This PDF file contains the front matter associated with SPIE Proceedings Volume 11011 including the Title Page, Copyright information, Table of Contents, Introduction, and Conference Committee listing.
With an increase in demand for cybersecurity professionals, more effective cybersecurity training methods are needed to consistently build student proficiency to the level required by industry. Traditional computer science education methods do not adequately prepare students for the challenges, tools and work environments they face in the cybersecurity industry.
A hands-on cyber range education method developed in 2018 addresses the need for a blended system design to support gamified education and training programs. The implemented method, entitled Gamification, Education, and System Engineering Design (GESED), requires an extensible integrated cyber range.
In the second class offering using the cyber range, host-based intrusion detection systems and network monitors are being added into the cyber range and curriculum. Offering students the ability to use these systems and monitors hands-on offers an additional distinct learning advantage over conventional education methods. The research, presented in this paper, shows an increase in knowledge retention across multiple learning domains for the course when using the cyber range approach versus conventional methods. Course exam outcomes indicate that students are more likely to pass industry certification exams after training with our cyber range versus conventional methods. The learning outcomes from the implementation of network monitors and host-based intrusion detection systems into the cyber range environment will also be discussed. The GESED method was implemented using extensible design principles that were designed to allow enrollment growth. The paper will report on the efficacy of using the system for a class offering with double the original run’s student enrollment.
Combatting the intentional injection of misinformation is an ongoing battle at the forefront of modern social media. Misinformation can be difficult for even human reviewers to detect and the costs of and time delay associated with human review are prohibitive. To help combat the problem, an algorithm to classify the accuracy of content could be integrated directly into social media platforms if it achieved a threshold accuracy to be trusted by the general public. This paper proposes a hierarchy of trained and pre-trained neural networks for the classification of news articles as fake or real. Since datasets available for fake news are limited, training a network solely with the fundamental data would be challenging. In the solution presented, the lead net relies on a hierarchy of pre-trained subnets to assemble a set of high-level features to use as inputs in classification. The advantage lies in that the subnets can be trained on other datasets for which more information is available. For example, a subnet may be able to recognize equivocation and flag its occurrence in an article. The lead net can then account for equivocation in its final fake or real classification. Some of the high-level inputs are generated with methods other than neural networks. The lead net also accounts for general information associated with the articles such as average word length, number of nouns, number of semicolons, date and more. The technique of using externally trained subnets fed into a lead net could be extended to other domains.
Presenting, in near real time, a common operating picture (COP) for cyber-hybrid operations (operations that combine cyberspace and real world actors) is a significant problem. Part of this problem is a data association issue that arises from the challenges associated with accurately correlating data related to cyber-physical and purely electronic activities and presenting them in a format that can be easily and quickly understood. While models exist for real world activities, similar models do not exist for correlating them with cyber actors and actions, making this a particularly difficult data organization problem. In particular, there is a notable lack of a unifying cyber-physical conflict model that describes how actors, actions, and artifacts interact to produce cyber-effects. This paper presents a maritime cyber model to address the multi-domain battle (MDB) data organization problem. The model extends Corbitt’s maritime conflict model into the cyberspace and information warfare domains. Corbitt’s original model considered how commerce and information flowed across the primary medium of his day, the sea, and the impact of certain maritime activities on both civilian life and military readiness and activities. The model presented in this paper describes and organizes cyber actors, actions, conflicts, and effects into a simplified framework. Mixed-methods research approaches are used to inductively construct the maritime cyber model using data from recent cyber-physical events. The maritime cyber model also clarifies MDB challenge understanding. We close the paper with examples of how the maritime cyber model can be used to address traditional COP MDB system design challenges.
The popularity of public cloud services continues to grow, with Gartner predicting the total worldwide revenue to almost double from $145 billion in 2017 to $278 billion in 2021 [1]. Many cloud service types are components of this growth, including Software-as-a-Service (SAAS), Platform-as-a-Service (PAAS) and Infrastructure-as-a-Service (IAAS). The use of cloud services brings many possible benefits such as scalability, high performance and availability, flexibility, cost effectiveness and security [2]. However, each of these benefits comes with some responsibilities and requires a detailed knowledge of the specific cloud services used. For example, in the Amazon Web Services (AWS) shared responsibility model for security, AWS is responsible for securing the facilities, physical security of hardware, network infrastructure, and the virtualization infrastructure. The cloud service customer is responsible for securing and managing the applications that run in the cloud, the operating systems, data-at-rest, data-in-transit, policies and other responsibilities. This paper works through several different use cases and provides the details for properly securing the services with which Army Research Laboratory (ARL) researchers interact. The use cases include sample configurations and descriptions required to fulfill the customer security responsibilities in a public cloud environment. Cloud services used include AWS Elastic Compute Cloud (EC2) Windows and Linux instances, Relational Database Services (RDS), Simple Cloud Storage Service (S3), Glacier S3 Storage, and DynamoDB. Challenges and approaches associated with delegating temporary security credentials, Identity and Access Management (IAM) service, and securing data-at-rest and data-in-transit will also be discussed.
The use of involuntary analog side-channel emissions to remotely identify the internal state of digital platforms has recently emerged as a valuable tool in the arsenal of defensive measures against intrusion and malicious attacks, as well as hardware modifications. In particular RF emissions have been shown to be effective in this task. One of the key challenges is identifying and selecting useful features from the noisy signals which simultaneously enable the detection of the internal digital state reliably while minimizing the complexity of this operation. Our team has developed such sensors and we show the ability to optimally select features as well as optimally select bands of operation from which features can be drawn. Optimality here is in the sense of maximizing the mutual information between the features and the true state of the devices under test. In addition to being optimal in the sense of performance and low complexity for the real-time operation, the process of finding the optimal features is parsimonious and amenable to deployment in adaptive real-time sensors. In these proceedings we describe specific examples related to the detection of intended vs unintended programs on IoT devices and FPGAs as well as identification of other internal device settings. We show near-perfect identification of such internal states, achieved in real-time at distances of several feet in challenging environments.
Side-channel analysis covers several methods for determining the state of a device without directly interacting with the device. In previous work, we collected near-field radio frequency emanations from simple programs to assess how various code operations could be differentiated at the instruction level. However, detecting operations in large blocks of instructions in more complicated programs has proven difficult due to the high dimensionality of the data. In this research, we examine methods to differentiate common operations using RF emanations. We use a series of example codes useful for Two Factor Authentication on an Arduino Mega. Some examples are coded with extra operations to simulate malware such as intentionally leaking the key, nuisance operations, or substituting a weaker hash function. After collecting RF data, approximation techniques are used to reduce the data dimensionality and identify motifs in the time series. The motifs are correlated with the operations taking place by use of a uniquely identifiable triggering mechanism. Several exemplary motifs are then used together as templates that can be used to search for a connected series of operations. These templates are compared with an RF time series of unknown operations using a minimum distance metric. We evaluate the quality of templates available from an RF data collection and examine the usefulness of templates as features for classification.
Among various parameters, large scene object detection and classification accuracy depends on image quality. In general, deep neural networks (DNN) are trained to achieve a desired recognition accuracy on a set of targets. However, DNNs become tuned to the training data used and may not generalize to new unseen data artifacts. Classification accuracy of a previously trained DNN is significantly reduced when classification is run on an image altered with additive noise. In this research, we propose image pre-processing to reduce the impact of noise-induced low classification accuracy. Our approach consists of applying compressive-sensing-inspired pre-processing techniques to noisy images. We then compare the object recognition accuracy of a pretrained model on pre-processed noisy images and unprocessed noisy images. We will present our technical method, results, and analysis on relevant synthetic aperture radar data.
Today fabricated information is easily distributed throughout social media platforms and the internet, allowing embellished information to effortlessly slip through, misinform and manipulate the public to an attacker's erroneous execution. Falsified information, also known as "fake news," has been around for many centuries, but today it presents a unique challenge because it can affect voting patterns, political careers, new business product roll-outs, and countless other information consumption processes. This paper proposes a method that uses machine learning and Bayes' theorem to identify “Fake News” stories. We use Bayesian estimators to calculate the conditional probability that a story is fake given the presence of feature predictors inside a news story. We present a concise summary of the qualitative methods used to study Fake News stories followed by the Computational Social Science and Machine Learning methods used to train and tune a classifier to detect Fake News. We expose some of the main linguistic trends identified in social media platforms associated with Fake News. We close the paper proposing a larger integrated system that can be used to identify and autonomously archive falsified content.
Side-channel analysis (SCA) provides an independent, non-invasive remote monitoring solution to determine the digital state of a programmable electronic device. In our work, we have conducted near-field SCA on various devices to determine how well different programs running on devices can be differentiated. We have tested devices ranging from the relatively simple Arduino Uno to the much more complex Samsung Galaxy S8. The antennas used for radio frequency (RF) collection have also varied from the self-contained ~500MHz Riscure probe to a 40mm Triarchy Loop antenna with attached amplifier. Our study implemented various collection techniques; however, all of them relied on the constraint of a trigger signal. The trigger signal was needed to initiate the data collection process and to act as a reference for sequencing the various blocks within a code execution. However, a trigger signal is not always available or even feasible to obtain from a device for remote monitoring applications. This work investigates potential methods for triggerless detection and alignment of digital code blocks on measured analog RF data. Methods for performing the detection range from boosting codes that generate easily aligned RF pulses, to correlation methods for signal alignment. The varying quality of RF data generated between the devices and the amount of noise embedded in the signals from the measurement schemes negatively impact triggerless collection. We estimate our probability of success at aligning signals to exceed 90% for the devices tested.
The low-cost, flexible nature of Internet-of-Things (IoT) hardware has resulted in widespread usage in a variety of applications from smart-home systems to industrial process-regulation controllers. As the number of network-connected IoT devices has proliferated, they have become increasingly likely to be the target of widespread cyber-attacks. Since these devices are often low-resource, embedded or bare metal systems, conventional profiling techniques used by Personal Computers (PCs) and workstations have become highly impractical means for security. As a result, an IoT device could provide intruders with an unprotected backdoor into a network. Effectively protecting IoT hardware requires that alternative security protocols be developed and utilized to protect the IoT and the networks they are integrated with. One potential way of improving the security of IoT devices is by monitoring their side-channel emissions to observe device behavior. As these devices operate, they will produce multi-spectral phenomena, or side-channel emissions, that correlate with program execution. By combining spectral analysis techniques with powerful machine learning algorithms, side-channel emissions can be utilized to bolster IoT device security and deny an intruder access to the network. This paper will review current state-of-the-art techniques used to monitor and classify the behavior of IoT devices. The paper will conclude by discussing several real-world applications presented in literature that have been shown to benefit from these techniques.
Monitoring computer system activities on the instruction level provides more resilience to malware attacks because these attacks can be analyzed better by observing the changes on the instruction level. Assuming the source code is available, many training signals can be collected to track the instruction sequence to detect whether a malware is injected or the system works properly. However, training signals have to be collected with high sampling rate to ensure that the significant features of these signals do not vanish. Since the clock frequencies of the current computer systems are extremely high, we need to have a commercial device with high sampling rate, i.e. 10GHz, which either costs remarkably high, or does not exist. To eliminate the deficiencies regarding the insufficient sampling rate, we propose a method to increase the sampling rate with the moderate commercial devices for training symbols. In that respect, we first generate some random instruction sequences which exist in the inspected source code. Then, these sequences are executed in a for-loop, and emanated electromagnetic (EM) signals from the processor are collected by a commercially available device with moderate sampling rate, i.e. sampling rate is much smaller than the clock frequency. Lastly, we apply a mapping of the gathered samples by utilizing modulo of their timings with respect to execution time of overall instruction sequence. As the final step, we provide some experimental results to illustrate that we successfully track the instruction sequence by applying the proposed approach.
Sensor level data fusion allows us to produce more consistent and accurate tracking information from available imagery and cyber data. This paper discusses the approaches we have taken to implement sensor fusion of Electro-Optical and Infrared airborne imagery. Before any sensor fusion is done, the data is processed to generate object detections and a tracking algorithm is utilized to track objects of interest. Possible detections include vehicles, dismounts, noise, clutter, and unidentified objects. One of the main reasons for sensor fusion of EO and IR imagery is the opportunity to use complementary information from different sensors, especially when detections are incorrect or missed by the tracking algorithm. EO/IR imagery sensor fusion will allow us to generate new detection locations for skipped targets and “align” detections in instances where registration fails. In this paper real data is analyzed and sensor fusion is performed for two scenarios: when both the EO and IR detections are present, or when one of the two is missed by the tracking algorithm.