This lab has two application domains: smart devices security and network defence.
Smart Devices Security
In this lab research will focus on security analysis of Android OS, customization of Android OS with security enhancements, addressing privacy concerns of users, that includes securing files, folders, pictures, gallery and sending of usage statistics to Google and providing strong user control of device sensors i.e. GPS, WiFi, Mobile Networks, Camera, Mic etc. Moreover with smart devices becoming fixtures of our lives, there is a rising concern in companies on how to merge with the rising trend while at the same time safeguarding company’s proprietary information and communication on these devices. Thereby, research would also be aimed towards development of an indigenous Enterprise Level Control solution for Android devices.
Network Cyber Defence
Securing network infrastructure against cyberattacks is among one of the top priorities in any private sector, government departments, military or any other sensitive organizations. It is in this niche that the research work in the domain of Network Cyber Defence will play an important national role. The fundamental research would be towards development of an indigenous Security information and event management (SIEM) solution -- a framework that provides real-time analysis of security alerts generated by applications and network hardware. The research would target analysis of network log information using advanced machine learning techniques, effect analysis of network security policies on a large network, detection and prevention of advanced cyberattacks, automated security audit of an enterprise network, prediction based cyber defence mechanisms, network risk management and vulnerability management

The main objective of the proposed lab is to work in close collaboration with the national bodies of Pakistan, such as NR3C (FIA), Pakistan Air Force (PAF), Army, Navy, and Police to counter their existing problems and facilitate them in areas where they lack research expertise. In particular, the lab will work in three main areas, namely social media forensics, computer forensics, and mobile phone forensics:
Social Media Forensics
In recent years, social media has gained high popularity. Today, Facebook alone have over 2.13 billion monthly active users. Forensic analysis of social data is performed post-incident. Naturally, investigators will gravitate to where the evidence exists. Although the photo and video evidence is sometimes posted by the criminals themselves, investigators can also utilize information posted by others to both strengthen a case and even identify the perpetrator of a crime. Lab focus in this area would be to perform R&D of social media forensic techniques and tools.
Computer Forensics
Computer forensics is the practice of collecting, analyzing and reporting on digital data. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. It is not just the content of emails, documents and other files which may be of interest to investigators but also the ‘metadata’ associated with those files. A computer forensic examination may reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed and which user carried out these actions. Lab focus in this area would be to perform R&D of computer forensic techniques and tools.
Mobile Forensics Mobile forensics is about the acquisition and the analysis of mobile devices to recover digital evidences of investigative interest. This is a useful for investigators as a method of gathering criminal evidence from a trail of digital data, which is often difficult to delete. Extraction of deleted mobile phone files used as criminal evidence is the primary work of mobile phone forensics. The continuous evolution of mobile phone technology allows the commercialization of new mobile phones, which creates new digital investigation problems. Lab focus in this area would be to perform R&D of mobile forensic techniques and tools.

National Cyber Security Auditing and Evaluation Lab (NCSAEL) will emphasize on following three main core areas for accomplishment of its goals.
Security Assessment (for applications and OS) NCSAEL will design and develop Security Assessment tools that will help perform security evaluation of existing foreign and local software, mobile applications (both Android and iOS), web applications and embedded applications (firmware) in accordance with the internationally recognized IT evaluation standards namely Common Criteria, NIST/FIPs etc. The lab will also develop Security Compliance Assessment toolkit for Windows and Linux OS in order to guarantee right and secure configurations in accordance with the CC protection Profiles (PP).
Advanced Threat Protection
NCSAEL will focus on development of indigenous malware sandbox that would help in early detection of zero-day vulnerabilities/ APTs thereby thwarting the risk of ever-escalating cyber-attacks. To preserve the security and anonymity of data over the insecure Internet, a secure VPN will also be developed which will provide a dedicated and secure connection for all stakeholders.
Readiness and Preparedness for CCTL Assessment Since Pakistan is only a certificate-consuming member of CCRA, NCSAEL will help organizations prepare for the security evaluation of their local products by the CCTL. Also, it will formulate a National Technology Framework, to standardize the security practices in the country.

The Cyber Reconnaissance and Combat (CRC) Lab will focus on development of indigenous IDS software that can monitor and raise alarms in case of cyber-attacks. The CRC lab will design a hardware prototype of IDS that would serve as a proof of concept. The FPGA based implementation of a complex IDS is extremely challenging task that shall require considerable time and effort. Over all the application domains of the IDS shall consist of the following:

• Database Designing & Pre-processing
• IDS Core Functionalities
• Multicore System Implementation & Integration
• Hardware Prototyping

The lab application domains include:
End Point Security
This will include operating system, memory, application and data security of PCs, mobile, servers used by individuals from malware. This has very vast scope due to variety and associated vulnerabilities in end point systems used by individuals and all corporate sector include government, transport, medical, travel, entertainment etc. Critical Infrastructure Security: Some online or offline end point systems can be classified as critical infrastructure due to their reliability and availability requirements. These services include banking, cyber connected power grid, control systems of nuclear power plants and critical cyber and communication services used by defence sector (navy, airforce and armed forces).
Internet Security
Early DOS and DDOS detection and prevention to ensure Cyber Security of government and corporate sector of Pakistan. Enhancing Cloud Security and resolving trust issues on Cloud so that Pakistan’s government and private sector can utilize the benefits of cloud computing with no security and privacy concerns. Development of regional’s and Pakistan’s Internet traffic and security archive for security profiling and uncovering the hidden malware and features and properties of Internet traffic. This security archive will globally increase Pakistan’s footprint in security.
Digital Forensics: Whether the computer forensic examiner investigates the evidence in his lab or he works directly at the crime scene, he needs a lot of tools and a well-prepared location to go, through analysis and fully investigate the digital evidence. This prepared location, the Computer Forensics Lab, must be equipped with the all needed tools and hardware to analyze, identify, preserve, recover, and present facts and opinions about the information at hand. The application domain of forensics will cover aspects related to endpoints and Internet systems.
Quantum Technology: As quantum information is an emerging technology and compared to the advanced countries of the world there is negligible research going on in the country. We aim to not only promote knowledge, research and expertise in this area but also provide security in communication, specifically to government and private sector organizations and generally to all the citizens of the country. As a result of this lab it will become possible for the country to utilize the latest quantum key distribution technology at affordable cost by manufacturing it indigenously. Secure and sustainable communication infrastructure is one of the main national security needs, as it will enhance the security and reliability of national communication infrastructure.

The blockchain is often considered as the internet 2.0. The blockchain, essentially a database and a giant network, known as a distributed ledger, records ownership and value, and allows anyone with access to view and take part. The blockchain is currently having its biggest impact in financial services, with the largest changes caused by infrastructures using blockchain APIs, which are delivering in the areas of speed in data processing, transparency (amongst the right people) and security. The blockchain offers consumers opportunity to achieve greater control over their information. This will impact on most organisations, as they increasingly rely on the acquisition and application of customer data.
The lab will deliver three different applications using blockchain technology:

• Blockchain-powered Trust management system for identity authentication
• Blockchain-based storage of Highly sensitive data.
• Detection and Mitigation system for vulnerabilities in blockchain (private data-leakage)

The above-mentioned application areas are symbiotic and complement each other: only trusted entities are allowed to update data stored in blockchains running on hardware that are being protected against data leakage attacks.

The proposed Cyber Security lab will focus on development a high speed deep packet inspection (DPI) engine. Based on high speed packet access, packet flow identification, protocol classification and high speed pattern matching services provided by DPI Core engine, This will contain two extension cores that include IP Data Record (IPDRs) generation and provisioning engine and context-aware contents extraction engine for L-7 protocols. These two packet processing engines along with DPI core engine can be used to develop different Cyber Security applications like high speed IPDR analytics for quick threat identification, link analysis to identify communication relationships and traffic behaviour analysis or L-7 protocol based comprehensive contents analysis for development of IDS, URL filtering, lawful interception and other Cyber Security applications as elaborated.

The proposed lab will provide fundamental advances in cyber defence to limit the ability of adversaries to compromise networks, improve security planning, vulnerability management, and outlining incident response activities. To this end, we specifically target three application domains:
Situational Awareness
In the situational awareness application domain, lab plan to 1) build a measurement infrastructure to study the threat landscape of Pakistan, and 2) derive actionable security intelligence from analysing hundreds of millions of log records and network data collected from distributed vantage points.
Software Security
In this part, lab will develop an automated toolchain for application debloating using 1) application configuration in a particular deployment, 2) specifications of the required functionality, and 3) application’s needs from libraries, other applications, peripheral devices and networks, and even the operating system kernel.
Infrastructure Security
In the infrastructure security application domain, our lab will build outside-the-VM defences including 1) classifying malware and abuse using VM performance counters, and 2) building a provenance manager that enables a live audit (for immediate attribution) and root-cause analysis (for determining how this was done). This would enable an immediate and online response that can selectively rollback only those operations that are identified as performed by the attacker

This Lab will be focused on developing the following systems.
Cyber Threat Monitoring System for Corporate Networks
The system will perform real-time data collection from various networked devices using agent- based and agentless mechanisms. It will use its own log parser and correlate available data from multiple systems. It will also quantify bad, suspicious, or abnormal events, corroborate behavioural events in a manner that will enable efficient detection of cyber-attacks using computational intelligence and machine-learning techniques. The system will focus on IT networks.
ICS Network Monitoring and Mitigation System
Once an initial security posture of an ICS is established, the next step is to deploy protection mechanisms protect the ICS, detect and respond to security breaches or cyber-attacks. This involves continuous monitoring of the ICS network and process-physics related studies to map the impact of cyber-attacks on the physical process. The system will focus on ICS specific protocols.
Development of National Threat Library and Anti Malware System
Malware Chemistry is getting more and more complex with each passing day. Encryption, polymorphism and metamorphism are used for evasion of detection techniques. The objective of this project will be the development of national cyber-threat library, providing a collection of common malware signature database. This will be followed by development of an anti-malware system using computational intelligence and machine learning techniques to detect patterns of unknown malwares.
ICS Cyber Vulnerability Assessment System
Assessment of the Cyber Security posture of any ICS is an important step to pro-actively address any shortcomings and vulnerabilities. A vulnerability assessment system shall collect data from the system, analyze, and deduce if the system is vulnerable to any known exploits.

The proposed IoTSEC Lab will address the three crucial research problems faced across the globe, first research domain is the "Implementation of Standard Security framework for IoT" in which lab will be developing a standard compliant security architecture for providing interoperability and secure communication among IoT devices.
Second, another research domain is the "Development of Next Generation IoT Firewalls" that will develop database of IoT security attacks and consider security attacks specific to IoT to perform their threat modelling, security profiling, threat prioritization, and also consider the countermeasures and log down the unhandled events. It will comprise of context aware breach detection system and will utilize Cyber Security (AI) and Machine Learning (ML) based techniques for rule based filtering and threshold based filtering of vulnerabilities and then take proactive measures to deal with the zero-day attack detection, advanced persistent attacks and other specific attacks such as device cloning, etc.
Third research domain is the "Development of IoT Security Audit Tool(s)" for audit and verification of security measures taken on IoT hardware, software and within IoT security frameworks. It should perform autonomous auditing of devices firmware, software (OS) and hardware to discover vulnerabilities in IoT systems. Data integrity, isolation and confidentiality will be checked by developing security testing techniques and then certificates issuing mechanism can also be developed for IoT devices and systems that will pass the security auditing tests.