NTNU Cyber Security Research &

Testimon Digital Forensics Group


2017 Interpol Cyber Research Seminar
15.09.2017 NISLab Seminar

Carl Stuart Leichter, PhD


carl.leichter@ntnu.no
Overview

● Motivation for Research


● NTNU Cyber Science
● Testimon Digital Forensics Group Research
● Topic Modelling Research for DFI and CTIS

2
Cyber Related Productivity vs Cybercrime Losses

10 % increase in digitisation: 6.000.000.000 S$/year (0.75% GDP)
vs
Losses due to cybercrime: 5.000.000.000 S$/year (0.64% GDP)

Sources: 2014 World Economic Forum; The Norwegian Security Council's Darkness Survey

3
NTNU Department of Information Security &
Communication Technology
• 80 Full Time Employees (Gjøvik & Trondheim)

4
NTNU Department of Information Security &
Communication Technology
• Testimon Digital Forensics Group
• Norwegian Biometrics Laboratory (NBL)
• Norwegian Information Security Laboratory (NISlab)
• NTNU Applied Cryptography Laboratory (NaCl)
• NTNU Quantitative Modelling of Dependability and Performance (QAUM) Laboratory
• NTNU Intelligent Transportation Systems (ITS) Laboratory
• Centre for Cyber and Information Security (CCIS)

5
Critical Infrastructure Security & Resilience
Risk Assessment

● Cyber security in
○ the oil and gas domain
○ The maritime industry, including autonomous ships
○ Internet of things

● Modeling of critical infrastructures, interdependencies, attacks, and vulnerabilities
○ CyFor
○ Cyber-Range

6
Critical Infrastructure Security and
Resilience Projects at NTNU

○ Safeguarding Home IoT Environments

○ Internet of Energy

○ Secure Micro-Grids

○ Intrusion Detection in Process Control Networks

○ Training on cyber security on energy process control

○ ISO Security and Attack Models

7
New NTNU PhD Research (2017)
● Navigation System Security in Unmanned Autonomous Marine
Vessels
● Security of the Cyber Enabled Ship
● Understanding Resilience of Software-Defined Industrial Control
Networks
● Cybersecurity, Safety and Resilience of Smart Cities
● Post Quantum Cryptography
● Blockchain Analytics and Transactions Tracking
● Chatroom Security
● Gamification of Information Security Education and Training
● Modelling and Analyzing Attack-Defence Scenarios for Cyber
Ranges
● Information Security Economics

8
CCIS: Bridges Built Between.....
CCIS: Centre for Cyber and Information Security

InfoSEC Management
Cyber Defence
Cyber Security of Critical Infrastructure
e-Health, Wellbeing
COINS Research School of Information Security
Norwegian Biometrics Laboratory
NTNU Digital Forensics Group

9
NTNU Testimon Digital Forensics Group
Forensic Reliability in Machine Learning,
Pattern Recognition & Artificial Intelligence

○ High-performance, fault-tolerant search through terabytes of data

○ Context-aware outlier and abnormality detection

○ Data-driven feature selection and algorithm design

○ Large-scale multinomial statistical analysis and classification

○ Behavioural malware analysis

○ Generation of human-understandable / verbatim processing / decision results, e.g. for judges

10
NTNU Digital Forensics Group
Joint Research Projects
○ ARS Forensica - Computational Forensics for Large-Scale Fraud Detection, Crime Investigation and Prevention

○ Hansken (NFI) - Digital Forensics as a Service for Norway POD

○ Essential - Evolving Security Science through Networked Technologies, Information Policy and Law

11
ArsForensica Research Project:

‘Gather and analyse massive amounts of data in a forensically sound manner’

Digital Evidence Analysis and Linkages
 Digital Forensics, Network Analysis, etc

Cyber Threat Intelligence and Security Operations
 Malware, IDS, etc

Public Sector partners
 ØKOKRIM, KRIPOS, CYFOR, etc
Private Sector partners
 Telenor, NorSIS, mnemonic, KPMG, PWC, etc

12
Testimon ArsForensica Team

13
Some Topics of Interest

 Big Data Forensics

 Cyberthreat Intelligence

 Dark Web Analytics

 Adversary Social Network Discovery and Analysis

 Advanced Intrusion Detection

14
Big Data Topics
 Machine Learning for Digital Forensics
 Expedited DF Examination and Analysis

 Semantic analysis of MASSIVE document corpora


 Topic Modeling

 Realtime Analysis of V2 Data Streams


 Cybervision

 Advanced Statistical Analysis Methods


 Data Sketching

15
Explosion of Digital Evidence in
Conventional Law Enforcement

16
Big Data Scenarios in Law Enforcement
• Many conventional cases (murder, robbery, etc)
 – Oslo Police District
 – Many small data seizures can add up to many TB of data stored as evidence
 – Analysis for each case is not complex
 – Preferred: an analysis interface used directly by front line investigators

• A few unconventional cases
 – ØKOKRIM
 – A single case can result in large data seizures equal to many TB (millions of documents)
 – Analysis for each case can take years

Both Scenarios = Many TBs of Data

Need More Advanced Tools for ØKOKRIM

17
ØKOKRIM Type of Big Data Problem in DF:
Panama Papers
• Enron e-mail corpus (from 2002): 160 GB with 1.7 million messages
• Documents from 40 years of business at the law firm Mossack Fonseca
• 11.5 million documents (2.6 TB)
• Head office in Panama City with 35 branch offices all around the world
• 376 journalists from 100 media partners in 80 countries speaking 25 different
languages spent one year identifying 214.000 offshore companies in 21
offshore jurisdictions

18
Panama Papers in Size Perspective

19
International statistics - numbers

Across the "Relativity universe", separate percentages are tracked for each grouping.
Assessing the percentages over the past five years reveals that approximately two thirds of
cases fall in the Normal group, approximately a quarter of cases in the Large group, and
around 8% in the Very Large group. These percentages have held fairly constant over the
past five years with the exception of the Ridiculous cases, which first appeared in 2013, and
now, while increasing, account for less than 1% of the overall case-size make-up.

Source: © kCura - Manufacturer of Relativity One of the Leading E-Discovery Tools


20
ØKOKRIM's Largest Ongoing Investigation

= 20 x Panama Papers (the 2.6 TB Panama Papers)!

21
DFaaS Platform for
Conventional Policing

• Numerous separate criminal investigations.

• Remote access to police all over the country.

• Provide suite of useful Digital Investigation tools

• Preservation of Digital Evidence integrity

• Preservation of Digital Evidence confidentiality

• Compliance with all requisite laws

22
Same DFaaS For Complex Cases?

23
Testimon Digital Forensics Group
Academic Staff (Gjøvik)

Prof Katrin Franke (Testimon Digital Forensics Group Leader): katrin.franke@ntnu.no

Assoc Prof Mariusz Nowostawski (Blockchain Technology): mariusz.nowostawski@ntnu.no

Assoc Prof Geir Olav Dyrkolbotn (Malware): geir.dyrkolbotn@ntnu.no

Dr Carl Stuart Leichter (Data Analysis): carl.leichter@ntnu.no

Dr Edgar Alonso Lopez Rojas (Forensic Data Simulations): edgar.lopez@ntnu.no

24
Testimon Adjunct Staff

Assoc Prof Thomas Walmann (ØKOKRIM)

Assoc Prof André Årnes (Telenor)

Lecturer Jeff Hamm (Mandiant)

25
Testimon DFG PhD Candidates

Andrii Shalaginov: Adv. Neuro-Fuzzy Algorithm for Digital Forensics

Dmytro Piatkivskyi : Blockchain (Lightning)

Ambika Chitrakar: Approximate Search in IDS

Kyle Porter: Approximate Search in DF

Jan William Jensen: Criminal Network Analysis and Financial Fraud

Sergii Banin: Machine Level Analysis of Malware

Gunnar Allendale (KRIPOS): Security Vulnerabilities for DF

Jens-Petter Sandvik (KRIPOS): IoT Forensics

Stig Anderson (OPD): DF Investigation Processes

Jul Fredrik Kaltenborn (PHS): DF and the Rule of Law

26

Simulating Fraudulent Transactions
(Dr Edgar Lopez)

27
Adversarial Network Analysis
(PhD Candidate: Jan William Jensen)

Feasibility Study of Social Network Analysis on Loosely Structured Communication Networks, Jan William Johnsen and
Katrin Franke, Procedia Computer Science

28
Improve Approximate Search for Digital
Investigation and Intrusion Detection
(PhD Candidate: Kyle Porter)

• Improve precision
– Find more of what we want, without losing significant accuracy
– Good for beginning of investigation

29
NFA With Greater Flexibility in
Types of Errors

30
Constrained approximate search in Network IDS
(PhD Candidate: Ambika Shrestha Chitrakar)

31
Malware Classification Based on Analysis of Low-Level
H/W Activity
(PhD Candidate: Sergii Banin)

• Signature-based malware detection is not robust against simple obfuscation techniques.
• Malware developers try to conceal malware’s functionality.
• It is impossible to avoid execution on the hardware.
• Can low-level features alone provide better detection rates?
• Can we use low-level features for malware classification?
• Can low-level features provide stealthy malware detection?

32
Topic Modelling Research
• Latent Dirichlet Allocation (LDA)
• Topic Modelling in Digital Forensics Investigations (DFI)
• Topic Modelling for Cyber-Threat Intelligence (CTI)

33
Latent Dirichlet Allocation:
A Generative Model

Steyvers, Mark, and Tom Griffiths. "Probabilistic topic models." Handbook of latent semantic analysis 427.7 (2007): 424-440.

34
Graphic Representation of
Document Generation

35
Co-Occurrence Matrix Representation of
Document Corpus

36
Matrix Analysis of
Document Corpus

37
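The LDA generative story from the preceding slides (per-topic word distributions, per-document topic mixtures, and the document-term co-occurrence matrix built from the resulting corpus), as an added Python example that is not part of the original presentation. The vocabulary, Dirichlet priors and corpus sizes are constructed toy values.

```python
import random
from collections import Counter

# Constructed toy vocabulary and hyperparameters (not from the presentation).
VOCAB = ["invoice", "payment", "account", "pipeline", "grid", "outage", "meeting", "lunch"]
ALPHA = 0.5   # document-topic Dirichlet prior (small -> documents favour few topics)
BETA = 0.1    # topic-word Dirichlet prior (small -> topics favour few words)


def dirichlet(alpha, k, rng):
    """Sample a k-dimensional symmetric Dirichlet(alpha) vector via normalised Gamma draws."""
    g = [rng.gammavariate(alpha, 1.0) for _ in range(k)]
    total = sum(g)
    return [x / total for x in g]


def choose(weights, rng):
    """Draw one index from the discrete distribution given by `weights`."""
    return rng.choices(range(len(weights)), weights=weights, k=1)[0]


def generate_corpus(n_docs, n_topics, doc_len, seed=0):
    """LDA generative process (Steyvers & Griffiths): draw phi_t ~ Dir(BETA) per topic,
    theta_d ~ Dir(ALPHA) per document, then for each word z ~ theta_d, w ~ phi_z."""
    rng = random.Random(seed)
    phi = [dirichlet(BETA, len(VOCAB), rng) for _ in range(n_topics)]
    docs, thetas = [], []
    for _ in range(n_docs):
        theta = dirichlet(ALPHA, n_topics, rng)
        words = []
        for _ in range(doc_len):
            z = choose(theta, rng)            # latent topic assignment for this word
            words.append(VOCAB[choose(phi[z], rng)])
        docs.append(words)
        thetas.append(theta)
    return docs, thetas, phi


def doc_term_matrix(docs):
    """Document x term co-occurrence count matrix; rows follow `docs`, columns follow VOCAB."""
    rows = []
    for d in docs:
        counts = Counter(d)
        rows.append([counts[w] for w in VOCAB])
    return rows


if __name__ == "__main__":
    docs, thetas, phi = generate_corpus(n_docs=4, n_topics=2, doc_len=10)
    for row in doc_term_matrix(docs):
        print(row)
```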
Topic Modelling for DFI
(Enron Corpus)
From Eirik Lintho Bue. Probabilistic Topic Modeling for Document Corpus Exploration in Digital Forensics.

– Enron Accounting Scandal
– California Energy Crisis

38
Ten Topics Extracted From Enron Corpus

39
Topic 4: Author Participation Over Time

40
Topic 4: Author Participation Over Time (continued)

[Figure: participation per author over time; authors labelled SA to SN]

41
Adversarial Network Analysis

42
Topic Modelling for CTI
Hacker Forum Data

From Deliu, Isuf. Extracting Cyber Threat Intelligence From Hacker Forums. MS thesis. NTNU, 2017.

– Nulled.IO
– http://leakforums.net/thread-719337
– 3,495,596 posts

43
Nulled.IO Hacker Forum Data
(16,000 Posts)

44
Nulled.IO Hacker Forum Posts

45
Estimated Topics (16K Posts)

46
1000K Posts [Security Relevant Only]

Future Work:
DarkWeb Jihadi Forums

Example forum record (raw):
100002 11290 WALLAHI-laylatul Qadr is the 27th Night- Helping Everyone Out- 1283 Mu7aaribah Why do we tend to act the worst in this blessed month of ramadhaan? In the last 10 days of ramadhaan?Wallaahi we are so being tested here by Allaah and some of you are just falling right into the trap. Subhan'AIIaah. Please think, think, think and then act. 2006 1 O 17 2006-10-17 14:48:00.000 99629

The same record after text preprocessing:
1 00002 1283 2006-10-17 14:48:00.000 Why do we tend to act the worst in this blessed month of ramadhaan In the last days of ramadhaan Wallaahi we are so being tested here by Allaah and some of you are just falling right into the trap SubhanAIIaah Please think think think and then act

48
Thank You!

Questions?

49
