Network in Internet and Mobile Malicious Software (NIMBUS)

Lead Research Organisation: Queen's University of Belfast
Department Name: Electronics Electrical Eng and Comp Sci


The transformation of communication and computing technologies in terms of accessibility, ubiquity, mobility and coverage, has enabled new opportunities for personalised on-demand communication (e.g. Facebook, Twitter). This is in addition to new market places for e-commerce and e-businesses, personalised platforms for e-governments and a vast range of new user-centric applications and services. The number of mobile apps (iPhone, Android) taking advantage of the cloud infrastructure has risen beyond several hundred thousand, reshaping the way we communicate and socialise.

This shift in communication technology and services has also led to the emergence of unforeseen types of security and privacy threats with social, economic and political incentives, resulting in major research challenges in terms of the protection and security of information assets in storage and transmission.
Therefore, Digital Security is vital in ensuring the UK is a safe place to do business, can act as a source of competitive advantage for foreign direct investment and provide a platform for SMEs and large corporations alike to develop products that use or supply this security market.

Recent years have seen a massive growth in malware, fuelled by the evolution of the Internet and the migration from malware written by hobbyists to professionally devised malware developed by rogue corporations and organized criminals, primarily targeted for financial or political gain. In 2010, Symantec identified more than 240 million new malicious programs; albeit that many of these are variants of existing malware. Another report, suggests that the actual malware family count is between 1,000 and 3,000.

The detection of malware is a major and ongoing problem. The battle against malware has escalated over the past decade as malware has evolved from simple programs that had little ability to evade detection, the main objective of which was to cause havoc, to more complex programs that target profit and deploy sophisticated evasion techniques.

The focus of the NIMBUS network of researchers is to act as a catalyst to develop a balanced programme of both blue skies research and near term applied research that will assist in the fight against cyber crime in the UK. Malware related cyber threats are global in nature, hence it is essential that an international approach is taken to address these issues. Only a global network of centers of excellence is expected to provide the essential breadth and depth of know-how and the necessary critical mass of specialist competencies for resolving major Cyber Security challenges. NIMBUS will act as the UK's interface to international engagements with research networks in Europe, US and Asia.

Planned Impact

CSIT was established at Queen's University Belfast with the main objective of promoting industrial partnership and the commercial exploitation of University research. CSIT has an active Industrial Advisory Board with wide participation from UK and international industrial experts and partners. Manned by senior representatives from the security, systems integration, IT and networking industries complemented by staff from UK government and security agencies, the board provides an active pathway for the commercial exploitation of research. Malware research is of particular interest to the following board members: BAE Systems, Advanced Technology Centre; Thales UK, Research & Technology Centre; Home Office Science & Technology Branch representatives, IBM security products division, DSTL and GCHQ. We have promoted and demonstrated our work to all these organisations. These existing and well developed relationships offer an excellent basis for establishment of a network of research excellence which engages directly with many of the key UK stakeholders. In addition to the CSIT industrial advisory board we have well developed contacts in the UK retail banking "virtual task force" and the Metropolitan Police eCrime Unit.

Queen's University Belfast also has an excellent track record of developing spin-out companies to commercialise research, including several within CSIT. In 2009 the University was awarded the prestigious UK "Times Higher Education Entrepreneurial University of the Year" award in recognition of the sustained economic contribution made by spin-out companies from Queens. The institute has recently offered all staff and research students the opportunity to attend the ECIT Entrepreneurship Programme. The programme will consist of a series of workshops delivered at ECIT over 5 consecutive days and completion of the programme leads to the QUB Certificate in Entrepreneurship Studies.

Capacity and Involvement
CSIT has a dedicated commercial team, responsible for initiating industrial contacts and developing commercial opportunities such as intellectual property licensing, targeted research contracts and knowledge transfer partnerships. The CSIT commercialisation team raises awareness of our security research by actively participating in (e.g. taking stands at) industry trade shows such as the RSA Europe Conference, and the InfoSecurity Europe Conference held in London. They develop marketing collateral and handle press relations. The commercial team also have the services of a technical marketing executive with extensive experience of Web site management and social media campaigns. CSIT will use these proven, well established structures and mechanisms in order to promote the work of the NIMBUS malware research network, generate interest among (and receive feedback from) stakeholders, disseminate knowledge and exploit the intellectual property and know-how generated by the work.
Description NIMBUS is a network and a research forum comprised of leading academic and industrial research groups, user groups and public security and defence related research organisations, with the aim of exchanging research outputs, sharing knowhow, experience and research resources, jointly developing new research strategies and engaging in knowhow and technology transfer and collaborative research.

Our goal with this network was to enable a medium for cross disciplinary communication amongst diverse research groups, organisations, networks and major cyber security related stake holders, in order to enhance active malware and botnet related research, skills and capabilities within the UK.

Most of the targeted objectives have been met. Information and data-sets on malware have been discussed during the meetings and models how to make data-sets available to the community have been explored. The industrial partners have helped the academic partners to access to malware related research resources, such as traffic samples, malware samples and relevant log files, essential for successful research in malware defence.
Exploitation Route As a research network, the meetings helped the NIMBUS members to engage in dialog with industrial and academic partners, resulting in knowledge sharing and access to data-sets amongst the partners. Regular network member meetings, with leading academic and industrial experts provided a successful forum for disseminating information on malware and cybersecurity.

Going forward, it is essential that NIMBUS is extended into a platform for sharing data-sets and cyber intelligence, providing support and resources to the UK academic research community in malware research, beyond its current role as a networking forum.
Sectors Digital/Communication/Information Technologies (including Software),Electronics

Description NIMBUS has been a successful network and forum for disseminating information on cybersecurity and malware amongst the academic partners in UK, Ireland US and Asia. The network enabled to engage with international partners and corporations and to access to new malware related data-sets, which otherwise would not be able to obtain. Furthermore, the network enabled us to engage in follow-on mini projects and develop research partnerships with international organisations including McAfee, ETRI, AhnLab and Hanyang. Follow on partnerships has resulted to new data-set generation and the development of new cloud-based malware detection methods, which is then licensed to by ETRI to AhanLab.
First Year Of Impact 2016
Sector Digital/Communication/Information Technologies (including Software),Education,Electronics
Impact Types Economic,Policy & public services

Description Malware related test data exchange with ETRI 
Organisation Electronics and Telecommunications Research Institute (ETRI)
Country Korea, Republic of 
Sector Public 
PI Contribution We have closely worked with the South Korean Electronics and Telecommunications Research Institute (ETRI) on Cloud Security and shared with ETRI, AhnLab and Hanyang research data-sets for cloud-based malware detection. We have produced network traffic generated by a range of infected PCs in an isolated test lab to better understand the communication patters, such as C&C and exfiltration, of ransomware and Zeus malware. Furthermore, we generated benign traffic with similar configuration for ML training purpose. These datasets were then shared with ETRI to develop a cloud-based malware detection method using localised traffic monitoring agents.
Collaborator Contribution ETRI and Ahnlab has provide malware samples in form of email attachments, which we used to infect various isolated PCs in the lab, They also provided various log data that characterises the behaviour of malware within virtualised environment. This has helped to develop our isolated test network with emulated communication nodes to experiment and monitor traffic patterns of infected nodes, such as beaconing of compromised nodes.
Impact A cloud-based malware detection method was developed and by ETRI licensed to Ahnlab.
Start Year 2013