BT: Difference between revisions
Line 146: | Line 146: | ||
====Alan comment:==== | ====Alan comment:==== | ||
Where would the students get the devices from? Group coordination would be tricky, but perhaps interesting. Danger that one student could find the whole thing trivial, leaving others with nothing to do. | |||
====Original suggestion==== | ====Original suggestion==== | ||
Revision as of 07:30, 7 October 2015
Current contact: Daniel Garner, daniel.garner@bt.com
New suggestions for 2016
Am I where I think I am?
Alan comment:
I don't really see what the project is here - "finding ways", or "reviewing ways"? What are they supposed to build?
Original suggestion
Today over1 billion Android smart phones rely on Google Location Services to tell their users where they are and where they are going, every day. Given the growing reliance on this information, how can users be sure the location data they are relying on is accurate, reliable and safe? How can they be certain that when they don’t want to disclose their location, their device isn’t continuing to do so behind their backs?
This project addresses the first concern by finding ways of trusting location providers, so that users can place greater confidence in the service they’re receiving. We suggest approaching the disclosure concern by reviewing ways of locating a device, such as through connectivity, sensors, and the immediate environment. Once we understand the options for locating the device, we can implement ways of safeguarding prevention of data collection. That way your private business meeting really does stay private.
The outcomes of the project will be an improved understanding of how location based services work, their strengths and weaknesses, and a tool demonstrating the most significant aspects.
IMSI Grabbing
Alan comment:
Sounds plausible - need an application idea that incorporates this technique.
Original suggestion
An IMSI is an International mobile subscriber identity - every mobile phone has one, and they are unique. Because mobile devices broadcast their IMSI, threat actors have the opportunity to detect the presence of a device. For individuals who are at risk from physical attack, such as when carrying valuable goods or sensitive information between offices, accidentally announcing their location may be unwise.
This project builds on the Open Source Android IMSI-Catcher Detector, which implements ways of detecting IMSI grab attempts. We want to take an extra step, and detect the attempt by device and radio behaviour, rather than relying on whitelisting safe cell sites.
The outcomes of the project will be a tool that announces to the user that their device has had an IMSI grab attempt directed at it. The ideal solution will go one step further, by reporting on and implementing a technique to prevent the threat actors from receiving the device’s IMSI.
Has my mobile device been rooted?
Alan comment:
Not enough work for a team. Combine with one of the other projects?
Original suggestion
Rooting is the process of allowing users of smartphones, tablets and other devices running the Android mobile operating system to attain privileged control (known as root access) over various Android's subsystems. For many people this is a good thing, because it enables them to perform operations the platform normally prevents them from doing. But what if someone else rooted the device without them knowing?
This project aims to find ways of detecting if the device has been rooted without the knowledge of its user. Current techniques to do this are weak, leaving ways to evade their detection.
The outcome of the project will report on and demonstrate an Android application that implements novel methods of detecting the rooted state. It will show how difficult it is to circumvent the detection, perhaps backed up by evidence from the behaviour of real malware.
What can my second factor be?
Alan comment:
How close is this to the Pico project, or other security group work? Should check with them. "evaluation of a range" of options is not an approach we have recommended to group projects in the past, but could conceivably be done.
Original suggestion
Two factor authentication improves security of normal username and password authentication by exploiting the “something I have, and something I know” approach. The widest application of this is in the banking sector, where a user authenticating online typically receives a onetime code via SMS, which the website verifies. Other popular online service providers, such as Google, Facebook and Dropbox, all offer similar two-factor authentication systems too.
The aim of this project is to find new and unusual forms for the “something I have” part. This must not have a negative impact on the user experience, and not require a change of user behaviour. What about using near field communication readers in mobile phones to read some details from a credit card, or using session data in a user’s device to see that they are using their home machine? Suh and Devadas wrote a paper for the ACM entitled “Physical Unclonable Functions for Device Authentication and Secret Key Generation”, in which they set out the properties and examples of good unclonable functions. The paper may serve as a good starting point for this project.
The outcomes of this project will be an evaluation of a range of novel second factors, including an implementation of each. Each will need a thorough analysis, so that we can understand how easy and secure each option is. It should round up with a recommendation of the best of the bunch.
Detecting power cuts from internet data
Alan comment:
Sounds good. We need to find out what the data is.
Original suggestion
Companies providing a service that relies on the UK’s power and network infrastructure need to know when things go wrong as quickly as possible. But with so much legacy infrastructure out in the wild, monitoring it all becomes a complex and expensive task.
There may be an answer based on how traffic flows across the internet. Can we inspect the data flowing across our network, and find a way to detect a number of service deterioration events, or disconnection events, and cluster them? If so, can we begin at a high level, for instance clustering service disruption in order to localise it to a particular failing device in the core of the BT network, before going down to a low level, for instance clustering within a postcode?
The outcomes of this project will be a study of search algorithms that allow us to detect power loss events, and a software tool that implements it and maps the likely fault area. In order to make this realistic, we expect to provide real anonymised data from the BT network.
Am I over sharing?
Alan comment:
How much is "over"? Could this be extended to consider people who are invisible on the web, or don't have easily verified identities (perhaps because of common name)? It's going to require a search index, and I can't imagine any serious alternative to using Google API (or perhaps a Google alternative?) Wouldn't want to encourage 1b students to create indexing spiders.
Original suggestion
In recent years, many people have protested about how complex the privacy settings of many widely used social media sites. Social media sites like Facebook are not the only source of personal information that is freely available online: there are professional sites like LinkedIn, as well as less obvious sources such as electoral registers and local planning authorities. Including privileged sources enriches the available data even further, including things like credit checks.
The complexity arises from understanding and quantifying the reliability of sources, and unifying different data sources. There should also be consideration about how relevant the information is and which sources are most trusted.
The aim of this project is to find a way to discover and present the user with an assessment of how much personal data they have exposed online. This method must be easy to use, and ideally, provide recommendations about how to improve the situation if required.
Improving the performance of facial recognition algorithms
Alan comment:
Unlikely that 1B students would make progress on this. Could perhaps focus on small dataset for candidate matches, in order to use a quick and dirty algorithm rather than state of the art.
Original suggestion
Computer Vision forms a field of its own in research, and people have made exciting breakthroughs in how well software can recognise and identify individuals in an image. The process is still computationally expensive, and when resource constrained, slow.
We would like to port the functionality to mobile devices, so that for instance security personnel carrying cameras can have individuals around them identified against known images in real time.
The outcome of this project would be a theoretical explanation and demonstrable improvement in the time taken for identification. This project would suit an advanced student with a background in computer vision.
Auditing smart phone permissions
Alan comment:
Ask advice from ARB - perhaps add the root-kit functionality to here?
Original suggestion
Most users have dozens of free apps installed on their smart phones, and many users don’t check what permissions are requested as they install them. As businesses begin to champion bring-your-own-device schemes in the workplace, understanding the vulnerabilities of these unknown devices will be of paramount importance to system administrators.
The outcome of this project will be a smart phone app, which users can install on their devices, and will give them informative output about what applications have what permissions granted to them. In addition it should highlight anything consider a specific threat, or any applications with permissions that don’t align with its overt purpose.
Sudo and network security
Alan comment:
Framed as a consultancy report - not enough design content.
Original suggestion
Understanding security is of crucial importance to business, for the protection and availability of their IT infrastructure, and the protection of intellectual property and customer data stored on it.
The best practice is to apply security in layers, but any security is only as good as its weakest link, with perceived risk balanced against the initial and ongoing cost of a solution. This project is to understand what protection we can apply through skilful use of the Sudo command set to a program or application, running on Linux and UNIX devices hosted on a network operating Active directory.
The outcome of this project is to find, document and demonstrate ways to enhance security using the Sudo command set. The main areas to address are:
- Protection of the Sudoers file
- User account and role separation
- Protection against Sudo weaknesses that could lead to account compromise
- Applying penetration testing to demonstrate the strengths and weaknesses of the solution Further scope could include a cost, risk and benefits analysis, an analysis of usability and management overhead, and a comparison with other solutions.
Automated network provisioning
Alan comment:
Original suggestion
Teams of all sizes are embracing virtual environments for their servers and processing needs, but often they still deploy the networking elements of a system on physical network devices. The alternative is that their administrators have to engage in a long and complex configuration process to make a virtual network that fills their needs.
The aim of this project is to automate the creation of virtual networks, with minimal user direction and configuration. The outcome should be some software that can capture a user’s high-level requirements, inspect the layout of virtual machines deployed on common hypervisors like vSphere and OpenStack, and then automatically create and configure the network infrastructure. The project would likely take a phased approach, starting with simple networks and one hypervisor, but the potential scope is huge.
Can you hack my IOT device?
Alan comment:
Where would the students get the devices from? Group coordination would be tricky, but perhaps interesting. Danger that one student could find the whole thing trivial, leaving others with nothing to do.
Original suggestion
The concept of the internet of things (IOT) is the driving force that is beginning to flood the market with small, often simple devices that communicate over the internet. As the demand for these surges, how well are designers taking care of security?
The aim of this project is to analyse popular IOT devices, such as smart home sensors and smart watches, and see how they respond to well-known network attacks such as man in the middle and data spoofing. Where there are vulnerabilities, what data do they disclose? The outcomes of the project should be an analysis of the vulnerabilities of these types of devices and the consequences of their exploitation.
Anonymisation of big data sets
Alan comment:
Original suggestion
Big data and data security make up two of today’s hot topics. People make use of these big data sets for research, system testing, freedom of information disclosures, and even as resources in innovation competitions. In order to safeguard the privacy of the people described in this data, it must go through some anonymisation process. Narayanan et al have written an insightful paper on the subject, titled “A Precautionary Approach to Big Data Privacy”, that forms a good starting point for this project. The Information Commissioners Office publishes a Code of Practice about anonymisation, which sets out the reasons for and standards expected of a solution.
This project aims to understand the anonymisation problem by understanding the state of play in research and practice, and then developing, or pointing at, robust but practical tools. These tools should would work in both trusted, for instance audit use, and open, for instance publicly released online, environments.
It should justify the value of data anonymity traded off against retention of the statistical properties of the data. As an extra step, the project could contrast research and system test value of anonymised data with synthetically generated data sets.
Hunting domain generation algorithms
Alan comment:
Looks more like a Part II project - explore a single data set, with not much for a team to do.
Original suggestion
Malware deployed on the internet relies on contacting servers for its command and control. There is a battle going on between the malware designers and internet providers, where the designers open a new control server, and the providers try to find it and block it as quickly as they can to protect their customers.
The malware designer’s best weapon is the domain generation algorithm. It is there to generate new domain names for the control servers dynamically, so that the malware implants don’t have to contain a list of control servers that they will use in the future, meaning internet providers can’t pre-emptively block their URLs.
The aim of this project is to look into the DNS data flowing across the BT network, and find ways to detect the activity of a domain generation algorithm. When it identifies a generated domain, it should try to cluster similar instances, and then try to classify it against known malware. The ideal outcome is that we find new malware very quickly, allowing us to block it or capture it for static analysis. In order to make this project realistic, we expect to provide real anonymised data from the BT network.
The outcome of the project should be software that can examine network data, and carry out the clustering and classification. You could apply many techniques, likely focussing around machine learning.
2014
Contacts: fraser.burton@bt.com
Projects proceeding:
original suggestions
Project 1 : How important is visual feedback to the success of in air gesture UIs ?
Catherine White
In air gesture control has been imagined for decades and was popularized by the film Minority Report. In recent years, hardware such as Kinect and Leap Motion have transformed the concept to technical reality. However, no really pervasive in air gesture control UI has emerged. One hypothesis for this lack of success is that lack of visual feedback make such UIs difficult to control, requiring too much conscious effort. You will investigate how providing visual feedback affects the ease of use of an in air UI. You will consider the users awareness of himself and his state of interaction with the system. You will develop a UI for the purposes of running experiments (based on Leap Motion or Kinect hardware) and run experiments to determine effortlessness of use. You will choose whether to design a UI to be fully intuitive, or to develop a UI which requires learning but is then very easy to use. The types of visual feedback that you could consider providing to the user include: wire frame models of the user interacting with the system; abstract geometric representations (such as an bounding ellipsoid mapped to a hand, or cursors mapped to the end of each finger); or variations of colour, shade and shadow on the screen.
Project 2: Collaborative Multitouch Interfaces
Catherine White
10 point multitouch screens are now widely available, and continuous surface touch interfaces are also technically possible. How can two or more people make use of such an interface on a large screen or surface, for collaborative activities? You can draw on examples from social activities, games or the workplace and will think of a concept, develop and implement it. Finally, you will need to design and run usability tests of your idea to assess whether it has potential.
Project 3: Novel interactive data visualisations and UI demo
Ben Azvine
BT’s networks are a source of huge quantities of time-varying data which have many variables. A wealth of information can be extracted from such data, but initial exploration of the dataset may be formidable, particularly when the features of the dataset are initially completely unknown. There are a few standard means of data visualisation including trend graphs, bubble diagrams, network diagrams, pie charts, geographical maps, sun ray diagrams, and radial views. This project asks you to discover alternative Opensource visualisation techniques beyond these methods and to build an interface using one of these for the purpose of exploring a large, complex graph dataset visually in a way that allows discovery of correlations and clusters in the dataset (such as relatedness in a single or multiple category).
2013
Contacts: paul.reid@bt.com james.mistry@bt.com oliver.newbury@bt.com
Final project was: Terabyte threat analysis
Original introduction via Calum Eadie