
Sylvain P. Leblanc, PhD
- Professor (Full) at Royal Military College of Canada
About
34 Publications
6,163 Reads
1,000 Citations
Introduction
My research interests are:
1 - Cyber Operations Conceptual Development
2 - Cyber Mission Assurance
3 - Cyber Deception
My current work is on:
1 - Security Assessments of Closed Proprietary Systems
2 - Intrusion Detection on Aircraft data buses and other operational technologies
3 - Vulnerability assessments of networking protocols
Current institution
Additional affiliations
July 2018 - June 2019
July 2015 - June 2020
July 2005 - June 2015
Education
September 2000 - May 2014
September 1998 - May 2000
August 1985 - May 1990
Publications (34)
As nefarious activity in the cyber domain continues to increase, more and more actors are contemplating "hacking back" as a strategy for defence. At first glance, such deterrence may seem desirable because it intuitively offers a disincentive to the attacker to attack one's assets; a purely defensive stance that does not cause the attacker harm may...
Many tools and techniques can potentially contribute to preparing us to defend safety critical applications. Taking a cue from the fifth edition of the US Department of Homeland Security's namesake exercise, the aim of such preparation is to "Strengthen cybersecurity preparedness and response capabilities by exercising policies, processes, and proc...
This paper will argue for the use of fulsome Cyber operations in the education of Cyber Forces. The authors will describe such fulsome operations as those where participants must design a network to provide traditional information technology services and to support a simulated kinetic military mission, where they must implement the network as they...
It is necessary to understand how attackers operate to be able to defend against them. This paper examines how attackers may use the SMB protocol to exercise C2 of compromised computer systems inside a target network. The paper describes the SMB protocol and presents a characterization of it on an operational network to demonstrate how attackers ca...
The statement that cyber-attacks occur at "electron speed" is often offered as a truism in the study of cyber warfare. A reasonable consequence of this statement is that effective cyber defences should also respond almost instantaneously, creating a view of conflict in the cyber domain as a war of algorithms where processing speed and reaction time...
Object Management Group's Data Distribution Service for Real-Time Systems (DDS) middle-ware standard is a popular technology that forms the core of many mission-critical distributed real-time, data-centric systems, including command and control systems, Air Traffic Control (ATC) systems and critical infrastructure systems. This paper shows how DDS...
Client-side attacks have become very popular in recent years. Consequently, third party client software, such as Adobe's Acrobat Reader, remains a popular vector for infections. In order to support their malicious activities, PDF malware authors often turn to JavaScript. Because of this malicious intent, JavaScript from malicious PDF is markedly di...
Published in the Journal of Information Warfare, vol 17, issue 2; this journal is not listed on ResearchGate.
This paper aims at improving the incident-response process by studying how cognitive biases such as the base rate fallacy, confirmation, and hindsight can affect decision-making in the cyber realm. This paper argues that cognitive biases n...
As the number of advanced persistent threat (APT) incidents grows, incident response and threat monitoring becomes increasingly important. However, while organizations like SANS and ISO have made efforts to standardize the incident response process, the facts that nearly 50 % of victims learn of breaches through third party last year and that the m...
Modern automobiles are controlled by computers and are increasingly connected to the outside world. This makes them vulnerable to cyber-attacks. Defending cars against cyber-attacks requires a multifaceted approach to improving security, but the last line of defence is detecting those attacks within the data traffic exchanged by the vehicles contro...
The expressiveness of constraints has a potential to define network behavior and defend against complex network intrusions. This potential can be an integral part of an Intrusion Detection System (IDS) for defending networks against various attacks. The existing approaches of constraint logic programming have limitations when it comes to solving th...
Freedom of action is essential to the successful prosecution of warfare. For example, achieving air dominance prevents the use of the air domain by an adversary and allows unimpeded freedom of action by friendly forces. In this paper, we argue that the freedom of action in the cyber domain will not be determined by the amount of destructive power t...
Modern automobiles have been proven vulnerable to hacking by security researchers. By exploiting vulnerabilities in the car's external interfaces, such as wifi, bluetooth, and physical connections, they can access a car's controller area network (CAN) bus. On the CAN bus, commands can be sent to control the car, for example cutting the brakes or st...
The modern automobile is controlled by networked computers. The security of these networks was historically of little concern, but researchers have in recent years demonstrated their many vulnerabilities to attack. As part of a defence against these attacks, we evaluate an anomaly detector for the automotive controller area network (CAN) bus. The m...
The ability to project power has traditionally been defined as the ability to deploy conventional military assets across the world. While this definition does not apply to a cyber context, cyber forces can still play a role in force projection. By studying the cases of the denial of services attack targeting Estonia in 2007, the Shamoon worm attack...
With the rise of cyber espionage the role of cyber incident responders is becoming more complex, but the personnel profile of incident handlers has remained constant. In this new environment, the strategic position of companies is being affected by operation personnel, including cyber incident responders, who have little to no awareness of the stra...
One common vector of malware is JavaScript in Adobe Acrobat(PDF) files. In this paper, we investigate using near miss clone detectors to find the malware. We start by collecting a set of PDF files containing JavaScript malware and a set with clean JavaScript from the VirusTotal repository. We use the NiCad clone detector to find the classes of clon...
The reliance of modern military forces on networks and information systems makes them susceptible to cyber attacks and highlights the importance of cyber operations. This increased awareness of cyber operations has led to a need for concept development and experimentation. Concept development and experimentation work must be assessed, which require...
Cyber operations are expected to become more important, and thus military commanders and staff will need to be trained in these operations. The aim of this paper is to describe an approach for simulating the effects of cyber operations in constructive simulations used for training by modern military forces. The paper argues that it is not currently...
This paper continues the discussion of the risks posed by Hardware Trojan Horse devices by detailing research efforts to build such a Hardware Trojan Horse based on unintended USB channels. Because of the ubiquitousness of the USB protocol in contemporary computer systems, the research focused on identifying, characterizing and modeling unintended...
This paper extends the discussion of potential damage that can be done by Hardware Trojan Horse devices by discussing the specific risks associated with an Insider's use of such a device to circumvent established security policies, even when these are implemented with state of the art Endpoint Security Solutions. The paper argues that a specific...
This paper represents a snapshot of the current state of the art in the simulation and modeling of cyber attacks and defensive responses to those. It discusses a number of simulations of cyber warfare, including live, virtual, and constructive simulations. The simulations discussed in this paper were found in the open literature and were conducted...
Due to an increasing level of reliance on computer network technology, military organizations are increasingly vulnerable to cyber attacks. Cyber attacks take a variety of forms and have a broad spectrum of effects. In order to facilitate military cyber operators' and defenders' understanding of the threats they face, we propose a taxonomy of cyber...
The classic response to attack in computer networks has been to disconnect the affected system from the network, preserve the information on the system, and begin a forensic investigation. It can be argued that this type of response is not appropriate in many situations. Breaking contact often leaves the defender not knowing who the attacker is, wh...
The Cyber Defense Exercise (CDX) is a four day Information Assurance exercise run by the National Security Agency/Central Security Service (NSA/CSS) to help train federal service academy students in secure network operations. This paper is a collaborative work on the various tools and techniques used and the overall effectiveness of live-atta...
The classic response to attack in computer networks has been to disconnect the affected system from the network, preserve the information on the system (including evidence of the attack for a forensic investigation), and restore the system. However, it can be argued that this type of response is not appropriate in many situations. This paper argues...
This paper discusses research activities that investigated the risk associated with USB devices. The research focused on identifying, characterizing and modelling unintended USB channels in contemporary computer systems. Such unintended channels can be used by a USB hardware Trojan horse device to create two way communications with a targeted netwo...
Special Operations and Information Operations are both important aspects of modern military operations. This paper will examine the contributions that Information Operations can make to SO, in all of the typical phases of Special Operations Forces missions. The paper also discusses the contributions of Information Operations to the combat power of...
The criticality of cyber infrastructure makes it a very attractive target, which we try to protect by building perimeter defences. This paper argues that a reactive-oriented network defence policy based solely on perimeter defences is not sufficient to properly safeguard IT infrastructure. An argument is made for an approach based on the idea that...
The reliability evaluation of hardware systems is usually well integrated into the design process. Because it is done early, this reliability evaluation is useful in making design decisions. Software Reliability Evaluation (SRE), on the other hand, has been mostly conducted after development has been completed, therefore offering little or no input...
Questions
Question (1)
I am fairly new on ResearchGate, but another member has pointed out that one of my articles shows as containing more than twice the number of references that are actually in the paper; the paper lists 20, but ResearchGate lists 47, many of which were published after the paper itself.
How does one edit the list of References associated with an article on ResearchGate?