Read the attached paper carefully and write a research summary in two sections: (1) an overall summary, and (2) what you would like to add to or change in the conclusion section. This assignment should be in APA format, plagiarism free, and include at least two references other than the paper. 1000 words minimum.

Journal of Computer and System Sciences 80 (2014) 973–993
A survey of emerging threats in cybersecurity
Julian Jang-Jaccard, Surya Nepal ∗
CSIRO ICT Centre, Australia
Article info
Received 25 September 2012; received in revised form 15 March 2013; accepted 27 August 2013; available online 10 February 2014
Keywords: Emerging technology trends; Emerging cyber threats; Cyber attacks and countermeasures
Abstract
The exponential growth of Internet interconnections has led to a significant growth in cyber attack incidents, often with disastrous and grievous consequences. Malware is the primary weapon used to carry out malicious intent in cyberspace, either by exploiting existing vulnerabilities or by utilizing unique characteristics of emerging technologies. The development of more innovative and effective malware defense mechanisms has been regarded as an urgent requirement in the cybersecurity community. To assist in achieving this goal, we first present an overview of the most exploited vulnerabilities in existing hardware, software, and network layers. This is followed by critiques of existing state-of-the-art mitigation techniques, explaining why they do or do not work. We then discuss new attack patterns in emerging technologies such as social media, cloud computing, smartphone technology, and critical infrastructure. Finally, we describe our speculative observations on future research directions.
Crown Copyright © 2014 Published by Elsevier Inc. All rights reserved.
1. Introduction
Our society, economy, and critical infrastructures have become largely dependent on computer networks and information technology solutions. Cyber attacks become more attractive and potentially more disastrous as our dependence on information technology increases. According to the Symantec cybercrime report published in April 2012, cyber attacks cost US$114 billion each year. If the time lost by companies trying to recover from cyber attacks is counted, the total cost of cyber attacks would reach a staggering US$385 billion. The number of victims of cyber attacks is also growing significantly. Based on a survey conducted by Symantec that interviewed 20,000 people across 24 countries, 69% reported having been the victim of a cyber attack in their lifetime. Symantec calculated that 14 adults become victims of a cyber attack every second, or more than one million attacks every day.
Why do cyber attacks flourish? Because cyber attacks are cheaper, more convenient and less risky than physical attacks. Cyber criminals require few expenses beyond a computer and an Internet connection. They are unconstrained by geography and distance. They are difficult to identify and prosecute due to the anonymous nature of the Internet. Given that attacks against information technology systems are so attractive, it is expected that the number and sophistication of cyber attacks will keep growing.
Fig. 1. Vulnerabilities and defense strategies in existing systems.
Cybersecurity is concerned with understanding the issues surrounding diverse cyber attacks and devising defense strategies (i.e., countermeasures) that preserve the confidentiality, integrity and availability of any digital and information tech-
• Confidentiality means preventing the disclosure of information to unauthorized individuals or systems.
• Integrity means preventing any modification or deletion of information in an unauthorized manner.
• Availability means assuring that the systems responsible for delivering, storing and processing information are accessible when needed and by those who need them.
Many cybersecurity experts believe that malware is the key weapon used to carry out malicious intents that breach cybersecurity efforts in cyberspace. Malware refers to a broad class of attacks in which software is loaded onto a system, typically without the knowledge of the legitimate owner, to compromise the system for the benefit of an adversary. Some exemplary classes of malware include viruses, worms, Trojan horses, spyware, and bot executables. Malware infects systems in a variety of ways, for example by propagating from infected machines, tricking users into opening tainted files, or luring users into visiting malware-propagating websites. As a more concrete example of infection, malware may load itself onto a USB drive inserted into an infected device and then infect every other system into which that drive is subsequently inserted. Malware may also propagate from devices and equipment that contain embedded systems and computational logic. In short, malware can be inserted at any point in the system life cycle. Victims of malware range from end user systems and servers to network devices (i.e., routers, switches, etc.) and process control systems such as Supervisory Control and Data Acquisition (SCADA). The proliferation and sophistication of the fast growing number of malware is a major concern on the Internet today.
Traditionally, malware attacks happened at a single point of the attack surface, among hardware equipment, software components or the network level, by exploiting existing design and implementation vulnerabilities at each layer. Rather than protecting each asset, the perimeter defense strategy has been used predominantly to put a wall around all internal resources, safeguarding everything inside from unwanted intrusion from outside. The majority of perimeter defense mechanisms rely on firewalls and anti-virus software together with intrusion prevention/detection systems. Any traffic coming from outside is intercepted and examined to ensure that no malware penetrates the inside resources. The perimeter defense model has gained general acceptance because it is far easier and seemingly less costly to secure one perimeter than to secure a large number of applications or internal networks. To give more fine-grained access to certain internal resources, access control mechanisms have been used in conjunction with perimeter defense. On top of perimeter defense and access control, accountability is added to identify or punish any misbehavior, as represented in Fig. 1. However, the combined efforts of the perimeter defense strategy have been found to be increasingly ineffective as the advancement and sophistication of malware improves. Ever-evolving malware always seems to find loopholes to bypass the perimeter defense altogether. We describe in detail the most common exploitations in the three distinct layers of existing information systems: the hardware, software and network layers. We then discuss the pros and cons of the most representative defense mechanisms that have been used in these layers.
Fig. 2. Types of malware and the mediums used to spread them.
Malware evolves through time, capitalizing on new approaches and exploiting the flaws in emerging technologies to avoid detection. We describe a number of new patterns of malware attacks present in emerging technologies. In choosing emerging technologies for illustration, we focus on a few that have changed the way we live our daily lives: social media, cloud computing, smartphone technology, and critical infrastructure. We discuss the unique characteristics of each of these emerging technologies and how malware utilizes those characteristics to proliferate. For example, social media, such as social networking sites and blogs, are now an integral part of our lifestyle, as many people journal about their life events, share news, and make friends there. Realizing its potential to connect millions of people at once, adversaries use social media accounts to befriend unsuspecting users and then use them as vehicles for sending spam to the victim's friends, while the victim's machine is repurposed into part of a botnet. The cloud computing paradigm allows computer resources to be used like utilities, where users pay only for their usage without having to make any upfront investment or acquire any skills in managing complex computing infrastructure. The growing trove of data concentrated in cloud storage services is now attracting attackers. In June 2012, attackers compromised the Distributed Denial of Service (DDoS) mitigation service CloudFlare by exploiting flaws in AT&T's voicemail service for its mobile users and, similarly, in Google's account-recovery service for its Gmail users. With the projected growth to 2 billion smartphone users by 2015, a significant growth in mobile malware has been witnessed in recent times. For example, the number of unique detections of malware for Android increased globally by 17 times in 2012 compared with the previous year. There are also growing concerns about cyber threats to critical infrastructure, such as electricity grids and healthcare systems, being used for terrorism, sabotage and information warfare. Apart from investigating exploitation of the unique characteristics of the selected emerging technologies, we also discuss the general malware attack patterns that appear in them, to understand the methods and trends of the
Finally, we provide our speculative observations on where future research directions are heading. These include: (1) privacy concerns in safeguarding the increasing volumes of personal information entered on the Internet, (2) the requirement for a new generation of secure Internet built from scratch with careful consideration of projected growth and usage patterns, which was not the case with the Internet we use today, (3) trustworthy systems whose fundamental architecture differs from their inception so as to withstand ever-evolving malware, (4) the ability to identify and trace the source of attacks, assisted by the development of global-scale identity management systems and traceback techniques, and (5) a strong emphasis on usable security to give individuals security controls they can understand and control.
The remainder of the article is organized as follows. Section 2 provides insight into malware. Section 3 provides an overview of how malware penetrates existing systems and of efforts to mitigate the existing vulnerabilities exploited by adversaries. Section 4 reviews emerging approaches to malware infiltration and discusses the general attack patterns and methods. Section 5 discusses the future research directions we identified; this is followed by concluding remarks in
2. Malware as attack tool
In the early days, malware was often written simply as an experiment to highlight security vulnerabilities or, in some cases, to show off technical ability. Today, malware is used primarily to steal sensitive personal, financial, or business information for the benefit of others [129,131]. For example, malware is often used to target government or corporate websites to gather guarded information or to disrupt their operations. In other cases, malware is used against individuals to gain personal information such as social security numbers or credit card numbers. Since the rise of widespread, cheaper and faster broadband Internet access, malware has been designed increasingly not only for the theft of information but strictly for profit. For example, the majority of widespread malware has been designed to take control of users' computers for black market exploitation, such as sending email spam or monitoring users' web browsing behavior and displaying unsolicited advertisements. Based on the Anti-Phishing group report, a total of 26 million new malware samples were reported in 2012. Fig. 2 shows the relative proportions of the types of new malware samples identified in the second half of 2012, as reported by the Anti-Phishing group.
According to this report, Trojans continued to account for most of the threats in terms of malware counts, and their number keeps growing spectacularly. In 2009, Trojans were reported to have made up 60 percent of all malware. In 2011, this number had jumped to 73 percent. The current percentage indicates that nearly three out of every four new malware strains created in 2011 were Trojans, showing that the Trojan is the weapon of choice for cyber criminals conducting network intrusion and data theft.
Fig. 3. Common attacks and examples of countermeasures in existing system.
Malware authors use a number of different intermediaries to spread malware and infect a victim's system. Traditionally, spam, phishing and web downloads have been the most commonly used mediums for this purpose.
– Spam refers to sending irrelevant, inappropriate and unsolicited messages to thousands or millions of recipients. Spam has turned out to be a highly profitable market, since spam is sent anonymously with no costs involved beyond the management of mailing lists. Due to such a low barrier to entry, spammers are numerous and the volume of unsolicited mail has grown enormously. For 2011, the estimated number of spam messages is around seven trillion. The cost of spam includes lost productivity, fraud, and the extra capacity needed to cope with it. Today, the most widely recognized form of spam is email spam. According to the Messaging Anti-Abuse Working Group report, between 88% and 92% of email messages sent in the first half of 2010 were spam.
– Phishing is a way of attempting to acquire sensitive information such as usernames, passwords or credit card details by masquerading as a trustworthy entity. Most phishing scams rely on deceiving a user into visiting a malicious web site that claims to belong to a legitimate business or agency. Unsuspecting users enter private information into the malicious web site, which is then used by criminals. Most phishing methods use some form of technical deception designed to make a link in an email (and the spoofed website) appear to belong to a legitimate organization, such as a well-known bank. Misspelled URLs or the use of sub-domains (placing the imitated brand name as a sub-domain of a domain the attacker controls) are common tricks used by phishers. The Anti-Phishing technical report stated that there was a visible trend among phishers in 2011 to hide their intentions by avoiding obvious IP-address hosts for their fake login pages; instead, phishers preferred to host on compromised domains to avoid detection. A 16 percent drop was reported in the number of phishing URLs containing the spoofed company name in the URL. These combined trends show how phishers adapt as users become more informed and knowledgeable about the traits of a typical phish.
– Drive-by downloads refer to the unintended download of malware from the Internet and have been increasingly used by attackers to spread malware fast. Drive-by downloads happen in a variety of situations: for example, when a user visits a website, while viewing an email message, or when a user clicks on a deceptive pop-up window. By far the most common drive-by downloads occur when visiting websites. An increasing number of web pages have been infected with various types of malware. According to an Osterman Research survey, 11 million malware variants had been discovered by 2008, and 90% of these came from hidden downloads on popular and often trusted websites. Before a download takes place, a user is first required to visit the malicious site. To lure the user into visiting a website with malicious content, attackers send spam emails that contain links to the site. When an unsuspecting user visits the malicious website, malware is downloaded and installed on the victim's machine without the user's knowledge. For example, the infamous Storm worm used its own network of infected computers to send spam emails containing links to such attack pages.
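A small checker for the URL tricks described in the phishing item above (brand name hidden in a sub-domain, look-alike misspellings of the brand, bare IP-address hosts, and user-info placed before the real host), added here as an example and not taken from the paper. The brand list and the sample URLs are constructed, and the notion of "registered domain" is a deliberate simplification (the last two host labels; a real deployment would consult the Public Suffix List):

```python
"""Heuristic indicators for phishing URL tricks (added example, not from the paper).

Assumptions: the caller supplies the brand names to protect, and the registered
domain is approximated as the last two labels of the host name.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed list of brands a phisher might imitate.
BRANDS = ("paypal", "examplebank")


def _edit_distance(a, b):
    """Levenshtein distance; used to catch misspelled brand names (paypa1, paypai)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def phish_indicators(url, brands=BRANDS):
    """Return the list of indicators found in url; an empty list means none fired."""
    parts = urlsplit(url)
    flags = []
    # "user@host" in the authority: the browser connects to host, the eye reads user.
    if "@" in parts.netloc:
        flags.append("userinfo-in-authority")
    host = (parts.hostname or "").lower()
    if _is_ip(host):
        flags.append("bare-ip-host")
    labels = host.split(".")
    # Assumption: registered domain = last two labels (no public-suffix handling).
    reg_name = labels[-2] if len(labels) >= 2 else host
    sub_labels = labels[:-2]
    path = parts.path.lower()
    for brand in brands:
        if brand == reg_name:
            continue  # the brand really owns the registered domain
        if any(brand in lbl for lbl in sub_labels):
            flags.append(f"brand-in-subdomain:{brand}")
        if brand in path:
            flags.append(f"brand-in-path:{brand}")
        if 0 < _edit_distance(brand, reg_name) <= 2:
            flags.append(f"lookalike-domain:{brand}~{reg_name}")
    return flags


if __name__ == "__main__":
    # Constructed sample URLs: one genuine, four using the tricks in the text.
    for sample in ("https://www.paypal.com/signin",
                   "http://www.paypal.com.secure-login.net/webscr",
                   "http://paypa1.com/login",
                   "http://192.0.2.10/paypal/login",
                   "http://www.paypal.com@evil.example/x"):
        print(sample, "->", phish_indicators(sample) or "clean")
```

The checker is a triage aid, not a verdict: a genuine site hosted under a subsidiary domain will trip the sub-domain rule, and an attacker who registers a brand-free domain and hosts on a compromised site (the 2011 trend noted above) trips none of them.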
3. Exploiting existing vulnerabilities
Once malware has been delivered to the victim's system, cyber criminals can exploit many different existing vulnerabilities in that system to further their criminal activities. We examine the most commonly exploited existing vulnerabilities in hardware, software, and network systems. This is followed by a discussion of existing efforts that have been proposed to mitigate the negative impacts of these exploitations. A summary of the common attacks in the hardware, software and network layers is presented along with examples of countermeasures in Fig. 3.
Hardware is the most privileged entity and has the greatest ability to manipulate a computing system. This is the level that has the potential to give attackers considerable flexibility and power to launch malicious attacks if the hardware is compromised [23,24]. Compared to software-level attacks, for which many security patches, intrusion detection tools and anti-virus scanners exist to detect malicious activity periodically, many hardware-based attacks have the ability to escape such detection. Taking advantage of the lack of tool support for hardware-level detection, hardware-based attacks have been reported to be on the rise.
Among the different types of hardware misuse, the hardware Trojan is the most insidious and common hardware exploit. Hardware Trojans are malicious and deliberately stealthy modifications made to electronic devices such as Integrated Circuits (ICs). Hardware Trojans vary in severity and cause different types of undesirable effects. A hardware Trojan might cause an error detection module to accept inputs that should be rejected. A Trojan might insert more buffers in the chip's interconnections and hence consume more power, which in turn could drain the battery quickly. In more serious cases, Denial-of-Service (DoS) Trojans prevent the operation of a function or resource. A DoS Trojan can cause the target module to exhaust scarce resources like bandwidth, computation, and battery power. It could also physically destroy, disable, or alter the device's configuration, for example, causing the processor to ignore the interrupt from a specific
Illegal clones of hardware are a source of hardware-based exploitation, since illegally counterfeited hardware is more likely to contain malicious backdoors or hardware Trojans. The chance of producing inauthentic hardware has increased with the trend of IT companies trying to reduce their IT expenses by outsourcing and by buying untrusted hardware from online sites. Karri et al. discuss how today's IT model of outsourcing has contributed to the increased chance of tampered hardware components being produced in untrusted factories in foreign countries. Similarly, it is also pointed out that IT companies often buy untrusted hardware such as chipsets and routers from online auction sites or resellers, which in turn may contain harmful hardware Trojans. These practices are not only problematic for IT companies operating on tampered hardware with potential backdoor entry; they also increase the chance that the original design and the details of the system's internal state are leaked to unauthorized personnel.
Side channel attacks occur when adversaries gain information about a system's internal state by examining physical characteristics of the device such as power consumption, electromagnetic radiation, and the timing of data moving in and out of the CPU. Sensitive data can be leaked through such side channel attacks. One reported approach examines a number of ways in which a cryptographic algorithm's secret key can be leaked by analyzing radio-frequency emissions.
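The timing side channel in its simplest form, as an added example that is not from the paper: a secret comparison that returns at the first mismatching byte, next to a constant-time comparison, and the byte-at-a-time recovery an attacker runs against the former. The observable is modelled as the number of bytes the comparison examined rather than measured wall-clock time, so the run is deterministic; on real hardware the attacker measures latency and averages over many requests. The secret is constructed.

```python
"""Timing side channel on a secret comparison (added example, not from the paper).

leaky_equals stops at the first differing byte, so its running time reveals how
many leading bytes of a guess are right. The 'time' is modelled as the count of
bytes compared, which makes the demonstration deterministic.
"""
import hmac

SECRET = b"s3cr3t-tok"  # constructed secret (think: an API token) the attacker wants


def leaky_equals(secret, guess):
    """Early-exit comparison. Returns (equal, bytes_compared); the second value
    stands in for the observable running time."""
    if len(secret) != len(guess):
        return False, 0
    compared = 0
    for a, b in zip(secret, guess):
        compared += 1
        if a != b:
            return False, compared
    return True, compared


def constant_time_equals(secret, guess):
    """hmac.compare_digest examines every byte regardless of where a mismatch
    is, so the observable is the full length for every guess."""
    return hmac.compare_digest(secret, guess), len(secret)


def recover_secret(compare, length, alphabet=range(256)):
    """Byte-at-a-time recovery using only the timing observable: at each position
    the candidate that makes the comparison run longest is the correct byte.
    Against a constant-time compare every candidate looks the same, so the
    result is garbage (the first candidate wins each position)."""
    recovered = bytearray()
    for pos in range(length):
        best_byte, best_time = None, -1
        for c in alphabet:
            guess = bytes(recovered) + bytes([c]) + b"\x00" * (length - pos - 1)
            equal, t = compare(guess)
            if equal:
                return guess
            if t > best_time:
                best_byte, best_time = c, t
        recovered.append(best_byte)
    return bytes(recovered)


def attack(compare_fn, secret=SECRET):
    """Run the recovery against compare_fn; the attacker sees only the
    (equal, time) pair for each guess, never the secret."""
    return recover_secret(lambda guess: compare_fn(secret, guess), len(secret))


if __name__ == "__main__":
    print("leaky compare   ->", attack(leaky_equals))
    print("constant-time   ->", attack(constant_time_equals))
```

The recovery needs at most 256 guesses per byte instead of 256 to the power of the length, which is why authentication tokens, MACs and password hashes must be compared with a constant-time routine (hmac.compare_digest in Python, CRYPTO_memcmp in OpenSSL) and never with == on secrets.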
A number of techniques have been proposed to thwart attacks at the hardware level. Tamper-resistant hardware devices have become an important consideration because of their criticality as an entry point to overall system security. The Trusted Platform Module (TPM) provides cryptographic primitives and protected storage along with the functionality to exchange tamper-resistant evidence with remote servers [29–31,28]. The term Trusted Computing Base (TCB) refers to the parts of a system, the set of all hardware and software components, that are critical to the overall security of the system. The TCB must not contain any bugs or vulnerabilities, because these might jeopardize the security of the entire system. An exhaustive and rigorous examination of its code base is conducted through computer-assisted software audit or program verification to ensure the security of the TCB. In hardware watermarking, ownership information is embedded and concealed in the description of a circuit, preventing the host object from being illegally counterfeited. Hardware obfuscation is a technique that modifies the description or the structure of electronic hardware to intentionally conceal its functionality. These techniques are used to prevent adversaries from obtaining the original design or counterfeiting/cloning important parts of the hardware such as IC units. Countermeasures against side channel attacks include introducing noise so that the physical information cannot be observed directly, filtering some parts of the physical information, and masking/blinding, which seeks to remove any correlation between the input data and the side channel
3.2. Software defects
A software bug is the common term for an error, flaw, mistake, or fault in a computer program, whether in the operating system, external I/O interface drivers, or applications. Cyber attacks use software bugs to their benefit, causing systems to behave in unintended ways that differ from their original intent. The majority of cyber attacks today still occur as a result of exploiting software vulnerabilities caused by software bugs and design flaws.
Software-based exploitation occurs when certain features of the software stack and its interfaces are exploited. The most common software vulnerabilities result from bugs in memory handling, user input validation, race conditions and user access privileges [40,39,42]. Memory safety violations are performed by attackers to modify the contents of a memory location. The most prominent technique is the buffer overflow, which occurs when a program tries to store more data in a buffer than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra data can overflow into adjacent memory, corrupting or overwriting the valid data held there, including return addresses and function pointers, which lets attackers redirect the execution of the running process. Input validation is the process of ensuring that input data follows certain rules. Incorrect input validation can lead to data corruption, as seen in SQL injection, one of the best known techniques for exploiting a bug in a website's software: an attacker injects SQL commands through a web form either to change the database contents or to dump database information such as credit card numbers or passwords to the attacker. In a race condition, an adversary exploits a flaw in a process whose output is unexpectedly and critically dependent on the timing of other events. Time of check to time of use (TOCTOU) is a bug caused by changes in a system between the checking of a condition and the use of the result of that check; exploiting it is also referred to as exploiting a race condition. Privilege confusion is the act of exploiting a bug to gain elevated access to resources that are normally protected from an application or user. The result is that adversaries with more privileges than intended perform unauthorized actions such as accessing protected secret keys.
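Two of the defect classes above in running code, as an added example that is not from the paper: an SQL injection through unvalidated input next to the parameterised query that closes it, and a TOCTOU race on a file next to a version that validates the descriptor it actually opened, leaving no window to race. The SQLite rows and the temporary files are constructed; the during_window hook is a stand-in for the attacker acting between check and use, and the file part assumes a POSIX system (O_NOFOLLOW).

```python
"""SQL injection and TOCTOU, vulnerable beside fixed (added example, not from the paper)."""
import os
import sqlite3
import stat
import tempfile


def make_db():
    """In-memory table with constructed rows standing in for a web app's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, card TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "4111-1111"), ("bob", "5500-0000")])
    return conn


def lookup_vulnerable(conn, name):
    # The bug: form input is spliced into the SQL text, so it can close the
    # string literal and rewrite the WHERE clause (name = "x' OR '1'='1").
    sql = "SELECT name, card FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # Fix: the value travels as a bound parameter and is never parsed as SQL.
    return conn.execute("SELECT name, card FROM users WHERE name = ?",
                        (name,)).fetchall()


def read_regular_unsafe(path, during_window=lambda: None):
    """Check-then-use: validate the name, then open the name again.
    during_window simulates the attacker acting between the two steps."""
    if not stat.S_ISREG(os.lstat(path).st_mode):
        raise PermissionError("not a regular file")
    during_window()
    with open(path, "rb") as f:   # re-resolves the name: it may now be a symlink
        return f.read()


def read_regular_safe(path, during_window=lambda: None):
    """Open first (refusing symlinks), then validate the descriptor you hold."""
    during_window()               # whatever the attacker does happens before the open
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError("not a regular file")
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as f:   # f now owns fd and closes it
        return f.read()


def toctou_demo(read_fn):
    """Attacker swaps the checked file for a symlink to a secret during the
    window. Returns the bytes read, or b'denied' when the read is refused."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret")        # constructed victim file
        upload = os.path.join(d, "upload.txt")    # file the service agreed to read
        with open(secret, "wb") as f:
            f.write(b"SECRET")
        with open(upload, "wb") as f:
            f.write(b"harmless")

        def swap():
            os.unlink(upload)
            os.symlink(secret, upload)

        try:
            return read_fn(upload, during_window=swap)
        except OSError:           # ELOOP from O_NOFOLLOW, or PermissionError
            return b"denied"


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, payload))   # dumps every row
    print("safe:      ", lookup_safe(conn, payload))         # no such user
    print("toctou unsafe:", toctou_demo(read_regular_unsafe))  # leaks the secret
    print("toctou safe:  ", toctou_demo(read_regular_safe))    # refused
```

The two fixes share one principle: make the decision on the object the program actually uses (a bound parameter, an open descriptor) rather than on a string that is re-interpreted later.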
In the programming community, a number of projects have been initiated that make security a major goal [36–38]. Beyond fixing the common set of inherent security flaws, the primary concern of these projects is to provide new ideas in an attempt to create a secure computing environment. In code review-based secure coding practice, software engineers identify common programming errors that lead to software vulnerabilities, establish secure coding standards, educate software developers, and advance the state of the practice in secure coding. In language-based secure coding practice, techniques are developed to ensure that programs can be relied on not to violate important security policies. The most widely used techniques are analysis and transformation. A well-known form of analysis is type checking, where unsafe operations on objects are detected before the program is run. A well-known form of program transformation is the addition of runtime checks, where the program is instrumented in a way that prevents it from taking any policy-violating step. Code obfuscation is the process of producing source or machine code that is difficult for humans to understand [43,44]. Programmers often deliberately obfuscate code to conceal its purpose or logic and so hinder reverse engineering; obfuscation only raises the cost of analysis and does not prevent it. Secure design and development cycles have also been proposed in [41,27], providing a set of design techniques that enable efficient verification that a system component is free of potential defects from its original design. Though they are not straightforward to apply, formal methods provide the ability to comprehensively explore a design and identify intricate security vulnerabilities. Tools [34,35] and techniques [32,33] have been developed to facilitate the verification of mission-critical security properties. These tools and techniques help to translate higher-level security objectives into a collection of atomic properties to be verified.
3.3. Network infrastructure and protocol vulnerabilities
Early network protocols were developed to support an entirely different and much smaller-scale environment than we have today, and often do not work properly in many of the situations in which they are used now. Weaknesses in network protocols are compounded when both system administrators and users have limited knowledge of the networking infrastructure [46,47]. For example, system administrators may not use strong encryption schemes, may not apply recommended patches on time, or may forget to apply security filters or policies.
One of the most common classes of network attack exploits the limitations of the commonly used network protocols: Internet Protocol (IP), Transmission Control Protocol (TCP) and Domain Name System (DNS). IP is the main protocol of the network layer. It provides the information needed for routing packets among the routers and computers of the network. The original IP protocol did not have any mechanism to check the authenticity and privacy of the data being transmitted. This allowed data to be intercepted or changed while in transit over unknown networks between two devices. To address the problem, IPsec was developed to provide authentication and encryption of IP traffic. For many years, IPsec has been one of the main technologies for creating a virtual private network (VPN), which creates a secure channel across the Internet between a remote computer and a trusted network (i.e., a company intranet). TCP sits on top of IP to provide reliable (i.e., retransmitting lost packets) and ordered delivery of packets. SSL was originally developed to provide end-to-end security between two computers, as opposed to securing only a single network layer, and sits on top of TCP. SSL/TLS is commonly used with HTTP to form HTTPS for secure Web pages. The Domain Name System (DNS) is the protocol that translates human-readable host names into 32-bit (IPv4) Internet Protocol addresses. It essentially works as a directory for the Internet, telling a host which IP address to send packets to when the user enters a URL. Because plain DNS replies are not authenticated (DNSSEC, where deployed, adds signatures to address this), an attacker may be able to send forged DNS messages to impersonate an Internet server. Another major concern about DNS is its availability. Because a successful attack against the DNS service would create a significant communication disruption in the Internet, DNS has been the target of several Denial-of-Service
Cryptography is an essential tool for protecting data transmitted between users, by encrypting the data so that only the intended users with the appropriate keys can decrypt it. Cryptography is the most commonly used mechanism for protecting data. A survey conducted by Computer …