Governmental adminstrative domains can potentially benefit from a wide variety of currently available big data analysis methods. The tax administration is such an area that requires massive data processing to identify hidden patterns and trends of possible tax evasion. The use of supervised methods can be effective in these cases, but the lack of available labeled data limits their practical application in real-world scenarios. An alternative is the use of unsupervised methods, which have potential benefits in certain cases. In this sense, unsupervised methods are considered to be feasible as a decision support tool in tax evasion risk management systems. This paper proposes an unsupervised approach to identify signs of tax evasion by detecting, possible, tax underreporting. The proposed strategy is evaluated on a data set associated with individual income tax statistics of the United States. The results achieved are considered to be useful in decision-making and preventive actions on cases reported as suspicious.@en

With the rising of Internet in early ’90s, many fraudulent activities have migrated from physical to digital: one of them is phishing. Phishing is a deceptive practice focused on exploiting the human factor, which is the most vulnerable aspect of any security process. In this scam, social engineering techniques are extensively utilized, specifically focusing on the principles of persuasion, to deceive individuals into disclosing sensitive information or engaging in malicious actions. This research explores the use of message subjectivity for detecting phishing attacks. It does so by assessing the impact of various data representations and classifiers on automatically identifying principles of persuasion. Furthermore, it investigates how these detected principles of persuasion can be leveraged for identifying phishing attacks. The experiments conducted revealed that there is no universal solution for data representation and classifier selection to effectively detect all principles of persuasion. Instead, a tailored combination of data representation and classifiers is required for detecting each principle. The Machine Learning models created automatically detect principles of persuasion with confidence levels ranging from 0.7306 to 0.8191 for AUC-ROC. Next, principles of persuasion detected are used for phishing detection. This study also emphasizes the need for user-friendly and comprehensible models. To validate the proposal presented, several families of classifiers were tested, but among all of them, tree-based models (and Random Forest in particular) stand out as preferred option. These models achieve similar level of effectiveness as alternative methods while offering improved clarity and user-friendliness, with an AUC-ROC of 0.859842.@en

Persuasion is a human activity of influence. In marketing, persuasion can help customers find solutions to their problems, make informed choices, or convince someone to buy a useful (or useless) product or service. In computer crimes, persuasion can trick users into revealing sensitive information, or even performing actions that benefit attackers. Phishing is one of the most common and dangerous forms of persuasion-based attacks, as it exploits human vulnerabilities rather than technical ones. Therefore, an intelligent system capable of detecting and classifying persuasion attempts might be useful in protecting users. In this work, an approach that uses Machine Learning to analyze messages based on principles of persuasion and different data representations is presented. The aim of this research is to detect which data representation and which classification algorithm obtain the best results in detecting each principle of persuasion as a prior step to detecting phishing attacks. The results obtained indicate that among the combinations tested, there is one combination of data representation and classification algorithm that performs best. The related classification models obtained can detect the principles of persuasion at a rate that varies between 0.78 and 0.86 of AUC-ROC.@en

Decision trees are one of the most popular structures for decision-making and the representation of a set of rules. However, when a rule set is represented as a decision tree, some quirks in its structure may negatively affect its performance. For example, duplicate sub-trees and rule filters, that need to be evaluated more than once, could negatively affect the efficiency. This paper presents a novel algorithm based on Shannon’s expansion, which guarantees that the same rule filter is not evaluated more than once, even if repeated in other rules. This fact increases efficiency during the evaluation process using the induced decision tree. Experiments demonstrated the viability of the proposed algorithm in processing-intensive scenarios, such as in intrusion detection and data stream analysis.@en

Telecommunications services have become a constant in people’s lives. This has inspired fraudsters to carry out malicious activities causing economic losses to people and companies. Early detection of signs that suggest the possible occurrence of malicious activity would allow analysts to act in time and avoid unintended consequences. Modeling the behavior of users could identify when a significant change takes place. Following this idea, an algorithm for online behavior change detection in telecommunication services is proposed in this paper. The experimental results show that the new algorithm can identify behavioral changes related to unforeseen events.@en

We live in a world that is being driven by data. This leads to challenges of extracting and analyzing knowledge from large volumes of data. An example of such a challenge is intrusion detection. Intrusion detection data sets are characterized by huge volumes, which affects the learning of the classifier. So there is a need to reduce the size of the training sets. Fortunately, inspection and analysis of available intrusion detection data sets showed that many instances are very similar and do not provide relevant information to the classification process. This prompted to look for possibilities to use a fast algorithm that, as much as possible, removes similar instances in intrusion detection data sets while enforcing the detection rate. In this work, a new fast instance reduction algorithm is presented. The proposed algorithm provides greater efficiency during the training stage, without significantly affecting the efficacy during the intrusion detection task.

@en

Every day the number of devices interacting through telecommunications networks grows resulting into an increase in the volume of data and information generated. At the same time, a growing number of information security incidents is being observed including the occurrence of unauthorized accesses, also named intrusions. As a consequence of these two developments, Information and Communications services providers require automated processes to detect and solve such intrusions, and this should done quickly in order to keep the related cybersecurity risks at acceptable levels. However, the presence of large volumes of data negatively interferes with the performance of classifiers used in intrusion detection tasks, which limits their applicability in practical cases. The research reported in this paper focuses on proposing a novel feature selection algorithm for intrusion detection scenarios. To this end, an extensive literature review was executed to first discover issues in the feature selection algorithms reported. Based on the insights obtained, the new multi-measure feature selection algorithm was designed that uses qualitative information provided by multiple feature selection measures, and reduces the dimensionality of the training data set. The algorithm proposed was next extensively tested using various data sets. It provides greater efficacy than other feature selection algorithms used for intrusion detection purposes. We finalize by providing some ideas on future research in order to further improve the algorithm.

@en

For most people, cybersecurity is a difficult notion to grasp. Traditionally, cybersecurity has been considered a technical challenge, and still many specialists understand it as information security, with the notions of confidentiality, integrity, and availability as its foundation. Although many have searched for different and broader perspectives, the complexity and ambiguity of the notion still thwarts a common understanding. While the author was developing and executing a MSc cybersecurity program for professionals with a wide variety of backgrounds and widely differing views on cybersecurity, the lack of a common understanding of cybersecurity was clearly evident. Based on these observations, the author began seeking and defining a new, transdisciplinary conceptualization of cybersecurity that can be widely agreed upon. It resulted in the publication of three scientific papers. This paper is an amalgam of the contents of the three supplemented with some extensions. It turned out that the previously introduced description of two key notions, cyberspace and cybersecurity, is still an adequate starting point. Described here is a set of additional mental models elaborating on these key notions and providing more detail on their meanings. The research suggests that this set of mental models strongly supports the description and analysis of current cybersecurity challenges and helps people understand how everyone, in his or her various roles, can contribute to reducing the related cyber risks. These claims are supported by presenting the modeling and analysis approaches of various MSc-thesis research projects executed by students when working on practical cybersecurity problems both within and outside their organisations. The author further discovered that, for a limited set of cybersecurity challenges, it was not yet possible to identify adequate mental models; this defines the agenda for future research.@en

Cyber operations are relatively a new phenomenon of the last two decades. During that period, they have increased in number, complexity, and agility, while their design and development have been processes well kept under secrecy. As a consequence, limited data(sets) regarding these incidents are available. Although various academic and practitioner public communities addressed some of the key points and dilemmas that surround cyber operations (such as attack, target identification and selection, and collateral damage), still methodologies and models are needed in order to plan, execute, and assess them in a responsibly and legally compliant way. Based on these facts, it is the aim of this article to propose a model that i)) estimates and classifies the effects of cyber operations, and ii) assesses proportionality in order to support targeting decisions in cyber operations. In order to do that, a multi-layered fuzzy model was designed and implemented by analysing real and virtual realistic cyber operations combined with interviews and focus groups with technical – military experts. The proposed model was evaluated on two cyber operations use cases in a focus group with four technical – military experts. Both the design and the results of the evaluation are revealed in this article.

@en

Cyber Operations stopped being utopia or Sci-Fi based scenarios: they became reality. When planning and conducting them, military actors encounter difficulties since they lack methodologies and models that support their actions and assess their effects. To address these issues by tackling the underlying scientific and practical gap, this article proposes an assessment methodology for the intended and unintended effects of Cyber Operations, labeled as Military Advantage, Collateral Damage and Military Disadvantage, and aims at supporting the targeting process when engaging targets in Cyber Operations. To arrive at this methodology, an extensive review on literature, military doctrine and methodologies was conducted combined with two series of interviews with military commanders and field work in joint military exercises. The assessment methodology is proposed considering multidimensional factors, phases and steps in a technical - military approach. For validation, one realistic Cyber Operation case study was conducted in a focus group with nine military experts plus four face-to-face meetings with another four military experts.

@en

For most people, cybersecurity is a hard to grasp notion. Traditionally, cybersecurity has been considered as a technical challenge and still many specialists view it equivalent with information security, with the notions of confidentiality, integrity and availability as starting points of thinking. And although others searched for a broader perspective, the complexity and ambiguity of the notion still thwarts a common understanding. While developing and executing a MSc cybersecurity program for professionals, the lack of a common understanding of what cybersecurity entails was again observed. Stimulated by this, we started to look for and define a new, transdisciplinary conceptualization of cybersecurity that everyone can agree upon. It resulted in two scientific papers published. This paper describes the outcomes of the continuation of our research journey. It turned out that the earlier introduced description of two key notions, namely that of cyberspace and that of cybersecurity, can still be considered as adequate starting points. Here, we describe a set of additional mental models that elaborates them and provides more detail to the meaning of the two key notions. In practice, it turned out that the additional mental models strongly support the description and analysis of existing and upcoming cybersecurity challenges and helps to understand how everybody, in his or her various roles, can or should contribute to reducing the related cyber risks to adequate levels. We further discovered that for certain cybersecurity challenges, especially those related to efficient cyber risk mitigation, we could not yet identify an adequate sub-set of mental models. This defines the agenda for near future cybersecurity research.

@en

In the last few years, the telecommunications scenario has experienced an increase in the volume of information generated, as well as in the execution of malicious activities. In order to complement Intrusion Detection Systems (IDSs), data mining techniques have begun to play a fundamental role in data analysis. On the other hand, the presence of useless information and the amount of data generated by telecommunication services (leading to a huge dimensional problem), can affect the performance of traditional IDSs. In this sense, a data preprocessing strategy is necessary to reduce data, but reducing data without affecting the accuracy of IDSs represents a challenge. In this paper, we propose a new data preprocessing strategy which reduces the number of features and instances in the training collection without greatly affecting the achieved accuracy of IDSs. Finally, our proposal is evaluated using four different rule-based classifiers, which are tested on real scan and backscatter data collected by a network telescope.

@en

Due to the advancement of technology and continuing emergence of international conflict situations, wars are now also conducted into the official new battlefield: Cyberspace. Although several incidents have been characterized in terms of cyber operations, there is an important gap in the existing body of knowledge concerning the definition of this concept, and a formal mechanism of representing such operations is lacking. This can produce dissonance and disturbance in the decision making processes and communication in cyber operations, for instance, when planning or assessing their effects. In order to understand what cyber operations represent and to make communication more effective, this article proposes a multidisciplinary definition and a knowledge base for cyber operations implemented as a computational ontology. This article follows a design science approach and grounds its sources in extensive literature review, reports, military doctrine, case studies, evaluation interviews and direct participation and observation in joint military operations exercises and experience in writing cyber operations scenarios. The computational ontology has been designed to reflect the understanding of and the necessary communication in cyber operations based on the abovementioned sources. Its upper classes are: Context, Actor, Type, MilitaryObjective, Phase, Target, Cyber Weapon, Asset, Geolocation, Action and Effect. The ontology has been developed in Protégé by using the Ontology Engineering Methodology, and contains 140 classes, 37 individuals and 94 properties. This ontology makes possible the classification of the essential entities of a cyber operation: Military objective, target, cyber weapon/capability and effect. The proposed ontology has been exemplified and evaluated on two case studies conducted on Operation Olympic Games/Stuxnet and Georgia and with the help of two military experts with international experience. The validation results show that the proposed ontology is effective in representing cyber operations accurately, clearly and concisely. To increase its applicability, future research will focus on assessing the effects of Cyber Operations.

@en

Cyber operations lack models, methodologies, and mechanisms to describe relevant data and knowledge. This problem is directly reflected when cyber operations are conducted and their effects assessed, and it can produce dissonance and disturbance in corresponding decision-making processes and communication between different military actors. To tackle these issues, this article proposes a knowledge model for cyber operations implemented as a computational ontology following a design science approach grounded on extensive technical-military research. This model classifies the essential entities of cyber operations and is exemplified in three case studies. Validation results show that this model can be used to describe cyber operations clearly and concisely. @en

Low-voltage distribution grids experience a rising penetration of inverter-based, distributed generation. In order to not only contribute to but also solve voltage problems, these inverters are increasingly asked to participate in intelligent grid controls. Communicating inverters implement distributed voltage droop controls. The impact of cyber-attacks to the stability of such distributed grid controls is poorly researched and therefore addressed in this article. We characterize the potential impact of several attack scenarios by employing the positivity and diagonal dominance properties. In particular, we discuss measurement falsification scenarios where the attacker corrupts voltage measurement data received by the voltage droop controllers. Analytical, control-theoretic methods for assessing the impact on system stability and voltage magnitude are presented and validated via simulation.@en

The 2013 National Security Agency revelations of pervasive monitoring have led to an "encryption rush" across the computer and Internet industry. To push back against massive surveillance and protect users' privacy, vendors, hosting and cloud providers have widely deployed encryption on their hardware, communication links, and applications. As a consequence, most web connections nowadays are encrypted. However, there is still a significant part of Internet traffic that is not encrypted. It has been argued that both costs and complexity associated with obtaining and deploying X.509 certificates are major barriers for widespread encryption, since these certificates are required to establish encrypted connections. To address these issues, the Electronic Frontier Foundation, Mozilla Foundation, the University of Michigan and a number of partners have set up Let's Encrypt (LE), a certificate authority that provides both free X.509 certificates and software that automates the deployment of these certificates. In this paper, we investigate if LE has been successful in democratizing encryption: we analyze certificate issuance in the first year of LE and show from various perspectives that LE adoption has an upward trend and it is in fact being successful in covering the lower-cost end of the hosting market.@en

Connected- en de autonoom rijdende auto’s communiceren constant met hun omgeving. Deze rijdende computers zijn nooit ontworpen om kwaadwillende hackers buiten te houden. Het is tijd om de ICT architectuur in onze auto’s grondig te herzien om ervoor te zorgen dat de fysieke consumentenveiligheid gegarandeerd wordt. Onderzoek vanuit de Cyber Security Academy in samenwerking met Universiteit Delft en Universiteit Leiden laat zien welke stappen er genomen kunnen worden om de cyber security van personenauto’s te verbeteren.@en

Today’s increasing connectivity creates cyber risks at personal, organizational up to societal level. Societal cyber risks require mitigation by all kinds of actors where government should take the lead due to its responsibility to protect its citizens. Since no formal global governance exists, the governmental responsibility should start at the national level of every country. To achieve successful management of global cyber risks, appropriate alignment between these sovereignly developed strategies is required, which concerns a complex challenge. To create alignment, getting insight into differences between national cyber strategies, is the first step. This, in turn, requires an appropriate analysis approach that helps to identify the key differences. In this article, we introduce such an analysis approach based on social contract theory. The resulting analysis model consists of both a direct and an indirect type of social cyber contract between governments, citizens and corporations, within and between sovereign nations. To show its effectiveness, the proposed social cyber contract model is validated through an illustrated case examining various constitutional rights to privacy, their embedding in the national cyber strategies and how their differences could cause potential barriers for alignment across sovereignties.@en

Bayesian game theory is an interesting field within cyber security. Applying it to bank transfer systems can be very useful in finding risks in time and to dynamically adapt to them. It can not only provide insight about the best threat control methods, but also gives insights in how confidential certain core information and actions within the system are. By defining key points for bank transfer systems, an abstract 'meta model' is created. Due to the key constraints and the relation with 'classic' Bayesian game theory, the validity of the abstract model can be proven for the more specific models.

@en

In the last decades we witnessed the creation of a virtual world: cyberspace, which offers plenty of opportunities and challenges. Meanwhile, we are confronted with many conflict situations between different groups of people or countries. In the last years, several events have been described in terms of cyber warfare or the use of cyber weapons, leading to critical international security concerns. At the same time, there is little research on the definitions of what constitutes a cyber weapon and how it can be profiled.The present article gives an answer to the question “How to define cyber weapons?” and proposes a conceptual framework that defines and profiles cyber weapons from a multidisciplinary perspective: cyber and military, considering legal aspects as well. This framework establishes the context of use and the life cycle of cyber weapons, defines them, presents their structure and proposes a way to profile them. The aim of this article is to support decision makers and academia that have to deal with the implications and consequences of cyber weapons. Therefore, to evaluate our framework, we propose a profiling matrix for Stuxnet, Operation Orchard and Black Energy and we conduct an exploratory case study on Stuxnet based on the existing literature@en