MSc in Cyber Security
Permanent URI for this collectionhttps://rda.sliit.lk/handle/123456789/2918
Students enrolled in the MSc in Cyber Security programme are required to submit a thesis as a compulsory component of their degree requirements. This collection comprises merit-based theses submitted by postgraduate candidates specialising in Cyber Security. Abstracts are available for public viewing, while the full texts can be accessed on-site within the library.
Theses and Dissertations of the Sri Lanka Institute of Information Technology (SLIIT) are licensed under a
Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License
.
Browse
Publication Open Access ADVANCING RANSOMWARE DETECTION SYSTEM USING MACHINE LEARNING(Sri Lanka Institute of Information Technology, 2025-09) De Silva, G.A.A.I.SRansomware attacks pose a significant and evolving threat to data security and operational integrity, necessitating advanced detection mechanisms. This project aims to develop an effective ransomware detection system leveraging machine learning techniques, specifically Recurrent Neural Networks (RNN) and auto encoders, to analyze network traffic for anomalies indicative of ransomware activity. Utilizing the UNSW-NB15 datasets, we undertook extensive data preprocessing, including handling missing values and normalizing features, to prepare the datasets for training. The model employs Long Short-Term Memory (LSTM) layers to capture temporal dependencies and patterns within the network traffic data. The training and validation processes focused on normal traffic data to establish a baseline for detecting deviations caused by ransomware. Our results demonstrate high accuracy in distinguishing between normal and ransomware-infected traffic, with a clear ability to identify potential threats in real-time. This innovative approach showcases the potential of RNN-based auto encoders in enhancing cyber security measures. The conclusion emphasizes the system’s effectiveness in providing early warnings of ransomware attacks, thereby significantly aiding in the protection of valuable data assets and maintaining operational continuity.Publication Open Access AI Powered Log Analysis and Threat Detection System for Windows(Sri Lanka Institute of Information Technology, 2025-12) Sriharan, GThe increasing volume and complexity of cyber threats demand advanced, automated methods for analyzing Windows event logs. Traditional rule-based systems often fail to detect novel attacks, prompting the exploration of deep learning techniques. This research develops and evaluates an anomaly detection system by fine tuning a BERT (Bidirectional Encoder Representations from Transformers) model on the windows system security logs. The methodology involved processing the ATLASv2 dataset, a collection of 20.5 million realistic Windows Security Logs containing both benign and malicious activity. A baseline model was implemented using the Hugging Face transformers library and trained on a representative sample of 100,000 log events, accelerated by a GPU. Evaluation of this baseline model on an unseen validation set demonstrated strong performance, achieving 96.98% overall accuracy and a 94.55% precision rate. The key finding was a recall of 79.10%, indicating a weakness in detecting rare malicious events due to the natural class imbalance of the dataset. To address this, a new, perfectly balanced dataset was created using oversampling, which dramatically improved the model's F1-Score to 95.33%. Following this data-centric improvement, a comprehensive hyperparameter tuning phase was conducted, employing Grid Search, Random Search, and Bayesian Optimization. This optimization successfully identified a BEST model with a high F1-Score of 96.60%. This research successfully validates a complete framework for applying and optimizing advanced AI models for log analysis. The next phase will focus on implementing a functional prototype with a user interface and expanding the comparative analysis to include other traditional ML models to further strengthen the research findingsPublication Open Access An AI-Driven Intrusion Detection System to Defend Against Satellite Hijacking(Sri Lanka Institute of Information Technology, 2025-12) Karunathilake K. K. H.The increasing reliance of the world on satellite systems has made them prime targets for cyber threats, with satellite orbital manipulation, a form of satellite hijacking, posing a critical national security risk due to its potential for disrupting essential infrastructure. To address this threat, this research proposes a novel Artificial Intelligence (AI)-based anomaly detection system tailored for identifying suspicious orbital maneuvers. The study employs Machine Learning (ML) models to analyze a custom dataset derived from the public European Space Agency Anomaly Detection Benchmark (ESA-ADB). This dataset was rigorously pre-filtered to include only anomalies occurring within a ±48.00 hours window of a telecommand execution, thereby creating a naturally balanced, command-linked dataset to proxy for the kinematic footprint of a cyberattack. Findings established that temporal pattern recognition is paramount for detecting these attacks. LSTM networks emerged as the most promising model, leveraging their ability to learn sequential dependencies to achieve a high recall rate of 95.64% with a corresponding precision of 90.88%. Furthermore, a novel physics validation gate, grounded in orbital mechanics, was incorporated as a final, non-negotiable security layer. This component is vital, as it confirms that detected anomalies are physically non-nominal deviations, transforming raw statistical alerts into high-confidence cybersecurity indicators and dramatically boosting the overall trustworthiness and suitability of the system for operational deployment.Publication Embargo Android Hybrid Malware Detection Approaches Using Machine Learning Algorithms(2021) Weerawardhana, B.K.G.P.N.Smart phones are a major part of a life in modern life. Among them android is the most usable mobile operating system. According to IDC corporate report in USA android operating system use 84.5% from market share [3]. currently most mobile attacks [22] happen with android operating system. Most of the attackers use chunks of malware code attached with android application java code to attack devices. The purpose of android malware writes is to get financial benefits; most of the famous type of android malware is ransomware which after executing malicious application on the device The malware will encrypt all the device valuable information of the device. To decrypt all data owners should be pay for decryption key. Due to android openness and free availability of market, android mobile operating system has become major attractive target for Cyber criminals. In this research paper focus issue of mobile application, analyze malware using reverse engineering, static and dynamic malware analysis, Malicious URL analysis and application code analysis of the android application and implement framework using machine learning based on Supervised machine learning approach for detect and classify android malware. static malware analysis based on reverse engineering of application and extracted application features without executing application. This recognizes application information flow, code structure, permissions, network details and static related features. Dynamic analysis examines the dynamic behaviors of the application during run time of the application in a fully controlled virtual environment. comparing both analysis static analysis consists with pattern-based approach; same time dynamic detection approach can be provided additional protecting from malicious application since it consists dynamic behaviors of the application including memory logs, CPU usage, system call logs, etc. Also, used malicious URL analysis to users protect from unawares downloading malware by using untrusted web URLs. Finally, the outcome will be developed platform which will be identified and protected from malware affected functions. Also, this framework will be using both static, dynamic malware analysis and URL analysis technique, and will solution for traditional malware detection tools problems and Final outcome framework called as Hybrid android malware detection [92] [93] system. Application will be based on machine learning algorithms and python programming. This application can protect from both malware codes and functions which functions are previously analyze using reverse engineering [11], machine learning algorithms, android code analysis and traditional malware features. Especially malware functions consisting of both raditional and newly coming malware features. My experimental result project depicts that based machine learning based android malware classification and my project can be classify unknown applications malware analyzing android application static and dynamic features. In my project primarily based on android applications permissions and all dynamic related features. Also, users can classify their used accessed URLs are malicious or not and can be safe from android attacks.Publication Embargo Anonymity and Data Security Related Security Concerns in TOR Network(2021) JAYASINGHE, D.G.G.RFor those unfamiliar with Tor, it is a privacy-enhancing system that is meant to protect Internet users' confidentiality against non-global opponent traffic analysis attempts. TOR is a network protocol that has been developed to provide the anonymous transfer of communication data packets for the transport of lowlatency information. Tor is well-suited for mobile devices, such as those used for online browsing, document management, and video conferencing since it provides anonymity on top of TCP while maintaining a rapid reaction time and throughput. Because the communications exchanged over the TOR network are encrypted and the sender stays anonymous, many people believe that the TOR network is safe. TOR, like every other software, contains flaws, which are difficult to detect. Even when TOR is utilized appropriately, there are a plethora of cautions to be aware of. Due to the use of risky protocols in Tor, a malicious router might potentially collect passwords by monitoring exit traffic. While exit routers are monitoring data in such cases, it is quite straightforward to identify the source of the problem. Exit routers are used to capture POP3 traffic in order to breach accounts. Tor is exposed when a router is configured with the default escape policy because it discloses information about the numerous harmful actions that are tunneled via it. Attempts to hack, charges of copyright infringement, and bot network control networks, to name a few examples of malicious communication that may be identified using Tor are all common. There are several types of attacks that may be launched against TOR. Some assaults are designed to cause damage to the Tor client, such as denial of service attacks. Some of them are as follows: The customer is threatened by plug-in assaults, which are carried out via the Web browser that he or she uses to access the network. Certain attacks make advantage of remote technology that has been inserted into the program (a "plug-in"). These applications operate as independent software and are executed on the operating system with the privileges granted to the users by the operating system. ii) The Torben attack manipulates web pages in order to encourage the user to examine information from untrusted sources in order to find a Tor client on their computer. iii) P2P Significant Parameters This kind of attack takes use of Tor clients' connections to peer-to-peer networks in order to deanonymize their communications. TCP/IP packets are sent to a torrent tracker, which is a network service with which a client must contact in order to get information about the list of peers that are able to share the desired resource. Attackers may manipulate the content of the list by inserting a malicious torrent peer's IP address in it, which will cause the list to be re-generated. A suite of assaults known as Raptor, which may be conducted by the Autonomous System in order to deanonymize clients, is described in detail in Section 4. In one attack, traffic analysis of asymmetric communications that characterize the network is used to determine the vulnerability. The suspect's purpose in this form of threat is to put the secret service in a position of vulnerability by threatening to reveal its identify or undermine it. As previously stated, the Tor network may be used to access apps on both the public surface Internet and Tor (hidden services), as well as applications on the private surface Internet. Some assaults are designed to cause damage to the Tor network's servers. In other cases, the secret service is obliged to connect to a malicious target site during these assaults. Cell counting and padding are two examples of such tactics: During the introduction step of the secret services, the attacker delivers a Tor cell/packet that he has particularly crafted. In order to enter the (malicious) meeting location, the message is transmitted to the secret service, which is requested to construct a Tor chain in order to do so. In addition, Coronate is a program that automatically detects location leaks in hidden services, which is a kind of phishing. Information about a hidden service's IP address may be revealed if sensitive data in the material is disclosed. Most of the time, the administrator is the source of these breaches. Off-path MitM- This kind of attack involves a man-in-the-middle (MitM) assault on a Tor covert operation in order to get access to the Tor network. The fact that the attacker does not have to be in the communication channel is a significant point to consider. To connect and recover data from the Tor network, traffic must eventually depart the anonymized and encrypted Tor protocol, which must be accessed via the "normal Internet" in order for users to link and retrieve data from it. This is accomplished via the use of exit nodes, which serve as virtual gateways through which encrypted Tor communication may be sent to the Internet. As a result, the proposed study is primarily concerned with the security of information that is sent from the exit node to the server and provides a solution for data security at the exit nodes. The solution is mostly focused on the server side.Publication Open Access Automated Detection of Deepfake Audio in Real-Time VoIP Communication(Sri Lanka Institute of Information Technology, 2025-12) Chandrasiri, D.D.C.M.With the increasing sophistication of AI-generated deepfake audio, real-time voice communication systems such as Voice over IP (VoIP) are at heightened risk of misuse through impersonation, fraud, and misinformation. Existing detection methods primarily rely on computationally expensive deep learning models trained on static data, which are impractical for live applications constrained by low latency and limited resources. This research addresses this gap by investigating the viability of a lightweight, highly efficient Random Forest (RF) classifier for real-time deepfake audio detection in VoIP environments. The proposed system utilizes a focused methodology: raw audio is segmented into 2-second chunks and transformed into a comprehensive 800-dimension feature vector comprising Mel-Frequency Cepstral Coefficients (MFCCs), Chroma, Spectral Contrast, and Zero-Crossing Rate. Through an iterative training process using combined standard and 'in-the-wild' datasets to ensure generalization, the final RF model achieved an overall accuracy of 93.77% on an independent test set. Critically, the system demonstrated extremely low end-to-end processing latency of approximately 76 milliseconds (well below the <200ms target). The findings prove that this computationally efficient, classical machine learning approach can achieve both high accuracy and speed. The final model successfully met the False Positive Rate objective (<5%) with a measured FPR of 2.85% on independent data, making it a viable and practical solution for enhancing the security and trustworthiness of real-time voice interactions against emerging deepfake threats.Publication Open Access Automated Phishing Detection: A Noval Machine Learning Approach(SLIIT, 2024-12) Jayasinghe, RThis research contributes a novel machine learning-based approach to cybersecurity, enhancing defenses against phishing and protecting users from emerging online threats. Phishing is an increasingly pervasive cybersecurity threat that exploits user trust by creating fraudulent websites that imitate legitimate ones to steal sensitive information, such as usernames, passwords, and financial details. These deceptive sites use visual and linguistic elements from authentic brands, making them difficult to distinguish from trusted sources and increasing the likelihood of successful attacks. As phishing tactics evolve alongside technological advancements, there is a critical need for robust, adaptive anti-phishing solutions. This research investigates the application of machine learning to enhance phishing detection, focusing on a model that uses the Gradient Boosting Classifier to identify phishing websites based on key URL features. This approach involves extracting unique characteristics that differentiate phishing URLs from genuine ones, enabling real-time classification and improved detection accuracy. The proposed method systematically analyzes URL features, comparing and contrasting aspects such as domain structure, syntax, and use of brand elements to accurately identify malicious sites. The model achieved 97.6% accuracy, demonstrating high classification correctness. With a precision of 96.5%, it effectively minimizes false positives, reducing legitimate URL misclassifications. A recall of 98.1% highlights its sensitivity in identifying phishing URLs, and an F1 score of 97.3% balances precision and recall, underscoring its reliability. These results validate the Gradient Boosting Classifier as an effective, adaptable tool against advanced phishing tactics.Publication Open Access Cryptographic Issues and Vulnerabilities in Web Applications(2021) Herath, H M P Kavinda Ranjan KumaraWeb application security is the most controversial and crucial factor to be concentrated on considering the security aspect of cyberspace. Cryptography takes critical parts of security by implementing encryption and decryption phenomena on data at rest, in moving, and in use to be protected the security breaches. Cryptographic concepts had developed over the last few decades as a result of well-known series of mathematical and logical functions. Weakness of poor programming techniques or leakiness of traditional software development life cycles is a crucial element of the security vulnerabilities that can be a huge impact on several web applications which are currently in existence. The cryptographic vulnerabilities of the web application would depend on several factors such as lack of knowledge on particular subject matters of cryptography, least privilege and contribution of security techniques while cording, unable to proceed with proper standardized vulnerability assessment criteria, the improper adaptation of cryptographic concepts, unable to intended with high secure framework like DevSecOps, depend on the procedures rather than empirical approaches, etc. Sophisticated tools and techniques are necessary factors of driving through the rectification and mitigation of the security vulnerabilities that exist in the web applications whereas implementation process, testing and monitoring of the System Development Life Cycle. This dissertation emphasized indeed a further illustration of cryptographic vulnerability assessment in several specimens collected from different domains from enterprise web applications and related APIs (Application Protocol Interface) currently established. The tools are the critical elements used to evaluate errors on the codes whereas statistical or dynamic analysis. Static tools are given in high percentage of accuracy of the results whereas automated tools are well suited for mega scripting projects such as millions of code evaluated for errors. Java-based code scripting has been dominated still among the huge percentage of the web sources. Python will be established gradually due to the high inbuilt security system on it. Java and Python are the programming languages still being dominated of existence to discuss in the cryptographic vulnerabilities on the process of web application developments. The ultimate goal of this dissertation could be retain valuable sources of documents enriched with sophisticated technics to be used a reference guide for the developers and the security engineers to fulfilled their gaps between code and security requirementsPublication Open Access Cyber Security Awareness and Behavior Change for IoT Users(SLIIT, 2024-12) Shivakumar, RThis research explores the factors affecting IoT security perceptions and user behavioral among different user groups. By using an integrated approach, we link research between user characteristics. Perceived Risk and contextual factors in determining safety practices. These research findings highlight the growing awareness of the importance of IoT security. But there is a significant gap between awareness and action. Many individuals display limited knowledge and security measures are used infrequently. They often rely on default settings and neglect to update. Additionally, technical expertise Perceived Risk and contextual factors influence safety behavior. From these insights We propose a proactive, user centric framework. with an emphasis on tailored education User friendly security solution and share common responsibilities to promote a secure IoT ecosystem.Publication Embargo Detect Anomalous Activities in an Apparel Manufacturing Plant(2021) Munasinghe, M. M. D. C.Suspicious activity detection is one of the most rapidly developing areas of Computer Vision and Artificial Intelligence. Computer vision is used extensively in abnormal detection and monitoring to solve a variety of problems. Because of the growing demand for the protection of personal safety, security, and property, the need for and deployment of video surveillance systems capable of recognizing and interpreting scene and anomaly events is critical in intelligence monitoring. Because, as we all know, prevention is preferable to cure, preventing a crime before it occurs is preferable to investigating what or how the crime occurred. In the same way that vaccinations are given to people to prevent disease, it has become necessary in today's world with a much higher rate of crime to have a Crime detection technique that prevents crime happenings. Security surveillance is a critical requirement in many places, including airports, train stations, shopping malls, and public places, where detecting suspicious and abnormal behavior has a significant impact on ensuring security. Despite the availability of CCTV (closed-circuit television) cameras in many locations, CCTV footage is used as an investigation tool to identify suspects. These Detection techniques can be used by police officers to detect crimes before they occur, allowing them to be prevented. This is accomplished by turning a video into frames and then evaluating the activity of individuals within those frames. Human detection has long been a difficult challenge due to the non-rigid nature of human bodies, which alter shape at will. Human recognition and detection in both the interior and outdoor environments is a difficult task due to a variety of issues such as inadequate illumination, variations instances, and so on. This study introduces a new approach to detecting human behaviors based on context and situation. We devised a three-stage procedure for analyzing abnormal situations and detecting suspicious behavior. We introduced methods for human detection with associated context objects in the first stage. To identify normal situations, the identified human objects were mapped with context information. Stage two created a model for recognizing human actions, which includes both normal and abnormal actions. In stage three, we developed a conventional model, to represent the normal situation of a given context. We combined the identified human actions with their context and compare them with the conventional model. Deviation from the conventional model is used to recognize the abnormal actions along with their underlying situations. To build our system, we used an unsupervised approach. We used publicly available datasets for the evaluation, and our abnormal situation detection approach performed better. When compared to the baseline systems, the results of the unsupervised approach are encouraging. This system will be useful for detecting abnormal and suspicious human behaviors in real-time, allowing people to be monitoredPublication Embargo Publication Open Access Developing an Optimal Strategy to Address the Vulnerability of Image Tampering(SLIIT, 2024-12) Kumara, P. M. I. NThe paper proposes a hybrid image tampering detection system that incorporates the Convolutional Neural Networks into the pool of traditional forensic techniques such as Error Level Analysis and noise analysis. Its objective is to provide high detection accuracy in tampered images through deep learning and forensic methods. According to this method, ELA detects compression inconsistencies in the system, while noise analysis detects abnormal noise patterns in the image. A combination of these techniques provides the capability for the system to capture various methods for tampering, including copy-move forgery, splicing, and subtle retouching. It was trained and tested on the CASIA 2.0 dataset with high accuracy: 98% training accuracy and over 96% validation accuracy. It was successfully deployed as a real-time Flask web application wherein users can upload an image and perform the analysis very quickly. While powerful, the model has a limitation of only revealing a subset of lossless image format tampering and performs subtle manipulations. The future work will involve enhancing scalability and deepfake detection that can handle complex techniques of tampering. The research proposed herein provides a holistic and scalable solution for the detection of image tampering to be applied in digital forensics, verification of media, and cybersecurityPublication Open Access Developing Robust AI-Based Cybersecurity Alerting and Intelligence Systems Against Adversarial Attacks(Sri Lanka Institute of Information Technology, 2025-11) Puvaneswaran, TThe increasing reliance on Artificial Intelligence (AI) in cybersecurity has significantly enhanced detection and defense mechanisms. But, adversarial machine learning (AML) presents critical vulnerabilities that undermine reliability of AI-driven security systems. Adversaries craft subtle perturbations to inputs, deceiving models into misclassifications, thereby bypassing intrusion detection systems, malware classifiers, and other defense mechanisms. This reasearch explores the two-fold nature of artificial intelligence in the field of cybersecurity, both as an enabler of robust defense and as target for adversarial attacks. Focusing on intrusion detection and malware classification, we propose a hybrid defense framework that combines adversarial training, model distillation, and explainable AI (XAI) to counter adversarial threats. By integrating dual datasets (CSE-CIC-IDS2018 and Microsoft Malware Dataset) and evaluating them under various adversarial attack strategies, the framework enhances both robustness and interpretability of AI models. Additionally, this is deployed in real-time cloud environments to ensure scalability and operational efficiency. The proposed methodology is aim to provide reliable cybersecurity solutions capable of withstanding sophisticated adversarial attacks while maintaining high levels of transparency for security analysts. This research contributes to advancing resilient, scalable, and explainable AI-driven cybersecurity frameworks for modern digital infrastructures.Publication Open Access Early Detection of DDoS attacks and Enhancing Feature Selection using Network Traffic Analysis with Machine Learning Techniques(SLIIT, 2024-12) KARUNARATHNA, D R A IDistributed Denial-of-Service (DDoS) attacks are a very serious and developing menace to many providers of online services. Web services have become more important because of new technology, making them appealing targets. DDoS means Distributed Denial of Service. This is a way to attack where a lot of 'zombie' computers work together to send so many requests to a system that it can't respond anymore. Such attacks interfere with normal functioning and as a consequence the services providers may end up losing money and suffering from tarnished reputations. For the contemporary DDoS menace, researchers have come up with solutions that can detect and prevent the attack. A most hopeful solution in this regard is the combination of Machine Learning (ML) methods with Intrusion Detection Systems (IDS). IDS is capable of detecting DDoS attacks by comparing them through the application of the ML algorithms with normal patterns that are characteristic of network traffic. In the last decade, IDS enhanced with ML evolved significantly even if just in the last years a distributed architecture is consolidating its position which is able to protect from individual attacks by dividing the task among multiple IDS. This research employed the CICIDS2017 dataset which is standard for any cybersecurity research in developing and evaluating the DDoS detection models by feature enhancing. Data normalization has been performed as the initial stage to rank the data values for better comparability. Using both passive and active ML-based feature selection approaches, only the most selective traffic features were isolated. Passive feature selection is specially used for controlling incoming traffic, whereas the active feature selection mainly focuses on the identification of features in real time. Two testing sets were also developed for comparing the ML classification models of choice, as well as the best hyperparameter s for each model. In particular, Random Forest algorithm was examined by its scalability and by the ability to classify the DDoS attacks accurately.Many classification models in the ML process were built and tested, and the hyperparameters were adjusted in accordance with the result. On the same, the Random Forest algorithm was tested based on its performance on big data and success rate towards DDoS detection. The use of ML has several advantages such as high efficiency in recognizing DDoS attacks, perspectives to update the method if new kinds of attacks appear, and real-time work with the enormous amount of network data. When these systems are implemented within distributed architectures, they improve scalability and reliability to accommodate large scale deployment in the services environment. Passive and active feature selection also ensures that a lot of the data processing load is removed without a negative impact on the detection rate. Thus, this experiment identifies that the Random Forest algorithm model yields the highest detection accuracy with the mean detection accuracy of 97.5% for DDoS attacks. This result is essential to understand how ML techniques, specifically the Random Forest model, can accurately identify malicious traffic from the legitimate one. Such high accuracy proves that the applicability of ML-based DDoS detection systems can improve the security of application layer as a strong protection against future cyber threats.Publication Open Access Enabling Consistent Stateful Security in Distributed Web Application Firewalls: A Framework for Scalable Cloud Environment(Sri Lanka Institute of Information Technology, 2025-12) Palendrarajah, PThe rapid adoption of cloud-native infrastructures has highlighted a critical limitation in existing Web Application Firewalls (WAFs): their stateless design restricts consistent enforcement of security policies across distributed environments. This research addresses this gap by designing and evaluating a portable persistence module for open-source WAFs, enabling stateful security enforcement through integration with distributed data stores. Guided by the principles of design science research [1], the study develops a pluggable framework that supports both Redis and Memcached as backends. Redis is widely recognized for its durability and advanced data structures [2], while Memcached offers lightweight, in-memory caching optimized for speed [3]. By embedding the module within ModSecurity v3 [4] and deploying it on AWS cloud infrastructure, the research benchmarks the comparative performance of Redis and Memcached under simulated traffic and attack scenarios, including Distributed Denial of Service (DDoS) conditions [5]. Evaluation metrics include latency overhead, throughput, memory utilization, and resilience under node failures. Preliminary results indicate that Redis achieves superior consistency and resilience, albeit with higher memory consumption, while Memcached provides lower latency at the cost of weaker fault tolerance. Beyond technical performance, the research contributes a generalizable, portable framework that can be embedded into other open-source WAFs, expanding their applicability in distributed and multi-tenant environments. Both artifact and empirical evaluation contributions positions the work as a step forward in bridging distributed systems and web security, while also providing a foundation for future enhancements such as adaptive, machine-learning-based intrusion prevention [6].Publication Open Access Enhancing Email Security: Abnormal Login Detection Through Machine Learning Algorithm(SLIIT, 2024-12) Ariyawansa, M.M.T.R.The research focuses on the application of random forest machine learning algorithm for the identification of non-standard authentication activities in email systems. The idea of the software is to strengthen email defenses by the means of the dynamical determination of the unusual login patterns and then responsively to the continuously changing threats in cyberspace. These projects use the most up-to-date machine learning approaches, meticulous hyperparameter tuning and comprehensive feature engineering, so that a strong barrier against unauthorized entry would be created. The purpose is to design a machine learning model capable of differentiating between the most and least likely behaviors, based on the analysis of users' activity data. This includes steps of label encoding and timestamp processing targeted to clean the input data before model training for optimal efficiency. In the process of training, the Scikit-learn library is employed to implement the machine learning algorithms. Furthermore, hyperparameter optimization is performed using GridSearchCV to refine the model’s accuracy and efficiency. The study puts its emphasis on user-friendly implementation with the development of an intuitive interface offering the users an understandable classification report illustrating the model of breach detection performance. The developed model that associated the random forest machine learning algorithm showed a accuracy of 83%, making it ideal for real world use. Instead of just enhancing user engagement, it also enables prompt reaction and mitigation measures. As a result, this thesis offers a practical and effective way of guarding email accounts from rapidly evolving threats.Publication Open Access Evaluating and Enhancing the Robustness of CNN algorithm Against Adversarial Attacks: A Case Study on MNIST(Sri Lanka Institute of Information Technology, 2025-12) Aththanayaka A.M.R.E.The Convolutional Neural Networks (CNNs) have achieved exceptional performance in computer vision tasks, particularly in image classification domains such as MNIST digit recognition. However, their susceptibility to adversarial attacks poses serious security threats that limit their deployment in real-world applications. This research examines CNNs vulnerability through systematic evaluation of five potent adversarial attacks such as FGSM, BIM, PGD, Deep Fool, and Carlini-Wagner on MNIST dataset. The baseline CNN model achieves 99.23% accuracy on clean data, However, adversarial attacks which subtly perturbed inputs designed to fool classifiers cause catastrophic performance degradation, reducing accuracy to as low as 8.91%. To address these vulnerabilities, this study proposes CADF: a Comprehensive Cyber Attack Detection Framework which implements a multi-layered defense strategy. The framework incorporates a binary detection classifier achieving 99.56% accuracy in identifying adversarial examples, followed by a multi-class attack identifier with 93.56% accuracy in categorizing specific threat types. CADF's adaptive defense engine dynamically selects optimal countermeasures including feature squeezing, spatial smoothing, and ensemble defenses based on the identified attack characteristics. Experimental results demonstrate that CADF restores model accuracy under multi-attack scenarios while maintaining high performance on clean samples and achieving real-time processing capabilities. This integrated approach provides a scalable and efficient solution for enhancing CNN robustness without compromising computational performance, offering significant advancements in securing deep learning systems against evolving adversarial threats.Publication Open Access Evaluating Cybersecurity Awareness in Sri Lankan Healthcare Sector: A Role-Based Training Framework for Public and Private Institutions(Sri Lanka Institute of Information Technology, 2025-12) Hewamanna I.U.KThis study investigates cybersecurity awareness within Sri Lanka’s healthcare sector and develops a role-based training framework to enhance awareness and secure digital practices across public and private healthcare institutions. As healthcare systems increasingly digitize, human factors remain a major vulnerability, particularly in environments with limited resources and inconsistent policy enforcement. A quantitative survey was conducted among healthcare professionals to assess their awareness levels, training exposure, institutional support, and perceptions of cybersecurity importance. Data collected through Google Forms were analyzed using Excel and Jamovi. Descriptive statistics, Independent Sample T-Tests, One-Way ANOVA, and Regression Analysis were employed to explore patterns and relationships across professional roles and institution types. Results revealed moderate awareness levels overall, with significant variation between public and private institutions and across roles, emphasizing the need for contextualized, role-specific training. Based on these findings, a Role-Based Cybersecurity Awareness and Training Framework was developed, aligned with NIST SP 800-50r1, the Personal Data Protection Act (2022), and Ministry of Health Information Security Guidelines (2023). Expert evaluation (n = 6) rated the framework highly for clarity, practicality, and policy alignment (mean score = 4.37/5). The study concludes that micro-learning modules, continuous reinforcement, and leadership involvement can significantly enhance cybersecurity culture in healthcare while minimizing operational disruption. The proposed framework offers a feasible, low-cost, and scalable model to strengthen human-centered cybersecurity resilience across Sri Lanka’s healthcare sector.Publication Open Access Evaluating Zero Trust Vulnerabilities in Identity and Access Management: Strengthening Security Posture in Dynamic Environments.(SLIIT, 2024-12) Sivalingam, KIn the era of widespread digital transformation, cybersecurity frameworks play a crucial role in protecting essential assets. The Zero Trust model has become prominent, advocating a “always verify, never trust” approach to secure network access and control. This study examines vulnerabilities within Zero Trust-based Identity and Access Management (IAM) systems, focusing on the challenges that arise in dynamic digital environments where technological advancements and shifting user behaviors impact security. Using a mixed-methods approach, the research combines quantitative survey data from cybersecurity professionals with qualitative insights from case studies and expert interviews. Findings indicate that while Zero Trust models strengthen organizational security posture, they introduce operational complexities. High resource demands, integration difficulties, and the need for continuous monitoring pose challenges for organizations, potentially hindering efficient operations. These hurdles underscore the difficulty of balancing Zero Trust’s security benefits with streamlined processes. Additionally, the study reveals that Zero Trust IAM vulnerabilities become especially evident in fast-paced digital settings, where rapidly changing technology and varied user interactions demand an adaptive security approach. To address these vulnerabilities, the study proposes a structured Zero Trust implementation framework, comprising seven key stages: preparation and assessment, identity verification and access control, network and device security, continuous monitoring via User Behavior Analytics (UBA), data security protocols, incident response, and compliance integration. Each stage targets specific challenges, aiming to enhance security without compromising operational efficiency. For example, identity verification and access control help ensure strict authentication, while network segmentation and endpoint security protect critical assets. Regular monitoring with UBA aids in detecting insider threats, and data security protocols like encryption and Data Loss Prevention (DLP) safeguard sensitive information. This research contributes to cybersecurity in several ways. Academically, it advances understanding of the vulnerabilities within Zero Trust IAM systems, particularly in dynamic environments where these weaknesses are accentuated. Methodologically, it presents a replicable framework that integrates quantitative and qualitative approaches, providing a comprehensive lens for future cybersecurity research. Practically, the study offers actionable recommendations for organizations across industries, enabling them to bolster their security postures against emerging threats. These insights are invaluable for policymakers and industry leaders seeking to establish resilient cybersecurity standards and guidelines in a rapidly evolving digital landscape. Ultimately, this research provides a detailed look at Zero Trust IAM vulnerabilities and emphasizes the need for adaptive security strategies to navigate the challenges of a complex digital environment. By addressing key operational hurdles and proposing targeted solutions, this study makes a significant contribution to advancing cybersecurity practices. Its findings underscore the importance of flexible security measures that enable organizations to protect digital assets effectively, supporting organizational resilience within an interconnected and increasingly volatile digital space.Publication Embargo “FireX” – A Low Cost Raspberry Pi Based Open-Source Firewall Appliance for Sri Lanka Post(2021) Fernando, G.G.U.Recent statistics on data breach shows millions of data get stolen or lost every year and larger organizations are moving in to complex IT security solutions to protect their data from the intruders. However, organizations with limited financial capabilities remain unprotected to lack of available funds to invest on decent IT security solution for their organization. Department of Posts Sri Lanka (Sri Lanka POST) is also in a situation where seeking a low cost IT security firewall solution to protect their post offices located around the country. The open source firewall solutions are the most popular world-wide methodology for used to empower the overall security of a medium scale home and office computing network as well as large scale cooperate networks without spending a large amount of funds. Open Source Firewall Controls embedded to a hardware device provides more centralized approach for IT Engineers when managing a network. Furthermore, most of other Government Organizations in Sri Lanka faces the same issues when protecting their cooperate network infrastructure due to financial capabilities. As a solution, The Researcher designed an open source low cost embedded hardware device to act as a corporate firewall where the device can govern the network access while catering the business requirements whereas protecting the IT assets from the intruders. The designed firewall solution is based on multiple open source packages which can run on a raspberry pi model 3b+ single-board computer (SBC). The open source firewall package ‘IPFire’ was used to act as the firewalling module for this project. At the end of this research project the Researcher is planning to locate on post offices around Sri Lanka.