As cyberattacks are rising, Moving Target Defense (MTD) can be a countermeasure to proactively protect a networked system against cyberattacks. Although MTD systems demonstrate security effectiveness against the reconnaissance phase of the Cyber Kill Chain (CKC), a time-based MTD has a limitation when it comes to protecting a system against the next phases of the CKC. In this work, we propose a novel hybrid MTD technique, its implementation and evaluation. Our hybrid MTD system is designed on a real SDN testbed and uses an intrusion detection system (IDS) to provide an additional MTD triggering condition. This in itself presents an extra layer of system protection. Our hybrid MTD technique can enhance security in the response to multi-phased cyberattacks. The use of reactive MTD triggering from intrusion detection alerts shows that it is effective in thwarting the further phases of detected cyberattacks. We also investigate the performance degradation due to more frequent MTD triggers. This work contributes to (1) proposing an ML-based rule classification model for predicting identified attacks which helps a decision-making process for security enhancement; (2) developing a hybrid-based MTD integrated with a Network Intrusion Detection System (NIDS) with the consideration of performance and security; and (3) assessment of the performance degradation and security effectiveness against potential real attacks (i.e., scanning, dictionary, and SQL injection attacks) in a physical testbed.
Authored by Minjune Kim, Jin-Hee Cho, Hyuk Lim, Terrence Moore, Frederica Nelson, Ryan Ko, Dan Kim
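The abstract above describes a hybrid trigger: a periodic timer plus a reactive trigger fired by IDS alerts. The following is an added illustration of that control logic and is not the authors' testbed code. It models the shuffled resource as a virtual address per host; the host names, address pool, shuffle interval, alert shape (`{"src": ..., "sig": ...}`) and the signature names that count as reactive triggers are all assumptions.

```python
"""Hybrid (time-based + IDS-triggered) address-shuffling MTD controller.

Added illustration, not the paper's implementation.  Host names, the address
pool, the interval and the alert format are assumptions.
"""
import random
from dataclasses import dataclass, field


@dataclass
class HybridMTD:
    hosts: list                       # protected hosts behind the SDN controller
    pool: list                        # virtual addresses the controller may hand out
    interval: float                   # time-based trigger period in seconds
    seed: int = 0
    # IDS signatures that fire a reactive shuffle (assumed names, matching the
    # attack classes the abstract lists: scanning, dictionary, SQL injection)
    reactive_signatures: frozenset = frozenset({"scan", "dictionary", "sqli"})
    mapping: dict = field(default_factory=dict)
    last_shuffle: float = 0.0
    shuffles: int = 0
    log: list = field(default_factory=list)

    def __post_init__(self):
        # Need room to give every host a brand-new address on each shuffle.
        assert len(self.pool) >= 2 * len(self.hosts), "address pool too small"
        self._rng = random.Random(self.seed)
        self.mapping = dict(zip(self.hosts, self.pool))

    def shuffle(self, now, reason):
        """Assign every host a fresh address, never reusing any currently
        assigned one, so an attacker's recon results are fully invalidated."""
        taken = set(self.mapping.values())
        new = {}
        for h in self.hosts:
            candidates = [a for a in self.pool
                          if a not in taken and a not in new.values()]
            new[h] = self._rng.choice(candidates)
        self.mapping = new
        self.last_shuffle = now
        self.shuffles += 1
        self.log.append((now, reason))

    def tick(self, now, alerts=()):
        """One scheduler step.  A matching IDS alert shuffles immediately
        (reactive path); otherwise the timer decides (proactive path)."""
        hit = [a for a in alerts if a.get("sig") in self.reactive_signatures]
        if hit:
            self.shuffle(now, f"ids:{hit[0]['sig']}")
        elif now - self.last_shuffle >= self.interval:
            self.shuffle(now, "timer")


def simulate(alerts_by_time, horizon=100, step=1, interval=30):
    """Run the controller over `horizon` seconds.  `alerts_by_time` maps a
    tick time to the list of IDS alerts seen at that tick (constructed input)."""
    mtd = HybridMTD(["web", "db", "app"],
                    [f"10.0.0.{i}" for i in range(2, 18)], interval)
    for t in range(step, horizon + 1, step):
        mtd.tick(t, alerts_by_time.get(t, ()))
    return mtd


if __name__ == "__main__":
    quiet = simulate({})
    noisy = simulate({5: [{"src": "192.0.2.9", "sig": "scan"}]})
    print("timer only :", quiet.log)
    print("with alert :", noisy.log)   # extra shuffle at t=5, timer phase shifts
```

The shuffle count in the log is the cost side of the trade-off the abstract mentions: every reactive trigger adds a reconfiguration (and the connection disruption that comes with it) on top of the periodic ones, which is why the alert set that is allowed to trigger should be kept narrow.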
Network Reconnaissance - Through communication reconnaissance, the code stream of mobile communication cell users is obtained, and the code stream of a single user is separated from the mixed code stream, which is vital for the behavior analysis and intelligent management of mobile terminals. In this process, the Cell Radio Network Temporary Identifier (C-RNTI) is a specific sign of the user terminal, and is also the key to identifying and separating different users' code streams. However, there are few related studies on C-RNTI and acquisition of the code stream. To overcome the problem, a combined method of comprehensive searching of the 4th Generation Mobile Communication Technology (4G) Physical Downlink Control Channel (PDCCH) and interception of the 5th Generation Mobile Communication Technology (5G) Physical Random Access Channel (PRACH) is proposed, to obtain the user's C-RNTI effectively. According to the corresponding downlink control information (DCI), the Physical Downlink Shared Channel (PDSCH) is correctly demodulated, descrambled and decoded to obtain the code stream within it. Finally, the communication reconnaissance receiver is used to carry out a real reconnaissance experiment on an actual 4G/5G mobile communication system. The results, i.e. the obtained C-RNTI and code stream, verify the correctness and efficiency of the proposed method. It lays an important technical foundation for the accurate identification and management of mobile communication user terminals.
Authored by Junhao Chen, Rong Shi, Ke Deng
Network Reconnaissance - With an increasing number of data thefts courtesy of new and complex attack mechanisms being used every day, declaring the internet unsafe would be the understatement of the century. For current security experts the scenario is equivalent to an endless cat-and-mouse game across a constantly changing landscape. Hence relying on firewalls and anti-virus software is like trying to fight a modern, well-equipped army using sticks and stones. All that an attacker needs to successfully breach our system is the right social networking or the right malware, used with a packing or encoding technique that our tools won't detect. Therefore it is the need of the hour to shift our focus beyond edge defense, which largely involves validating the tools, and move towards identification of a breach followed by an appropriate response. This is achieved by implementing an ethereal network, which is an end-to-end host and network approach that can actually scale as well as provide true breach detection. The objective is not just blocking; it is significant time reduction. When mundane methods involving firewalls and antiviruses fail, we need to determine what happened and respond. Industry reports use the terms weeks, months, and even years for the time to respond, which is not good enough. Our goal is to bring it down to hours. We are talking about dramatic time reduction to improve our response, hence an effective breach detection approach is mandatory. A MHN (Modern Honey Network) with a honeypot system has been used to make management and deployment easier and to secure the honeypots. We have used various honeypots such as Glastopf, Dionaea and Kippo. The dubious activity will be recorded and the attack details detected in the MHN server. The final part of our research is reconnaissance. Since it can be awfully complicated, we simplify the process by having our main focus on reconnaissance. Because if malware or an insider threat breaks into something, they don't know what they now have access to. This makes them feel the need to do reconnaissance. So, focusing on that behaviour provides us a simple way to determine that we have some unusual activity - whether it is an IoT device that has been compromised or whatever it may be that has breached our network. Finally we deploy MHN, deploy Dionaea, Kippo and Snort honeypots, and Splunk integration for analyzing the captured attacks, which reveals the service port under attack and the source IP address of the attacker.
Authored by Sourav Mishra, Vijay Chaurasiya
Network Reconnaissance - Multi-UAV cooperative reconnaissance for target search, localization, and tracking has attracted much attention in both civil and military applications, where strategies need to be designed for UAVs to finish the reconnaissance task cooperatively and in a time-optimal manner. Different from the state of the art of recent research, where all the UAVs involved are equipped with homogeneous payloads, this work exploits payload diversity to enhance the time efficiency of the cooperation and proposes a fast multi-UAV cooperative reconnaissance (FMUCR) method. FMUCR groups UAVs in pairs. In each pair, one UAV is equipped with a passive positioning radar, referred to as p-UAV, while the other is equipped with an active positioning radar, referred to as a-UAV. FMUCR exploits the large detection range and rough target location detection of passive radar to enable fast search and directional tracking of a target, and the precise target position calculation of active radar to enable accurate tracking of a target. Specifically, the task area is partitioned into subareas according to the number of UAV pairs. Each UAV pair conducts target search, localization, and tracking in one subarea, where the p-UAV leads searching and preliminary tracking of targets, while accurate tracking of targets is taken over by the a-UAV. Algorithms for off-line path planning and on-line path planning are designed, respectively, for target search and target tracking. The comparative simulation demonstrates that FMUCR can greatly shorten the target discovery time with little loss in target tracking accuracy.
Authored by Yinghong Ma, Xunan Li, Yi Jiao, Lin Guo, Suping Ren, Qi Zhang
Network Reconnaissance - Web applications are frequent targets of attack due to their widespread use and round-the-clock availability. Malicious users can exploit vulnerabilities in web applications to steal sensitive information, modify and destroy data, as well as deface web applications. The process of exploiting web applications is a multi-step process, and the first step in an attack is reconnaissance, in which the attacker tries to gather information about the target web application. In this step, the attacker uses highly efficient automated scanning tools to scan web applications. Following reconnaissance, the attacker proceeds to vulnerability scanning and subsequently attempts to exploit the vulnerabilities discovered to compromise the web application. Detection of reconnaissance scans by malicious users can be combined with other traditional intrusion detection and prevention systems to improve the security of web applications. In this paper, a method for detecting reconnaissance scans through analysis of web server access logs is proposed. The proposed approach uses an LSTM network based deep learning approach for detecting reconnaissance scans. Experiments conducted show that the proposed approach achieves a mean precision, recall and f1-score of 0.99 over three data sets and precision, recall and f1-score of 0.97, 0.96 and 0.96 over the combined dataset.
Authored by Bronjon Gogoi, Rahul Deka, Suchitra Pyarelal
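The abstract above detects reconnaissance scans from web server access logs. The following added example, which is not the paper's LSTM model or code, shows the front half of such a pipeline: parsing Apache combined-format log lines and aggregating per-source features of the kind a sequence model would be trained on (error ratio, distinct paths, probe-path hits, scanner User-Agent). A transparent rule-based scorer stands in for the classifier. The log lines, the probe-path list, the User-Agent substrings, the weights and the thresholds are constructed assumptions.

```python
"""Reconnaissance-scan features from web access logs, with a rule-based scorer.

Added example, not the paper's LSTM.  Log lines, probe paths, UA substrings,
weights and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Paths that legitimate users of this (assumed) application never request but
# automated scanners probe for.  Matched as prefixes.
PROBE_PATHS = ("/.env", "/.git/", "/wp-login.php", "/phpmyadmin",
               "/admin/", "/xmlrpc.php", "/config.php")
# Substrings of User-Agents that common scanners send by default.
SCANNER_UA = ("nikto", "sqlmap", "nmap", "dirbuster", "gobuster", "masscan", "zgrab")
MIN_REQ = 3   # sources with fewer requests are not scored (one stray 404 is not a scan)

# Constructed sample log: one browsing user, one favicon 404, one Nikto-style scan.
SAMPLE_LOG = """\
198.51.100.4 - - [10/Mar/2024:13:55:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"
198.51.100.4 - - [10/Mar/2024:13:55:02 +0000] "GET /static/app.js HTTP/1.1" 200 21010 "http://app.example/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"
198.51.100.4 - - [10/Mar/2024:13:55:09 +0000] "GET /about HTTP/1.1" 200 3311 "http://app.example/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"
198.51.100.4 - - [10/Mar/2024:13:56:30 +0000] "POST /contact HTTP/1.1" 302 0 "http://app.example/about" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"
203.0.113.20 - - [10/Mar/2024:13:57:00 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Macintosh) Safari/605.1"
203.0.113.7 - - [10/Mar/2024:14:02:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.00 (Nikto/2.1.6)"
203.0.113.7 - - [10/Mar/2024:14:02:11 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6)"
203.0.113.7 - - [10/Mar/2024:14:02:12 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6)"
203.0.113.7 - - [10/Mar/2024:14:02:12 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6)"
203.0.113.7 - - [10/Mar/2024:14:02:13 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6)"
203.0.113.7 - - [10/Mar/2024:14:02:13 +0000] "GET /admin/login HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6)"
"""


def parse(lines):
    """Yield one dict per well-formed combined-format line; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def features(lines):
    """Aggregate per-source-IP features over the parsed records."""
    agg = defaultdict(lambda: {"req": 0, "err": 0, "paths": set(),
                               "probes": 0, "ua_hit": False})
    for r in parse(lines):
        f = agg[r["ip"]]
        f["req"] += 1
        if r["status"].startswith(("4", "5")):
            f["err"] += 1
        f["paths"].add(r["path"])
        if r["path"].startswith(PROBE_PATHS):
            f["probes"] += 1
        if any(s in r["ua"].lower() for s in SCANNER_UA):
            f["ua_hit"] = True
    return agg


def score(f):
    """Scanner likelihood in [0, 1] from one source's features (hand-set weights)."""
    if f["req"] < MIN_REQ and not f["ua_hit"]:
        return 0.0
    err_ratio = f["err"] / f["req"]
    probe_ratio = f["probes"] / f["req"]
    s = 0.5 * err_ratio + 0.4 * probe_ratio + (0.3 if f["ua_hit"] else 0.0)
    return min(1.0, s)


def flag_scanners(lines, threshold=0.5):
    """Source IPs whose score reaches the threshold, sorted for stable output."""
    return sorted(ip for ip, f in features(lines).items() if score(f) >= threshold)


if __name__ == "__main__":
    for ip, f in features(SAMPLE_LOG.splitlines()).items():
        print(ip, f["req"], "reqs", f["probes"], "probes", round(score(f), 2))
    print("flagged:", flag_scanners(SAMPLE_LOG.splitlines()))
```

Scanners that randomise their User-Agent and pace requests below the error-ratio radar are exactly the case a learned model over request sequences is meant to catch; the rule-based scorer here only fixes what the features look like, and its weights would be replaced by a trained classifier.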
Network Reconnaissance - Reconnaissance (Recon) is an essential step in exploring a target to gather information, and it also plays a crucial role in penetration testing. This paper aims to automate the reconnaissance process of bug hunting on a target using Python programming. Information gathering is an essential step for any recon process, and it helps us to identify the targets as well as to list out the areas where the user can work to exploit them. The main emphasis of this paper is on bug bounty and bug hunting – the former being the result/reward of performing the latter. This paper is purposely written for penetration testers to make it easy for them and automate the process of information gathering, which is the very crucial phase of penetration testing.
Authored by Keshav Kaushik, Suman Yadav, Vikas Chauhan, Aditya Rana
Network Reconnaissance - Footprinting and Reconnaissance is a vital part of every process that has existed on earth. The report introduces footprinting and reconnaissance, the types of footprinting and reconnaissance methods, their impacts, and ways to prevent the risks, to raise awareness of possible threats from footprinting and reconnaissance. A comparison has been made between the different types of footprinting and reconnaissance, and the scenarios in which each should be used are discussed as well. Examples of different types of footprinting and reconnaissance methods and tools have been listed for a better understanding of the differences between types. Real-life scenarios and examples are provided to show the impacts of footprinting and reconnaissance. The report contains demonstrations of two simple passive reconnaissance tools, theHarvester and the Wayback Machine. Discussion and analysis of how the tools could be used to gain precious information from their targets, and the possible impacts of information gained through the tools, are provided. Possible solutions to protect users from footprinting and reconnaissance have been provided and discussed. Critical analysis of the report and the topic by the author is made at the end of the conclusion. The conclusion of what the author has come to think about footprinting and reconnaissance, and the information gained through researching the topic, is given at the end.
Authored by Kek Lianq, Vinesha Selvarajah
Network Reconnaissance - For the evaluation of UAV reconnaissance effectiveness under multiple conditions, a UAV reconnaissance effectiveness evaluation method based on rough set theory and neural networks is proposed. In the method, the influencing factors are determined to construct the UAV reconnaissance effectiveness index system, then the redundant factors are removed using rough set theory, and finally, on the basis of the simplified factors, a BP neural network optimized through a genetic algorithm is used to build an evaluation model of UAV reconnaissance effectiveness for improving the prediction accuracy. The simulation result shows that the method can not only overcome the shortcomings of the traditional BP neural network, such as poor fault tolerance and slow convergence speed, but also better evaluate the UAV reconnaissance effectiveness.
Authored by Wang Minghua, Zhang Yingzhuo, Zhang Longgang, Gan Xusheng
Network Reconnaissance - Network reconnaissance is a core security functionality, which can be used to detect hidden unauthorized devices or to identify missing devices. Currently, there is a lack of network reconnaissance tools capable of discovering Internet of Things (IoT) devices across multiple protocols. To bridge this gap, we introduce IoT-Scan, an extensible IoT network reconnaissance tool. IoT-Scan is based on software-defined radio (SDR) technology, which allows for a flexible implementation of radio protocols. We propose passive, active, multi-channel, and multi-protocol scanning algorithms to speed up the discovery of devices with IoT-Scan. We implement the scanning algorithms and compare their performance with four popular IoT protocols: Zigbee, Bluetooth LE, Z-Wave, and LoRa. Through experiments with dozens of IoT devices, we demonstrate that our implementation experiences minimal packet losses, and achieves performance near a theoretical benchmark.
Authored by Stefan Gvozdenovic, Johannes Becker, John Mikulskis, David Starobinski
Network Reconnaissance - Short-wave band signal density, a complex electromagnetic environment and relatively limited detection equipment often lead to low detection efficiency. Aiming at this situation, a scheduling method for short-wave detection equipment based on a Hopfield neural network is proposed to carry out cooperative detection of short-wave signals. In this paper, the definition of effective detection probability is given, the constraints of effective detection are sorted out, and the mathematical model of detection equipment scheduling is designed, which is realized by a Hopfield neural network. This method uses global optimization to schedule multiple detection sensors, so that different detection sensors can cooperate reasonably and maximize the overall benefit of the detection system. Simulation results show the feasibility and effectiveness of the proposed method.
Authored by Hang Zhang, Yang Liu, Fei Wen
Network Reconnaissance - In the battlefield reconnaissance and monitoring environment, the application of Wireless Sensor Networks (WSN) requires high timeliness and reliability of data transmission. To meet the battlefield demand, a transmission protocol is designed in this paper. This protocol combines network coding technology to fully exploit node collaboration in the transmission process and the broadcast characteristics of the channel. The data is transmitted in real time and reliably through the aggregation node to the command and control center, providing a real-time updated database for the battlefield commander. Through theoretical and simulation analysis, this protocol can meet the requirements of the battlefield reconnaissance and monitoring environment, and the system can still maintain good network performance under the low transmission probability conditions of the battlefield environment.
Authored by Gang Qi, Wei Xia, Ronggen Zhao, Jiangbo Zhao
Many organizations process and store classified data within their computer networks. Owing to the value of the data that they hold, such organizations are more likely to be targeted by adversaries. Accordingly, sensitive organizations resort to an 'air-gap' approach on their networks to ensure better protection. However, despite the physical and logical isolation, attackers have successfully manifested their capabilities by compromising such networks; Stuxnet and Agent.btz are examples in view. Such attacks were possible due to the successful manipulation of human beings. It has been observed that, to build up such attacks, persistent reconnaissance of the employees and collection of their data often forms the first step. With the rapid integration of social media into our daily lives, the prospects for data-seekers through that platform are higher. The inherent risks and vulnerabilities of social networking sites/apps have cultivated a rich environment for foreign adversaries to cherry-pick personal information and carry out successful profiling of employees assigned to sensitive appointments. With further targeted social engineering techniques against the identified employees and their families, attackers extract more and more relevant data to build an intelligence picture. Finally, all the information is fused to design further sophisticated attacks against the air-gapped facility for data pilferage. In this regard, the success of the adversaries in harvesting the personal information of the victims largely depends upon the common errors committed by legitimate users while on duty, in transit, and after their retreat. Such errors will keep on repeating unless they are aligned with the underlying human behaviors and weaknesses, and the requisite mitigation framework is worked out.
Authored by Rizwan Shaikh, Muhammad Khan, Imran Rashid, Haidar Abbas, Farrukh Naeem, Muhammad Siddiqi
Conpot is a low-interaction SCADA honeypot system that mimics a Siemens S7-200 proprietary device in default deployments. Honeypots operating with standard configurations can be easily detected by adversaries using scanning tools such as Shodan. This study focuses on the capabilities of the Conpot honeypot, and how these competences can be used to lure attackers. In addition, the presented research establishes a framework that enables customized configuration, thereby enhancing its functionality to achieve a high degree of deceptiveness and realism when presented to the Shodan scanners. A comparison between the default and configured deployments is further conducted to prove the modified deployments' effectiveness. The resulting annotations can assist cybersecurity personnel to better acknowledge the effectiveness of the honeypot's artifacts and how they can be used deceptively. Lastly, it informs and educates cybersecurity audiences on how important it is to deploy honeypots with advanced deceptive configurations to bait cybercriminals.
Authored by Warren Cabral, Leslie Sikos, Craig Valli
Military operations in low communications infrastructure scenarios employ flexible solutions to optimize the data processing cycle using situational awareness systems, guaranteeing interoperability and assisting in all processes of decision-making. This paper presents an architecture for the integration of Command, Control, Computing, Communication, Intelligence, Surveillance and Reconnaissance Systems (C4ISR), developed within the scope of the Brazilian Ministry of Defense, in the context of operations with Unmanned Aerial Vehicles (UAV) - swarm drones - and the Internet-to-the-battlefield (IoBT) concept. This solution comprises the following intelligent subsystems embedded in UAVs: STFANET, an SDN-Based Topology Management for Flying Ad Hoc Networks focusing on drone swarm operations, developed by the University of Rio Grande do Sul; Interoperability of Command and Control (INTERC2), an intelligent communication middleware developed by the Brazilian Navy; a Mission-Oriented Sensors Array (MOSA), which provides the automation of data acquisition, data fusion, and data sharing, developed by the Brazilian Army; the In-Flight Awareness Augmentation System (IFA2S), which was developed to increase the navigation safety of Unmanned Aerial Vehicles (UAV), developed by the Brazilian Air Force; data mining techniques to optimize the MOSA with data patterns; and an adaptive-collaborative system, composed of a Software Defined Radio (SDR) to solve the identification of electromagnetic signals and a Geographical Information System (GIS) to organize the information processed. This research proposes, as its main contribution in this conceptual phase, an application that describes the premises for increasing the capacity for sensing threats in low-structured zones, such as the Amazon rainforest, using existing communications solutions of Brazilian defense monitoring systems.
Authored by Nina Figueira, Pablo Pochmann, Abel Oliveira, Edison de Freitas
Exploring efficient vulnerability scanning and detection technology across various tools is one fundamental aim of network security. This network security technique ameliorates the tremendous number of IoT security challenges and the threats they face daily. Among the various tools, Shodan Eye scanning technology has proven to be very helpful for network administrators and security personnel to scan, detect and analyze vulnerable ports and traffic in organizations' networks. This work presents a simulated network scanning activity and manual vulnerability analysis of internet-connected industrial equipment of two chosen industrial networks (Industry A and B) by running Shodan on a virtually hosted (Oracle VirtualBox) Linux-based operating system (Kali Linux). The result shows that Shodan Eye is a promising tool for network security and efficient vulnerability research.
Authored by Ebuka Nkoro, Cosmas Nwakanma, Jae-Min Lee, Dong-Seong Kim
The ever-evolving capabilities of cyber attackers force security administrators to focus on the early identification of emerging threats. Targeted cyber attacks usually consist of several phases, from initial reconnaissance of the network environment to final impact on objectives. This paper investigates the identification of multi-step cyber threat scenarios using kill chains and attack graphs. Kill chains and attack graphs are threat modeling concepts that enable determining weak points in security defenses. We propose a novel kill chain attack graph that merges kill chains and attack graphs together. This approach determines possible chains of attacker's actions and their materialization within the protected network. The graph generation uses a categorization of threats according to violated security properties. The graph allows determining the kill chain phase the administrator should focus on and applicable countermeasures to mitigate possible cyber threats. We implemented the proposed approach for a predefined range of cyber threats, especially vulnerability exploitation and network threats. The approach was validated on a real-world use case. A publicly available implementation contains a proof-of-concept kill chain attack graph generator.
Authored by Lukáš Sadlek, Pavel Čeleda, Daniel Tovarňák
Most of the recent high-profile attacks targeting cyber-physical systems (CPS) started with lengthy reconnaissance periods that enabled attackers to gain an in-depth understanding of the victim's environment. To simulate these stealthy attacks, several covert channel tools have been published and proven effective in their ability to blend into existing CPS communication streams, with the capability for data exfiltration and command injection. In this paper, we report a novel machine learning feature engineering and data processing pipeline for the detection of covert channel attacks on CPS systems with real-time detection throughput. The system also operates at the network layer without requiring physical system domain-specific state modeling, such as voltage levels in a power generation system. We not only demonstrate the effectiveness of using TCP payload entropy as engineered features and the technique of grouping information into network flows, but also pitch the proposed detector against scenarios employing advanced evasion tactics, and still achieve above 99% detection performance.
Authored by Hongwei Li, Danai Chasaki
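The abstract above names two ingredients: TCP payload entropy as a feature and grouping packets into network flows. The following added example, which is not the authors' pipeline or code, shows the feature side of that idea: Shannon entropy per payload, aggregated per bidirectional 5-tuple flow, with a plain threshold standing in for the trained detector. The sample traffic (a Modbus/TCP-style poll and response beside a high-entropy covert payload on a second connection to the same port), the flow key and the 4.0 bits/byte threshold are constructed assumptions.

```python
"""Per-flow TCP payload entropy features for covert-channel detection on CPS traffic.

Added example, not the paper's detector.  Packets, the flow key and the
entropy threshold are constructed assumptions.
"""
import math
from collections import Counter, defaultdict
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def shannon_entropy(data: bytes) -> float:
    """Entropy of the byte distribution in bits per byte (0.0 for an empty payload).
    Upper bound is log2(len(data)) for short payloads, 8.0 for long random ones."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def flow_key(p: Packet):
    """Bidirectional 5-tuple key: both directions of a TCP connection map to one flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def flow_features(packets):
    """Aggregate per-flow counters and entropy statistics.  Packets with no
    payload (pure ACKs, handshake segments) contribute no entropy sample."""
    acc = defaultdict(lambda: {"pkts": 0, "bytes": 0, "ent": []})
    for p in packets:
        if not p.payload:
            continue
        f = acc[flow_key(p)]
        f["pkts"] += 1
        f["bytes"] += len(p.payload)
        f["ent"].append(shannon_entropy(p.payload))
    return {k: {"pkts": f["pkts"], "bytes": f["bytes"],
                "mean_entropy": sum(f["ent"]) / len(f["ent"]),
                "max_entropy": max(f["ent"])}
            for k, f in acc.items()}


def flag_flows(packets, threshold=4.0):
    """Flows whose mean payload entropy exceeds `threshold` bits/byte.  Plaintext
    ICS polls such as Modbus/TCP sit well below 3 bits; compressed or encrypted
    covert payloads approach the log2(len) ceiling."""
    return sorted(k for k, f in flow_features(packets).items()
                  if f["mean_entropy"] > threshold)


# Constructed traffic.  Legit: HMI polls 10 holding registers from a PLC on tcp/502
# and gets a 20-byte register block back.  Covert: a second connection to the same
# service carries 64 distinct byte values per segment (entropy exactly 6.0 bits).
MODBUS_POLL = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"
MODBUS_RESP = b"\x00\x01\x00\x00\x00\x17\x01\x03\x14" + b"\x00\x00" * 10
COVERT_A = bytes((i * 37 + 11) % 256 for i in range(64))
COVERT_B = bytes((i * 53 + 7) % 256 for i in range(64))

HMI, PLC = "10.10.0.5", "10.10.0.20"
SAMPLE_PACKETS = [
    Packet(HMI, 50230, PLC, 502, b""),            # handshake segment, no payload
    Packet(HMI, 50230, PLC, 502, MODBUS_POLL),
    Packet(PLC, 502, HMI, 50230, MODBUS_RESP),
    Packet(HMI, 50230, PLC, 502, MODBUS_POLL),
    Packet(PLC, 502, HMI, 50230, MODBUS_RESP),
    Packet(HMI, 50231, PLC, 502, COVERT_A),
    Packet(HMI, 50231, PLC, 502, COVERT_B),
]

if __name__ == "__main__":
    for k, f in flow_features(SAMPLE_PACKETS).items():
        print(k, f["pkts"], "pkts", round(f["mean_entropy"], 2), "bits/byte")
    print("flagged:", flag_flows(SAMPLE_PACKETS))
```

The evasion the abstract mentions is visible in this construction: an attacker who pads or encodes exfiltrated data to mimic the byte distribution of register values drives per-packet entropy down, which is why the paper keeps entropy as one engineered feature among several per flow rather than a standalone detector, and why the threshold here is a placeholder for a trained model.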