Open Source Intelligence

Rodrigo Carvalho

Enhanced data visualisation technologies can contribute decisively to companies that rely on making sense of a great amount of information as their primary business objective. Graphical techniques often employed to present processed information and findings to the final customer, such as charts and scatter plots, could be improved and customized to aid analysts during the investigation phase. After examining the internal analysis tasks and data storage strategy from a security consultancy company, this work suggests an approach to enhance knowledge extraction, insight generation and hypothesis testing by applying novel techniques of interactive data visualisation and mining.

Full Paper (Oxford Research Archive)


Introducing Survey++ : an extensible platform for testing the usability and security of credential recovery mechanisms

Vincent Taylor, Ivan Flechais

Mainstream authentication procedures have usually relied on knowledge factors for determining whether to allow a user access to resources. Typically, a user is challenged to provide a token that they know to prove that they are authorised. In the case that this token (password, passphrase, personal identification number, etc.) is forgotten, the usual approach has been to provide password hints or password reset questions during credential recovery to help ensure a user is who they claim to be before allowing them to reset the token. Survey++ is a platform designed to test the usability and security of credential recovery mechanisms. Survey++ was built to test a credential recovery mechanism that reminds a user of their password by showing them characters from the password, but it can be easily extended to test other recovery mechanisms or authentication procedures.

Full Paper (Oxford Research Archive)


Android apps and privacy risks : what attackers can learn by sniffing mobile device traffic.

Vincent Taylor, Jason Nurse, Duncan Hodges

Recent years have witnessed significant growth in the mobile device landscape as smartphones and tablet computers have become more affordable and more feature-rich. Users commonly extend the functionality built into these mobile devices by installing add-on applications, called apps. Many popular apps adopt a client-server architecture and communicate with Internet-based services to provide users with a rich and dynamic experience. Worryingly, some of these apps need to access sensitive data such as phonebook entries, appointments, messages, or a user’s geographic location, but precisely how apps use and transmit sensitive data over wireless networks has not been widely studied. We examine the traffic sent from 35 popular Android apps spread over 6 categories to explore what an attacker with a promiscuous wireless receiver could learn about a target. We discovered that the majority of the apps that were tested had a detrimental impact on privacy by sending sensitive data without encrypting it. We also discovered that in some cases, improper application design rendered SSL encryption useless at preventing privacy leaks. We discuss ways in which an attacker can use both active and passive attacks to identify and track a user or invade their privacy. Finally, we suggest and discuss several possible solutions to mitigate the privacy risks that were identified.

Full Paper (Oxford Research Archive)


Controls-based assessment of infrastructure vulnerability

Oliver Farnan, Jason Nurse

Assessing the vulnerability of an enterprise’s infrastructure is an important step in judging the security of a network and the trustworthiness and quality of the information that flows through it. Currently real-world infrastructure vulnerability is often judged in an ad hoc manner, based on the criteria and experience of the assessors. While methodological approaches to assessing infrastructure vulnerability exist, in practice they are not academically rigorous, having grown organically to meet business requirements. Our aim in this paper therefore is to study infrastructure vulnerability from a more structured perspective. We introduce and explore a novel way of assessing computer network infrastructure vulnerability. Instead of attempting to find vulnerabilities in infrastructure, we instead assume the network is insecure, and measure its vulnerability based on the controls that have (and have not) been put in place. We consider different control schemes for addressing vulnerability, and look at how one of them, namely the Council on Cyber Security’s Top 20 Critical Security Controls, can be applied.

Full Paper (Oxford Research Archive)


A first look at deep packet inspection employed by the Golden Shield

Oliver Farnan, Joss Wright

We describe a series of tests on the capabilities of the Chinese Golden Shield. These tests focus on the Deep Packet Inspection capabilities of the Golden Shield, aiming to find out what is filtered and what is not. Our tests find that DPI triggering is not as easy to trigger as was expected, in contradiction of earlier research. We believe this is due to filtering optimisation of the Golden Shield in an effort to improve its efficiency given a limited technical capability. Our work joins a growing narrative that the Golden Shield is not able to fully monitor all network traffic in China, and makes sacrifices to focus primarily on key methods of information exchange, such as web traffic.

Full Paper (Oxford Research Archive)