Master's programme in network forensics at Utexpo
On this page, the Utexpo participants have summarised their projects. Here you can discover and read about exciting projects from the Master's programme in network forensics.
CTEM: the next big thing or just a buzzword?
- Participants: Lisa Larsson and Alice Svensson.
- Collaborator: Knowit Cybersecurity & Law.
This thesis investigates Continuous Threat Exposure Management (CTEM) compared to the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) 2.0. Through a comparative analysis and interviews with cybersecurity professionals, the study aims to explore how CTEM can help organizations adopt a more continuous and adaptive approach to manage cybersecurity risks.
The results show that CTEM offers a dynamic and proactive approach to threat management, focusing on continuous monitoring, while NIST CSF 2.0 relies more on traditional methods. It also identifies similarities and differences between the frameworks, recognizing that the continuous approach can complement NIST CSF 2.0. That integration can strengthen an organization's comprehensive cybersecurity strategy that addresses current and emerging threats. A combination of CTEM and NIST CSF 2.0 addresses challenges such as management support, which are discussed in the discussion. The combination can lead to an approach of sustained resilience against cyberthreats and ensure a safer digital environment with economic benefits for organizations.
Pattern-based detection of malicious browser extensions
- Participant: Tobias Frei.
Browser extensions offer powerful customization but can also betray user trust – secretly harvesting data, injecting ads or executing malware – all while hiding behind benign manifests. My thesis presents a manifest level fingerprinting framework that adapts to Chrome’s transition from Manifest Version 2 (MV2) to the more restrictive Version 3 (MV3).
We began by snapshotting the Chrome Web Store (CWS) in January 2025, gathering 45 848 MV2 and 88 327 MV3 extensions. A ground truth set of known malicious and policy violating extensions (“Security Noteworthy Extensions” or SNEs) served to calibrate our detectors. First, we applied Google’s extension manifest converter (EMC) to convert known malicious extensions from MV2 to MV3. Second, we searched for patterns in malicious and benign converted MV3 extensions to extract the malicious ones. EMC-based patterns achieved strong detection (≈80 % flagged) on MV2→MV3 converted extensions but collapsed on pure MV3, indicating very low EMC usage.
To address this, we developed MV3 native pattern analysis: we used MV3-native malicious and benign extensions and used a similar pipeline. The classifier trained on the found patterns scored all MV3 extensions. We further analyzed scoring distributions to identify high risk score ranges and demonstrated that MV3 patterns yield robust detection. Overall, the results are in line with previous research.
This manifest level approach provides an efficient, static early warning system.
Predictive Modelling for Network Security Incidents Using AI on Layer 2 Data
- Participants: Dantene Davis and Ishika Trony.
Cyber attacks evolve quickly beyond the reach of current detection systems. To defeat zero-day attacks, we introduce a Convolutional Neural Network (CNN)-driven system for real-time malware detection. Our approach learns from previous network traffic to identify dangerous patterns and is tested using tampered malware samples in live traffic, which offers more flexibility towards emerging threats than rule-based systems. We use tools like Wireshark and Zeek to monitor Layer 2 traffic and scan anomalies in MAC and ARP traffic. To improve detection rates, we establish a “golden dataset” containing both real and artificially generated threats. Accuracy, precision, recall and F1-score metrics prove that CNNs are superior to conventional detection tools like Snort and machine learning-based tools like Random Forest. By merging deep learning and network security, our approach boosts cyber resilience and offers an extendable way of zero-day attack detection.
Privacy-Preserving Anomaly Detection in Encrypted Traffic
- Participants: Aiswarya Jayakumari and Jincy C Shaji.
Traditional cybersecurity techniques that depend on examining the content of data packets are no longer viable because over 90 % of internet traffic is now encrypted using tools like VPNs and Tor. Without compromising encryption or user privacy, this research offers a privacy-preserving method for identifying irregularity in encrypted network data.
Using only metadata (for example packet size, flow duration, timing), we apply dimensionality reduction with Principal Component Analysis (PCA) and detect anomalies using unsupervised machine learning, especially Isolation Forest. The system was evaluated on the CIC-Darknet2020 dataset and achieved strong performance (AUC = 0.94).
We created 13 interactive visualizations to assist analysts in spotting questionable trends without viewing the packet content to support real-world forensic work. The effectiveness of the system, especially the PCA cluster plots and the Precision-Recall curve, was validated by a user study. Our method suits cybersecurity and law enforcement activities, and complies with GDPR.
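As an added illustration of the metadata-only idea in this summary (not code from the thesis, and not the CIC-Darknet2020 evaluation), the block below scores constructed flow records with a minimal isolation forest written on the Python standard library. The PCA step and the sklearn implementation are omitted; the flow features, the two planted outliers and all thresholds are assumptions made for the example.

```python
import math
import random

# Constructed flow metadata (NOT the CIC-Darknet2020 dataset used in the thesis):
# each record is (duration_s, total_bytes, packet_count, mean_inter_arrival_s).
# Only metadata is used; no payload is ever inspected.
def make_flows(seed=7, n_normal=40):
    rng = random.Random(seed)
    flows = []
    for _ in range(n_normal):
        pkts = rng.randint(5, 60)
        duration = round(rng.uniform(0.2, 8.0), 3)
        flows.append((duration, pkts * rng.randint(80, 1200), pkts, round(duration / pkts, 4)))
    flows.append((7200.0, 5_000_000, 40_000, 0.18))    # planted: very long, high-volume session
    flows.append((0.05, 800_000, 20_000, 0.0000025))   # planted: burst of tiny packets
    return flows


def _c(n):
    """Average path length of an unsuccessful BST search over n points (normalisation term)."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n


def _build_tree(points, depth, limit, rng):
    """Recursively split on a random feature at a random cut until points are isolated."""
    if depth >= limit or len(points) <= 1:
        return ("leaf", len(points))
    dims = range(len(points[0]))
    splittable = [d for d in dims if min(p[d] for p in points) < max(p[d] for p in points)]
    if not splittable:
        return ("leaf", len(points))
    d = rng.choice(splittable)
    lo, hi = min(p[d] for p in points), max(p[d] for p in points)
    cut = rng.uniform(lo, hi)
    left = [p for p in points if p[d] < cut]
    right = [p for p in points if p[d] >= cut]
    return ("node", d, cut,
            _build_tree(left, depth + 1, limit, rng),
            _build_tree(right, depth + 1, limit, rng))


def _path_length(tree, p, depth=0):
    if tree[0] == "leaf":
        return depth + _c(tree[1])
    _, d, cut, left, right = tree
    return _path_length(left if p[d] < cut else right, p, depth + 1)


def isolation_forest_scores(points, n_trees=100, sample_size=32, seed=1):
    """One anomaly score in (0, 1] per point; higher means the point is isolated faster."""
    rng = random.Random(seed)
    sample_size = min(sample_size, len(points))
    limit = math.ceil(math.log2(sample_size))
    trees = [_build_tree(rng.sample(points, sample_size), 0, limit, rng) for _ in range(n_trees)]
    norm = _c(sample_size)
    scores = []
    for p in points:
        mean_path = sum(_path_length(t, p) for t in trees) / n_trees
        scores.append(2.0 ** (-mean_path / norm))
    return scores


def rank_flows(flows, **kw):
    """Indices of flows ordered from most to least anomalous."""
    scores = isolation_forest_scores(flows, **kw)
    return sorted(range(len(flows)), key=lambda i: scores[i], reverse=True)


if __name__ == "__main__":
    flows = make_flows()
    scores = isolation_forest_scores(flows)
    for i in rank_flows(flows)[:5]:
        print(f"flow {i:2d} score={scores[i]:.3f} meta={flows[i]}")
```

The two planted records end up at the top of the ranking because a random cut on duration, byte count or packet count separates them from the rest almost immediately, which is exactly the property an analyst relies on when the payload is unreadable.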
Privacy-Preserving Malware Detection with Explainable AI (XAI) – A Federated Learning Approach
- Participants: Mary Divya Thundiparambil Dominic and Joemon Ranjan.
This project focuses on developing a privacy-preserving malware detection framework using Federated Learning (FL) combined with Explainable Artificial Intelligence (XAI). Traditional AI-based cybersecurity systems often compromise data privacy due to centralized data collection. This framework addresses that concern by utilizing FL to train machine learning models across distributed clients without sharing raw data, thus enhancing data confidentiality and compliance with privacy regulations, such as GDPR.
To tackle the challenge of interpretability in AI-driven decisions, the project incorporates XAI techniques – specifically SHAP and LIME – which help cybersecurity analysts understand why certain data is classified as malicious. A Logistic Regression model was used within the FL framework and achieved a high accuracy of 99.78 % on test data. Differential privacy mechanisms were integrated to further ensure data protection without compromising model performance.
A real-time Flask API was also implemented for practical deployment, allowing for on-the-fly malware detection with transparency and privacy safeguards. This work contributes a scalable, interpretable, and privacy-aware solution to modern malware detection challenges.
Swedish Password Cracking with PassGAN: Generating Tailored Swedish Password Dictionaries for Offline Cracking
- Participants: Mohamad Al Chtiwi and Kevin Laurila.
Passwords are still the most common form of authentication used today. Most computers and mobile phones available today offer built-in encryption and password protection for storage. Password cracking plays a huge role in digital forensic investigations. The efficiency of cracking passwords is affected by the password lists chosen and can be extremely difficult at times.
However, people often choose simple passwords that are easy to remember. Users also tend to use personal information when creating their passwords, which can be exploited. This study focuses on generating tailored and customised word lists with PassGAN for improving password cracking on passwords in Swedish. We also analysed patterns, trends and contextual information in a collection of Swedish password leaks. To our knowledge, no other study in Sweden has addressed this research problem.
Our analysis of Swedish password leaks showed that users tend to stay away from long, complex passwords and instead choose simple ones that are easy to remember. Using PassGAN, we could create a customised Swedish password dictionary that outperforms rockyou.txt, the most popular password list, by leveraging Swedish users’ tendencies and unique linguistic structure. The new generated password dictionary is tailored to the nuances of the Swedish language.
Smart but Vulnerable: Features That Draw Attackers to Smart Contracts
- Participants: Henrik Knutsson and Matilda Engholm Flärd.
Smart contracts are self-executing programs designed to perform a specific task. Once deployed on a blockchain, smart contracts cannot be changed or reprogrammed and must therefore be resilient to prevent attackers from profiting by exploiting bugs or flawed features. This thesis aims to identify functionalities that attract attackers to Ethereum-deployed smart contracts, the vulnerabilities that are exploited to access them, and methods for detecting and mitigating these vulnerabilities. To achieve this, we analyzed incident reports, analyses and other sources with details on attacks that occurred in 2024.
The study concludes that the functionality most targeted was fund management, followed by price calculations, borrow and repayment mechanisms, and liquidity management. Vulnerabilities that exploited these include logic errors, lack of input validation, arbitrary external calls, unregulated access control and price oracle manipulation. Detection involves a combination of audits, scenario testing, and code reviews. A general mitigation strategy should include a clear rule and behavior definition, strict access control, routines for input validation, using reputable libraries and multiple external price oracles. These findings were combined to propose a framework for improving the security of smart contracts, using cyber threat intelligence to identify critical functionalities and prevent future attacks.
The Future of Medical Device Cybersecurity: Preparing for Quantum Computing Threats
- Participants: Akhil Marath Dayalan and Shikha Eveline.
We researched how to keep medical devices like pacemakers, insulin pumps and wearable health monitors safe from future cybersecurity risks, especially from quantum computers. These devices, part of the Internet of Things (IoT) in healthcare, collect and send critical patient data in real-time, improving care but creating vulnerabilities. Currently, they use Elliptic Curve Cryptography (ECC), which is efficient with limited power and memory. However, quantum computers, expected in the next two decades, could break ECC with algorithms like Shor’s – threatening privacy and safety.
We compare ECC with Kyber512, a quantum-resistant method from NIST’s post-quantum cryptography standards. Kyber512 offers strong protection but needs more memory and power, challenging small devices. Using simulations and benchmark data, we assess their performance in key generation, encryption speed and resource use for lightweight medical IoT. Results show ECC suits now, while Kyber512 fits the future with hardware upgrades.
We recommend a hybrid approach: using ECC in the short-term and preparing for Kyber512 as devices evolve, with hardware improvements and updated regulations like HIPAA, to ensure security as quantum technology advances. Our work guides manufacturers, researchers and policymakers for a safer healthcare future.
Uncovering hidden digital traces: Investigating steganography in encrypted IoT traffic
- Participants: Ahmed Mourad and Thanh Quang Le.
The rise of encrypted communication in IoT has improved data privacy, but also made it harder to detect hidden threats. This study explores whether steganography in encrypted IoT traffic can be identified by analyzing metadata instead of decrypting the content. A Python-based detection framework was built and tested using three steganographic methods: packet size changes, timing patterns and message sequencing. These were applied to MQTT over TLS traffic in a controlled setup.
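As an added example (not the thesis's own Python framework), the block below shows the metadata-only detection idea for two of the three covert channels named in the summary: timing patterns and packet size changes. It works on constructed (timestamp, TLS record length) pairs standing in for MQTT-over-TLS publishes from one sensor; the stream generators, the irregularity and entropy measures, and the thresholds are all assumptions for the example, and message sequencing is not covered.

```python
import math
import random
import statistics
from collections import Counter

# Constructed metadata for MQTT-over-TLS publishes: list of (timestamp_s, tls_record_bytes).
# The encrypted payload is never inspected; only arrival times and record lengths are used.

def clean_stream(n=200, period=1.0, seed=3):
    """Sensor that publishes once per second with small jitter and near-constant record size."""
    rng = random.Random(seed)
    t, out = 0.0, []
    for _ in range(n):
        t += period + rng.gauss(0, 0.01)
        out.append((round(t, 4), rng.choice((131, 132, 133))))
    return out


def timing_stego_stream(n=200, period=1.0, seed=5):
    """Constructed timing channel: a stretched gap stands for bit 1, a normal gap for bit 0."""
    rng = random.Random(seed)
    t, out = 0.0, []
    for _ in range(n):
        bit = rng.randint(0, 1)
        t += period * (1.5 if bit else 1.0) + rng.gauss(0, 0.01)
        out.append((round(t, 4), rng.choice((131, 132, 133))))
    return out


def size_stego_stream(n=200, period=1.0, seed=5):
    """Constructed size channel: each record is padded so its length carries four bits."""
    rng = random.Random(seed)
    t, out = 0.0, []
    for _ in range(n):
        t += period + rng.gauss(0, 0.01)
        out.append((round(t, 4), 131 + rng.randint(0, 15)))
    return out


def gap_irregularity(stream, tolerance=0.2):
    """Fraction of inter-arrival gaps that deviate from the median gap by more than tolerance."""
    gaps = [b[0] - a[0] for a, b in zip(stream, stream[1:])]
    med = statistics.median(gaps)
    return sum(1 for g in gaps if abs(g - med) > tolerance * med) / len(gaps)


def size_entropy(stream):
    """Shannon entropy (bits) of the record-length distribution."""
    counts = Counter(size for _, size in stream)
    n = len(stream)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess(stream, baseline, gap_threshold=0.1, entropy_margin=1.0):
    """Flag a stream whose timing or size statistics drift from a known-clean baseline."""
    return {
        "timing": gap_irregularity(stream) > gap_threshold,
        "size": size_entropy(stream) > size_entropy(baseline) + entropy_margin,
    }


def demo():
    base = clean_stream()
    return {
        "clean": assess(clean_stream(seed=9), base),
        "timing_channel": assess(timing_stego_stream(), base),
        "size_channel": assess(size_stego_stream(), base),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} {result}")
```

The baseline comes from a period the analyst already trusts for that device; thresholds set this way are device-specific, and a channel that modulates sizes or gaps only slightly, within the natural jitter, will not be separated by these two statistics alone.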
What are we teaching our IoT Forensics Students? A qualitative assessment of educational courses
- Participant: Martina Sundelin.
Internet of Things Forensics is the subdiscipline of Digital Forensics dedicated to investigating Internet of Things devices. For various reasons, this is a complicated and highly technical field of study. Prior research has indicated that some practitioners feel unsure about their readiness to perform IoT Forensics at their workplaces. My work focuses on creating an understanding of the preexisting educational opportunities for aspiring IoT-forensics practitioners. Using Thematic Analysis, I have charted the contents of 24 educational courses offered by various universities around the world. I identify common themes and topics, as well as areas where current coverage is lacking.