Cybersecurity

Model
Digital Document
Publisher
Florida Atlantic University
Description
The Internet has provided humanity with many great benefits, but it has also introduced new risks and dangers. E-commerce and other web portals have become large industries with big data. Criminals and other bad actors constantly seek to exploit these web properties through web attacks. Being able to properly detect these web attacks is a crucial component in the overall cybersecurity landscape. Machine learning is one tool that can assist in detecting web attacks. However, properly using machine learning to detect web attacks does not come without its challenges. Classification algorithms can have difficulty with severe levels of class imbalance. Class imbalance occurs when one class label disproportionately outnumbers another class label. For example, in cybersecurity, it is common for the negative (normal) label to severely outnumber the positive (attack) label. Another difficulty encountered in machine learning is that models can be complex, thus making it difficult for even subject matter experts to truly understand a model’s detection process. Moreover, it is important for practitioners to determine which input features to include or exclude in their models for optimal detection performance. This dissertation studies machine learning algorithms in detecting web attacks with big data. Severe class imbalance is a common problem in cybersecurity, and mainstream machine learning research does not sufficiently consider this with web attacks. Our research first investigates the problems associated with severe class imbalance and rarity. Rarity is an extreme form of class imbalance where the positive class suffers from an extremely low positive class count, thus making it difficult for the classifiers to discriminate. In reducing imbalance, we demonstrate that random undersampling can effectively mitigate the class imbalance and rarity problems associated with web attacks.
Furthermore, our research introduces a novel feature popularity technique which produces easier-to-understand models by including only the fewer, most popular features. Feature popularity granted us new insights into the web attack detection process, even though we had already intensely studied it. Even so, we proceed cautiously in selecting the best input features, as we determined that the “most important” Destination Port feature might be contaminated by lopsided traffic distributions.
Model
Digital Document
Publisher
Florida Atlantic University
Description
Healthcare organizations, realizing the potential of the Internet of Things (IoT)
technology, are rapidly adopting the technology to bring significant improvements in
the quality and effectiveness of the service. However, these smart and interconnected
devices can act as a potential "back door" into a hospital's IT network, giving attackers
access to sensitive information. As a result, cyber-attacks on medical IoT devices
have been increasing over the last few years. It is a growing concern for all the
stakeholders involved, as the impact of such attacks is not just monetary or privacy
loss, but the lives of many patients are also at risk. Considering the various kinds of
IoT devices one may find connected to a hospital's network, traditional host-centric
security solutions (e.g. antivirus, software patches) are at odds with realistic IoT
infrastructure (e.g. constrained hardware, lack of proper built-in security measures).
There is a need for security solutions which consider the challenges of IoT devices like
heterogeneity of technology and protocols used, limited resources in terms of battery
and computation power, etc. Accordingly, the goals of this thesis have been: (1) to
provide an in-depth understanding of vulnerabilities of medical IoT devices; (2) to
introduce a novel approach which uses a microservices-based framework as an adaptive
and agile security solution to address the issue. The thesis focuses on OS Fingerprinting
attacks because of their significance for attackers to understand a target's network.
In this thesis, we developed three microservices, each one designed to serve a specific
functionality. Each of these microservices has a small footprint with RAM usage of
approximately 50 MB. We also suggest how microservices can be used in a real-life
scenario as a software-based security solution to secure a hospital's network consisting
of different IoT devices.
Model
Digital Document
Publisher
Florida Atlantic University
Description
In this research, a new reputation-based model is utilized to disincentivize collusion
of defenders and attackers in Software Defined Networks (SDN), and also, to disincentivize
dishonest mining strategies in Blockchain. In the context of SDN, the model uses the
reputation values assigned to each entity to disincentivize collusion with an attacker. Our
analysis shows that not-colluding actions become Nash Equilibrium using the reputation-based
model within a repeated game setting. In the context of Blockchain and mining,
we illustrate that by using the same socio-rational model, miners not only are incentivized
to conduct honest mining but also disincentivized to commit to any malicious activities
against other mining pools. We therefore show that honest mining strategies become Nash
Equilibrium in our setting.
This thesis is laid out in the following manner. In chapter 2, an introduction to
game theory is provided, followed by a survey of previous works in game theoretic network
security; in chapter 3, a new reputation-based model is introduced to be used within the
context of a Software Defined Network (SDN); in chapter 4, a reputation-based solution
concept is introduced to force cooperation by each mining entity in Blockchain; and finally,
in chapter 5, the concluding remarks and future works are presented.