SFS Master's Paper Abstracts

Students admitted to the AZSecure SFS Fellowship Program in 2016 and before were required to produce a Master's Paper. Students admitted in 2017 and later are required to produce a Master's Thesis.

  • Afarin, Cyrus, “Does Shodan Keep Up With The Times?” 2017. Dr. Mark Patton.
    • Through security visualizations, Shodan data can be utilized to understand SCADA and ICS devices for any given IP range. The relationship between ports and IP addresses can be displayed in a manner to obtain valuable information and to understand Shodan as a tool. An analysis of Shodan data will be performed over a specified period for a specific region. These efforts are framed to accurately identify SCADA/ICS devices for said region and understand Shodan’s consistency over the evaluated time frame.
  • Barreras, Calvin, “Automating the Identification of Internet Resources for Healthcare Organizations using Shodan,” 2017. Dr. Mark Patton.
  • Chinn, Ryan, “Botnet Detection: Honeypots and the Internet of Things,” 2015. Dr. Hsinchun Chen.
    • With the growing trend of Internet-enabled devices and the emergence of the Internet of Things (IoT), cybercrimes such as those carried out by botnets become a major issue. Previous research has attempted to estimate botnet population size, locate command and control servers, and utilize network security scanners. However, little work has been done that studies the characteristics of compromised devices belonging to botnets. In this research, we use data from several passive detection techniques including honeypots, VirusTotal, and Shodan to gain insights into these devices.
  • Dolan, Stephen, “Image-Based Password Usability Study,” 2016. Dr. Jesse Bockstedt and Dr. Matthew Hashim.
    • Online authentication methods have long been considered insecure and vulnerable to theft and attack. Previous research has identified password creation habits, semantics in passwords, and the effects of password creation policies on user behavior. Additionally, studies have measured password strength using cracking algorithms and developed adaptive password-strength models. However, little work has been done to identify a method of online user authentication that differs from traditionally accepted passwords. In this research, we develop a new way to create a password, using images instead of ASCII characters. We also gather data from multiple password creation interfaces to analyze the usability of image-based passwords.
  • El, Malaka, “Benchmarking Vulnerability Scanners: An Experiment on SCADA Devices and Scientific Instruments,” 2017. Dr. Hsinchun Chen.
    • Cybersecurity is a critical concern in society today. One common avenue of attack for malicious hackers is exploiting vulnerable websites. It is estimated that there are over one million websites that are attacked daily. Two emerging targets of such attacks are Supervisory Control and Data Acquisition (SCADA) devices and scientific instruments. Vulnerability assessment tools can provide owners of these devices with the knowledge on how to protect their infrastructure. However, owners face difficulties in identifying which tools are ideal for their assessments. This research aims to benchmark two state-of-the-art vulnerability assessment tools, Nessus and Burp Suite (Burp), in the context of SCADA devices and scientific instruments. We specifically focus on identifying the accuracy, scalability, and vulnerability results of the scans. Results of our study indicate that both tools together can provide a comprehensive assessment of the vulnerabilities in SCADA devices and scientific instruments.
  • Ercolani, Vincent, “A Survey of Shodan Data,” 2017. Dr. Mark Patton.
  • Forbis, Samantha, “Integration of ZMap with Shodan for Comprehensive Internet of Things Research,” 2015. Dr. Hsinchun Chen.
    • The perpetuation of devices that populate the Internet of Things (IoT) continues to increase at a furious pace. The state of the security of these devices has not followed suit. This situation is continuously overlooked by manufacturers, to whom the bottom line is most important, and by consumers, to whom convenience and device features are most important. The dual neglect has led to an increasingly dubious state of insecurity amongst all types of Internet-facing devices. From consumer devices to industrial control devices, security and convenience continue to clash. Tools have emerged to locate these highly visible Internet-facing devices and highlight the depth to which the security problem goes. Academic research aims to identify these vulnerable devices to aid in the mitigation and remediation of this issue.
  • Grisham, John, “Identifying Mobile Malware and Key Threat Actors in Online Hacker Forums for Proactive Cyber Threat Intelligence,” 2017. Dr. Hsinchun Chen.
    • Cyber-attacks are constantly increasing and can prove difficult to mitigate, even with proper cybersecurity controls. Currently, cyber threat intelligence (CTI) efforts focus on internal threat feeds such as antivirus and system logs. While this approach is valuable, it is reactive in nature as it relies on activity which has already occurred. CTI experts have argued that an actionable CTI program should also provide external, open information relevant to the organization. By finding information about malicious hackers prior to an attack, organizations can provide enhanced CTI and better protect their infrastructure. Hacker forums can provide a rich data source in this regard. This research aims to proactively identify mobile malware and associated key authors. Specifically, it uses a state-of-the-art neural network architecture, recurrent neural networks, to identify mobile malware attachments, followed by social network analysis techniques to determine the key hackers disseminating the mobile malware. Results of this study indicate that many identified attachments are zipped Android apps made by threat actors holding administrative positions in hacker forums. The identified mobile malware attachments are consistent with some of the emerging mobile malware concerns as highlighted by industry leaders.
  • Gross, Eric, “Critical Infrastructure Security: Locating and Securing SCADA Devices on the Internet of Things,” 2015. Dr. Hsinchun Chen.
    • Placing devices on the Internet of Things (IoT) has become commonplace, where everything from refrigerators to solar panels can be connected to increase the usability and accessibility of different devices. When devices are connected to the Internet of Things they become easily locatable using search tools such as Shodan, an online database of visible internet devices, which may create a potential security concern. Because these devices can control critical infrastructure, such as with Supervisory Control and Data Acquisition (SCADA) devices, these should be located and tested for potential vulnerabilities in an automated fashion. Ensuring the confidentiality, integrity, and availability of these devices can be done through the use of Shodan and custom made vulnerability assessment tools.
  • Ireson, Ashley, “A Typology Based on Self-Identity & Explanatory Factors of Cybercriminal Behavior,” 2017. Dr. Sue Brown and Dr. Jesse Bockstedt.
    • Cybercrime is a top national security threat, higher than terrorism, espionage, and weapons of mass destruction (Mickelberg 2014), but more research is necessary to further understand and define it. This study developed a theoretical model and survey instrument in an attempt to close some of the gaps in knowledge by discovering types of skilled technologists based on self-identity. Additional factors, attributes known to be correlated with cybercriminal propensity, were included to further differentiate these types. We expected to find groupings of individuals that have been described in previous literature, but with our innovative approach, the discovery of new types of technologists was possible. Following a clustering analysis, our respondents were grouped into four different types. We preliminarily named and defined each group: heroes, eccentrics, hacking professionals, and conservatives. A multinomial logistic regression was performed to provide additional explanatory factors for each type. Future research is suggested.
  • Jicha, Arthur, “SCADA Honeypots – An In-depth Analysis of Conpot,” 2016. Dr. Hsinchun Chen.
    • SCADA honeypots are key tools in determining not only threats which pertain to SCADA devices in the wild, but also as an early detection mechanism of potential malicious tampering within a SCADA device network. An analysis of one such SCADA honeypot, Conpot, will be conducted to determine its viability as an effective SCADA emulating device. A long-term analysis is conducted and a simple scoring mechanism is leveraged to evaluate Conpot.
  • Jicha, Ryan, “Identifying Devices Across the IPv4 Address Space,” 2016. Dr. Mark Patton.
    • Many devices today are internet-enabled. This results in more threat vectors in the IPv4 space. In order to determine the scale of vulnerabilities being introduced to the internet, a new methodology of scanning must be implemented to allow the entire internet to be scanned for types of devices. Currently, network scans can be connection-oriented, where the connections to ports are tracked, or connectionless, where packets are sent as fast as possible while a separate process listens for server responses. Connection-oriented scanners result in more accurate scanning while connectionless scanners are magnitudes faster. At the University of Arizona, SCADA devices have been identified based on their banners by using Shodan. Shodan is an online search engine of monthly scan results that are conducted by the site's owner, John Matherly. Not every port is scanned by Shodan; therefore there is a lack of information for identifying all device types based on their port information. In the past, security tools have been combined to improve the accuracy of service scanning, but there are no mentions of combining tools to improve the speed of scans across the entire IPv4 range. The goal of this research was to create a framework to allow scanning of the entire IPv4 range based on port profiles for device types. This was done by using a connectionless scanner to determine if ports relating to a port profile were open. The results from the framework were an improvement of speed from several hours to just three minutes for scanning a device and completing a detailed service scan. After testing the framework on a controlled network, several SCADA devices were found and confirmed to be SCADA using the framework.
  • Kaufer, Ian, “Human Exploits in Cybersecurity: A Social Engineering Study,” 2016. Dr. Jesse Bockstedt and Dr. Matthew Hashim.
    • Social engineering is an information security threat that continues to plague organizations today. As much as organizations can invest in technical security products and services to protect their networks, the human element in security is weak. Social engineers are malicious attackers who exploit the vulnerabilities in human behavior to gain access or retrieve information. In the realm of information security research, there is quite a lot of research on technical security products and services. However, there have been no direct, field experiments to test the factors that make social engineering more or less successful in a physical, non-technical environment. The purpose of this report is to discuss the details going into our social engineering experiment, the Institutional Review Board (IRB) process, literature review, experiment and design, hypotheses, analysis, motivation, and discussion for why we conducted this research.
  • McDermott, Brendan, “Factors Enabling Fraud: A Study of Social Engineering and Identity Theft,” 2016. Dr. Mark Patton.
    • In this paper we investigate a number of factors that make people vulnerable to social engineering and identity theft in particular. We do this by conducting a behavioral field experiment on the campus of the University of Arizona in Tucson, Arizona. Between May and December 2015, a group of eight confederates engaged over 600 potential subjects and collected a wealth of personally identifiable information.
  • Rohrmann, Rodney, “Large Scale Anonymous Port Scanning,” 2017. Dr. Mark Patton.
    • As computers become faster and more efficient, the ability to port scan large portions of the IPv4 range increases. Organizations such as the University of Michigan and Shodan have both created tools and open sourced their scan results, allowing researchers to use scan data to map and understand the IPv4 range. Though such sources exist, there are benefits of running scans internally to collect data. When sourcing port scans internally, there is a risk of the source scanning a target that may retaliate maliciously. The practice of openly scanning ports, and allowing sites which are scanned to request an opt-out of future scans, is not always effective. Some individuals and organizations will attempt to retaliate through malicious activities if they detect a scan. To combat these retaliatory actions, I have developed a methodology to run port scans through Tor, which anonymizes the scans and mitigates the risk of retaliation. When scanning new portions of the IPv4 range, anonymous port scanning has been successfully achieved and is currently in use. The goal of this research project was to identify a combination of anonymization methods and port scanning tools that successfully hide the source’s IP address while providing an accurate port scan of the target. Further efforts were placed on the scalability and accuracy of such scanning methods when used on a large portion of the IPv4 range. The research proved to be successful and I now have a tool that can be used to scan any port/IP combination in the IPv4 range while remaining anonymous. As scalability was a concern of the project, significant efforts were put into decreasing throughput time. This was achieved and I reduced the scan time of the test bed from an average of 10 hours down to an average of 5 minutes.
  • Walker, Leon, “Continuous IT System Auditing,” 2015. Dr. Mark Patton.
    • Continuous auditing systems are designed to provide real-time assurance on the quality and credibility of information. The adoption of continuous auditing systems is typically driven by regulation, industry, and cost. Continuous auditing systems help by reducing the amount of field work involved and reducing the number of repetitive tasks an auditor needs to perform. Even though industry is being driven toward continuous auditing systems, not all systems are integrated within the organization at the same level. Continuous systems offer many benefits and can increase security, decrease inefficiencies, and reduce errors. However, the returns from the benefits seem to be tied to the amount of planning and re-engineering an organization is willing to commit to. This survey paper covers the multiple dimensions of continuous auditing systems while filling in weaknesses in previous works, concluding with a discussion on the viability of automating controls.