Centre for Doctoral Training in Cyber Security

Current DPhil Projects

Following the first year of taught modules and mini-projects our students move on to a variety of DPhil projects. Some examples of current areas of research are:


CDT 2013 Cohort

Applying Software Defined Networking (SDN) Capabilities for Active Malware Detection

Bushra AlAhmadi (CDT2013)

Sophisticated cyber-attacks leverage malware that could have financial, privacy, or human life consequences. Current network intrusion detection solutions are often incapable of detecting malware, as they are built on the assumption that threats are observed as they enter the network at specific perimeter points: an assumption that is no longer valid in modern networks. Attacks have also grown in sophistication and use stealthy malware that are very discrete, traversing the network slowly, taking days, weeks or months to accomplish their objectives to avoid detection. Although Security Information and Event Management (SIEM) systems help deliver a comprehensive analysis, the huge amount of data makes searching for malicious activities like ‘looking for a needle in a haystack‘. It requires large amounts of storage and processing to perform the required data correlations. To overcome these limitations, we propose to leverage Software Defined Networking (SDN) for the active monitoring, detection and response to malware. We believe that an SDN-based malware detection system offers centralized network-wide visibility. This allows incremental network events correlation, active evidence collection, and supports fast detection and reaction to malware attacks.


Post-compromise security

Katriel Cohn-Gordon (CDT2013)

We have recently been thinking about what guarantees could be achieved when communicating with a party whose keys have already been compromised. At first sight, it may seem impossible to provide any type of security in this scenario. However, under some conditions, practically relevant guarantees can still be achieved. We call such guarantees “post-compromise security”, provide its first informal and formal definitions and show that it can be achieved in several scenarios. At a technical level, we instantiate our informal definitions in the setting of authenticated key exchange (AKE) protocols, and develop two new strong security models for two different threat models. We show that both of these security models can be satisfied, by proposing two concrete protocol constructions and proving they are secure in the models.  Our work leads to crucial insights on how post-compromise security can (and cannot) be achieved, paving the way for applications in other domains.


Cyber power and the use of force: Strategic implications for security and international relations theory

Graham Fairclough (CDT2013)

The use of force as a strategic lever of national policy, in the form of hard or soft power, for the pursuit of international security has, since the emergence of the Westphalian State model, been monopolised by a small number of state actors within the international system. However, the nature and characteristics of cyberspace, through the agency of cyber power are empowering a growing set of new, non-traditional actors who possess the ability to utilise force in pursuit of their own strategic goals. This empowerment is directly impacting upon the security and stability of the international environment. Within states it is changing the relationship between the military lever and the other levers of national power through its diffusion of capability and its enablement of “smart power”. The reported activities of political hacktivists in the Estonian and Georgian conflicts in 2007 and 2008 respectively in support of defence objectives, the 2014 cyber attack on the Sony Corporation in furtherance of political messaging and China’s use of cyberspace to conduct economic warfare serve to illustrate this transference of power. Inchoate actors include emerging states, multinational corporations, criminal organisations, terrorist groups, politically driven activists and “lone wolfs” – individuals who utilise the environment of cyberspace to champion their own cause.  This thesis will examine, through literature review, examination of case studies, empirical analysis and key leader engagement the impact of cyber power on international relations theory and security. It will consider: existing models of international relations theory and their continued suitability in an enabled, multipolar international environment; the impact of the dispersion of power on security and the use of force as a lever of national policy and the consequences for future military strategy and the utilisation of military capability, as the State’s agent for the exercising of force. Key deliverables are: a definition and taxonomy of cyber power; identification of those actors that are empowered by cyber power; the construction of a cyber power index that illustrates the relative power relationships between actors and evaluation of the military lever of national power from a strategy and capability perspective. Output will inform debate on international relations theory in the cyber age, contribute to national and defence policy development and provide a framework for the generation of appropriate military capability to exercise the use of force in a new, multi-actor strategic environment.


Cybersecurity aesthetics

David Mellor (CDT2013)

Working beyond disciplinary conventions, my project is about establishing an alternative premise for cybersecurity, one that runs parallel to those concerned with technical and strategic matters. This involves de-familiarising the very notion of cyber and its securities, using literary and artistic methods, while drawing on resources from European philosophy and the visual arts. The aim of these traversals is to illuminate how cybersecurity is a matter of the present politics of subjectivity, that is, the on-going formation of people and their communities in times characterised by rapidly unfolding, entwined technological and social developments. My core problematic then, is ‘the contemporary’: the dense now, in all its complexity, heterogeneity, technicity, and insecurity, and how the human can be understood in these digital times. Orientated by these objectives, my method is the composition of a ‘cybersecurity aesthetics’, where aesthetics is taken widely as being about feeling and sensibility in general, and where political communities are grounded in and moved through shared feelings, which in turn convey or foreclose potential futures. It is within the economy of sensibility that cyber-technics shape and are shaped at the creative and political core of subjectivities. For this reason, I look to contemporary art, which is originally engaged with these political questions – especially conceptual and post-conceptual work – to frame and invigorate this theoretical and ethical project of dis-integrating and refounding the securities of cyber. Utilised in this way, art is a tool for dissensus: contesting the governance of the world of sensibility through the production of rival configurations. I trace aesthetics across four interlaced themes – technology, emergency, utopia, and futurity – using each to compose an element of this alternative rendering of cybersecurity. I ask, what comprises technology and how do contemporary cyber-technics function politically and socially? How are subjectivities formed in relation to these technics and how does this interface with forms of power? What are the timescapes – the places and relations, durations and tempos – where the economy of sensibility consists? What ethics are possible and desirable in this context, once we recognise the aesthetic dimension of cybersecurity? My project is a theoretical and artistic engagement with these questions.


Small-scale cyber security

Emma Osborn (CDT2013)

The growing concern over the standard of cyber security of individuals and small organisations highlights an imbalance in the way cyber security has developed to favour government and large companies. This study will evaluate the small-scale cyber security ecosystem, who the stakeholders are and how they interact to achieve a level of security. The aim is to understand the different drivers within the system to establish what the need for cyber security is, where that need isn’t being met and what measures might be best suited to improving the security of this sector.


CDT 2014 Cohort

Sonification for Network Monitoring

Louise Axon (CDT2014)

In Security Operations Centres (SOCs), security analysts generally monitor computer networks using a combination of anomaly detection techniques, Intrusion Detection Systems and data presented in

visual and text-based forms. In the last two decades significant progress has been made in developing novel sonification systems (in which data are mapped to sound) to further support network monitoring tasks. A range of systems has been proposed in prior work in which sonified network data is presented

for incorporation into the network monitoring process; however many of these have not been sufficiently validated and there is a lack of uptake in Security Operations Centres. The aims of this research are to refine sonification design for the network monitoring context, and to validate, through user testing, the usefulness of sonification for improving monitoring capabilities in SOCs.


Malware Ecologies: Geographical Encounters in Cyber Security

Andrew Dwyer (CDT2014)

Malware, or malicious software, is a lively, sometimes self-propagating, simultaneously singular and plural object that affects our everyday technological encounters as humans. They lie ‘hidden’ in packages, everyday documents and websites in an unexpected, unexplored sociality. Although the internet is an essential space, these malicious softwares work across different cyberspaces, tracing uneven geographies in their movements and collaborations. These generate tangible affects across bodies, finance, capta, psychological states, centrifuges, harddrives, bitcoins, and so on. Humans try to make sense of malware ecologies through classification, a biologically driven attempt to provide order, but this is as much a fallacy applied to malware as when it is applied to ‘nature’. In addition, medical analogies that infect cyber security shape understandings and ecologies of malware. Such narratives are deployed in malware analysis to detect and generate norms across ‘big data’ to reveal anomalies in constant modulation. Hence malware becomes paradigmatic of broader conceptualisations of security. Pre-emption, resilience and prediction are essential for governance of modern neoliberal life, which includes the apparently ‘ungoverned’ digital spaces we inhabit with our more-than-human compatriots.

In this research, I intend to sketch an incomplete picture of the twists, turns, and challenges that malware endures in its propagation and exploitation through journeys, collaborations and translations. Malware journeys are sketched with a web crawler to generate an archive, developing knowledges of malware agency, embracing blogs, comments, reports and internet articles. I trace collaborations through ethnographic observation of, and provide translations through interviews with, malware artists (generators of human malware knowledges). This triad aids exploration of malware’s atmospheric tendencies to ensnare humans, more-than-humans (such as computers, programs, international diplomacy), and technologies in its grasp – albeit with varying success. I explore the parasitic natures of both cyber security and malwares in which they exist to the side, within and without, devouring their guest. This requires forms of touching and deceptive closeness that end in a destructive, even productive, encounter between malwares and systems in our contemporary moment.


Investigating Security in Air Traffic Management

Matt Smith (CDT2014)

As with many areas of transport, aviation has been increasing its reliance on technology gradually. Over the next 30 years, a significant program of improvement within the area of Air Traffic Management (ATM) is planned – this is referred to as SESAR JU in Europe and NextGen in the US. As part of this, avionic systems will become key parts in the safe, efficient and low-cost operation of airspace. Some of these systems were designed many years ago and as such faced a significantly different threat model to wireless communications today. My work focuses on these systems in an effort to understand how vulnerable they are, and how we might handle their security issues without having to implement a new system entirely.


What’s Wrong with the CMA?: Computer (Mis)use and the Criminal Law

Kristopher Wilson (CDT2014)

The Computer Misuse Act 1990 (the ‘CMA’) is evolving to become the primary ‘technology-specific’ criminal legislation used within the UK to respond to the growing cyber threat landscape. The CMA was developed in the late 1980s and, despite subsequent amendment and review, continues to be comprised of a framework based on understandings of computer use and operation as existed at that time of creation, despite the technology evolving rapidly and becoming ever more ubiquitous. There is, therefore, an open question as to how appropriate and adapted the CMA is in addressing technology-related crimes, and whether such a distinction in criminal conduct was ever indeed necessary. Due to the dearth of successful prosecutions for the vast majority of the 25 years the CMA has been in force, these questions have been largely addressed with speculative assertions, rather than evidence. However, coinciding with changing investigative priorities and capacities within law enforcement agencies, the past three years have seen an exponential increase in prosecutions brought under the wide-sweeping provisions of the CMA. This thesis therefore seeks to explore the circumstances surrounding prosecutions made under the CMA throughout the year 2015, exploring what kinds of conduct were captured and addressed, and how those prosecutions under the CMA were carried out vis-à-vis other criminal law offences, in order to build an evidence base to begin to answer the fundamental question: is the CMA fit for purpose?


The Privacy Paradox and the Internet of Things

Meredydd Williams (CDT2014)

Whilst opinion polls and surveys suggest that the public care about privacy, there is much evidence to the contrary. Individuals share sensitive details on Facebook, neglect privacy-protective tools and make use of free services which sell their personal data. This presents the Privacy Paradox, where individuals claim to value their privacy but do not act accordingly. Previous research has suggested a large number of factors may contribute to the paradox, including poor user interface design, obfuscated privacy settings and a lack of risk saliency. Whilst the proliferation of “smart” Internet of Things (IoT) devices, such as wearables and connected appliances, offer innumerable benefits to our society, they also place privacy under increasing pressure. Through my doctoral research, I posit that IoT idiosyncrasies intersect with those factors contributory to the paradox, further exacerbating the situation. For example, whilst user interfaces might be complex on conventional computing devices such as desktops and tablets, they are likely more familiar and homogeneous than those found on a miscellany of IoT gadgets. In my PhD I look to explore the intricacies of the Privacy Paradox, analyse the security properties of smart devices, and understand why individuals disclose sensitive data with such regularity. Through this, I hope to better protect the general public as the Internet of Things continues to proliferate.