UWE Bristol researchers develop novel defence against adversarial machine learning attacks on Cyber Security Intrusion Detection Systems

Posted on

As cyber attacks evolve in their sophistication, Intrusion Detection Systems (IDS) have often been seen as a way to mitigate threats on computer networks.

Yet, attackers continue to evade detection and cause disruption through the spread of malicious software and other common attack processes. There is a growing trend of being able to evade machine learning systems to conduct attacks, by effectively compromising the intended functionality of the machine learning system.

Recent work by Andrew McCarthy, a PhD student at UWE Bristol studying cyber security analytics, has been able to demonstrate both the feasibility of conducting such attacks against Intrusion Detection Systems, as well as proposing a novel approach to combat against the vulnerabilities that machine learning classifiers may exhibit.

Whilst the domain of adversarial machine learning often addresses computer vision systems, this cutting-edge research applies these concepts in cyber security, to understand what future threats may look like, and how best to develop Intrusion Detection Systems to avoid such vulnerabilities.

The results of Andrew’s recent PhD work have just been published in the high-ranking Journal of Information Systems and Applications (Elsevier). Andrew is in the final stages of completing his PhD study, working with Professor Phil Legg (Director of Studies) and supported by industry partner Techmodal through the UWE Partnership PhD scheme.

The full paper is available online.

Research success working with the UK Defence Sector to defend our cyber space

Posted on

For the UK Defence Sector, there is an ever-growing need to defend in our cyber space as well as the traditional domains of land, air, space and sea. Understanding the complexities of monitoring cyber space to ensure that an operational mission is a challenging task, that involves collating indicators of compromise and other related sources of information and applying data science skills to aggregate and reason about incoming observations. A team of UWE researchers, led by Professor Phil Legg, are working with Bristol-based TRIMETIS to develop innovation in this domain, and together the team have recently secured £200,000 funding from the Defence Science and Technology Laboratory (DSTL) to support two new research projects that address these problems.

The first project seeks to understand the human-machine teaming aspects of how analysts can interrogate and reason about data observations to inform cyber defence. Furthermore, by developing improved human-machine teaming efforts, underpinning by machine learning techniques, will enable improved decision-making in response to cyber threats, and an improved synergy between how machine learning can help to reason about data and improve a human analyst’s workflow, whilst also developing a model to understand how a human analyst will reason about data, such that this can improve the system interaction further. 

The second project seeks to understand how humans can better serve as sensors about the environment to protect and defend against threats. This involves improved reporting mechanisms of threats, both online and offline, and how this information can be integrated within larger data analytics and reasoning platforms about a given mission. The project will seek to understand the barriers of reporting, and how technology can enable better data collection from observers, such that this information can then be better utilised within human-machine based analysis.

The two projects will both launch in January 2023 and will run for 9 months. The resulting outputs will be shared with the defence communities and through wider academic dissemination. This recent set of projects complement the portfolio of work that UWEcyber has conducted with DSTL and the defence community over a number of years, with previous DSTL-funded UWE projects including ARCD (2022), HASTE (2018), and RicherPicture (2015, 2017).

Measuring the Suitability of Artificial Intelligence in Autonomous Resilience for Cyber Defence

Posted on

Artificial Intelligence has attracted wide use in many aspects of society, from facial recognition and recommendation systems, through to predicting crime rates and autonomous vehicles. AI technologies are widely used in defence, including how agent-based systems can detect and respond to cyber threats when under attack from adversaries.

Whilst this continues to be a ripe area of research, there are important questions to be asked about the suitability of AI within autonomous resilience for cyber defence, relating to the usability of AI, specifically on how end users may utilise the decisions that are generated by an AI defence system, and how an end user can better understand and reason about how the decisions of the AI are formulated.

UWE researchers Professor Phil Legg and Andrew McCarthy are working with TRIMETIS and PA Consulting to address this important research question, supported by QinetiQ and the Defence Science and Technology Laboratory (DSTL). The project is part of the SERAPIS Framework that supports rapid research and innovation to supply into the UK Ministry of Defence.

This programme of research will impact on how the UK can better identify, investigate and respond to threats in the cyber domain, as well as the impact of cyber across traditional defence areas of land, sea, air and space, and understand the role that artificial intelligence and agent-based systems will have in maintaining the defence and security of the UK.

Cyber Security in Connected Places: Attack Detection in RPL-based Internet of Things

Posted on

By Sarfraz Brohi, Senior Lecturer Cyber Security

Connected places such as smart cities have enabled urban planners to improve citizens’ quality of life by collecting, storing, processing and analysing data. Internet of Things (IoT) is one of the driving technologies of connected places. It integrates different city functions such as parking systems, mobility services, waste management, healthcare and emergency services. Unfortunately, IoT has vulnerabilities that attackers could exploit due to the massive processing of sensitive data. Cyber security breaches in IoT-powered connected places could violate citizens’ privacy, endanger life and cause economic disaster.

IoT security encompasses a massive area of research with a wide array of open challenges. Dr Sarfraz Brohi (Senior Lecturer in Cyber Security at CSCT-UWE, Bristol) collaborated with the researchers from Taylor’s University, Malaysia (Dr Noor Zaman: Cluster head for cyber security research, Ms Fatima Zahra and Dr Navid Khan) and Taif University, Saudi Arabia (Dr Mehedi Masud and Dr Mohammed A. AlZain) to address crucial IoT-specific rank and wormhole attacks by creating a machine learning model.

The fundamental components of an IoT-enabled infrastructure usually include sensors, RFIDs, microcontrollers and digital devices. These components are low power and lossy due to their small size and simple architecture. Therefore, they use lightweight routing standards and protocols for data transmission. RPL is one such protocol used in IoT networks. RPL-based IoT networks are vulnerable to two types of attacks: WSN-inherited attacks and RPL-specific attacks. Rank and wormhole attacks are examples of high-impact attacks from these categories where attackers target the protocol and sensor network vulnerabilities to disrupt network functionalities and compromise resources.

F. Zahra, NZ. Jhanjhi, SN. Brohi, NA. Khan, M. Masud, and MA. AlZain, generated a dataset and developed a model for detecting RPL-specific and WSN-inherited attacks in RPL-based IoT: LIoTN-RPL dataset and MC-MLGBM model. The LIoTN-RPL data pool consists of network traffic data extracted from various network models. These network models have been designed considering three scenarios – one benign and two attack scenarios – and simulated based on the number of IoT nodes and state of nodes. The MC-MLGBM classifies three target classes and addresses two attacks. In this research, they have used accuracy, precision and recall to evaluate the proposed model. To avoid accuracy bias, they have also used cross entropy, Cohen’s Kappa, and MCC as performance evaluation metrics. The existing models usually focus on one category of attacks. The proposed model provides a conceptual framework for aggregately addressing both in RPL-based IoT networks.

The results of this research are discussed in the paper “Rank and Wormhole Attack Detection Model for RPL-based Internet of Things using Machine Learning”, published in the MDPI Sensors special issue on Advances in IoT Privacy, Security and Applications. Authors have reviewed recent methodologies for addressing security issues in IoT and techniques used to detect the attacks. Furthermore, they have analysed the data collection methods in the research domain. This research observed the scarcity of publicly available RPL attack datasets and the prevalence of self-generated datasets using simulators like Cooja. The future direction of this research focuses on more experiments by designing and simulating other RPL-specific and WSN-inherited attack models. LIoTN-RPL will be released as an open-source dataset to the research community to facilitate the development of ML models for attack detection in RPL-based IoT networks.

Read the full article.

UWE Bristol research to help uncover and mitigate against hundreds of online public software supply chain vulnerabilities

Posted on

Many software and cloud platforms rely on the use of containerisation, a modern technique of deploying multiple software services quickly, securely and efficiently on large-scale cloud computing resources such as Microsoft Azure and Amazon Web Services (AWS). Platforms such as DockerHub provide an online repository of over 100,000 ready-to-deploy containers that are used widely in many of today’s modern software platforms. Whilst this offers great convenience for development teams, many of these containers may exhibit vulnerabilities, which if not managed, can introduce vulnerabilities into a company software stack. Recent security issues such as the log4j vulnerability and the Solarwinds Orion attack highlight the growing concern around software supply chain security, the dependencies that are made by development teams on third party software, and the implications of identifying and remediating such vulnerabilities later down the line.

As part of our CSC3 research, Alan Mills, Jonathan White and Phil Legg, have developed a suite of docker security visualisation and remediation tools: OGMA and BORVO. The suite of tools enable developer and security teams to quickly identify vulnerabilities against a variety of container security scanning platforms. Results from existing scanning tools can often differ or conflict, and so our aggregated approach helps provide a unified analysis to address conflicts and provide a visual means for thorough examination the results. Our approach also provides a more intuitive risk assessment that considers the true impact of vulnerabilities, such as how easily the vulnerability could actually be exploited by external or internal actors. Furthermore, the suite also provides developers with informed assessment of how to remediate the security issues whilst preserving the intended software functionality that is dependent on the container.

Our research paper “OGMA: Visualisation for Software Container Security Analysis and Automated Remediation” has been peer-reviewed and accepted for the IEEE Conference on Cyber Security and Resilience where the work will be presented and published at the end of July. We will also be sharing our insights in our related presentation on “Securing the Supply Chain – Practicality v Paranoia” at the upcoming BSides Cheltenham conference this weekend, which is a community-organised event for the regional cyber security industry and enthusiasts, and follows our lightning talk on software supply chain security delivered at CYBERUK 2022 earlier this year. OGMA and BORVO are both released as open-source applications that we have made available to the wider research community, to facilitate the examination and remediation of software vulnerabilities in containerised applications. For more details, including how to download and use the tools, please visit our GitHub page.


Posted on

By Professor Phil Legg

Earlier this month saw the UK Government host their flagship annual cyber security conference, CYBERUK 2022, that brings together government, industry and academia. Hosted in Newport, South Wales, there were thousands of attendees from major corporations, global government leaders, and the UK academic communities that work closely with the National Cyber Security Centre to understand the technical, economic and social challenges around modern cyber security and its position in today’s world. 

Ransomware, organised crimes groups, and nation state attacks, were all key agenda items up for debate. We heard talks describing how the average cyber-attack is now estimated to cost £2.2 million in terms of the remediate impact that organisations face, be that information, operational and asset-based losses, reputational damage, legislative costs, and other financial implications. We heard discussion about the recent log4j crisis that has hit businesses around the globe, that emphasises the challenges around software supply chain security, and understanding the different software components, be that open-source or proprietary code bases, that make up an organisation’s platform for conducting business. Perhaps one of the most poignant moments of the event was hearing from victims of cyber crime – specifically those tasked with defending their organisations, their staff, and their customers – and hearing about the human impact of cyber crime and the full range of emotional turmoil that people have been thrown into. The recent events in Ukraine and Russia highlight this further, as we have witnessed cyber attacks as part of warfare. As we live in a connected society, there is no doubt that our online and offline worlds are now as one. 

Education will always sit in the centre of cyber security and cyber crime, since prevention will always be greater than the cure. That is why the work of the Cyber Security and Cyber Crime Research Cluster, coupled with the work of our NCSC Academic Centre of Excellence in Cyber Security Education (ACE-CSE) continues to play a vital role in how we can identify, mitigate, and prevent against criminal activities and the dangers that they pose to our connected society. 

Targeting the Proceeds of Darknet Market Crime: A Familiar Unending Struggle?

Posted on

Dr Matthew Robert Shillito

Leading Darknet markets such as Hydra, World Market, and Cypher have long attracted law enforcement attention. They provide access to illicit goods and services (such as drugs, fake identity documents, and hitmen for hire), under the cover of anonymity afforded by the technology used to access them, namely the Tor browser and Virtual Private Networks (VPNs). To maintain that anonymity throughout the whole process, cryptocurrencies are utilised as the payment method of choice.

So, why is the old-adage of ‘follow-the-money’ so important, in this context? Well, provided there are no human errors prior to accessing Tor, and that the marketplace has not been compromised (e.g. by law enforcement accessing servers), then it is the payment stage where users are potentially most vulnerable and information can be pieced together. Users have placed their faith in the marketplaces’ chosen cryptocurrency, betting that it will sufficiently mask their identity. If it does not, then it can serve to undermine the earlier browsing anonymity achieved by utilising Tor and a VPN. As a result, law enforcement success in this area can prevent crime from paying, and send out a deterrent message to criminals.

Where success is achieved, it is principally due to the public (open) nature of many blockchains and the increasing use of public-private partnerships to harness private sector resources and technology in investigating blockchain transaction data. Further, once law enforcement has a lead, the fact traditional anti-money laundering obligations (such as know-your-customer) have been placed on digital currency exchanges can result in the uncovering of identifying information.

However, whilst there have been some high-profile, successful, Darknet investigations (e.g. Silk Road, Alphabay and Hansa) overall, law enforcement has struggled to consistently get to grips with the challenge these markets present. Indeed, evidence from Chainalysis suggests that other than two small blips, both revenue and total transfers to Darknet Marketplaces have strongly increased year-on-year since 2011.

Why then, has success been so hard to come by? Fundamentally, Darknet investigations can and have taken years to come to fruition. They are impeded by many of the same basic issues that face traditional financial crime investigations, lack of resources and insufficient law enforcement training. When this is coupled with age-old issues surrounding international criminal cooperation, such as: language barriers; cultural & legal differences; and competing priorities; it makes for a particularly difficult albeit entirely predictable challenge.

The challenge is further exacerbated by the techniques criminals use to launder their cryptocurrency. Methods include: operating numerous wallets; use of unlicensed exchanges and buying cryptocurrency ‘locally’ (away from exchanges); use of tumblers / mixers to obscure funds; and switching funds for other payment forms e.g. pre-paid cards, to cash out. Again, if these seem familiar, it’s because they are traditional techniques that we have struggled to overcome, adopted for this new criminal arena.

If that is not tricky enough, darknet criminals do have some unique crypto bows to their string. They are increasingly utilising cryptocurrencies that are more privacy based, such as Monero , as their blockchain’s cannot be searched in as useful a way. Further, Darknet markets are increasingly self-closing in the belief that this makes it harder for law enforcement to establish a paper trail to all criminal activity conducted there. Certainly, given the way the Darknet works, this creates an issue in terms of evidence gathering.

But, perhaps the most significant challenge of all is confiscation. A determined criminal can simply refuse to hand over cryptocurrency and there is little law enforcement can do. Efforts have been made to induce compliance, such as adding additional time to a sentence. But, it can be questioned how persuasive that would actually be.

Whilst the recent announcement by the US Department of Justice that they are forming a specialist ‘digital currency unit’ is to be welcomed. That these challenges are predominantly long-standing unresolved issues suggests they’re not about to be overcome anytime soon. This coupled with tech specific complexities, and the potential impossibility of confiscation means law enforcement face a tall order to deter Darknet marketplace crime.

Welcome to the Cyber Security and Cyber Crime Research Cluster (CSC3 ) blog

Posted on

Welcome to the Cyber Security and Cyber Crime Research Cluster (CSC3 ) blog where we plan to share with you the latest updates from the CSC3.

Cyber security is the application of technologies, processes and controls to protect systems, networks, programs, devices and data from cyber-attacks. In the “Hidden Cost of Cybercrime” report, McAfee estimates the average cost of cybercrime in 2020 as $945,000,000,000, up from $522,500,000,000 in 2018. Traditional crimes are now widely conducted through online means.

From a cyber crime perspective, there are two classes of attack: cyber-dependent crime (criminal behaviour that is reliant on technology and its use in society, such as ransomware attacks and cryptocurrency money laundering) and cyber-enabled crimes (traditional crimes that have now become more widespread due to technology, such as cyber bullying and online fraud). Such cyber-attacks may originate from “script kiddies” and insider threats, through to sophisticated and professional operations by organised crime groups and enemy nation states.

The Cyber Security and Cyber Crime Cluster (CSC3) will conduct novel multi-disciplinary research relating to both the conduct of, and the mitigation of cyber attacks. As a broad and ever-evolving research domain, this will involve a number of related areas, including understanding the motivations and precursors of criminality, the technical means that enable criminality to be conducted, and appropriate mitigation and best practice to uphold security and defence.

This research cluster will bring together a multi-disciplinary team of academics to promote synergy and new collaborations, with expertise across financial crime, digital forensics, software security exploitation, insider threat detection, cryptocurrencies and online fraud. It will serve to build capacity in this research domain, by involving our postgraduate and undergraduate student communities in paid research opportunities to support our expansion of research in this area.

Students and staff will work with major external partners to combat today’s challenges, in partnership with Avon and Somerset Police, the South West Regional Organised Crime Unit, the South West Cyber Resilience Centre, the Ministry of Defence, Synalogik Innovations, Leonardo MW, and the National Cyber Security Centre (NCSC).

UWE Bristol have rapidly established a reputation within cyber security education, working alongside the National Cyber Security Centre (NCSC) to offer a fully certified MSc Cyber Security and the only certified Degree Apprenticeship in England and Wales. Recognised as an Academic Centre of Excellence in Cyber Security Education (ACE-CSE) in December 2020, we now seek to expand multi-disciplinary research in this domain.

The nature of this cluster is to build capacity across related technical and societal areas of cyber security and cyber crime. Through our working groups, we will be able to address cutting-edge challenges as seen by our partners, and provide research opportunities for our students to collaborate in to build their student experience.

We look forward to sharing with you developments from this research cluster.


This research cluster is funded through the Expanding Research Excellence scheme at UWE Bristol. The scheme aims to support and develop interdisciplinary, challenge-led research across the University. It is designed to bring together research clusters or networks that will work together to respond to challenges (local, regional, national, global) aligned with major research themes.

Back to top