Supervisor: Dr Biju Issac and Co-supervisor: Dr Longzhi Yang
Ransomware is a type of malicious software designed to deny access to a computer system or data until a ransom is paid. This project will tackle two aspects of ransomware. First, we will investigate and implement a ransomware tweet detection scheme. In this research, we will initially analyse multiple families of ransomware over a period of time. A deep learning architecture will be used to categorize ransomware tweets by their corresponding family. The proposed method can monitor social media data and raise alerts about spreading ransomware, helping incident management teams plan the resources needed to mitigate the attack. Second, we will investigate and implement an intelligent ransomware attack detection scheme, both for the attacks identified in the first stage and for new variants. The number of ransomware variants has increased rapidly, and the way ransomware works needs to be differentiated from other malware so as to protect against ransomware-based attacks. Though ransomware resembles other malware in some respects, the two are clearly different. Ransomware generally performs many file-related operations in a short burst of time to encrypt files and lock the victim’s computer. Signature-based malware detection methods will not be able to detect zero-day and unknown ransomware. Thus, a novel protection mechanism for ransomware detection is needed, and it should focus on ransomware-specific operations to differentiate ransomware from other malware and benign files. This project will develop a ransomware detection method based on deep learning optimized with bio-inspired metaheuristic algorithms to achieve that purpose. Optimized versions of deep learning architectures such as convolutional neural networks (CNNs), or other variants, can detect malware or ransomware efficiently simply by looking at the raw bytes of Windows Portable Executable files.
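As an added illustration (not part of the project description above), the following sliding-window check flags the burst of file operations that the text describes, run over constructed file-activity events; the process IDs, paths, window length and threshold are assumed values, not anything from the project.

```python
from collections import defaultdict, deque

# Constructed sample telemetry (not from the page): (time_s, pid, op, path).
# pid 4242 writes a handful of documents over a minute, a benign pattern;
# pid 1337 rewrites and renames dozens of files inside one second, the
# short-burst pattern that ransomware-specific detection looks for.
SAMPLE_EVENTS = (
    [(t * 10.0, 4242, "write", f"/home/u/doc{t}.txt") for t in range(6)]
    + [(30.0 + i * 0.03, 1337, "write", f"/home/u/f{i}.docx") for i in range(30)]
    + [(30.0 + i * 0.03 + 0.01, 1337, "rename", f"/home/u/f{i}.docx.locked")
       for i in range(30)]
)

# Operations counted as file-modifying; reads are ignored so that indexers
# and backup agents that only read files are not flagged.
FILE_OPS = {"write", "rename", "delete"}


def burst_processes(events, window_s=2.0, threshold=20):
    """Return {pid: peak_count} for every process whose count of
    file-modifying operations inside any sliding window of window_s seconds
    reaches threshold. Events may arrive unsorted; they are sorted by time."""
    windows = defaultdict(deque)  # pid -> timestamps currently inside the window
    peak = defaultdict(int)       # pid -> largest window population seen
    for t, pid, op, _path in sorted(events, key=lambda e: e[0]):
        if op not in FILE_OPS:
            continue
        q = windows[pid]
        q.append(t)
        while q and t - q[0] > window_s:  # evict events older than the window
            q.popleft()
        peak[pid] = max(peak[pid], len(q))
    return {pid: n for pid, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for pid, n in burst_processes(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {n} file operations within a 2 s window")
```

The window length and threshold are tuning knobs; lowering them catches slower encryptors at the cost of false positives from legitimate bulk file tools such as compilers or archive extractors.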
Project #2: Deep Learning-based Network Forensic Methods for Investigating Botnets in the IoT (Application Ref: SF19/EE/CIS/ASLAM) - https://www.findaphd.com/phds/project/?p115194
Supervisor: Dr Nauman Aslam and Co-supervisor: Dr Biju Issac
The process of designing IoT protocols and sensors, and the lack of standards, are the main reasons why the IoT is an easy target for botnets. Network forensics is the branch of digital forensics where the evidence is network-related and exists in the form of logs, packets and network flows. Popular methods of investigating botnets include honeypots, network flow analysis, intrusion detection systems, visualization of network traffic and deep packet analysis. Multiple deep learning solutions have been proposed for application in the field of network forensics in recent years. Niyaz et al. (2016) used stacked auto-encoders in their implementation of a DDoS detection system for software-defined networks. The multiple auto-encoders were greedily trained layer by layer, with the output of one layer being the input of the next; the entire network was then fine-tuned as a classifier. The reported accuracy for distinguishing between normal and attack traffic was 99.82%, outperforming other classification methods such as shallow neural networks, while individual types of DDoS attack were identified with an accuracy of 95.65%. Lotfollahi et al. (2017) used a combination of a one-dimensional CNN and stacked auto-encoders for automatic feature extraction and classification of network traffic, achieving both application identification and traffic characterization for either encrypted or unencrypted traffic. This project will explore the use of Recurrent Neural Networks (RNN), Convolutional Neural Networks (CNN), Deep Auto Encoders (DAE), Deep Boltzmann Machines (DBM) and Deep Belief Networks (DBN), alongside some of the network forensics methods, so that botnets in the IoT can be effectively mitigated.
For example, some ways of enhancing honeypot implementations might include making them more resilient against anti-forensics mechanisms, increasing the number of supported protocols (and thus the range of mimicked IoT devices), and handling the massive quantities of incoming traffic that an IoT botnet could generate (N. Koroniotis et al., 2019).
Project #3: Zero-Shot Cyber Event Detection (Application Ref: SF19/EE/CIS/YANG) - https://www.findaphd.com/phds/project/?p115190
Supervisor: Dr Longzhi Yang and Co-supervisor: Dr Biju Issac
Adverse cyber events, whether distributed/spreading attacks or targeted one-off attacks, are happening all the time in cyberspace, leading to tremendous economic and social losses. Intensive research efforts have been dedicated to fighting such attacks, but most existing approaches are only able to detect known threats, commonly using the signatures of known attacks. In order to detect unknown attacks, anomaly detection approaches were designed to identify network traffic behaviour that does not conform to any expected pattern. However, these approaches can only detect that an event is abnormal; they cannot determine its type, which is needed in order to prevent its recurrence.
This proposed project aims to address this gap by developing and evaluating an unknown cyber threat detection and interpretation system. A model based on the core technology of adaptive sparse deep fuzzy inference will be proposed to address this challenge. Compared to other AI approaches, this approach has the following unique advantages: 1) the rule base used in a fuzzy inference system can be readily translated into linguistic rules, which are transparent, comprehensible and interpretable for human experts for intelligence acquisition; 2) with the support of recent developments in adaptive sparse fuzzy rule base generation and deep learning, concise yet expressively powerful rules can be generated to summarise large volumes of streaming data in real time; and 3) fuzzy inference systems usually require fewer computational resources, making it possible to deploy them in embedded systems or IoT devices in addition to high-end servers. The method will be evaluated extensively on publicly available data sets and through experiments in our recently built modern computer network and cybersecurity labs to ensure its high-grade performance.