[CR] Nov 26, 2022
Deep Fake Detection, Deterrence and Response: Challenges and Opportunities
Amin Azmoodeh, Ali Dehghantanha
According to the 2020 cyber threat defence report, 78% of Canadian organizations experienced at least one successful cyberattack in 2020. The consequences of such attacks vary from privacy compromises to immense damage costs for individuals, companies, and countries. Specialists predict that the global loss from cybercrime will reach 10.5 trillion US dollars annually by 2025. Given such alarming statistics, the need to prevent and predict cyberattacks is as high as ever. Our increasing reliance on Machine Learning (ML)-based systems raises serious concerns about the security and safety of these systems. In particular, the emergence of powerful ML techniques that generate fake visual, textual, or audio content with a high potential to deceive humans has raised serious ethical concerns. These artificially crafted deceptive videos, images, audio, or texts, known as deepfakes, have garnered attention for their potential use in creating fake news, hoaxes, revenge porn, and financial fraud. The diversity and wide spread of deepfakes have made their timely detection a significant challenge. In this paper, we first offer background information and a review of previous works on the detection and deterrence of deepfakes. Afterward, we offer a solution that is capable of 1) making our AI systems robust against deepfakes during development and deployment phases; 2) detecting video, image, audio, and textual deepfakes; 3) identifying deepfakes that bypass detection (deepfake hunting); 4) leveraging available intelligence for timely identification of deepfake campaigns launched by state-sponsored hacking teams; 5) conducting in-depth forensic analysis of identified deepfake payloads. Our solution would address important elements of the Canada National Cyber Security Action Plan (2019-2024) in increasing the trustworthiness of our critical services.
[CR] Oct 26, 2023
Unscrambling the Rectification of Adversarial Attacks Transferability across Computer Networks
Ehsan Nowroozi, Samaneh Ghelichkhani, Imran Haider et al.
Convolutional neural network (CNN) models play a vital role in achieving state-of-the-art performance in various technological fields. CNNs are not limited to Natural Language Processing (NLP) or Computer Vision (CV) but also have substantial applications in other technological domains, particularly in cybersecurity. The reliability of CNN models can be compromised because of their susceptibility to adversarial attacks, which can be generated effortlessly, easily applied, and transferred in real-world scenarios. In this paper, we present a novel and comprehensive method to improve the strength of attacks and assess the transferability of adversarial examples in CNNs when such strength changes, as well as whether the transferability property issue exists in computer network applications. In the context of our study, we initially examined six distinct modes of attack: the Carlini and Wagner (C&W), Fast Gradient Sign Method (FGSM), Iterative Fast Gradient Sign Method (I-FGSM), Jacobian-based Saliency Map (JSMA), Limited-memory Broyden-Fletcher-Goldfarb-Shanno (L-BFGS), and Projected Gradient Descent (PGD) attacks. We applied these attack techniques on two popular datasets: the CIC and UNSW datasets. The outcomes of our experiment demonstrate that an improvement in transferability occurs in the targeted scenarios for FGSM, JSMA, L-BFGS, and other attacks. Our findings further indicate that the security threats posed by adversarial examples, even in computer network applications, necessitate the development of novel defense mechanisms to enhance the security of DL-based techniques.
[CR] Mar 24
SoK: The Attack Surface of Agentic AI -- Tools, and Autonomy
Ali Dehghantanha, Sajad Homayoun
Recent AI systems combine large language models with tools, external knowledge via retrieval-augmented generation (RAG), and even autonomous multi-agent decision loops. This agentic AI paradigm greatly expands capabilities - but also vastly enlarges the attack surface. In this systematization, we map out the trust boundaries and security risks of agentic LLM-based systems. We develop a comprehensive taxonomy of attacks spanning prompt-level injections, knowledge-base poisoning, tool/plug-in exploits, and multi-agent emergent threats. Through a detailed literature review, we synthesize evidence from 2023-2025, including more than 20 peer-reviewed and archival studies, industry reports, and standards. We find that agentic systems introduce new vectors for indirect prompt injection, code execution exploits, RAG index poisoning, and cross-agent manipulation that go beyond traditional AI threats. We define attacker models and threat scenarios, and propose metrics (e.g., Unsafe Action Rate, Privilege Escalation Distance) to evaluate security posture. Our survey examines defenses such as input sanitization, retrieval filters, sandboxes, access control, and "AI guardrails," assessing their effectiveness and pointing out the areas where protection is still lacking. To assist practitioners, we outline defensive controls and provide a phased security checklist for deploying agentic AI (covering design-time hardening, runtime monitoring, and incident response). Finally, we outline open research challenges in secure autonomous AI (robust tool APIs, verifiable agent behavior, supply-chain safeguards) and discuss ethical and responsible disclosure practices. We systematize recent findings to help researchers and engineers understand and mitigate security risks in agentic AI.
[CR] Feb 12, 2025
Quantifying Security Vulnerabilities: A Metric-Driven Security Analysis of Gaps in Current AI Standards
Keerthana Madhavan, Abbas Yazdinejad, Fattane Zarrinkalam et al.
As AI systems integrate into critical infrastructure, security gaps in AI compliance frameworks demand urgent attention. This paper audits and quantifies security risks in three major AI governance standards: NIST AI RMF 1.0, the UK's AI and Data Protection Risk Toolkit, and the EU's ALTAI. Using a novel risk assessment methodology, we develop four key metrics: Risk Severity Index (RSI), Attack Potential Index (AVPI), Compliance-Security Gap Percentage (CSGP), and Root Cause Vulnerability Score (RCVS). Our analysis identifies 136 concerns across the frameworks, exposing significant gaps. NIST fails to address 69.23 percent of identified risks, ALTAI has the highest attack vector vulnerability (AVPI = 0.51), and the ICO Toolkit has the largest compliance-security gap, with 80.00 percent of high-risk concerns remaining unresolved. Root cause analysis highlights under-defined processes (ALTAI RCVS = 033) and weak implementation guidance (NIST and ICO RCVS = 0.25) as critical weaknesses. These findings emphasize the need for stronger, enforceable security controls in AI compliance. We offer targeted recommendations to enhance security posture and bridge the gap between compliance and real-world AI risks.
[CL] Oct 24, 2025
Uncovering the Persuasive Fingerprint of LLMs in Jailbreaking Attacks
Havva Alizadeh Noughabi, Julien Serbanescu, Fattane Zarrinkalam et al.
Despite recent advances, Large Language Models remain vulnerable to jailbreak attacks that bypass alignment safeguards and elicit harmful outputs. While prior research has proposed various attack strategies differing in human readability and transferability, little attention has been paid to the linguistic and psychological mechanisms that may influence a model's susceptibility to such attacks. In this paper, we examine an interdisciplinary line of research that leverages foundational theories of persuasion from the social sciences to craft adversarial prompts capable of circumventing alignment constraints in LLMs. Drawing on well-established persuasive strategies, we hypothesize that LLMs, having been trained on large-scale human-generated text, may respond more compliantly to prompts with persuasive structures. Furthermore, we investigate whether LLMs themselves exhibit distinct persuasive fingerprints that emerge in their jailbreak responses. Empirical evaluations across multiple aligned LLMs reveal that persuasion-aware prompts significantly bypass safeguards, demonstrating their potential to induce jailbreak behaviors. This work underscores the importance of cross-disciplinary insight in addressing the evolving challenges of LLM safety. The code and data are available.
[CR] Apr 12, 2021
Cybersecurity in Smart Farming: Canada Market Research
Ali Dehghantanha, Hadis Karimipour, Amin Azmoodeh
The Cyber Science Lab (CSL) and Smart Cyber-Physical System (SCPS) Lab at the University of Guelph conducted a market study of cybersecurity technology adoption and requirements for smart and precision farming in Canada. We conducted 17 stakeholder/key opinion leader interviews in Canada and the USA, as well as extensive secondary research, to complete this study. Each interview generally required 15-20 minutes to complete. Interviews were conducted using a client-approved interview guide. Secondary and primary research focussed on the following areas of investigation: market size and segmentation; market forecast and growth rate; competitive landscape; market challenges/barriers to entry; market trends/growth drivers; and adoption/commercialization of the technology.
[CR] Oct 19, 2020
A Survey of Machine Learning Techniques in Adversarial Image Forensics
Ehsan Nowroozi, Ali Dehghantanha, Reza M. Parizi et al.
Image forensics plays a crucial role in both criminal investigations (e.g., dissemination of fake images to spread racial hate or false narratives about specific ethnic groups) and civil litigation (e.g., defamation). Increasingly, machine learning approaches are also utilized in image forensics. However, there are also a number of limitations and vulnerabilities associated with machine learning-based approaches, for example how to detect adversarial (image) examples, with real-world consequences (e.g., inadmissible evidence, or wrongful conviction). Therefore, with a focus on image forensics, this paper surveys techniques that can be used to enhance the robustness of machine learning-based binary manipulation detectors in various adversarial scenarios.
[CR] May 2, 2020
Security Aspects of Internet of Things aided Smart Grids: a Bibliometric Survey
Jacob Sakhnini, Hadis Karimipour, Ali Dehghantanha et al.
The integration of sensors and communication technology in power systems, known as the smart grid, is an emerging topic in science and technology. One of the critical issues in the smart grid is its increased vulnerability to cyber threats. As such, various types of threats and defense mechanisms are proposed in the literature. This paper offers a bibliometric survey of research papers focused on the security aspects of Internet of Things (IoT) aided smart grids. To the best of the authors' knowledge, this is the very first bibliometric survey paper in this specific field. A bibliometric analysis of all journal articles is performed and the findings are sorted by dates, authorship, and key concepts. Furthermore, this paper also summarizes the types of cyber threats facing the smart grid, the various security mechanisms proposed in the literature, as well as the research gaps in the field of smart grid security.
[DL] Dec 4, 2019
Blockchain Applications in Power Systems: A Bibliometric Analysis
Hossein Mohammadi Rouzbahani, Hadis Karimipour, Ali Dehghantanha et al.
Power systems are growing rapidly, due to the ever-increasing demand for electrical power. These systems require novel methodologies and modern tools and technologies to perform better, particularly for communication among different parts. Therefore, power systems are facing new challenges such as energy trading and marketing and cyber threats. Using blockchain in power systems, as a solution, is one of the newest methods. Most studies aim to investigate innovative approaches to blockchain application in power systems. Even though many articles have been published to support the research activities, there has not been any bibliometric analysis that specifies the research trends. This paper aims to present a bibliographic analysis of the literature on blockchain application in power systems in the Web of Science (WoS) database between January 2009 and July 2019. This paper discusses the research activities and performs a detailed analysis by looking at the number of articles published, citations, institutions, research areas, and authors. From the analysis, it was concluded that research activities in China and the USA have had several significant impacts in comparison to other countries.
[CR] Jul 7, 2019
Smart Grid Cyber Attacks Detection using Supervised Learning and Heuristic Feature Selection
Jacob Sakhnini, Hadis Karimipour, Ali Dehghantanha
False Data Injection (FDI) attacks are a common form of cyber-attack targeting smart grids. Detection of stealthy FDI attacks is impossible with the current bad data detection systems. Machine learning is one of the alternative methods proposed to detect FDI attacks. This paper analyzes three different supervised learning techniques, each to be used with three different feature selection (FS) techniques. These methods are tested on the IEEE 14-bus, 57-bus, and 118-bus systems to evaluate their versatility. Classification accuracy is used as the main evaluation method for each detection technique. The simulation study shows that supervised learning combined with heuristic FS methods results in improved performance of the classification algorithms for FDI attack detection.
[CR] Jun 12, 2019
Integrating Privacy Enhancing Techniques into Blockchains Using Sidechains
Reza M. Parizi, Sajad Homayoun, Abbas Yazdinejad et al.
Blockchains are turning into decentralized computing platforms and are getting worldwide recognition for their unique advantages. There is an emerging trend beyond payments that blockchains could enable a new breed of decentralized applications and serve as the foundation for the Internet's security infrastructure. The immutable nature of the blockchain makes it a winner on security and transparency; it is nearly inconceivable for ledgers to be altered in a way not instantly clear to every single user involved. However, most blockchains fall short in privacy aspects, particularly in data protection. Garlic Routing and Onion Routing are two of the major Privacy Enhancing Techniques (PETs) which are popular for anonymization and security. Garlic Routing is a methodology used by the I2P Anonymous Network to hide the identity of the sender and receiver of data packets by bundling multiple messages into a layered encryption structure. Onion Routing attempts to provide low-latency Internet-based connections that resist traffic analysis, deanonymization attacks, eavesdropping, and other attacks both by outsiders (e.g. Internet routers) and insiders (Onion Routing servers themselves). As there are a few controversies over the rate of resistance of these two techniques to privacy attacks, we propose a PET-Enabled Sidechain (PETES) as a new privacy enhancing technique by integrating Garlic Routing and Onion Routing into a Garlic Onion Routing (GOR) framework suitable to the structure of blockchains. The preliminary proposed GOR aims to improve the privacy of transactions in blockchains via the PETES structure.
[CR] Jun 12, 2019
A Blockchain-based Framework for Detecting Malicious Mobile Applications in App Stores
Sajad Homayoun, Ali Dehghantanha, Reza M. Parizi et al.
The dramatic growth in smartphone malware shows that malicious program developers are shifting from traditional PC systems to smartphone devices. Therefore, security researchers are also moving towards proposing novel antimalware methods to provide adequate protection. This paper proposes a Blockchain-Based Malware Detection Framework (B2MDF) for detecting malicious mobile applications in mobile application marketplaces (app stores). The framework consists of two private blockchains, one internal and one external, forming a dual private blockchain, as well as a consortium blockchain for the final decision. The internal private blockchain stores feature blocks extracted by both static and dynamic feature extractors, while the external blockchain stores detection results as blocks for current versions of applications. B2MDF also shares feature blocks with third parties, and this helps antimalware vendors to provide more accurate solutions.
[CR] Sep 7, 2018
Empirical Vulnerability Analysis of Automated Smart Contracts Security Testing on Blockchains
Reza M. Parizi, Ali Dehghantanha, Kim-Kwang Raymond Choo et al.
The emerging blockchain technology supports a decentralized computing paradigm shift and is a rapidly approaching phenomenon. While blockchain is thought of primarily as the basis of Bitcoin, its application has grown far beyond cryptocurrencies due to the introduction of smart contracts. Smart contracts are self-enforcing pieces of software, which reside and run over a hosting blockchain. Using blockchain-based smart contracts for secure and transparent management to govern interactions (authentication, connection, and transaction) in Internet-enabled environments, mostly IoT, is a niche area of research and practice. However, writing trustworthy and safe smart contracts can be tremendously challenging because of the complicated semantics of the underlying domain-specific languages and their testability. There have been high-profile incidents that indicate blockchain smart contracts could contain various code-security vulnerabilities, causing financial harm. When it comes to the security of smart contracts, developers embracing the ability to write the contracts should be capable of testing their code to diagnose security vulnerabilities before deploying them to the immutable environments on blockchains. However, there are only a handful of security testing tools for smart contracts. This implies that the existing research on automatic smart contract security testing is not adequate and remains in a very early stage of infancy. With a specific goal to more readily realize the application of blockchain smart contracts in security and privacy, we should first understand their vulnerabilities before widespread implementation. Accordingly, the goal of this paper is to carry out a far-reaching experimental assessment of current static smart contract security testing tools, for the most widely used blockchain, Ethereum, and its domain-specific programming language, Solidity, to provide the first...
[CR] Aug 6, 2018
Know Abnormal, Find Evil: Frequent Pattern Mining for Ransomware Threat Hunting and Intelligence
Sajad Homayoun, Ali Dehghantanha, Marzieh Ahmadzadeh et al.
The emergence of crypto-ransomware has significantly changed the cyber threat landscape. Crypto-ransomware removes data custodian access by encrypting valuable data on victims' computers and requests a ransom payment to reinstate custodian access by decrypting the data. Timely detection of ransomware very much depends on how quickly and accurately system logs can be mined to hunt abnormalities and stop the evil. In this paper we first set up an environment to collect activity logs of 517 Locky ransomware samples, 535 Cerber ransomware samples and 572 samples of TeslaCrypt ransomware. We utilize Sequential Pattern Mining to find Maximal Frequent Patterns (MFP) of activities within different ransomware families as candidate features for classification using J48, Random Forest, Bagging and MLP algorithms. We could achieve 99% accuracy in detecting ransomware instances from goodware samples and 96.5% accuracy in detecting the family of a given ransomware sample. Our results indicate the usefulness and practicality of applying pattern mining techniques to the detection of good features for ransomware hunting. Moreover, we showed the existence of distinctive frequent patterns within different ransomware families which can be used for identification of a ransomware sample's family, for building intelligence about threat actors and the threat profile of a given target.
[CR] Aug 3, 2018
Non-Reciprocity Compensation Combined with Turbo Codes for Secret Key Generation in Vehicular Ad Hoc Social IoT Networks
Gregory Epiphaniou, Petros Karadimas, Dhouha Kbaier Ben Ismail et al.
The physical attributes of the dynamic vehicle-to-vehicle (V2V) propagation channel can be utilised for the generation of highly random and symmetric cryptographic keys. However, in a physical-layer key agreement scheme, non-reciprocity due to inherent channel noise and hardware impairments can propagate bit disagreements. This has to be addressed prior to the symmetric key generation, which is inherently important in social Internet of Things (IoT) networks, including in adversarial settings (e.g. battlefields). In this paper, we parametrically incorporate temporal variability attributes, such as three-dimensional (3D) scattering and scatterer mobility. Accordingly, this is the first work to incorporate such features into the key generation process by combining non-reciprocity compensation with turbo codes. Preliminary results indicate a significant improvement when using turbo codes in bit mismatch rate (BMR) and key generation rate (KGR) in comparison to sample indexing techniques.
[CR] Aug 3, 2018
Machine Learning Aided Static Malware Analysis: A Survey and Tutorial
Andrii Shalaginov, Sergii Banin, Ali Dehghantanha et al.
Malware analysis and detection techniques have been evolving during the last decade in response to the development of different malware techniques to evade network-based and host-based security protections. The fast growth in the variety and number of malware species has made it very difficult for forensic investigators to provide an on-time response. Therefore, Machine Learning (ML) aided malware analysis became a necessity to automate different aspects of static and dynamic malware investigation. We believe that machine learning aided static analysis can be used as a methodological approach in technical Cyber Threat Intelligence (CTI) rather than resource-consuming dynamic malware analysis, which has been thoroughly studied before. In this paper, we address this research gap by conducting an in-depth survey of different machine learning methods for classification of static characteristics of 32-bit malicious Portable Executable (PE32) Windows files and develop a taxonomy for better understanding of these techniques. Afterwards, we offer a tutorial on how different machine learning techniques can be utilized in the extraction and analysis of a variety of static characteristics of PE binaries and evaluate the accuracy and practical generalization of these techniques. Finally, the results of an experimental study of all the methods on common data are given to demonstrate their accuracy and complexity. This paper may serve as a stepping stone for future researchers in the cross-disciplinary field of machine learning aided malware forensics.
[CR] Aug 3, 2018
Cyber Threat Intelligence: Challenges and Opportunities
Mauro Conti, Ali Dehghantanha, Tooska Dargahi
The ever-increasing number of cyber attacks requires cyber security and forensic specialists to detect, analyze and defend against cyber threats in almost real time. In practice, timely dealing with such a large number of attacks is not possible without deeply perusing the attack features and taking corresponding intelligent defensive actions; this, in essence, defines the notion of cyber threat intelligence. However, such intelligence would not be possible without the aid of artificial intelligence, machine learning and advanced data mining techniques to collect, analyse, and interpret cyber attack evidence. In this introductory chapter we first discuss the notion of cyber threat intelligence and its main challenges and opportunities, and then briefly introduce the chapters of the book, which either address the identified challenges or present opportunistic solutions to provide threat intelligence.
[CR] Aug 3, 2018
Adaptive Traffic Fingerprinting for Darknet Threat Intelligence
Hamish Haughey, Gregory Epiphaniou, Haider Al-Khateeb et al.
Darknet technology such as Tor has been used by various threat actors for organising illegal activities and data exfiltration. As such, there is a case for organisations to block such traffic, or to try and identify when it is used and for what purposes. However, anonymity in cyberspace has always been a domain of conflicting interests. While it gives enough power to nefarious actors to masquerade their illegal activities, it is also the cornerstone to facilitate freedom of speech and privacy. We present a proof of concept for a novel algorithm that could form the fundamental pillar of a darknet-capable Cyber Threat Intelligence platform. The solution can reduce the anonymity of Tor users, and considers the existing visibility of network traffic before optionally initiating targeted or widespread BGP interception. In combination with server HTTP response manipulation, the algorithm attempts to reduce the candidate data set to eliminate client-side traffic that is most unlikely to be responsible for server-side connections of interest. Our test results show that MITM-manipulated server responses lead to expected changes received by the Tor client. Using simulation data generated by Shadow, we show that the detection scheme is effective with a false positive rate of 0.001, while sensitivity detecting non-targets was 0.016+-0.127. Our algorithm could assist collaborating organisations willing to share their threat intelligence or cooperate during investigations.
[CR] Jul 27, 2018
A Cyber Kill Chain Based Taxonomy of Banking Trojans for Evolutionary Computational Intelligence
Dennis Kiwia, Ali Dehghantanha, Kim-Kwang Raymond Choo et al.
Malware such as banking Trojans are popular with financially-motivated cybercriminals. Detection of banking Trojans remains a challenging task, due to the constant evolution of techniques used to obfuscate and circumvent existing detection and security solutions. Having a malware taxonomy can facilitate the design of mitigation strategies such as those based on evolutionary computational intelligence. Specifically, in this paper, we propose a cyber kill chain based taxonomy of banking Trojan features. This threat intelligence based taxonomy, providing a stage-by-stage operational understanding of a cyber-attack, can be highly beneficial to security practitioners and to the design of evolutionary computational intelligence for Trojan detection and mitigation strategies. The proposed taxonomy is validated by using a real-world dataset of 127 banking Trojans collected from December 2014 to January 2016 by a major UK-based financial organisation.
[CR] Jul 27, 2018
Greening Cloud-Enabled Big Data Storage Forensics: Syncany as a Case Study
Yee-Yang Teing, Ali Dehghantanha, Kim-Kwang Raymond Choo
The pervasive nature of cloud-enabled big data storage solutions introduces new challenges in the identification, collection, analysis, preservation and archiving of digital evidence. Investigation of such complex platforms to locate and recover traces of criminal activities is a time-consuming process. Hence, cyber forensics researchers are moving towards streamlining the investigation process by locating and documenting residual artefacts (evidence) of forensic value from users' activities on cloud-enabled big data platforms, in order to reduce the investigation time and resources involved in a real-world investigation. In this paper, we seek to determine the data remnants of forensic value from the Syncany private cloud storage service, a popular storage engine for big data platforms. We demonstrate the types and the locations of the artefacts that can be forensically recovered. Findings from this research contribute to an in-depth understanding of cloud-enabled big data storage forensics, which can result in reduced time and resources spent in real-world investigations involving Syncany-based cloud platforms.
[CR] Jul 27, 2018
Ensemble-based Multi-Filter Feature Selection Method for DDoS Detection in Cloud Computing
Opeyemi Osanaiye, Kim-Kwang Raymond Choo, Ali Dehghantanha et al.
Increasing interest in the adoption of cloud computing has exposed it to cyber-attacks. One such attack is the distributed denial of service (DDoS) attack, which targets cloud bandwidth, services and resources to make them unavailable to both the cloud providers and users. Due to the magnitude of traffic that needs to be processed, data mining and machine learning classification algorithms have been proposed to distinguish normal packets from anomalies. Feature selection has also been identified as a pre-processing phase in cloud DDoS attack defence that can potentially increase classification accuracy and reduce computational complexity by identifying important features from the original dataset during supervised learning. In this work, we propose an ensemble-based multi-filter feature selection method that combines the output of four filter methods to achieve an optimum selection. An extensive experimental evaluation of our proposed method was performed using the NSL-KDD intrusion detection benchmark dataset and a decision tree classifier. The result obtained shows that our proposed method effectively reduced the number of features from 41 to 13 and has a high detection rate and classification accuracy when compared to other classification techniques.
[CR] Jul 27, 2018
Leveraging Support Vector Machine for Opcode Density Based Detection of Crypto-Ransomware
James Baldwin, Ali Dehghantanha
Ransomware is a significant global threat, with easy deployment due to the prevalent ransomware-as-a-service model. Machine learning algorithms incorporating the use of opcode characteristics and Support Vector Machines have been demonstrated to be a successful method for general malware detection. This research focuses on crypto-ransomware and uses static analysis of malicious and benign Portable Executable files to extract 443 opcodes across all samples, representing them as density histograms within the dataset. Using the SMO classifier and PUK kernel in the WEKA machine learning toolset, it demonstrates that this methodology can achieve 100% precision when differentiating between ransomware and goodware, and 96.5% when differentiating between 5 crypto-ransomware families and goodware. Moreover, 8 different attribute selection methods are evaluated to achieve significant feature reduction. Using the CorrelationAttributeEval method, close to 100% precision can be maintained with a feature reduction of 59.5%. The CFSSubset filter achieves the highest feature reduction of 97.7%, albeit with a slightly lower precision of 94.2%.
[CR] Jul 27, 2018
Leveraging Machine Learning Techniques for Windows Ransomware Network Traffic Detection
Omar M. K. Alhawi, James Baldwin, Ali Dehghantanha
Ransomware has become a significant global threat with the ransomware-as-a-service model enabling easy availability and deployment, and the potential for high revenues creating a viable criminal business model. Individuals, private companies or public service providers e.g. healthcare or utilities companies can all become victims of ransomware attacks and consequently suffer severe disruption and financial loss. Although machine learning algorithms are already being used to detect ransomware, variants are being developed to specifically evade detection when using dynamic machine learning techniques. In this paper, we introduce NetConverse, a machine learning analysis of Windows ransomware network traffic to achieve a high, consistent detection rate. Using a dataset created from conversation-based network traffic features we achieved a true positive detection rate of 97.1% using the Decision Tree (J48) classifier.
[CR] Jul 27, 2018
Internet of Things Security and Forensics: Challenges and Opportunities
Mauro Conti, Ali Dehghantanha, Katrin Franke et al.
The Internet of Things (IoT) envisions pervasive, connected, and smart nodes interacting autonomously while offering all sorts of services. The wide distribution, openness and relatively high processing power of IoT objects have made them an ideal target for cyber attacks. Moreover, as many IoT nodes are collecting and processing private information, they are becoming a goldmine of data for malicious actors. Therefore, security, and specifically the ability to detect compromised nodes, together with collecting and preserving evidence of an attack or malicious activities, emerges as a priority in the successful deployment of IoT networks. In this paper, we first introduce the existing major security and forensics challenges within the IoT domain and then briefly discuss the papers published in this special issue targeting the identified challenges.
CRJul 27, 2018
Emerging from The Cloud: A Bibliometric Analysis of Cloud Forensics Studies
James Baldwin, Omar M. K. Alhawi, Simone Shaughnessy et al.
The emergence of cloud computing technologies has changed the way we store, retrieve, and archive our data. With the promise of unlimited, reliable and always-available storage, a lot of private and confidential data are now stored on different cloud platforms. Being such a gold mine of data, cloud platforms are among the most valuable targets for attackers. Therefore, many forensics investigators have tried to develop tools, tactics and procedures to collect, preserve, analyse and report evidence of attackers' activities on different cloud platforms. Despite the number of published articles, there is no bibliometric study that presents cloud forensics research trends. This paper aims to address this problem by providing a comprehensive assessment of cloud forensics research trends between 2009 and 2016. Moreover, we provide a classification of the cloud forensics process to detect the most profound research areas and highlight remaining challenges.
CRJul 27, 2018
A Model for Android and iOS Applications Risk Calculation: CVSS Analysis and Enhancement Using Case-Control Studies
Milda Petraityte, Ali Dehghantanha, Gregory Epiphaniou
Various researchers have shown that the Common Vulnerability Scoring System (CVSS) has many drawbacks and may not provide a precise view of the risks related to software vulnerabilities. However, many threat intelligence platforms and industry-wide standards rely on the CVSS score to evaluate cybersecurity compliance. This paper suggests several improvements to the calculation of the Impact and Exploitability sub-scores within the CVSS, to improve its accuracy and help threat intelligence analysts focus on the key risks associated with their assets. We apply our suggested improvements to the risks associated with several Android and iOS applications and discuss the achieved improvements and advantages of our modelling, such as the importance and the impact of time on the overall CVSS score calculation.
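To see which quantities the abstract's proposed improvements act on, it helps to have the standard CVSS v2 equations in one place. The following is an added example written for this page, not code from the paper, and it implements the published CVSS v2 base and temporal formulas as specified by FIRST/NIST (Impact and Exploitability sub-scores, the base equation, and the temporal multipliers for Exploitability, Remediation Level and Report Confidence), not the paper's enhanced model. The `temporal_timeline` helper and the four life-cycle stages passed to it are an assumption added here to illustrate the "impact of time" the abstract refers to: the same base score drifts as a proof of concept appears and a fix is released.

```python
"""CVSS v2 base and temporal scoring, reproduced from the published v2 equations.

Added example for this page; it implements the standard v2 formulas, not the
paper's modified sub-scores.  The timeline helper and its stages are assumed.
"""
import math

# Standard CVSS v2 metric weights (base metrics).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}          # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}           # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}          # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}         # Confidentiality / Integrity / Availability impact

# Standard CVSS v2 temporal multipliers.
E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}        # Exploitability
RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}      # Remediation Level
RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}                 # Report Confidence


def round1(x):
    """CVSS 'round to one decimal' (half up), avoiding banker's rounding."""
    return math.floor(x * 10 + 0.5) / 10


def parse_vector(vec):
    """'AV:N/AC:L/Au:N/C:P/I:P/A:P' -> {'AV': 'N', 'AC': 'L', ...}"""
    return dict(part.split(":") for part in vec.split("/"))


def impact_subscore(m):
    """Impact = 10.41 * (1 - (1 - C) * (1 - I) * (1 - A))"""
    return 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))


def exploitability_subscore(m):
    """Exploitability = 20 * AV * AC * Au"""
    return 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]


def base_score(vec):
    """Base = round1(((0.6 * Impact) + (0.4 * Exploitability) - 1.5) * f(Impact))"""
    m = parse_vector(vec)
    imp = impact_subscore(m)
    expl = exploitability_subscore(m)
    f = 0 if imp == 0 else 1.176   # f(Impact) zeroes the score when nothing is affected
    return round1((0.6 * imp + 0.4 * expl - 1.5) * f)


def temporal_score(base, e="ND", rl="ND", rc="ND"):
    """Temporal = round1(Base * E * RL * RC); the base score is already rounded."""
    return round1(base * E[e] * RL[rl] * RC[rc])


def temporal_timeline(base, stages):
    """Temporal score at successive (E, RL, RC) points in a vulnerability's life (assumed helper)."""
    return [temporal_score(base, *stage) for stage in stages]


if __name__ == "__main__":
    vec = "AV:N/AC:L/Au:N/C:P/I:P/A:P"
    b = base_score(vec)
    print(vec, "base", b)
    stages = [("U", "U", "UC"), ("POC", "U", "UR"), ("F", "TF", "C"), ("H", "OF", "C")]
    print("over time:", temporal_timeline(b, stages))
```

Two things stand out once the formulas are explicit. The Impact sub-score saturates quickly (all three metrics at Complete already gives 10.0), which is one of the weaknesses the abstract alludes to, and the temporal multipliers can only ever lower the base score, so "time" in standard CVSS v2 is modelled purely as remediation and exploit maturity rather than as exposure that grows while an asset stays unpatched.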
CRJul 26, 2018
CloudMe Forensics: A Case of Big-Data Investigation
Yee-Yang Teing, Ali Dehghantanha, Kim-Kwang Raymond Choo
The increasing volume, variety and velocity of data has been an area of concern in cloud forensics. The high volume of data will, at some point, become computationally exhaustive to fully extract and analyse in a timely manner. To cut down the size of an investigation, it is important for a digital forensic practitioner to possess well-rounded knowledge of the most relevant data artefacts from the cloud product under investigation. In this paper, we examine the residual artefacts from the use of the CloudMe cloud storage service. We demonstrate the types and locations of artefacts relating to installation, uninstallation, log-in, log-off, and file synchronisation activities on the desktop and mobile clients. Findings from this research will pave the way towards the development of data mining methods for cloud-enabled big data endpoint forensics investigation.
CRJul 26, 2018
Cloud Storage Forensic: hubiC as a Case-Study
Ben Blakeley, Chris Cooney, Ali Dehghantanha et al.
In today's society, where we live in a world of constant connectivity, many people are turning to cloud services to store their files so that they can access them wherever they are. By using cloud services, users can access files anywhere with an internet connection. However, while cloud storage is convenient, it also presents security risks. From a forensics perspective, the increasing popularity of cloud storage platforms makes investigation of their misuse much more difficult, especially since mobile devices as well as computers are able to use these services. This paper presents an investigation of hubiC, one of the popular cloud platforms, running on Microsoft Windows 8.1. Remaining artefacts pertaining to different uses of hubiC, namely upload, download, installation and uninstallation on Microsoft Windows 8.1, are presented.
CRSep 15, 2017
Forensics Analysis of Android Mobile VoIP Apps
Tooska Dargahi, Ali Dehghantanha, Mauro Conti
Voice over Internet Protocol (VoIP) applications (apps) provide convenient and low cost means for users to communicate and share information with each other in real-time. Day by day, the popularity of such apps is increasing, and people produce and share a huge amount of data, including their personal and sensitive information. This might lead to several privacy issues, such as revealing user contacts, private messages or personal photos. Therefore, having an up-to-date forensic understanding of these apps is necessary. This chapter presents an analysis of forensically valuable remnants of three popular Mobile VoIP (mVoIP) apps on the Google Play store, namely Viber, Skype, and WhatsApp Messenger, in order to figure out to what extent these apps reveal forensically valuable information about users' activities. We performed a thorough investigative study of these three mVoIP apps on smartphone devices. Our experimental results show that several artefacts, such as messages, contact details, phone numbers, images, and video files, are recoverable from a smartphone device on which these mVoIP apps are installed.
CRSep 15, 2017
Performance of Android Forensics Data Recovery Tools
Bernard Chukwuemeka Ogazi-Onyemaechi, Ali Dehghantanha, Kim-Kwang Raymond Choo
Recovering deleted or hidden data is among the most important duties of forensics investigators. The extensive use of smartphones as subjects, objects or tools of crime has made them an important part of residual forensics. This chapter investigates the effectiveness of mobile forensic data recovery tools in recovering evidence from a Samsung Galaxy S2 i9100 Android phone. We seek to determine the amount of data that could be recovered using the Phone Image Carver, AccessData FTK, Foremost, DiskDigger, and Recover My Files forensic tools. The findings reflect the difference between the recovery capacities of the studied tools, showing that each is suitable only in its specialised context.
CRSep 13, 2017
Investigating Storage as a Service Cloud Platform: pCloud as a Case Study
Tooska Dargahi, Ali Dehghantanha, Mauro Conti
Due to the flexibility, affordability and portability of cloud storage, individuals and companies now regard the cloud as one of their preferred storage media. This attracts the attention of cyber criminals, since much valuable information, such as user credentials and private customer records, is stored in the cloud. There are many ways for criminals to compromise cloud services, ranging from non-technical attack methods, such as social engineering, to deploying advanced malware. Therefore, it is vital for cyber forensics examiners to be equipped and informed about the best methods for investigating different cloud platforms. In this chapter, using pCloud (an extensively used online cloud storage service) as a case study, we elaborate on the different kinds of artefacts retrievable during a forensics examination. We carried out our experiments on four different virtual machines running four popular operating systems: 64-bit Windows 8, Ubuntu 14.04.1 LTS, Android 4.4.2, and iOS 8.1. Moreover, we examined the cloud remnants of two different web browsers, Internet Explorer and Google Chrome, on Windows. We believe that our study will promote awareness among digital forensic examiners of how to conduct a cloud storage forensics examination.
CRJul 15, 2017
Forensic Investigation of P2P Cloud Storage: BitTorrent Sync as a Case Study
Teing Yee Yang, Ali Dehghantanha, Kim-Kwang Raymond Choo et al.
Cloud computing has been regarded as the technology enabler for the Internet of Things (IoT). To ensure the most effective collection of IoT-based evidence, it is vital for forensic practitioners to possess a contemporary understanding of the artefacts from different cloud services. In this paper, we seek to determine the data remnants from the use of BitTorrent Sync version 2.0. Findings from our research, using mobile and computer devices running Windows 8.1, Mac OS X Mavericks 10.9.5, Ubuntu 14.04.1 LTS, iOS 7.1.2, and Android KitKat 4.4.4, suggest that artefacts relating to installation, uninstallation, log-in, log-off, and file synchronisation can be recovered, which are potential sources of evidence in IoT forensics. We also present a forensically sound investigation methodology for BitTorrent Sync.
CRJul 15, 2017
Exploit Kits: The production line of the Cybercrime Economy
Michael Hopkins, Ali Dehghantanha
The annual cost of cybercrime to the global economy is estimated to be around 400 billion dollars, and Exploit Kits have been providing the enabling technology behind much of it. This paper reviews the recent developments in Exploit Kit capability and how these are being applied in practice. In doing so it paves the way for a better understanding of the exploit kit economy that may help in combatting them, and considers industry preparedness to respond.
CRJun 25, 2017
Forensic Investigation of Social Media and Instant Messaging Services in Firefox OS: Facebook, Twitter, Google+, Telegram, OpenWapp and Line as Case Studies
Mohd Najwadi Yusoff, Ali Dehghantanha, Ramlan Mahmod
Mobile devices are increasingly utilized to access social media and instant messaging services, which allow users to communicate with others easily and quickly. However, the misuse of social media and instant messaging services has facilitated cybercrimes such as cyber stalking, cyber bullying, slander spreading and sexual harassment. Therefore, mobile devices are an important piece of evidence in digital investigation. In this chapter, we report the results of our investigation and analysis of social media and instant messaging services in Firefox OS. We examined three social media services (Facebook, Twitter and Google+) as well as three instant messaging services (Telegram, OpenWapp and Line). Our analysis may pave the way for future forensic investigators to trace and examine residual remnants of forensic value in Firefox OS.
CRJun 25, 2017
Network Traffic Forensics on Firefox Mobile OS: Facebook, Twitter and Telegram as Case Studies
Mohd Najwadi Yusoff, Ali Dehghantanha, Ramlan Mahmod
The development of mobile web-centric operating systems such as Firefox OS has created new challenges and opportunities for digital investigators. Network traffic forensics plays an important role in cybercrime investigation to identify the subject(s) and object(s) of a crime. In this chapter, we detect and analyze residual network traffic artefacts of Firefox OS in relation to two popular social networking applications (Facebook and Twitter) and one instant messaging application (Telegram). We utilized a Firefox OS simulator to generate relevant traffic while all communication data were captured using network monitoring tools. Captured network packets were examined and remnants of forensic value were reported. This chapter, as the first focused study on mobile Firefox OS network traffic analysis, should pave the way for future research in this direction.
CRJun 25, 2017
Mobile Phone Forensics: An Investigative Framework based on User Impulsivity and Secure Collaboration Errors
Milda Petraityte, Ali Dehghantanha, Gregory Epiphaniou
This paper uses a scenario-based role-play experiment built around the use of QR codes to observe how mobile users respond to social engineering attacks conducted via mobile devices. The results of this experiment outline a guided mobile phone forensics investigation method that could facilitate the work of digital forensics investigators when analysing data from mobile devices. The behavioural response of users could be affected by several factors, such as impulsivity, smartphone usage and security habits, or simply awareness that QR codes could carry malware. The findings indicate that user impulsivity is one of the key factors determining the common mistakes of mobile device users. As a result, an investigative framework for mobile phone forensics is proposed based on the impulsivity and common mistakes of mobile device users. It could help forensics investigators by potentially shortening the time spent investigating possible breach scenarios.
CRJun 25, 2017
Investigating America Online Instant Messaging Application: Data Remnants on Windows 8.1 Client Machine
Teing Yee Yang, Ali Dehghantanha, Kim-Kwang Raymond Choo et al.
Instant messaging applications (apps) are one potential source of evidence in a criminal investigation or a civil litigation. To ensure the most effective collection of evidence, it is vital for forensic practitioners to possess up-to-date knowledge of artefacts of forensic interest from various instant messaging apps. Hence, in this chapter, we study America Online Instant Messenger (version 7.14.5.8) with the aim of contributing to an in-depth understanding of the types of terrestrial artefacts that are likely to remain after the use of instant messaging services and apps on Windows 8.1 devices. Potential artefacts identified during the research include data relating to installation or uninstallation, log-in and log-off information, contact lists, conversations, and transferred files.
CRJun 25, 2017
An Android Cloud Storage Apps Forensic Taxonomy
M. Amine Chelihi, Akintunde Elutilo, Imran Ahmed et al.
Mobile phones have played a very significant role in our daily activities for the last decade. With the increased need for these devices, people are now more reliant on their smartphone applications for their daily tasks, and many prefer to save their mobile data on a cloud platform to access it anywhere on any device. Cloud technology is the new way to better data storage, as it offers better security, more flexibility, and mobility. Many smartphones have been investigated as subjects, objects or tools of crime. Many of these investigations include analysing data stored through cloud storage apps, which contributes to the importance of cloud app forensics on mobile devices. In this paper, various Android cloud applications are analysed using the forensics tool XRY and a forensics taxonomy for the investigation of these apps is suggested. The proposed taxonomy reflects residual artefacts retrievable from 31 different cloud applications. It is expected that the proposed taxonomy and the forensic findings in this paper will assist future forensic investigations involving cloud-based storage applications.
CRJun 25, 2017
Honeypots for employee information security awareness and education training: A conceptual EASY training model
Lek Christopher, Kim-Kwang Raymond Choo, Ali Dehghantanha
The increasing pervasiveness of internet-connected systems means that such systems will continue to be exploited for criminal purposes by cybercriminals (including malicious insiders such as employees and vendors). The importance of protecting corporate systems and intellectual property, and the escalating complexity of the online environment, underscore the need for ongoing information security awareness and education training and the promotion of a culture of security among employees. Two honeypots were deployed at a private university based in Singapore. Findings from the analysis of the honeypot data are presented in this paper. This paper then examines how analysis of honeypot data can be used in employee information security awareness and education training. Adapting the Routine Activity Theory, a criminology theory widely used in the study of cybercrime, this paper proposes a conceptual Engaging Stakeholders, Acceptable Behavior, Simple Teaching method, Yardstick (EASY) training model, and explains how the model can be used to design employee information security awareness and education training. Future research directions are also outlined in this paper.
CRJun 25, 2017
Cloud Storage Forensics: Analysis of Data Remnants on SpiderOak, JustCloud, and pCloud
SeyedHossein Mohtasebi, Ali Dehghantanha, Kim-Kwang Raymond Choo
The benefits of Storage as a Service (STaaS) cloud platforms, such as access to data anywhere, anytime, on a wide range of devices, have made them very popular among businesses and individuals. As such, forensics investigators increasingly face cases that involve the investigation of STaaS platforms. Therefore, it is essential for cyber investigators to know how to collect, preserve, and analyse evidence from these platforms. In this paper, we describe the investigation of three STaaS platforms, namely SpiderOak, JustCloud, and pCloud, on Windows 8.1 and iOS 8.1.1 devices. Moreover, possible changes to the metadata of uploaded and downloaded files on these platforms are tracked and their forensic value is investigated.
CRMar 17, 2016
Windows Instant Messaging App Forensics: Facebook and Skype as Case Studies
Teing Yee Yang, Ali Dehghantanha, Kim-Kwang Raymond Choo et al.
Instant messaging (IM) has changed the way people communicate with each other. However, the interactive and instant nature of these applications (apps) has made them an attractive choice for malicious cyber activities such as phishing. The forensic examination of IM apps on modern Windows 8.1 (or later) has been largely unexplored, as the platform is relatively new. In this paper, we seek to determine the data remnants from the use of two popular Windows Store instant messaging applications, namely Facebook and Skype, on a Windows 8.1 client machine. This research contributes to an in-depth understanding of the types of terrestrial artefacts that are likely to remain after the use of instant messaging services and applications on a contemporary Windows operating system. Potential artefacts detected during the research include data relating to the installation or uninstallation of the instant messaging applications, log-in and log-off information, contact lists, conversations, and transferred files.