Showing total 349 results

1. Extending the classical side-channel analysis framework to access-driven cache attacks

Author

Guo, Pengfei, Yan, Yingjian, Zhang, Fan, Zhu, Chunsheng, Zhang, Lichao, and Dai, Zibin

Subjects

Information science -- Analysis, Noise control -- Analysis, Business, Computers and office automation industries

Abstract

Keywords Classical side-channel analysis framework; Access-driven cache attacks; Difference of means-based analysis; Vector distance-based analysis; Mutual information-based analysis; Guessing entropy Abstract Cryptographic devices are vulnerable to side-channel attacks, which have attracted broad attention in the hardware security field. The side-channel analysis framework proposed at Eurocrypt 2009 has been widely adopted in academia, containing key elements such as points of interest, leakage models, distinguishers, and security metrics. This classical framework, however, is not intuitively compatible with recent micro-architectural attacks such as cache attacks, therefore, few attempts have been made to link them. In this paper, we extend the classical side-channel analysis framework and migrate its ideas to access-driven cache attacks. We find that cache attacks can be effectively incorporated into this framework. Specifically, we propose a leakage model called cache access pattern vector according to the cache timing leakage characteristics. Furthermore, we propose data preprocessing schemes such as noise reduction, dimensionality reduction, and vector expansion to implement efficient attacks. Subsequently, we proposed seven distinguishers in three categories: difference of means-based analysis, vector distance-based analysis, and mutual information-based analysis. Moreover, we attacked the last round of the AES fast software implementation algorithm based on the Chipyard platform. According to the experimental results, all proposed methods can successfully extract the key, and five of them are comparable to mainstream cache analysis in attack efficiency. Finally, we evaluate the five efficient distinguishers under three different cache micro-architectures using guessing entropy. Based on the experimental environment of this paper, vector distance-based distinguishers have the best attack efficiency, and the difference of mean-based analysis has the worst. Surprisingly, the most general mutual information-based attacks can achieve excellent medium results in a few attack rounds without the help of static analysis tools. Meanwhile, the experimental results demonstrate that cache micro-architecture directly impacts the attack effect, in which the smaller cache line size benefits the attacks, while the random replacement policy increases the noise and difficulty of the attacks. Author Affiliation: (a) College of Cryptography Engineering, Information Engineering University, Zhengzhou 450001, China (b) College of Information Science and Electronic Engineering, Zhejiang University, Hangzhou 310027, China (c) College of Cyber Science and Technology, Zhejiang University, Hangzhou 310027, China * Corresponding author at: College of Cryptography Engineering, Information Engineering University, No. 62, Science Avenue, High-Tech Zone, Zhengzhou 450001, China. Article History: Received 8 October 2022; Revised 17 March 2023; Accepted 7 April 2023 Byline: Pengfei Guo [pfguo_hit@126.com] (a,b,*), Yingjian Yan (a), Fan Zhang (c), Chunsheng Zhu (a), Lichao Zhang (a), Zibin Dai (a)

Published

2023

2. A survey on the (in)security of trusted execution environments

Author

Muñoz, Antonio, Ríos, Ruben, Román, Rodrigo, and López, Javier

Subjects

Business, Computers and office automation industries

Abstract

Keywords Computer security; Secure hardware; Trusted execution environments; Hardware attacks; Software attacks; Side-channel attacks Abstract As the number of security and privacy attacks continue to grow around the world, there is an ever increasing need to protect our personal devices. As a matter of fact, more and more manufactures are relying on Trusted Execution Environments (TEEs) to shield their devices. In particular, ARM TrustZone (TZ) is being widely used in numerous embedded devices, especially smartphones, and this technology is the basis for secure solutions both in industry and academia. However, as shown in this paper, TEE is not bullet-proof and it has been successfully attacked numerous times and in very different ways. To raise awareness among potential stakeholders interested in this technology, this paper provides an extensive analysis and categorization of existing vulnerabilities in TEEs and highlights the design flaws that led to them. The presented vulnerabilities, which are not only extracted from existing literature but also from publicly available exploits and databases, are accompanied by some effective countermeasures to reduce the likelihood of new attacks. The paper ends with some appealing challenges and open issues. Author Affiliation: Network, Information and Computer Security (NICS) Lab, University of Malaga, Spain * Corresponding author. Article History: Received 16 November 2022; Revised 4 February 2023; Accepted 9 March 2023 Byline: Antonio Muñoz [amunoz@lcc.uma.es] (*), Ruben Ríos [ruben@lcc.uma.es], Rodrigo Román [roman@lcc.uma.es], Javier López [jlm@lcc.uma.es]

Published

2023

3. Full-stack vulnerability analysis of the cloud-native platform

Author

Zeng, Qingyang, Kavousi, Mohammad, Luo, Yinhong, Jin, Ling, and Chen, Yan

Subjects

Systems and data security software, Container industry, Containers, Cloud computing, Virtualization, Security systems, Systems/data security software, Business, Computers and office automation industries

Abstract

Keywords Cloud-native security; Container security; Vulnerability; Docker; Kubernetes; Istio; CNI Abstract Cloud-native systems have recently emerged as one of the most popular platforms for application development, providing lightweight virtualization, simplified DevOps procedures, scaling, resource efficiency, monitoring, and more. The typical cloud-native system may include containers, container orchestrators, and service meshes. However, a number of attacks exploit vulnerabilities in different components, leading the attacker to gain control over the cloud-native system. In this paper, we collect, classify, exploit, and mitigate vulnerabilities of different components. Firstly, we choose Docker, Kubernetes, and Istio as the most popular cloud technologies and give each an overview. Secondly, we give an in-depth analysis of the vulnerabilities. We collect cloud-native vulnerabilities over the past five years and propose two classifications of those vulnerabilities. One is based on the architecture of the component, and the other is based on the attack enabled. We exploit vulnerabilities that enable us to discover some insightful findings and provide mitigation solutions. Third, we analyze 15 open-source security tools provided for the cloud-native environment. We argue that among all these security tools, none of them covers all features which we will discuss in this paper. We believe that our analysis of cloud security vulnerabilities and open-source security tools can benefit the security of the cloud-native ecosystem. Author Affiliation: (a) Zhejiang University, China (b) Northwestern University, USA * Corresponding author. Article History: Received 23 May 2022; Revised 22 February 2023; Accepted 2 March 2023 Byline: Qingyang Zeng [qyzeng@zju.edu.cn] (a), Mohammad Kavousi [kavousi@u.northwestern.edu] (b), Yinhong Luo [22021181@zju.edu.cn] (a), Ling Jin [ljin1995@zju.edu.cn] (a), Yan Chen [ychen@northwestern.edu] (*,b)

Published

2023

4. CKDAN: Content and keystroke dual attention networks with pre-trained models for continuous authentication

Author

Yang, Haitian, Meng, Xiang, Zhao, Xuan, Wang, Yan, Liu, Yuejun, Kang, Xiaoyu, Shen, Jiahui, and Huang, Weiqing

Subjects

Identification cards -- Analysis, Biometry -- Analysis, Business, Computers and office automation industries

Abstract

Keywords User authentication; Roberta; Keystroke dynamics; Continuous authentication; Attention network Abstract With the rapid development of digitalization, information security becomes more and more important. User authentication is a significant line of defense. During the past few years, many research works concentrating on user authentication have been published. Traditional authentication techniques (password, ID card-based authentication, or other biometrics like fingerprint or iris) basically fall into the category of one-time authentication. The disadvantage of these methods is that once an unknown user completes an authentication through forgery, the system would continue to operate without any resistance, thus putting the entire system at risk. Recently, due to the prevalence of deep learning techniques, some researchers have applied learning-based models to user authentication. However, almost all existing methods only focus on keystroke dynamics while ignoring the 'text' entered by users during keystrokes. In this paper, we propose contents and keystroke dual attention networks with pre-trained models for continuous authentication. To the best of our knowledge, our paper is the first to address user-inputted 'text' during keystrokes as an important asset beyond traditional characteristic keystroke dynamics. Specifically, we use the well-known pre-trained RoBERTa model to capture textual features. Then, we pass textual features and conventional features through our proposed dual attention networks. Our networks fuse these features and acquire final representations. Experiments show that the CKDAN model achieves state-of-the-art performance on two datasets, Clarkson II keystroke dataset and Buffalo dataset, outperforming all baseline methods. Author Affiliation: (a) Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China (b) School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China (c) York University, Ontario, Canada (d) Jiangnan University, Wuxi, China * Corresponding author. Article History: Received 22 July 2022; Revised 18 February 2023; Accepted 21 February 2023 Byline: Haitian Yang [yanghaitian@iie.ac.cn] (a,b), Xiang Meng [mengxiang@iie.ac.cn] (b,*), Xuan Zhao [xuanzhao@eecs.yorku.ca] (c), Yan Wang [wangyan@iie.ac.cn] (a), Yuejun Liu [liuyuejun@jndxrwxy.wecom.work] (d), Xiaoyu Kang [kangxiaoyu@iie.ac.cn] (a), Jiahui Shen [shenjiahui@iie.ac.cn] (a), Weiqing Huang [huangweiqing@iie.ac.cn] (a,b)

Published

2023

5. A comparative risk analysis on CyberShip system with STPA-Sec, STRIDE and CORAS

Author

Sahay, Rishikesh, Estay, D.A. Sepulveda, Meng, Weizhi, Jensen, Christian D., and Barfod, Michael Bruhn

Subjects

Investment analysis -- Usage, Risk assessment -- Usage -- Comparative analysis, Cyberterrorism -- Comparative analysis -- Usage, Business, Computers and office automation industries

Abstract

Keywords Cyber ship; Cyber physical systems (CPS); STPA; Cyber risk assessment; STRIDE; CORAS Abstract The widespread use of software-intensive cyber systems in critical infrastructures such as ships (CyberShips) has brought huge benefits, yet it has also opened new avenues for cyber attacks to potentially disrupt operations. Cyber risk assessment plays a vital role in identifying cyber threats and vulnerabilities that can be exploited to compromise cyber systems. Understanding the nature of cyber threats and their potential risks and impact is essential to improve the security and resilience of cyber systems, and to build systems that are secure by design and better prepared to detect and mitigate cyber attacks. A number of methodologies have been proposed to carry out these analyses. This paper evaluates and compares the application of three risk assessment methodologies: system theoretic process analysis (STPA-Sec), STRIDE and CORAS for identifying threats and vulnerabilities in a CyberShip system. We specifically selected these three methodologies because they identify threats not only at the component level, but also threats or hazards caused due to the interaction between components, resulting in sets of threats identified with each methodology and relevant differences. Moreover, STPA-Sec, which is a variant of the STPA, is widely used for safety and security analysis of cyber physical systems (CPS); CORAS offers a framework to perform cyber risk assessment in a top-down approach that aligns with STPA-Sec; and STRIDE (Spoofing, Tampering, Repudiation,Information disclosure, Denial of Service, Elevation of Privilege) considers threat at the component level as well as during the interaction that is similar to STPA-Sec. As a result of this analysis, this paper highlights the pros and cons of these methodologies, illustrates areas of special applicability, and suggests that their complementary use as threats identified through STRIDE can be used as an input to CORAS and STPA-Sec to make these methods more structured. Author Affiliation: (a) Business Management Department, Oregon Institute of Technology, Klamath Falls, OR 97601, United states (b) Digitalization Group, Rigshospitalet, Denmark (c) Department of Applied Mathematics & Computer Science, Technical University of Denmark, Kgs. Lyngby, DK-2800, Denmark (d) DTU Management Engineering, Technical University of Denmark, DK-2800, Kgs. Lyngby, Denmark * Corresponding author. Article History: Received 15 December 2022; Revised 13 February 2023; Accepted 8 March 2023 Byline: Rishikesh Sahay [rishikesh.sahay@oit.edu] (a), D.A. Sepulveda Estay [daniel.alberto.sepulveda.estay@regionh.dk] (b), Weizhi Meng [weme@dtu.dk] (*,c), Christian D. Jensen [cdje@dtu.dk] (c), Michael Bruhn Barfod [mbba@dtu.dk] (d)

Published

2023

6. DroidRL: Feature selection for android malware detection with reinforcement learning

Author

Wu, Yinwei, Li, Meijin, Zeng, Qi, Yang, Tao, Wang, Junfeng, Fang, Zhiyang, and Cheng, Luyu

Subjects

Natural language interfaces -- Rankings, Spyware, Computational linguistics -- Rankings, Language processing -- Rankings, Machine learning, Data mining, Computer science, Neural networks -- Rankings, Algorithms, Data warehousing/data mining, Neural network, Algorithm, Business, Computers and office automation industries

Abstract

Keywords Reinforcement learning; Android malware detection; Feature selection; RNN; Sequence processing Highlights * This paper applied reinforcement learning algorithms to the feature selection phase of Android malware detection, reducing the burden of feature selection tasks. * This paper adopts Natural Language Processing methods to tackle the feature selection methods. * This paper presented a modifiable framework that can be easily ported to other feature selection tasks for malware detection. Abstract Due to the completely open-source nature of Android, the exploitable vulnerability of malware attacks is increasing. Machine learning, leading to a great evolution in Android malware detection in recent years, is typically applied in the classification phase. Since the correlation between features is ignored in some traditional ranking-based feature selection algorithms, applying wrapper-based feature selection models is a topic worth investigating. Though considering the correlation between features, wrapper-based approaches are time-consuming for exploring all possible valid feature subsets when processing a large number of Android features. To reduce the computational expense of wrapper-based feature selection, a framework named DroidRL is proposed. The framework deploys DDQN algorithm to obtain a subset of features which can be used for effective malware classification. To select a valid subset of features over a larger range, the exploration-exploitation policy is applied in the model training phase. The recurrent neural network (RNN) is used as the decision network of DDQN to give the framework the ability to sequentially select features. Word embedding is applied for feature representation to enhance the framework's ability to find the semantic relevance of features. The framework's feature selection exhibits high performance without any human intervention and can be ported to other feature selection tasks with minor changes. The experiment results show a significant effect when using the Random Forest as DroidRL's classifier, which reaches 95.6% accuracy with only 24 features selected. Author Affiliation: (a) College of Software Engineering, Sichuan University, Chengdu, China (b) School of Cyber Science and Engineering, Sichuan University, Chengdu, China (c) College of Computer Science, Sichuan University, Chengdu, China (d) School of Business, Sichuan University, Chengdu, China * Corresponding author. Article History: Received 21 September 2022; Revised 21 December 2022; Accepted 26 January 2023 Byline: Yinwei Wu (a), Meijin Li (a), Qi Zeng (c), Tao Yang (c), Junfeng Wang (c), Zhiyang Fang [fangzhiyang@scu.edu.cn] (*,b), Luyu Cheng (d)

Published

2023

7. AIDTF: Adversarial training framework for network intrusion detection

Author

Xiong, Wen Ding, Luo, Kai Lun, and Li, Rui

Subjects

Detectors, Machine learning, Computer science, Business, Computers and office automation industries

Abstract

Keywords Cyberspace security; Intrusion detection; Adversarial training; Machine learning; Generative adversarial networks Abstract Network Intrusion Detection Systems (IDS) have achieved high accuracy by widely applying Machine Learning (ML) models. However, most current ML-based IDSs can not cope with targeted attacks from adversaries because they are commonly trained and tested using fixed data sets. In this paper, we propose an Adversarial Intrusion Detection Training Framework (AIDTF) to improve the robustness of IDSs, which consists of an attacker model a-model, a defender model d-model, and a black-box trainer t-module. Both the a-model and d-model are multilayer perceptrons, and the t-module is the module used to train IDSs. AIDTF improves the accuracy of IDS by using an adversarial training method, which is different from traditional training methods. Taking the distribution of normal samples in the dataset as the distribution that the a-model and d-model need to learn, the goal of the a-model is to generate samples that deceive the d-model, while the goal of the d-model is to determine whether the input samples are real samples, so there is an adversarial relationship between a-model and d-model. Different types of IDSs can be trained by the t-module using the samples generated from the confrontation between the a-model and the d-model, and we call this kind of IDS the Adversarial Training Intrusion Detection System (ATIDS). The main contribution of this paper is to propose a training method that is used to obtain an IDS with high accuracy not only for known test sets but also to identify unknown disguised attack samples. We tested different types of ATIDSs using the current mainstream attack methods, which include the Fast Gradient Method, Fast Gradient Sign Method, Projected Gradient Descent, and Jacobs Saliency Map Algorithm. The experimental results prove that AIDTF outperforms other adversarial training methods with not only higher accuracy for the test set but also up to a 99% recognition rate for the attack samples. Author Affiliation: (a) School of Computer Science and Technology, Dongguan University Of Technology, GuangDong, China (b) School of Cyberspace Security, Dongguan University Of Technology, GuangDong, China * Corresponding author. Article History: Received 11 October 2022; Revised 2 February 2023; Accepted 13 February 2023 Byline: Wen Ding Xiong [xiongwending@hotmail.com] (a), Kai Lun Luo [luokl@dgut.edu.cn] (b), Rui Li [ruili@dgut.edu.cn] (*,b)

Published

2023

8. Adversarial attacks against Windows PE malware detection: A survey of the state-of-the-art

Author

Ling, Xiang, Wu, Lingfei, Zhang, Jiangyu, Qu, Zhenqing, Deng, Wei, Chen, Xiang, Qian, Yaguan, Wu, Chunming, Ji, Shouling, Luo, Tianyue, Wu, Jingzheng, and Wu, Yanjun

Subjects

Natural language interfaces -- Surveys, Spyware -- Surveys, Computational linguistics -- Surveys, Language processing -- Surveys, Machine learning -- Surveys, Machine vision -- Surveys, Business, Computers and office automation industries

Abstract

Keywords Portable executable; Malware detection; Machine learning; Adversarial machine learning; Deep learning; Adversarial attack Abstract Malware has been one of the most damaging threats to computers that span across multiple operating systems and various file formats. To defend against ever-increasing and ever-evolving malware, tremendous efforts have been made to propose a variety of malware detection that attempt to effectively and efficiently detect malware so as to mitigate possible damages as early as possible. Recent studies have shown that, on the one hand, existing machine learning (ML) and deep learning (DL) techniques enable superior solutions in detecting newly emerging and previously unseen malware. However, on the other hand, ML and DL models are inherently vulnerable to adversarial attacks in the form of adversarial examples, which are maliciously generated by slightly and carefully perturbing the legitimate inputs to misbehave. Adversarial attacks are initially studied in the domain of computer vision like image classification, and then quickly extended to other domains, including natural language processing, audio recognition, and even malware detection. In this paper, we focus on malware with the file format of portable executable (PE) in the family of Windows operating systems, namely Windows PE malware, as a representative case to study the adversarial attack methods in such adversarial settings. To be specific, we start by first outlining the general learning framework of Windows PE malware detection based on ML/DL and subsequently highlighting three unique challenges of performing adversarial attacks in the context of Windows PE malware. Then, we conduct a comprehensive and systematic review to categorize the state-of-the-art adversarial attacks against PE malware detection, as well as corresponding defenses to increase the robustness of Windows PE malware detection. Finally, we conclude the paper by first presenting other related attacks against Windows PE malware detection beyond the adversarial attacks and then shedding light on future research directions and opportunities. Author Affiliation: (a) Institute of Software, Chinese Academy of Sciences, Beijing, 100190, Beijing, China (b) Pinterest,New York, 10018, NY, USA (c) Zhejiang University of Science and Technology, Hangzhou, 310023, Zhejiang, China (d) Zhejiang University, Hangzhou, 310027, Zhejiang, China * Corresponding authors. Article History: Received 9 October 2022; Revised 19 December 2022; Accepted 4 February 2023 Byline: Xiang Ling [lingxiang@iscas.ac.cn] (a), Lingfei Wu [lwu@email.wm.edu] (b), Jiangyu Zhang [zhangjiangyu@zju.edu.cn] (d), Zhenqing Qu [quzhenqing@zju.edu.cn] (d), Wei Deng [dengwei@zju.edu.cn] (d), Xiang Chen [wasdnsxchen@gmail.com] (d), Yaguan Qian [qianyaguan@zust.edu.cn] (c), Chunming Wu [wuchunming@zju.edu.cn] (d), Shouling Ji [sji@zju.edu.cn] (d), Tianyue Luo [tianyue@iscas.ac.cn] (a), Jingzheng Wu [jingzheng08@iscas.ac.cn] (*,a), Yanjun Wu [yanjun@iscas.ac.cn] (*,a)

Published

2023

9. SoK: Run-time security for cloud microservices. Are we there yet?

Author

Minna, Francesco and Massacci, Fabio

Subjects

Cloud computing -- Analysis -- Safety and security measures, Digital libraries -- Safety and security measures -- Analysis, Business, Computers and office automation industries

Abstract

Keywords Survey; Microservices; Containers; Security; Cloud Abstract The adoption of microservice architecture is rapidly growing, involving industries of every size. Their ability to scale and reconstitute complex functionalities into small, cohesive, and interconnected components (the microservices), and their limited use of isolation contribute to this success. Unfortunately but unsurprisingly, these very factors enlarge the attack surface and increase the security risks of today's deployments. In this study, we performed a systematization of knowledge about the run-time security of microservices. Starting from a keyword search, we initially reviewed 807 papers available in digital libraries (e.g., Google Scholar and Scopus), which we filtered down to 48 by applying a number of selection criteria (e.g., the presence of a proof-of-concept implementation). We also considered over 30 industry tools that offer various security services for microservices. We categorized both papers and tools and highlighted areas where research is abundant, where it is lacking, and where it is misleading. We conclude that the run-time security of microservices is still in its infancy and we supplement our analyses with insights into addressing the key challenges. Author Affiliation: (a) Vrije Universiteit Amsterdam, Netherlands (b) University of Trento, Italy * Corresponding author. Article History: Received 11 September 2022; Revised 19 December 2022; Accepted 22 January 2023 (footnote)[white star] This work has received funding from the European Union under the H2020 grant 952647 (AssureMOSS). Byline: Francesco Minna [f.minna@vu.nl] (*,a), Fabio Massacci [fabio.massacci@ieee.org] (a,b)

Published

2023

10. A comprehensive study of DDoS attacks over IoT network and their countermeasures

Author

Kumari, Pooja and Jain, Ankit Kumar

Subjects

Confidential communications -- Analysis, Denial of service attacks -- Analysis, Machine learning -- Analysis, Zombies -- Analysis, Business, Computers and office automation industries

Abstract

Keywords Internet of things; DDoS attack; Botnet; Machine learning; Software defined network Abstract IoT offers capabilities to gather information from digital devices, infer from their results, and maintain and optimize these devices in different domains. IoT is heterogeneous in nature, which makes it prone to various security threats like confidentiality and integrity breaches, lack of availability of resources, trust issues, etc. The security concerns lead to different attacks over the system, and the Distributed Denial of Services (DDoS) bout is growing generously. DDoS is an assault that targets the availability of resources and servers of a network by flooding the communication medium from distinct locations by utilizing various IoT devices, which makes it harder to detect. Thus, analyzing and defending DDoS is a protruding field of research these days. The paper gives a thorough knowledge of DDoS over IoT. In this, we have critically analysed the existing DDoS variants, IoT Security issues, the execution of DDoS attempts, along with the exploitation of IoT devices and creation of them in Botnets or zombies. Moreover, the paper will also cover prevailing DDoS defense methodologies as well as their comparative analysis for ease of understanding. Author Affiliation: Computer Engineering Department, National Institute of Technology, Kurukshetra, India * Corresponding author. Article History: Received 4 January 2022; Revised 4 January 2023; Accepted 8 January 2023 Byline: Pooja Kumari [poojakumari.cse7@gmail.com] (*), Ankit Kumar Jain

Published

2023

11. Distributed query execution under access restrictions

Author

De Capitani di Vimercati, Sabrina, Foresti, Sara, Jajodia, Sushil, Livraga, Giovanni, Paraboschi, Stefano, and Samarati, Pierangela

Subjects

Business, Computers and office automation industries

Abstract

Keywords Distributed query execution; Controlled data sharing; Authorization model; Relation profile; Cloud computing Abstract The availability of a multitude of data sources has naturally increased the need for subjects to collaborate for supporting distributed computations that combine different data collections for their elaboration and analysis. Due to the quick pace at which datasets grow, often the authorities collecting and owning such datasets resort to external third parties (e.g., cloud providers) for their storage and management. Data under the control of different authorities are autonomously encrypted (using different encryption schemes and keys) for their external storage. This makes distributed computations combining these sources difficult to support. In this paper, we propose an approach enabling collaborative computations over data encrypted in storage, selectively involving also subjects that might not be authorized for accessing the data in plaintext when their collaboration is considered economically convenient. We also consider the possible adoption of trusted hardware components, to enable the evaluation of operations over plaintext data at non-fully trusted computational providers. The experimental results confirm the economic benefits that can be enabled by our proposal. Author Affiliation: (a) Università degli Studi di Milano Via Celoria 18, Milano 20133 MI, Italy (b) George Mason University, 10401 York River Road, Fairfax, VA, 22030-4422, USA (c) Università degli Studi di Bergamo, Viale Marconi 5, Dalmine 24044 BG, Italy * Corresponding author. Article History: Received 13 April 2022; Revised 4 August 2022; Accepted 6 December 2022 (footnote)[white star] A preliminary version of this paper appeared under the title 'Distributed query evaluation over encrypted data,' in Proc. of the 35th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy (DBSec 2021), Calgary, Canada, July 19-20, 2021 (). Byline: Sabrina De Capitani di Vimercati [sabrina.decapitani@unimi.it] (*,a), Sara Foresti [sara.foresti@unimi.it] (a), Sushil Jajodia [jajodia@gmu.edu] (b), Giovanni Livraga [giovanni.livraga@unimi.it] (a), Stefano Paraboschi [parabosc@unibg.it] (c), Pierangela Samarati [pierangela.samarati@unimi.it] (*,a)

Published

2023

12. Understanding situation awareness in SOCs, a systematic literature review

Author

Ofte, Håvard Jakobsen and Katsikas, Sokratis

Subjects

Business, Computers and office automation industries

Abstract

Keywords Situation awareness; Security operations center; Cyber security; Human performance System performance Abstract Situation awareness is shown through human factors research to be a valuable construct to understand and improve how humans perform while operating complex systems in critical environments. Within cyber security one such environment is the Security Operations Center (SOC). With the increasing threat of hybrid warfare, knowledge about situation awareness within SOC environments, where human error or low performance may be detrimental, must be developed. This paper reports on the results of a Systematic Descriptive Literature Review of the current research on situation awareness within SOCs. The goal of the paper is to analyze how situation awareness is understood in the current research. To achieve this goal three aspects of understanding were addressed: Theoretical foundations; levels of conceptualization; and measurement of situation awareness. Theoretical foundations in the literature were assessed by how situation awareness was defined and the presence of references to theoretical models of SA. The results show a clear trend of basing the research on Endsley's three level situation awareness model; this model has been developed into a domain specific formulation called 'Cyber Situation Awareness'. Some parts of the literature, particularly in research aimed at developing tools for improving situation awareness, lack a theoretical foundation; some refer to alternative theoretical foundations of situation awareness like Stanton et al.'s Distributed Situation Awareness. Further, a balance between conceptualizations on the individual, group and system level has been identified. Within research aimed at developing tools for improving situation awareness there are some examples of specialized and precise measurements of situation awareness, but in general the research seems too reliant on indirect measures of situation awareness. The paper concludes with the proposition of connecting the systems-based theoretical perspective of distributed situation awareness into the research, utilizing a systems level conceptualization of situation awareness. This might prove to be a useful bridge between the human cognitive perspective of situation awareness and the development of the complex technical environment of critical importance that SOCs represent. Abbreviations HFR, Human Factors Research; SA, Situation Awareness; ISA, Individual Situation Awareness; DSA, Distributed Situation Awareness; SSA, Shared Situation Awareness; CSA, Cyber Situation Awareness Author Affiliation: Department of Information Security and Communication Technology, Norwegian University of Science and Technology, Gjøvik 2802, Norway * Corresponding author. Article History: Received 17 October 2022; Revised 12 December 2022; Accepted 15 December 2022 (footnote) This work was supported by the Research Council of Norway under Project nr 333900 'Situation awareness in virtual security operations centers' and Project nr 310105 'Norwegian Centre for Cyber Security in Critical Sectors (NORCICS)'. Byline: Håvard Jakobsen Ofte [havard.ofte@ntnu.no] (*), Sokratis Katsikas [sokratis.katsikas@ntnu.no]

Published

2023

13. Evaluation of Asian Countries using Data Center Security Index: A Spherical Fuzzy AHP-based EDAS Approach

Author

Özkan, Baris, Erdem, Mehmet, and Özceylan, Eren

Subjects

Data security -- Analysis, Decision-making -- Analysis, Data security issue, Business, Computers and office automation industries

Abstract

Keywords Asian countries; Data centre security index; EDAS; Evaluation; Spherical fuzzy AHP Abstract The motivation of this paper is to assess and compare Asia Pacific Accreditation Cooperation (APAC) countries' risk profiles that impact data centers' (DCs) effectiveness. Because of the importance of DCs, security to protect a DC from external threats and attacks is an issue to be addressed. However, the conflicted nature of the evaluation criteria (such as infrastructure, energy, natural, business, political, and legal risks) makes it difficult to assess the countries' profiles. The objective of this paper is to provide a systematic evaluation methodology using two different multi-criteria decision making (MCDM) approaches, namely spherical fuzzy analytical hierarchy process (SF-AHP) and EDAS (evaluation based on distance from average solution). While SF-AHP is preferred to prioritize the main and sub-criteria under imprecise decision making environment, EDAS is used to rank the countries' DC profiles embedding the obtained criteria weights. The results of the methods have been compared with the ranking results presented in the report called as Data Centre Security Index (DCSI) is published by Technology Research Project Corporate (TRPC). Consequently, Singapore, Hong Kong and New Zealand rank in the top three due to their high electrification rates and secure internet servers. Author Affiliation: (a) Department of Industrial Engineering, Ondokuz Mayis University, 55139, Samsun, Turkey (b) Department of Industrial Engineering, Gaziantep University, 27310, Gaziantep, Turkey * Corresponding author. Article History: Received 25 March 2022; Revised 26 July 2022; Accepted 25 August 2022 Byline: Baris Özkan (a), Mehmet Erdem (a), Eren Özceylan [erenozceylan@gmail.com] (b,*)

Published

2022

14. Automated city shuttles: Mapping the key challenges in cybersecurity, privacy and standards to future developments

Author

Benyahya, Meriem, Collen, Anastasija, Kechagia, Sotiria, and Nijdam, Niels Alexander

Subjects

Data security -- Analysis, Privacy -- Analysis, Sensors -- Standards -- Access control, Internet -- Safety and security measures, Cyberterrorism -- Analysis, Security management -- Analysis, Local transit -- Standards -- Access control, Internet security, Data security issue, Privacy issue, Business, Computers and office automation industries

Abstract

Keywords Automated city shuttles; Connected automated vehicles; Shared mobility; Cybersecurity; Data privacy Abstract The Automated City Shuttles (ACSs) aim to shape the future public transportation and provide more efficient and accessible mobility in smart cities. With the absence of a driver, such mini-busses process the sensors' inputs and exchanged data with other vehicles and intelligent transport systems to achieve a real time assimilation of its surroundings. Consequently, the technologies supporting the driverless functionalities ushered new cybersecurity risks and data privacy breaches. Unfortunately, several studies mostly focus on individual Connected-Automated Vehicles (CAV), though intrinsic underpinnings of the ACS's threat vectors remain unexplored. In the present paper, we considerably extend that investigation by proposing a comprehensive state of the art with farsighted analyses addressing security threats and data privacy concerns from both technical and legal perspectives to thwart potential attacks. Moreover, as existing approaches have not provided yet a clear road map about ACS's security standards, the present work sheds light on recent and up to date standards and standardisation bodies dealing with cybersecurity and privacy issues in the automated driving ecosystem. This paper presents an analysis debating the trade-off between maximising the ACS benefits and minimising the associated security vulnerabilities and attacks through an overview of technical and legal mitigation strategies. Author Affiliation: (a) Centre Universitaire d'Informatique, Geneva School of Economics and Management, University of Geneva, Geneva, Switzerland (b) Faculty of Law, University of Geneva, Geneva, Switzerland * Corresponding author. Article History: Received 29 July 2021; Revised 7 February 2022; Accepted 28 August 2022 Byline: Meriem Benyahya [meriem.benyahya@unige.ch] (*,a), Anastasija Collen [anastasija.collen@unige.ch] (a), Sotiria Kechagia [sotiria.kechagia@unige.ch] (b), Niels Alexander Nijdam [niels.nijdam@unige.ch] (a)

Published

2022

15. Web-tracking compliance: websites' level of confidence in the use of information-gathering technologies

Author

Martínez, David, Calle, Eusebi, Jové, Albert, and Pérez-Solà, Cristina

Subjects

Web sites -- Case studies -- Analysis -- Usage, Algorithms -- Case studies -- Analysis -- Usage, Information management -- Case studies -- Analysis -- Usage, Company Web site/Web page, Information accessibility, Algorithm, Business, Computers and office automation industries

Abstract

Keywords web tracking; cookies; web beacons; level of confidence; privacy; compliance Abstract With the emergence of new technologies and the generalized use of social media, corporations have an invested economic interest in employing web-tracking techniques, but there is also the issue of protecting users' privacy. In this field of research, only few articles introduce methods to evaluate website compliance in the use of current web-tracking techniques. Moreover, evaluating the level of compliance requires, in the majority of cases, manually implementing an extensive data analysis. In this paper, we present four new algorithms (CIA, CDA, BDA, and SCA) and a novel measure (WLoC) to evaluate user tracking compliance in websites and the level of confidence in the use of information-gathering technologies, by employing the recently published Website Evidence Collector (WEC) software from the European Data Protection Supervisor (EDPS). The paper also showcases a case study of the top 500 websites most visited by Alexa in Spain to evaluate the performance of the presented algorithms and metrics. Results reveal a novel procedure for obtaining categorized websites' compliance and confidence levels of a set of websites under the current European legislation, thus updating and enhancing some of the previous research work. Author Affiliation: (a) Institute of Informatics and Applications, Universitat de Girona, Girona, Spain (b) Universitat Oberta de Catalunya Spain (c) K-riptography and Information Security for Open Networks, IN3, Universitat Oberta de Catalunya Spain (d) CYBERCAT-Center for Cybersecurity Research of Catalonia Spain * Corresponding author. Article History: Received 2 February 2022; Revised 22 July 2022; Accepted 8 August 2022 Byline: David Martínez [david.martineza@udg.edu] (*,a), Eusebi Calle [eusebi.calle@udg.edu] (a), Albert Jové [ajove@uoc.edu] (b), Cristina Pérez-Solà [cperezsola@uoc.edu] (c,d)

Published

2022

16. A Taxonomy for Threat Actors' Persistence Techniques

Author

Villalón-Huerta, Antonio, Marco-Gisbert, Hector, and Ripoll-Ripoll, Ismael

Subjects

Spyware -- Methods -- Analysis, Actors -- Methods -- Analysis, Actresses -- Methods -- Analysis, Business, Computers and office automation industries

Abstract

Keywords TTP; Persistence; Advanced Persistent Threat; Malware; MITRE ATT&CK Abstract The main contribution of this paper is to provide an accurate taxonomy for Persistence techniques, which allows the detection of novel techniques and the identification of appropriate countermeasures. Persistence is a key tactic for advanced offensive cyber operations. The techniques that achieve persistence have been largely analyzed in particular environments, but there is no suitable platform--agnostic model to structure persistence techniques. This lack causes a serious problem in the modeling of activities of advanced threat actors, hindering both their detection and the implementation of countermeasures against their activities. In this paper we analyze previous work in this field and propose a novel taxonomy for persistence techniques based on persistence points, a key concept we introduce in our work as the basis for the proposed taxonomy. Our work will help analysts to identify, classify and detect compromises, significantly reducing the amount of effort needed for these tasks. It follows a logical structure that can be easy to expand and adapt, and it can be directly used in commonly accepted industry standards such as MITRE ATT&CK. Author Affiliation: (a) S2 Grupo, Ramiro de Maeztu 7, Valencia, 46022 Spain (b) Department of Computing Engineering, Universitat Politécnica de Valéncia, Camino de Vera s/n, Valencia,46022 Spain * Corresponding author. Article History: Received 18 March 2022; Revised 22 June 2022; Accepted 21 July 2022 Byline: Antonio Villalón-Huerta [antonio.villalon@s2grupo.es] (*,a), Hector Marco-Gisbert [iripoll@disca.upv.es] (b), Ismael Ripoll-Ripoll (b)

Published

2022

17. Comparative research on network intrusion detection methods based on machine learning

Author

Zhang, Chunying, Jia, Donghao, Wang, Liya, Wang, Wenjie, Liu, Fengchun, and Yang, Aimin

Subjects

Security software -- Comparative analysis -- Methods, Detectors -- Comparative analysis -- Methods, Machine learning -- Comparative analysis -- Methods, Neural networks -- Comparative analysis -- Methods, Data mining -- Comparative analysis -- Methods, Algorithms -- Methods -- Comparative analysis, Military electronics industry -- Comparative analysis -- Methods, Network security software, Data warehousing/data mining, Neural network, Algorithm, Business, Computers and office automation industries

Abstract

Keywords Network intrusion detection; Machine learning; Deep learning; Comparative experiment Abstract Network intrusion detection system is an essential part of network security research. It detects intrusion behaviors through active defense technology and takes emergency measures such as alerting and terminating intrusions. With the rapid development of machine learning technology, more and more researchers apply machine learning algorithms to network intrusion detection to improve detection efficiency and accuracy. Due to the different principles of various algorithms, they also have their advantages and disadvantages. To construct the dominant algorithm model in the field of network intrusion detection and provide the accuracy value, this paper systematically combs the application literature of machine learning algorithms in intrusion detection in the past ten years. A review is made from three categories: traditional machine learning, ensemble learning, and deep learning. Then, this paper selects the KDD CUP99 and NSL-KDD datasets to conduct comparative experiments on decision trees, Naive Bayes, support vector machines, random forests, XGBoost, convolutional neural networks, and recurrent neural networks. The detection accuracy, F1, AUC, and other indicators of these algorithms on different data sets are compared. The experimental results show that the effect of the ensemble learning algorithm is generally better. The Naive Bayes algorithm has low accuracy in recognizing the learned data, but it has obvious advantages when facing new types of attacks, and the training speed is faster. The deep learning algorithm is not particularly prominent in this experiment, but its optimal results are affected by the structure, hyperparameters, and the number of training iterations, which need further in-depth study. Finally, the main challenges facing the current network intrusion detection field are summarized, and the future research directions have been prospected. Author Affiliation: (a) College of Science. North China University of Science and Technology. China (b) Qianan College. North China University of Science and Technology. China * Corresponding author. Article History: Received 23 February 2022; Revised 2 July 2022; Accepted 24 July 2022 Byline: Chunying Zhang (a), Donghao Jia (a), Liya Wang [hblgwly@126.com] (a,*), Wenjie Wang (a), Fengchun Liu (b), Aimin Yang (a)

Published

2022

18. Investigating perceptions about risk of data breaches in financial institutions: A routine activity-approach

Author

Lee, Jaeung, de Guzman, Melchor C., Wang, Jingguo, Gupta, Manish, and Rao, H. Raghav

Subjects

Data security -- Investigations, Financial institutions -- Investigations, Employees -- Beliefs, opinions and attitudes, Information management -- Investigations, Company legal issue, Information accessibility, Data security issue, Business, Computers and office automation industries

Abstract

Keywords Risk Assessment; Financial Institutions; Data Breaches; Routine Activity Theory; Sensitive Data; Information availability ABSTRACT Data breaches in financial institutions could produce extensive damage to an organization's operations. Therefore, it is critical for organizations to identify and assess threats in their operational environment to be able to implement prevention and mitigation strategies. Applying Routine Activity Theory (RAT), this paper develops a risk assessment model using employees' perceptions of risks relative to potential breaches of sensitive data in their organizations. This paper empirically examines the roles of motivated offenders, suitable targets, and the influences of capable guardianship within the organization. Analyses of surveyed employees show that perceptions of value (using a multi-dimensional perspective), inertia, and accessibility of targeted sensitive data along with presence of guardians have an impact on assessment of risk about data breaches in financial institutions. The paper also extends RAT to account for the amount of information (both online and offline) available regarding the data influence the relationship between value of the sensitive data and suitability for data breach. Theoretical and practical implications are discussed. Author Affiliation: (a) Louisiana Tech University (b) Georgia Gwinnett College (c) University of Texas at Arlington (d) State University of New York at Buffalo (e) University of Texas at San Antonio * Corresponding author. Article History: Received 28 September 2021; Revised 24 May 2022; Accepted 10 July 2022 Byline: Jaeung Lee [jakelee@latech.edu] (a,*), Melchor C. de Guzman (b), Jingguo Wang (c), Manish Gupta (d), H. Raghav Rao (e)

Published

2022

19. KRTunnel: DNS channel detector for mobile devices

Author

Wang, Senmiao, Sun, Luli, Qin, Sujuan, Li, WenMin, and Liu, Wentao

Subjects

Mobile devices -- Analysis, Detectors -- Analysis, Business, Computers and office automation industries

Abstract

Keywords DNS tunnel detection; DNS response; Isolated forest; Android; Network security Highlights * In this paper, we proposed a method for DNS tunnel detection based on isolated forest for Android. * We constructed a framework for mobile devices to collect DNS tunnel traffic. * Based on the analysis of DNS tunnel traffic generated on mobile devices, we extracted features based on DNS request and response and constructed the feature set * We proposed a DNS tunnel detector, KRTunnel, for mobile devices. Experiments showed that KRTunnel can identify unseen DNS tunnel traffic with the accuracy of 98.1%. Abstract Nowadays, DNS channel attacks on mobile devices have become a challenging threat. Attackers usually attack mobile devices and steal information with the help of DNS channel. It is difficult for users to detect this kind of attack, especially when attackers covert sensitive information in the DNS response. In this paper, we proposed a method for DNS tunnel detection based on isolated forest for Android. We constructed a framework for mobile devices to collect DNS tunnel traffic. Based on the analysis of DNS tunnel traffic generated on mobile devices, we extracted features based on DNS request and response and constructed the feature set. We proposed a DNS tunnel detector, KRTunnel, for mobile devices. Experiments showed that KRTunnel can identify unseen DNS tunnel traffic with the accuracy of 98.1%. Author Affiliation: The State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China * Corresponding authors. Article History: Received 2 September 2021; Revised 22 June 2022; Accepted 27 June 2022 Byline: Senmiao Wang, Luli Sun, Sujuan Qin [qsujuan@bupt.edu.cn] (*), WenMin Li [liwenmin02@outlook.com] (*), Wentao Liu

Published

2022

20. An empirical study of vulnerability discovery methods over the past ten years

Author

Cui, Lei, Cui, Jiancong, Hao, Zhiyu, Li, Lun, Ding, Zhenquan, and Liu, Yongji

Subjects

Business, Computers and office automation industries

Abstract

Keywords Vulnerability discovery; Empirical study; Effectiveness comparison; Vulnerability; Vulnerability detection; Vulnerability analysis Abstract In recent years, hundreds of vulnerability discovery methods have been proposed and proven to be effective (i.e., Is Effective) by discovering thousands of vulnerabilities in real-world programs. However, the quantified ability to indicate how effective (i.e., How Effective) a method is still unknown. In this paper, we perform an empirical study to understand the effectiveness of these methods better. More specifically, we prepare a dataset of 124 papers focusing on vulnerability discovery from S&P, SECURITY, CCS, and NDSS over the past ten years. These papers cover four techniques, including static analysis, dynamic analysis, concolic analysis, and fuzzing, yielding 3970 vulnerabilities, of which 954 get CVE records. Then, we extract several attributes from the paper and categorize them into five dimensions, i.e., popularity, scalability, capability, severity, and diversity, which facilitate us to compare various techniques along these dimensions statistically. Moreover, taking these attributes into account, we propose a scoring method to quantify the effectiveness of a method, thereby indicating how effective a method is. The empirical study on dimensions and effectiveness scores reveals several findings that help better understand the effectiveness of vulnerability discovery techniques. Author Affiliation: (a) Institute of Information Engineering, Chinese Academy of Science, Beijing 100093, China (b) Institute of Information Engineering, Chinese Academy of Science and University of Chinese Academy of Sciences, Beijing, China * Corresponding author. Article History: Received 5 March 2022; Revised 24 May 2022; Accepted 27 June 2022 Byline: Lei Cui [cuilei@iie.ac.cn] (a), Jiancong Cui (b), Zhiyu Hao [haozhiyu@iie.ac.cn] (*,a), Lun Li (a), Zhenquan Ding (a), Yongji Liu (a)

Published

2022

21. Uncovering APT malware traffic using deep learning combined with time sequence and association analysis

Author

Niu, Weina, Zhou, Jie, Zhao, Yibin, Zhang, Xiaosong, Peng, Yujie, and Huang, Cheng

Subjects

Societies -- Analysis, Spyware -- Analysis, Cyberterrorism -- Analysis, Machine learning -- Analysis, Neural networks -- Analysis, Computer science -- Analysis, Associations, institutions, etc. -- Analysis, Neural network, Business, Computers and office automation industries

Abstract

Keywords APT Malware; Deep learning; Association analysis; PARALLEL_Lstm; RSENET_Lstm Abstract Traditional malware detection methods based on static traffic characteristics and machine learning are hard to cope with the increasing number of APT malware variants. In order to alleviate this problem, this paper proposes a deep-learning-based malware classification approach that combines time sequence features and association rules features. This method uses the improved LSTM neural network structure named RESNET_LSTM and PARALLEL_LSTM to extract time sequence features of different protocol traffic. It also utilizes association analysis to generate quantitative rule features. Finally, we connect the time sequence feature vector and the quantization rule vector as input to deep learning models to detect malware traffic. We evaluated our proposed approach on a dataset consisting of malicious traffic generated by 57 types of malware and normal traffic. The experimental results demonstrate that the loss decline rate of PARALLEL_LSTM structure during the training phase is faster than that of the LSTM and RESNET_LSTM structures. When the RESNET_LSTM structure is used, the prediction accuracy is close to 100%, which is slightly higher than the other two structures. The accuracy of the detection methods proposed in this paper are all above 96%, while the accuracy of malware detection methods combined with static traffic characteristics and machine learning is about 85%. Author Affiliation: (a) School of Computer Science and Engineering, Institute for Cyber Security, University of Electronic Science and Technology of China (UESTC), Chengdu, 611731, China (b) School of Cyber Science and Engineering, Sichuan University, Chengdu, 610065, China * Corresponding authors. Article History: Received 29 October 2020; Revised 8 March 2022; Accepted 20 June 2022 Byline: Weina Niu [niuweina1@126.com] (*,a), Jie Zhou [fishjrunning@163.com] (a), Yibin Zhao [18200181243@163.com] (a), Xiaosong Zhang [johnsonzxs@uestc.edu.cn] (a), Yujie Peng [13201497153@l63.com] (a), Cheng Huang [opcodesec@gmail.com] (b,*)

Published

2022

22. An evaluation of potential attack surfaces based on attack tree modelling and risk matrix applied to self-sovereign identity

Author

Naik, Nitin, Grace, Paul, Jenkins, Paul, Naik, Kshirasagar, and Song, Jingping

Subjects

Denial of service attacks -- Models, Identity theft -- Models, Business, Computers and office automation industries

Abstract

Keywords Attack tree model; Risk matrix model; Digital identity; Self-sovereign identity; SSI; Identity management system; Decentralized IDentifier; DID; Verifiable credential; Distributed ledger technology; Blockchain; Faking identity; Identity theft; Distributed denial of service; Lockheed Martin's cyber kill chain; MITRE ATT&CK framework; Diamond model of intrusion analysis Abstract Self-Sovereign Identity (SSI) empowers users to govern their digital identity and personal data. This approach has changed the identity paradigm where users become the central governor of their identity; hence the rapid growth of the SSI model. Utilizing the security and privacy properties of blockchain, together with other security technologies, SSI purports to provide a robust security and privacy service. However, this governing power for users comes with a greater accountability and security risk, as not all users are capable or trained in its use and therefore in its efficient application. This trade-off requires a systematic evaluation of potential attacks on the SSI system and their security risks. Hitherto, there have been no noteworthy research studies performed to evaluate potential attacks on the SSI system and their security risks. This paper proposes an easy, efficient and economical approach to perform an evaluation of potential attacks on the SSI system and their security risks. This approach utilises a combination of an attack tree model and risk matrix model to perform this evaluation of potential attacks and their security risks, in addition to outlining a systematic approach including describing the system architecture and determining its assets in order to perform this evaluation of potential attacks and their security risks. This evaluation work has identified three potential attacks on the SSI system: faking identity, identity theft and distributed denial of service attacks, and performed their security risk evaluation utilising the proposed approach. Finally, this paper has proposed several mitigation strategies for the three evaluated attacks on the SSI system. This proposed evaluation approach is a systematic and generalised approach for evaluating attacks and their security risks, and can be applied to any other IT system. Author Affiliation: (a) School of Informatics and Digital Engineering, Aston University, Birmingham, United Kingdom (b) Cardiff School of Technologies, Cardiff Metropolitan University, Cardiff, United Kingdom (c) Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, Canada (d) Software College, Northeastern University, Shenyang, China * Corresponding author. Article History: Received 8 September 2021; Revised 23 April 2022; Accepted 17 June 2022 Byline: Nitin Naik [n.naik1@aston.ac.uk] (*,a), Paul Grace (a), Paul Jenkins (b), Kshirasagar Naik (c), Jingping Song (d)

Published

2022

23. MMM-RF: A novel high accuracy multinomial mixture model for network intrusion detection systems

Author

Hammad, Mohamed, Hewahi, Nabil, and Elmedany, Wael

Subjects

Security software -- Usage, Detectors -- Usage, Algorithms -- Analysis -- Models -- Usage, Network security software, Algorithm, Business, Computers and office automation industries

Abstract

Keywords Intrusion detection; Statistics; Network traffic; Multinomial mixture model; Computer security Abstract The rise of malicious practice in network traffic is one of the most noticeable issues in network security. This practice is negatively impacting the productivity of various organizations and end-users. In this paper, a novel approach called Multinomial Mixture Modeling with Median Absolute Deviation and Random Forest Algorithm (MMM-RF) is proposed for the classification of network attacks. Conducted with a three fold objective, this paper aims to use Correlation Feature Selection (CFS) to perform analysis on the most prominent factors involved in network traffic, focuses on using T-Distributed Stochastic Neighbor Embedding (T-SNE) to minimize data dimension, and finally, the study explores the use of Synthetic Minority Oversampling Technique (SMOTE) coupled with random under-sampling in controlling imbalance in the CSE-CIC-IDS2018 dataset. The use of Multinomial Mixture Modeling (MMM) in this study is coupled with the Expectation-Maximization (EM) algorithm and Median Absolute Deviation (MAD). This precedes the use of the Random Forest (RF) classification algorithm on the CSE-CIC-IDS2018 dataset experiment. The outcome showed a high detection accuracy of 99.98% and a very low False Positive Rate (FPR) of 0.02%. Author Affiliation: College of Information Technology, University of Bahrain, Bahrain * Corresponding author. Article History: Received 17 September 2021; Revised 22 January 2022; Accepted 25 May 2022 Byline: Mohamed Hammad [mnhammad90@gmail.com] (*), Nabil Hewahi, Wael Elmedany

Published

2022

24. Reducing Ransomware Crime: Analysis of Victims' Payment Decisions

Author

Yuryna Connolly, Alena and Borrion, Hervé

Subjects

Decision-making -- Analysis, Police -- Analysis, Business, Computers and office automation industries

Abstract

Keywords Ransomware attacks; Organisations; Decision processes; Ransom payments; Cybercrime Abstract In this paper, the decision-making processes of victims during ransomware attacks were analysed. Forty-one ransomware attacks using qualitative data collected from organisations and police officers from cybercrime units in the UK were examined. The hypothesis tested in this paper is that victims carefully analyse the situation before deciding whether to pay a ransom. This research confirms that victims often weigh the costs and benefits of interventions before making final decisions, and that their decisions are based on a range of reasons. As ransomware attacks become more prevalent globally, the findings should be highly relevant to those developing guidance and policies to prevent or minimise ransom payments. Author Affiliation: Zayed University, Liberty Building, Leeds, United Arab Emirates * Corresponding author. Article History: Received 5 June 2021; Revised 18 February 2022; Accepted 16 May 2022 Byline: Alena Yuryna Connolly [alena.yuryna-connolly@fulbrightmail.org] (*), Hervé Borrion

Published

2022

25. Cybersecurity education, awareness raising, and training initiatives: National level evidence-based results, challenges, and promise

Author

Shillair, Ruth, Esteve-González, Patricia, Dutton, William H., Creese, Sadie, Nagyfejeo, Eva, and von Solms, Basie

Subjects

Data security -- Analysis, Internet -- Safety and security measures, Developing countries -- Analysis, Cyberterrorism -- Analysis, Education -- Analysis, Internet security, Data security issue, Business, Computers and office automation industries

Abstract

Keywords Cybersecurity; Education; Training; Awareness; Internet Abstract This paper assesses the impact of cybersecurity education, awareness raising, and training (CEAT) on the vitality of internet use and services at the national level. CEAT encompasses one of five dimensions of a larger cybersecurity capacity building model (CMM) that was developed by the Global Cybersecurity Capacity Centre. The paper describes this dimension of capacity building within the CMM, and its indicators of education, awareness, and training in cybersecurity capacity. The paper then presents a cross-national analysis of the outcomes of CEAT on internet use based on comparative data from 80 nations. Controlling for contextual variables, such as the wealth of the nations and scale of internet use, the analysis shows a positive and statistically significant impact of CEAT on the vitality of internet use and services, as well as a distribution of CEAT scores that indicates key issues for low-income and developing nations. A qualitative analysis of responses from these nations is used to identify key reasons for their levels of maturity in this area. While recognising key limitations of these findings, it offers suggestions for policy and practice to meet the need for effective programs for education, awareness raising, and training. In addition, the research suggests the need for more detailed indicators of CEAT initiatives in more nations and over time to assess the validity of the findings and the recommendations for policy and practice in this area of capacity building offered in this paper. Author Affiliation: (a) Quello Center, Michigan State University, East Lansing, United States (b) Global Cyber Security Capacity Centre, Department of Computer Science, University of Oxford, Oxford, United Kingdom (c) Director of the University of Johannesburg (UJ) Centre for Cyber Security, Johannesburg, South Africa * Corresponding author. Article History: Received 14 December 2021; Revised 4 May 2022; Accepted 13 May 2022 (footnote)[white star] Funding for this research provided by: The UK Foreign, Commonwealth, and Development Office along with the State Government of Victoria, Australia. In kind support from the Organization of American States and the Inter-American Development Bank Byline: Ruth Shillair [shillai7@msu.edu] (a,*), Patricia Esteve-González (b), William H. Dutton (b), Sadie Creese (b), Eva Nagyfejeo (b), Basie von Solms (c)

Published

2022

26. DIFCS: A Secure Cloud Data Sharing Approach Based on Decentralized Information Flow Control

Author

Lu, Jintian, Sun, Jiakun, Xiao, Ruizhi, and Jin, Shuyuan

Subjects

Data security -- Analysis, Cloud computing -- Analysis, Computer science -- Analysis, Information management -- Analysis, Information accessibility, Data security issue, Business, Computers and office automation industries

Abstract

Keywords Decentralized information flow control; Cloud data sharing; Privilege protection; Model checking; Formal verification Abstract Summary In the field of cloud computing, collaboration and data sharing among clouds have dramatically increased. How to protect the security of shared cloud data is being an urgent problem. Based on decentralized information flow control (DIFC) model, this paper presents an approach, DIFC-based data sharing approach (DIFCS), to protect both confidentiality and integrity of shared cloud data. Additionally, this paper designs a privilege protection policy for DIFCS, resulting in its capability of preventing malicious users from modifying privilege. The correctness and security properties of DIFCS are proved by formal analysis and verification, where firstly, DIFCS is formally interpreted into high-level petri net (HLPN) representation and analyzed using Z language, then is automatically verified with SMT-Lib and Z3 solver. The formal analysis and verification results reveal that DIFCS holds the security properties of confidentiality, integrity, authenticity, and privilege tamper-proof. The experimental results further demonstrate the high efficiency of DIFCS. Author Affiliation: School of Computer Science and Engineering, Sun Yat-sen University, Guangzhou, China * Corresponding author. Article History: Received 15 September 2021; Revised 8 February 2022; Accepted 1 March 2022 Byline: Jintian Lu, Jiakun Sun, Ruizhi Xiao, Shuyuan Jin [jinshuyuan@mail.sysu.edu.cn] (*)

Published

2022

27. FeSA: Feature selection architecture for ransomware detection under concept drift

Author

Fernando, Damien Warren and Komninos, Nikos

Subjects

Machine learning -- Analysis, Computer science -- Analysis, Algorithms -- Analysis, Algorithm, Business, Computers and office automation industries

Abstract

Keywords Ransomware; Concept-drift; Detection; Learning-algorithms; Features Abstract This paper investigates how different genetic and nature-inspired feature selection algorithms operate in systems where the prediction model changes over time in unforeseen ways. As a result, this study proposes a feature section architecture, namely FeSA, independent of the underlying classification algorithm and aims to find a set of features that will improve the longevity of the machine learning classifier. The feature set produced by FeSA is evaluated by creating scenarios in which concept drift is presented to our trained model. Based on our results, the generated feature set remains robust and maintains high detection rates of ransomware malware. Throughout this paper, we will refer to the true-positive rate of ransomware as detection; this is to clearly define what we focus on, as the high true positive rate for ransomware is the main priority. Our architecture is compared to other nature-inspired feature selection algorithms such as evolutionary search, genetic search, harmony search, best-first search and the greedy stepwise feature selection algorithm. Our results show that FeSA displays the least degradation on average when exposed to concept drift. FeSA is evaluated based on ransomware detection rate, recall, false positives and precision. The FeSA architecture provides a feature set that shows competitive recall, false positives and precision under concept drift while maintaining the highest detection rate from the algorithms it has been compared to. Author Affiliation: Department of Computer Science, School of Mathematics, Computer Science and Engineering, City, University of London, UK * Corresponding author. Article History: Received 12 April 2021; Revised 30 November 2021; Accepted 11 February 2022 Byline: Damien Warren Fernando [damien.fernando.1@city.ac.uk] (*), Nikos Komninos

Published

2022

28. Birds of a feather: Collective privacy of online social activist groups

Author

Jia, Haiyan and Baumer, Eric P.S.

Subjects

Political activists, Privacy, Social media, Reformers, Social reformers, Privacy issue, Business, Computers and office automation industries

Abstract

Keywords Collective privacy; Interdependent privacy; Groups; Social media; Collective privacy management Abstract Privacy, usually conceptualized as an individual's right or control over their private information, also encompasses social aspects and collaborative management of co-created and co-owned information. Such issues become highly evident in the online communication of social activist groups. Through interviews with members of several such groups, this paper examines how collective privacy is constructed, managed, negotiated, and enacted. The particular strategies for collective privacy employed by each group emerged from a confluence of the group's defining characteristics and core values, the dynamics of interactions within the group, and the group's relationships with people and entities external to it. After articulating how collective privacy differs from and builds upon previous conceptualizations of privacy, the paper concludes with implications for designing socio-technological tools that enable and facilitate protection of collective privacy especially for sensitive or vulnerable online groups. Author Affiliation: (a) Department of Journalism and Communication, Lehigh University, Bethlehem, PA 18015, USA (b) Department of Computer Science and Engineering, Lehigh University, Bethlehem, PA 18015, USA * Corresponding author. Article History: Received 15 August 2021; Revised 5 January 2022; Accepted 13 January 2022 Byline: Haiyan Jia [haiyan.jia@lehigh.edu] (a,*), Eric P.S. Baumer [ericpsb@lehigh.edu] (b)

Published

2022

29. Orchestration of APT malware evasive manoeuvers employed for eluding anti-virus and sandbox defense

Author

Sharma, Amit, Gupta, Brij B., Singh, Awadhesh Kumar, and Saraswat, V.K.

Subjects

Control systems -- Analysis, Spyware -- Analysis, Cyberterrorism -- Analysis, Virtual computer systems -- Analysis, Business, Computers and office automation industries

Abstract

Keywords Advanced persistent threat; Anti-Virus evasion; Process injection; Covert communication; Anti-Debug; Anti-Virtual machine; Evasive manoeuvers re-Engineering framework(EMRF); Fileless malware; DLL Hijacking; Code obfuscation; IAT Hooking; Windows management instrumentation(WMI) Abstract The modern day cyber attacks are highly targeted and incorporate advanced tactics, techniques and procedures for greater stealth, impact and success. These attacks are also known as Advanced Persistent Threats(APT) because of their evasive and stealth nature along with longer foothold on the victim's digital infrastructure. The malware involved in APT attacks are sophisticated and developed with the intention of sabotaging the victim's digital infrastructure or performing espionage. They are capable of targeting multiple operating environments starting from desktop and server operating systems (Windows, Linux and MacOS), Mobile platforms (Android, iOS), Embedded platforms (IoT Devices), to Industrial control systems (ICS/SCADA Devices). The evolution of evasive tactics and techniques employed in such advanced malware leads to extensive research efforts to develop mechanisms that can counter these evasion techniques. The research primarily aims to demonstrate that evasive manoeuvers are currently over-weighing the security countermeasures deployed by the prevalent security solutions. This paper will first explain the evasion mechanism in a systematic manner employed in modern APT malware and aims to implement a novel Evasive Manoeuvers Re-Engineering Framework(EMRF).EMRF aims to establish and demonstrate combinations of evasive manoeuvers with much known APT malware samples to elude security solutions. The payload variants, i.e., executable, dynamic link library, and shell-code, were experimented through a research-based framework EMRF to demonstrate 36% to 96% of evasive behavior countering the majority of defender engines. The EMRF system with its dynamic user defined evasion manoeuvers is able to transform non-zero-day payloads more potent by evading majority of the modern security solutions. This research clearly demonstrates the attacker's ability to deliver non-zero-day payloads easily rather than investing resources and time in discovering zero-day exploits and developing zero-day payloads. This important observation can potentially disrupt the Advanced Persistent Threat Defenses incorporated in modern day security solution where focus is mainly on to detect zero-day payloads and exploits. Exhibiting the threat landscape poised due to APT, the paper utilizes a dataset of 4403 APT malware samples to extract and orchestrate the prevalence of evasive manoeuvers like stealth, covert communication, and anti-analysis mechanisms. This paper will contribute towards advanced malware analysis as an avenue to analyzing intrusion, evasion, and deception to prevent detection and verification, an association of responsibility, and determination of intent. Author Affiliation: (a) Office of Secretary Department of Defence(R&D), Defence Research and Development Organisation, Ministry of Defence, Government of India, New Delhi 110011, India (b) National Institute of Technology, Department of Computer Engineering, Kurukshetra, Haryana 136119, India (c) NITI Aayog, New Delhi 110001, India (d) Department of Computer Science and Information Engineering, Asia University, Taichung 413, Taiwan (e) King Abdulaziz University, Jeddah, Saudi Arabia (f) Staffordshire University, Stoke-on-Trent ST4 2DE, UK * Corresponding author. Article History: Received 18 April 2021; Revised 3 December 2021; Accepted 24 January 2022 Byline: Amit Sharma [amitsharma@gov.in] (a,b), Brij B. Gupta [bbgupta@nitkkr.ac.in] (b,d,e,f,*), Awadhesh Kumar Singh (b), V.K. Saraswat (c)

Published

2022

30. Situational Crime Prevention (SCP) techniques to prevent and control cybercrimes: A focused systematic review

Author

Ho, Heemeng, Ko, Ryan, and Mazerolle, Lorraine

Subjects

Electrical engineering, Cyberterrorism, Scientists, Crime prevention, Computer science, Developmental biology, Electrical engineering, Business, Computers and office automation industries

Abstract

Keywords Cybercrime; Situational crime prevention; SCP; Criminology; Cyber-focused crime; Cyber-enabled crime Highlights * Evolution and developments of cybercrimes into cyber-focused and cyber-enabled crimes. * Survey of research articles on the application of Situational Crime Prevention (SCP) techniques in preventing cybercrimes. * Research gaps and future areas of research on SCP in cybercrimes. Abstract Situational Crime Prevention (SCP) is a criminological approach that is shown to reduce crime opportunities drawing from five different strategies comprising 25 techniques. With the global increase in cybercrime, practitioners and researchers are increasingly investigating opportunities for applying SCP strategies and techniques to prevent cyber-focused and cyber-enabled crimes. Recent research proposes ways that SCP can be applied to cybercrime. Yet most of this research utilizes only a few of the SCP techniques and the linkages between the SCP techniques and opportunities for reducing cybercrimes are rarely made explicit. In this paper we evaluate the relevance of the full spectrum of SCP techniques to cybercrime and explicate how computer scientists, cybercrime and cybersecurity researchers and practitioners apply SCP principles to prevent and control cyber-enabled crime. Through a focused systematic review of 352 articles across computer science, criminal justice and criminology literature using the PRISMA method, this paper clarifies terminologies, explores the rise of cybercrimes, and explains the value of SCP for responding to cybercrimes. We provide a review of the current research undertaken to apply SCP to cybercrimes and conclude with a discussion on research gaps and potential future areas of research. Author Affiliation: (a) Faculty of Engineering, Cyber Security, School of Information Technology and Electrical Engineering, Architecture and Information Technology, The University of Queensland, Brisbane, QLD 4072, Australia (b) Faculty of Humanities and Social Sciences, School of Social Science, The University of Queensland, Brisbane, QLD 4072, Australia * Corresponding author. Article History: Received 8 April 2021; Revised 5 December 2021; Accepted 10 January 2022 Byline: Heemeng Ho [heemeng.ho@uq.net.au] (a,*), Ryan Ko [ryan.ko@uq.edu.au] (a), Lorraine Mazerolle [l.mazerolle@uq.edu.au] (b)

Published

2022

31. A comprehensive deep learning benchmark for IoT IDS

Author

Ahmad, Rasheed, Alsmadi, Izzat, Alhamdani, Wasim, and Tawalbeh, Lo'ai

Subjects

Security software -- Analysis, Detectors -- Analysis, Denial of service attacks -- Analysis, Machine learning -- Analysis, Network security software, Business, Computers and office automation industries

Abstract

Keywords Intrusion detection system (IDS); Machine learning; Deep learning; Large-scale attacks; Internet of Things (IoT); Benchmark network dataset Abstract The significance of an intrusion detection system (IDS) in networks security cannot be overstated in detecting and responding to malicious attacks. Failure to detect large-scale attacks like DDoS not only makes the networks vulnerable, but a failure of critical lifesaving medical and industrial equipment can also put human lives at risk. Lack of availability of comprehensive and quality network datasets and the narrow scope to build an IDS based on a single machine learning classifier adds further limitations. Such issues can risk producing inaccurate or biased results in the solutions proposed by various researchers. Toward this end, this paper analyzed several datasets (old, recent, non-IoT, and IoT specific) using several individual and hybrid deep learning classifiers. Our goal is to establish a benchmark that can compare several classification models on several datasets to limit (1) dataset quality issues and (2) possible bias in produced results. We reported our empirical results by revealing exciting findings on some of the classifiers, which took hours to converge but could not successfully detect attacks. In contrast, others quickly converged and were able to produce the best results in terms of accuracy and other performance metrics. We believe that this paper's findings will help build a comprehensive IDS by recognizing that classification or prediction models should be trained beyond a limited scope of one dataset or application. Author Affiliation: (a) University of the Cumberlands, 6178 College Station Drive, Williamsburg, KY 40769, USA (b) University of Texas A&M San Antonio, One University Way, San Antonio, TX 78224, USA * Corresponding author. Article History: Received 19 April 2021; Revised 9 November 2021; Accepted 21 December 2021 Byline: Rasheed Ahmad [rahmad4758@ucumberlands.edu] (a,*), Izzat Alsmadi (b), Wasim Alhamdani (a), Lo'ai Tawalbeh (b)

Published

2022

32. A Feature-driven Method for Automating the Assessment of OSINT Cyber Threat Sources

Author

Tundis, Andrea, Ruppert, Samuel, and Mühlhäuser, Max

Subjects

Automation -- Methods -- Analysis, Spyware -- Methods -- Analysis, Cyberterrorism -- Analysis -- Methods, Mechanization -- Methods -- Analysis, Machine learning -- Methods -- Analysis, Web sites -- Analysis -- Methods, Computer science -- Methods -- Analysis, Company Web site/Web page, Business, Computers and office automation industries

Abstract

Keywords Open source cyber threat intelligence; Cybersecurity; Machine learning; Feature engineering; Twitter Abstract Global malware campaigns and large-scale data breaches show how everyday life can be impacted when the defensive measures fail to protect computer systems from cyber threats. Understanding the threat landscape and the adversaries' attack tactics to perform it represent key factors for enabling an efficient defense against threats over the time. Of particular importance is the acquisition of timely and accurate information from threats intelligence sources available on the web which can provide additional intelligence on emerging threats even before they can be observed as actual attacks. Currently, specific indicators of compromise (e.g. IP addresses, domains, hashsums of malicious files) are shared in a semi-automated and structured way via so-called threat feeds. Unfortunately, current systems have to deal with the trade-off between the timeliness of such an alert (i.e. warning at the first mention of a threat) and the need to wait for verification by other sources (i.e. warning after multiple sources have verified the threat). In addition, due to the increasing number of open sources, it is challenging to find the right balance between feasibility and costs in order to identify a relatively small subset of valuable sources. In this paper, a method to automate the assessment of cyber threat intelligence sources and predict a relevance score for each source is proposed. Specifically, a model based on meta-data and word embedding is defined and experimented by training regression models to predict the relevance score of sources on Twitter. The results evaluation show that the assigned score allows to reduce the waiting time for intelligence verification, on the basis of its relevance, thus improving the time advantage of early threat detection. Author Affiliation: (a) Technische Universität Darmstadt, Hochschulstrasse 10, Darmstadt 64289, Germany (b) Deutsche Bahn AG, Frankfurt am Main, Germany * Corresponding author. Article History: Received 6 January 2021; Revised 10 November 2021; Accepted 9 December 2021 (footnote) This is an extended version of the paper 'Tundis A., Ruppert S., Mühlhäuser M. On the Automated Assessment of Open-Source Cyber Threat Intelligence Sources. In: Krzhizhanovskaya V. et al. (eds) Computational Science (ICCS 2020). Lecture Notes in Computer Science, vol 12138. Springer, Cham.' Byline: Andrea Tundis [tundis@tk.tu-darmstadt.de] (a,*), Samuel Ruppert [samuel.ruppert@deutschebahn.com] (b), Max Mühlhäuser [max@tk.tu-darmstadt.de] (a)

Published

2022

33. Enhanced MANET security using artificial immune system based danger theory to detect selfish nodes

Author

Jim, Lincy E., Islam, Nahina, and Gregory, Mark A.

Subjects

Immune system -- Safety and security measures -- Analysis, Dendritic cells -- Analysis -- Safety and security measures, Algorithms -- Analysis -- Safety and security measures, Algorithm, Business, Computers and office automation industries

Abstract

Keywords Artificial immune system; Dendritic cell; Human immune system; Mobile Ad hoc networks; Routing; Trust model Abstract The dynamic distributed topology of a Mobile Ad Hoc Network (MANET) provides many challenges including decentralized infrastructure wherein each node acts as both the host and router for transiting traffic. MANET nodes provide the transmission capability to receive, transmit and route traffic from a sender node to the destination node. In this paper, we design an artificial immune system-based security method for MANET by simulating the mechanism of the human immune system. This paper presents a new bio inspired algorithm namely Artificial Immune System Based Algorithm (AISBA) to select selfish nodes in MANET, which utilizes principles of Artificial Immune Systems (AIS) that in turn mimics the strategy of the Human Immune System. Unlike Combined Immune Theories Algorithm, AISBA does not utilize a learning stage. In AISBA two different Trust models are developed as well to distinguish between a genuine node as well as a selfish node. An average detection rate of 93.41% was achieved with this bio inspired approach. The Simulation results demonstrating the superiority of the proposed scheme compared to the well known secured AODV (SAODV) protocol in terms of packet delivery ratio (about 87% of packet delivery ratio is achieved compared to about 37% in the case of SAODV) and about 94% of detection rate for the proposed scheme compared to 86% for SAODV in the presence of misbehaved nodes. The statistical analysis of the false positive probability is also conducted to assess the efficiency of the obtained results, showing promising results with respect to the effect of weight and trust on threshold. Author Affiliation: (a) School of Engineering, RMIT University, Melbourne, VIC 3000, Australia (b) Centre for Intelligent Systems, School of Engineering and Technology, Central Queensland University, Rockhampton, Australia (c) Institute for Future Farming systems, Central Queensland University, Bundaberg, Australia * Corresponding author. Article History: Received 20 March 2021; Revised 13 October 2021; Accepted 1 November 2021 Byline: Lincy E. Jim (a), Nahina Islam [n.islam@cqu.edu.au] (b,c,*), Mark A. Gregory (a)

Published

2022

34. Machine learning for encrypted malicious traffic detection: Approaches, datasets and comparative study

Author

Wang, Zihao, Fok, Kar Wai, and Thing, Vrizlynn L.L.

Subjects

Machine learning -- Analysis, Algorithms -- Analysis, Algorithm, Business, Computers and office automation industries

Abstract

Keywords encrypted malicious traffic detection; traffic classification; machine learning; deep learning Abstract As people's demand for personal privacy and data security becomes a priority, encrypted traffic has become mainstream in the cyber world. However, traffic encryption is also shielding malicious and illegal traffic introduced by adversaries, from being detected. This is especially so in the post-COVID-19 environment where malicious traffic encryption is growing rapidly. Common security solutions that rely on plain payload content analysis such as deep packet inspection are rendered useless. Thus, machine learning based approaches have become an important direction for encrypted malicious traffic detection. In this paper, we formulate a universal framework of machine learning based encrypted malicious traffic detection techniques and provided a systematic review. Furthermore, current research adopts different datasets to train their models due to the lack of well-recognized datasets and feature sets. As a result, their model performance cannot be compared and analyzed reliably. Therefore, in this paper, we analyse, process and combine datasets from 5 different sources to generate a comprehensive and fair dataset to aid future research in this field. On this basis, we also implement and compare 10 encrypted malicious traffic detection algorithms. We then discuss challenges and propose future directions of research. Author Affiliation: Cybersecurity Strategic Technology Centr ST Engineering Singapore, Singapore * Corresponding author. Article History: Received 18 June 2021; Revised 7 October 2021; Accepted 7 November 2021 Byline: Zihao Wang [zihao.wang@stengg.com] (*), Kar Wai Fok [fok.karwai@stengg.com], Vrizlynn L.L. Thing [vrizlynn.thing@stengg.com]

Published

2022

35. A Survey Of differential privacy-based techniques and their applicability to location-Based services

Author

Kim, Jong Wook, Edemacu, Kennedy, Kim, Jong Seon, Chung, Yon Dohn, and Jang, Beakcheol

Subjects

Mobile devices -- Usage, Privacy -- Surveys -- Methods -- Usage, Computer science -- Usage -- Methods -- Surveys, Privacy issue, Business, Computers and office automation industries

Abstract

Keywords Location-based services; Differential privacy; Location privacy; Privacy; Security Abstract The widespread use of mobile devices such as smartphones, tablets, and smartwatches has led users to constantly generate various location data during their daily activities. Consequently, a growing interest has been seen in location-based services (LBSs), which aim to provide services adjusted to the current locations of users. However, location information may contain sensitive data; therefore, most users are reluctant to provide their exact location data to service providers. This has been identified as the most significant challenge in LBSs. Recently, differential privacy (DP) has emerged as a de facto standard for privacy-preserving data processing. With its strong privacy guarantees, DP has been used in diverse areas such as the collection, analysis, and release of sensitive private data, and several variants of DP have been proposed in the literature. The main objective of this paper is to investigate the applicability of DP-based approaches in an LBS setting. In this paper, we first describe the basic concept of DP and then survey its three variants: (a) geo-indistinguishability, (b) private spatial decomposition, and (c) local differential privacy, which are designed or can be used to protect location privacy in LBSs. Furthermore, we explore the applicability of DP-based schemes in protecting location privacy in different location data processing, collection, and publishing scenarios in LBSs. Finally, certain promising future research directions are discussed to spur further research in this area. Author Affiliation: (a) Department of Computer Science, Sangmyung University, Seoul, Korea (b) Department of Computer Science and Engineering, Korea University, Seoul, Korea (c) Graduate School of Information, Yonsei University, Seoul, Korea * Corresponding author. Article History: Received 10 December 2020; Revised 20 April 2021; Accepted 31 August 2021 Byline: Jong Wook Kim (a), Kennedy Edemacu (a), Jong Seon Kim (b), Yon Dohn Chung (b), Beakcheol Jang [bjang@yonsei.ac.kr] (*,c)

Published

2021

36. Cyber-enabled burglary of smart homes

Author

Hodges, Duncan

Subjects

Decision-making -- Analysis, Business, Computers and office automation industries

Abstract

Keywords Smart home; Cybercrime; Burglary; IoT; Physical security Highlights * The commission of a residential burglary involves a complex set of decision making. * This decision-making process is key to understanding the risk from the smart home. * A property using smart home technology has a small increase in the risk of burglary. * It is unlikely that burglars will routinely exploit smart home technologies. Abstract Over the last few years, there has been a steady increase in smart home technology's pervasiveness, to the degree where consumer IoT is part of many homes. As our homes become complex cyber-physical spaces, the risk to our physical security from attacks originating in cyberspace becomes much more significant. Within the literature, there is much discussion about the technical vulnerabilities within the smart home. However, this is often not linked to a rich understanding of how an attacker could exploit them. In this paper, we focus on residential burglary and develop a rich understanding of the process by which residential burglary is committed and the effect of the smart home on this process. By combining two areas of the academic literature, residential burglary and smart-home security, this paper provides an academically grounded discussion that places the nascent vulnerabilities associated with the smart-home into the context of the process by which burglary is committed. The commission of residential burglary is a complex decision-making process, which the public often simplifies into planned or unplanned crimes; this is a dangerous oversimplification. The analysis identifies some increased risk during the target selection stage phase. However, in the short term, residential burglars are unlikely to exploit smart home technology routinely. Author Affiliation: Centre for Electronic Warfare, Information and Cyber, Cranfield Defence and Security, Cranfield University, Defence Academy of the United Kingdom, Shrivenham, United Kingdom, SN6 8LA Article History: Received 29 March 2021; Revised 13 July 2021; Accepted 23 July 2021 Byline: Duncan Hodges [d.hodges@cranfield.ac.uk]

Published

2021

37. Non-Interactive and secure outsourcing of PCA-Based face recognition

Author

Ren, Yanli, Xu, Xiao, Feng, Guorui, and Zhang, Xinpeng

Subjects

Artificial intelligence -- Analysis, Biometry -- Analysis, Outsourcing -- Analysis, Algorithms -- Analysis, Algorithm, Outsourcing, Artificial intelligence, Business, Computers and office automation industries

Abstract

Keywords Cloud computing; Face recognition; PCA; Non-interactive Highlights * We propose a secure and effective outsourcing protocol, which can solve the PCA-based face recognition problem for limited clients. The proposed protocol is non-interactive, which combines three steps, including two matrix multiplications and one matrix eigenvalue decomposition, into one step and greatly reduces the communication overhead between the clients and the cloud. * The proposed protocol protects the private data and the true outsourcing results from the cloud, which has been confirmed by the theoretical and experimental analysis in this paper. * The client can verify the returned results by an algorithm with complexity of O(n2), and can discover the dishonest behaviors of the cloud with a probability which is closed to 1. * We also show that the accuracy of the proposed outsourcing protocol is the same as that of the original PCA-based face recognition algorithm through lots of experiments. Abstract In recent years, there have been more and more researches focus on the field of face recognition with the development of artificial intelligence (AI). Principal Component Analysis (PCA) is an important face recognition algorithm which has high accuracy without a large amount of data. Currently, the outsourcing of PCA-based face recognition protocol required three interactions between the clients and the cloud to execute matrix multiplications and eigenvalue decomposition, respectively, which needs very high communicational costs. In this paper, we propose a non-interactive PCA-based face recognition outsourcing protocol, which only needs one encryption and decryption without interactions between the clients and the cloud. That is to say, the client can obtain the final result of face recognition by encrypting the original images and decrypting the outsourcing results only once. The privacy of input and output is protected well by the proposed protocol, and the computational complexity is greatly reduced. In addition, the client can effectively detect the bad behaviors of the cloud and refuse the wrong outsourcing results by a verification algorithm. We prove the feasibility of our protocol from both theoretical and experimental analysis. The theoretical analysis shows that our proposed protocol reduces the computational overheads on the client's side from O(n.sup.3) to O(n.sup.2). We simulate the proposed protocol and the experimental results show that when the matrix dimension exceeds 2500x3000, the client can gain more than 16.9825 overhead savings which indicates the efficiency of the proposed protocol. Author Affiliation: School of Communication and Information Engineering, Shanghai Unversity, Shanghai 200444, China * Corresponding author. Article History: Received 6 September 2020; Revised 18 May 2021; Accepted 20 July 2021 Byline: Yanli Ren [renyanli@shu.edu.cn] (*), Xiao Xu, Guorui Feng, Xinpeng Zhang

Published

2021

38. A novel framework for image-based malware detection with a deep neural network

Author

Jian, Yifei, Kuang, Hongbo, Ren, Chenglong, Ma, Zicheng, and Wang, Haizhou

Subjects

Visualization (Computers) -- Analysis, Spyware -- Analysis, Neural networks -- Analysis, Neural network, Business, Computers and office automation industries

Abstract

Keywords Malware detection; Disassembly technology; Deep neural networks; Visualization technology; Three-channel RGB images; Data augmentation Abstract The rapid growth in the number of malware and its variants has seriously affected the security of the Internet. In recent years, deep learning combined with visualization technology has been proven to have good results in malware detection. In this paper, we propose a novel visual malware detection framework based on deep neural networks. Firstly, executable file samples are collected and converted into bytes files and asm files through disassembly technology. In this way, a balanced experimental dataset with our labeled normal software dataset and a widely used malware dataset (BIG 2015) is constructed. Secondly, visualization technology combined with data augmentation is used to further convert the samples into three-channel RGB images, so as to extract high-dimensional intrinsic features from data samples. Finally, we present a deep neural network architecture, i.e. SERLA (SEResNet50 + Bi-LSTM + Attention) to improve the performance of the detection method. After performance evaluation, the results show that our model stands out among other neural network models and state-of-the-art methods for malware detection and classification. Furthermore, our study verifies the superiority of three-channel RGB images compared to grayscale images in malware detection, compares the contribution of different channels, and indicates that data augmentation technology can contribute to malware recognition using visualization technology. This paper provides new ideas and methods for other researchers to carry out malware detection and classification. Author Affiliation: School of Cyber Science and Engineering, Sichuan University, Chengdu 610065 P.R. China * Corresponding author. Article History: Received 22 January 2021; Revised 5 July 2021; Accepted 7 July 2021 Byline: Yifei Jian, Hongbo Kuang, Chenglong Ren, Zicheng Ma, Haizhou Wang [whzh.nc@scu.edu.cn] (*)

Published

2021

39. Rationality constraints in cyber defense: Incident handling, attribution and cyber threat intelligence

Author

Hettema, Hinne

Subjects

Electrical engineering -- Analysis -- Electric properties, Internet -- Safety and security measures, Cyberterrorism -- Analysis -- Electric properties, Internet security, Electrical engineering, Business, Computers and office automation industries

Abstract

Keywords Belief revision; Attribution; Incident response; Cyber security; Cyber defense; AGM-Theory; CTI Abstract In this paper I develop a model for the application of rationality constraints in cyber incident handling, attribution and threat intelligence. The basic idea of this paper is that handling, analysis and attribution involves 'epistemic states' that are based on a limited understanding of the attackers motives, opportunities, steps and specific movements. These states are updated dynamically during the incident response process. In a similar manner, epistemic states also play a role in cyber threat intelligence and attribution. Such updates are limited in scope and piecemeal. The paper argues that despite these limitations, such updates are still valuable contributors to a robust explanation of events. I contrast this characterization with current assumptions in the literature and argue for the moral strength of specific rationality constraints in how intelligence from cyber attributions is analyzed, reported and disseminated. Author Affiliation: School of Information Technology and Electrical Engineering University of Queensland, Brisbane, Australia * Corresponding author. Article History: Received 5 April 2021; Revised 21 June 2021; Accepted 3 July 2021 Byline: Hinne Hettema [h.hettema@uq.edu.au] (*)

Published

2021

40. A survey on security attacks and defense techniques for connected and autonomous vehicles

Author

Pham, Minh and Xiong, Kaiqi

Subjects

Real estate development -- Methods, Infrastructure (Economics) -- Methods, Electrical engineering -- Methods, Military vehicle industry -- Methods, Driverless cars -- Methods, Automatic guided vehicles -- Methods, Electrical engineering, Business, Computers and office automation industries

Abstract

Keywords Connected and autonomous vehicles; Intelligent transportation system; Cybersecurity; Traffic engineering Abstract Autonomous Vehicle has been transforming intelligent transportation systems. As telecommunication technology improves, autonomous vehicles are getting connected to each other and to infrastructures, forming Connected and Autonomous Vehicles (CAVs). CAVs will help humans achieve safe, efficient, and autonomous transportation systems. However, CAVs will face significant security challenges because many of their components are vulnerable to attacks, and a successful attack on a CAV may have significant impacts on other CAVs and infrastructures due to their interconnectivity. In this paper, we conduct a survey on 189 papers from 2000 to 2020 to understand state-of-the-art CAV attacks and defense techniques. Of those 189 papers, 131 were directly concerned with attack models or defense strategies for CAVs. This survey first presents a comprehensive overview of security attacks and their corresponding countermeasures on CAVs. We then discuss the details of attack models based on the targeted CAV components of attacks, access requirements, and attack motives. Finally, we identify some current research challenges and trends from the perspectives of both academic research and industrial development. Based on our studies of academic literature and industrial publications, we have not found any strong connection between academic research and industry's implementation of CAV-related security issues. While efforts from CAV manufacturers to secure CAVs have been reported, there is no evidence to show that CAVs on the market can defend against some novel attack models that the research community has recently found. This survey may give researchers and engineers a better understanding of the current status and trend of CAV security for CAV's future improvement. Author Affiliation: (a) Department of Computer Science and Engineering, University of South Florida, United States (b) Intelligent Computer Networking and Security Laboratory, Florida Center for Cybersecurity, Department of Mathematics and Statistics, Department of Electrical Engineering, University of South Florida, United States * Corresponding author. Article History: Received 16 July 2020; Revised 23 February 2021; Accepted 4 March 2021 Byline: Minh Pham [minhpham@usf.edu] (*,a), Kaiqi Xiong [xiongk@usf.edu] (b)

Published

2021

41. Digestive neural networks: A novel defense strategy against inference attacks in federated learning

Author

Lee, Hongkyu, Kim, Jeehyeong, Ahn, Seyoung, Hussain, Rasheed, Cho, Sunghyun, and Son, Junggab

Subjects

Artificial intelligence -- Analysis, Machine learning -- Analysis, Neural networks -- Analysis, Computer science -- Analysis, Neural network, Artificial intelligence, Business, Computers and office automation industries

Abstract

Keywords Federated learning (FL); Inference attack; White-box assumption; Digestive neural networks; t-SNE analysis; Federated learning security; ML Security; AI Security Abstract Federated Learning (FL) is an efficient and secure machine learning technique designed for decentralized computing systems such as fog and edge computing. Its learning process employs frequent communications as the participating local devices send updates, either gradients or parameters of their models, to a central server that aggregates them and redistributes new weights to the devices. In FL, private data does not leave the individual local devices, and thus, rendered as a robust solution in terms of privacy preservation. However, the recently introduced membership inference attacks pose a critical threat to the impeccability of FL mechanisms. By eavesdropping only on the updates transferring to the center server, these attacks can recover the private data of a local device. A prevalent solution against such attacks is the differential privacy scheme that augments a sufficient amount of noise to each update to hinder the recovering process. However, it suffers from a significant sacrifice in the classification accuracy of the FL. To effectively alleviate the problem, this paper proposes a Digestive Neural Network (DNN), an independent neural network attached to the FL. The private data owned by each device will pass through the DNN and then train the FL. The DNN modifies the input data, which results in distorting updates, in a way to maximize the classification accuracy of FL while the accuracy of inference attacks is minimized. Our simulation result shows that the proposed DNN shows significant performance on both gradient sharing- and weight sharing-based FL mechanisms. For the gradient sharing, the DNN achieved higher classification accuracy by 16.17% while 9% lower attack accuracy than the existing differential privacy schemes. For the weight sharing FL scheme, the DNN achieved at most 46.68% lower attack success rate with 3% higher classification accuracy. Author Affiliation: (a) Information and Intelligent Security (IIS) Lab, Kennesaw State University, Marietta, GA 30060, USA (b) Korea Electronics Technology Institute, Seongnam, South Korea (c) Department of Computer Science and Engineering, Major in Bio Artificial Intelligence, Hanyang University, Ansan, South Korea (d) Networks and Blockchain Lab, Innopolis University, Innopolis, Russia * Corresponding author. Article History: Received 1 March 2021; Revised 3 June 2021; Accepted 14 June 2021 (footnote) The preliminary version of this paper was accepted in IEEE International Conference on Communications (ICC'21) (footnote)1 http://i2s.kennesaw.edu Byline: Hongkyu Lee [hlee115@students.kennesaw.edu] (a), Jeehyeong Kim [jkim8@keti.re.kr] (b), Seyoung Ahn [tpdud1014@hanyang.ac.kr] (c), Rasheed Hussain [r.hussain@innopolis.ru] (d), Sunghyun Cho [chopro@hanyang.ac.kr] (c), Junggab Son [json@kennesaw.edu] (*,1,a)

Published

2021

42. Microscopic printing analysis and application for classification of source printer

Author

Nguyen, Quoc-Thông, Mai, An, Chagas, Lionel, and Reverdy-Bruas, Nadège

Subjects

Forensic sciences, Computer science, Algorithms, Algorithm, Business, Computers and office automation industries

Abstract

Keywords Microscopic printing; Source printer identification; Printer forensics; Documentauthentication; Support vector machine Abstract Identifying a forged printed document with scanned evidence can be a challenge. Microscopic printing is showing random shape which depends on the printing source as well as printing material. This paper presents a statistical analysis of the printing patterns under a microscopic scale, analyses the effect of printing direction, printing substrate (uncoated and coated paper), and printing technology (conventional offset, waterless offset, and electrophotography). The analysis shows a negligible effect of printing direction, yet, using the shape descriptor indexes, the printing materials and technologies are distinguishable under a microscopic scale. As a result, the algorithms based on Support Vectors Machine and Random Forest are developed, with shape descriptor indexes as features, for printing source identification. Both proposed algorithms, equally, achieve a high classification accuracy rate, over 92% accuracy with complex geometric-shape patterns. Thanks to the lightweight and efficiency of the Support Vectors Machine, the study shows promising applications for real-world and potential implementation in the Internet of Things devices. Author Affiliation: (a) Université de Lille, ENSAIT, GEMTEX, F-59000 Lille, France (b) School of Computer Science & Engineering, International University, and Vietnam National University, Ho Chi Minh City, Vietnam (c) University Grenoble Alpes, CNRS, Grenoble INP (Institute of Engineering, Univ. Grenoble Alpes), LGP2, F-38000 Grenoble, France * Corresponding author. Article History: Received 9 January 2021; Revised 2 April 2021; Accepted 4 May 2021 Byline: Quoc-Thông Nguyen [nguyenquocthong1111@gmail.com] (*,a), An Mai (b), Lionel Chagas (c), Nadège Reverdy-Bruas (c)

Published

2021

43. Review of cybersecurity assessment methods: Applicability perspective

Author

Leszczyna, Rafal

Subjects

Data security -- Analysis, Internet -- Safety and security measures, Cyberterrorism -- Analysis, Internet security, Data security issue, Business, Computers and office automation industries

Abstract

Keywords Cybersecurity; Assessment; Methods; Applicability; Usability; Management; Computer security; Information security; Risk assessment; Organisational management; Business management Abstract Cybersecurity assessments are crucial in building the assurance that vital cyberassets are effectively protected from threats. Multiple assessment methods have been proposed during the decades of the cybersecurity field. However, a systematic literature search described in this paper reveals that their reviews are practically missing. Thus, the primary objective of this research was to fulfil this gap by comprehensively identifying and analysing cybersecurity assessment methods described in the scientific literature. A structured research method and transparent criteria were applied for this purpose. As a result, thirty-two methods are presented in this paper. Particular attention is paid to the question of the methods' applicability in realistic contexts and environments. In that regard, the challenges and limitations associated with the methods' application as well as potential approaches to addressing them have been indicated. Besides, the paper systematises the terminology and indicates complementary studies which can be helpful during assessments. Finally, the areas that leave space for improvement and directions for further research and development are indicated. The intention is to support researchers and practitioners in choosing the method to be applied in their assessments and to indicate the areas that can be further explored. Author Affiliation: Gdansk University of Technology, Faculty of Management and Economics, Narutowicza 11/12, Gdansk 80-233, Poland Article History: Received 25 November 2020; Revised 2 June 2021; Accepted 11 June 2021 Byline: Rafal Leszczyna [rle@zie.pg.edu.pl]

Published

2021

44. Differential area analysis for ransomware attack detection within mixed file datasets

Author

Davies, Simon R., Macfarlane, Richard, and Buchanan, William J.

Subjects

Business, Computers and office automation industries

Abstract

Keywords Entropy; Ransomware detection; Test data sets Abstract The threat from ransomware continues to grow both in the number of affected victims as well as the cost incurred by the people and organisations impacted in a successful attack. In the majority of cases, once a victim has been attacked there remain only two courses of action open to them; either pay the ransom or lose their data. One common behaviour shared between all crypto ransomware strains is that at some point during their execution they will attempt to encrypt the users' files. This paper demonstrates a technique that can identify when these encrypted files are being generated and is independent of the strain of the ransomware. An enhanced mixed file ransomware data set of more than 130,000 files was developed based on the govdocs1(Garfinkel, 2020) corpus. This data set was enriched to contain examples of files that reflect the more modern Microsoft file formats, as well as examples of high entropy file formats such as compressed files and archives. The data set also contained eight different sets of files that were generated as the result of different real-world high profile ransomware attacks such as WannaCry, Ryuk, Phobos, Sodinokibi and NetWalker. Previous research Penrose et al. (2013); Zhao et al. (2011) has highlighted the difficulty in differentiating between compressed and encrypted files using Shannon entropy as both file types exhibit similar values. One of the experiments described in this paper shows a unique characteristic for the Shannon entropy of encrypted file header fragments. This characteristic was used to differentiate between encrypted files and other high entropy files such as archives. This discovery was leveraged in the development of a file classification model that used the differential area between the entropy curve of a file under analysis and one generated from random data. When comparing the entropy plot values of a file under analysis against one generated by a file containing purely random numbers, the greater the correlation of the plots is, the higher the confidence that the file under analysis contains encrypted data. The experiments demonstrate a high degree of confidence in the accuracy of the model achieving a success rate of more than 99.96% when examining only the first 192 bytes of a file, using a mixed data set of more than 80,000 files. This technique successfully addresses the problem of using file entropy to differentiate compressed and archived files from files encrypted by ransomware in a timely manner. Author Affiliation: School of Computing, Edinburgh Napier University, Edinburgh, UK * Corresponding author. Article History: Received 8 December 2020; Revised 17 March 2021; Accepted 15 June 2021 (footnote)1 orcid=0000-0001-9377-4539 (footnote)2 orcid=0000-0003-0809-3523 Byline: Simon R. Davies [s.davies@napier.ac.uk] (1,*,a), Richard Macfarlane (a), William J. Buchanan (2,a)

Published

2021

45. An approach to detect user behaviour anomalies within identity federations

Author

Martín, Alejandro G., Beltrán, Marta, Fernández-Isabel, Alberto, and Martín de Diego, Isaac

Subjects

Machine learning -- Usage, Workflow software, Business, Computers and office automation industries

Abstract

Keywords Anomaly detection; Behavioural fingerprint; Federated identity management; Machine learning; User and entity behaviour analytics Highlights * This paper defines a workflow to improve the security levels of federated identity management solutions through user and entity behaviour analytics. * This workflow is implemented at the relying party, based on a session fingerprint that summarizes the behaviour of users. * A novel approach for detecting behaviour anomalies based on this kind of fingerprint is proposed. * An implementation of the proposed workflow has been validated in a real use case using OpenID Connect. Abstract User and Entity Behaviour Analytics (UEBA) mechanisms rely on statistical techniques and Machine Learning to determine when a significant deviation from patterns or trends established as a standard for users and entities is occurring. These mechanisms are beneficial within cybersecurity contexts because they allow managers and administrators to have early alerts warning about potential security incidents. This paper proposes the utilisation of UEBA to improve the security of Federated Identity Management (FIM) solutions. The proposed UEBA workflow allows Relying Parties within identity federations to build a session fingerprint characterising each user's behaviour from available information. Furthermore, it enables anomaly detection based on this fingerprint, integrating raised alerts within current identity management specifications. The proposed workflow is validated and evaluated in a real use case based on a web chat application using OpenID Connect for identity management. Author Affiliation: Rey Juan Carlos University, Department of Computing, ETSII, C/ Tulipán, s/n, Móstoles, 28933, Madrid, Spain * Corresponding author. Article History: Received 13 January 2021; Revised 22 April 2021; Accepted 31 May 2021 Byline: Alejandro G. Martín [alejandro.garciam@urjc.es], Marta Beltrán [marta.beltran@urjc.es] (*), Alberto Fernández-Isabel [alberto.fernandez.isabel@urjc.es], Isaac Martín de Diego [isaac.martin@urjc.es]

Published

2021

46. Three decades of deception techniques in active cyber defense - Retrospect and outlook

Author

Zhang, Li and Thing, Vrizlynn.L.L.

Subjects

Internet -- Safety and security measures, Cyberterrorism -- Analysis -- Methods, Internet security, Business, Computers and office automation industries

Abstract

Keywords Cyber defense; Deception techniques; Honeypots; Honeytokens; Moving target defense; Computer network defense Abstract Deception techniques have been widely seen as a game changer in cyber defense. In this paper, we review representative techniques in honeypots, honeytokens, and moving target defense, spanning from the late 1980s to the year 2021. Techniques from these three domains complement with each other and may be leveraged to build a holistic deception based defense. However, to the best of our knowledge, there has not been a work that provides a systematic retrospect of these three domains all together and investigates their integrated usage for orchestrated deceptions. Our paper aims to fill this gap. By utilizing a tailored cyber kill chain model which can reflect the current threat landscape and a four-layer deception stack, a two-dimensional taxonomy is developed, based on which the deception techniques are classified. The taxonomy literally answers which phases of a cyber attack campaign the techniques can disrupt and which layers of the deception stack they belong to. Cyber defenders may use the taxonomy as a reference to design an organized and comprehensive deception plan, or to prioritize deception efforts for a budget conscious solution. We also discuss two important points for achieving active and resilient cyber defense, namely deception in depth and deception lifecycle, where several notable proposals are illustrated. Finally, some outlooks on future research directions are presented, including dynamic integration of different deception techniques, quantified deception effects and deception operation cost, hardware-supported deception techniques, as well as techniques developed based on better understanding of the human element. Author Affiliation: Cybersecurity Strategic Technology Center, ST Engineering, 609602, Singapore * Corresponding author. . Article History: Received 3 June 2020; Revised 28 January 2021; Accepted 4 April 2021 Byline: Li Zhang [zhang.li@stengg.com] (*), Vrizlynn.L.L. Thing [vrizlynn.thing@stengg.com]

Published

2021

47. A new WAF architecture with machine learning for resource-efficient use

Author

Domingues Junior, Manoel and Ebecken, Nelson F.F.

Subjects

Firewalls (Data security) -- Usage, Architecture -- Usage -- Analysis, Spyware -- Usage -- Analysis, Machine learning -- Usage -- Analysis, Teaching -- Equipment and supplies, Firewall technology, Business, Computers and office automation industries

Abstract

Keywords Web application firewall; SVM; Perceptron; Logistic regression; Benchmark; Modsecurity; OWASP CRS Abstract Web Application Firewalls penalizes everyone, including latency in all requests, whether they are malicious or not. Several studies have reported the benefits of using Machine Learning to extract new rules to detect malware and malicious web requests. However, comparing the metrics of the models with their use of computational resources remains to be accomplished. This work aims to show a distributed WAF architecture, using ML classifiers as one of its components. Instead of having an enforcement point that analyzes the complete HTTP protocol for violations in this architecture, we have a trained classifier to detect them. The first part of this work verifies the viability of using classifiers based on their metrics, such as accuracy and recall. We analyze two datasets and make comparisons about their use. The second part of this paper compares ML models' prediction processing time and a rules-based engine's processing time. The classifiers used in this paper had a processing time of about 18x less than a rule-based engine. We also show that a classifier can find errors in the classification of a dataset generated by a WAF based on rules. We present samples and experimental codes to show the difference in approaches. Author Affiliation: (a) Globo Comunicações e Participações SA, Av. das Américas, 700, Bl.2A - Barra da Tijuca Rio de Janeiro, Brazil (b) Federal University of Rio de Janeiro (COPPE/UFRJ), Av. Athos da Silveira Ramos, 149, Centro de Tecnologia - Bl. B, Sl.101 - Rio de Janeiro, Brazil * Corresponding author. Article History: Received 23 May 2020; Revised 5 March 2021; Accepted 29 March 2021 Byline: Manoel Domingues Junior [mdjunior@ufrj.br] (a,*), Nelson F.F. Ebecken [nelson@ntt.ufrj.br] (b)

Published

2021

48. Challenges and pitfalls in malware research

Author

Botacin, Marcus, Ceschin, Fabricio, Sun, Ruimin, Oliveira, Daniela, and Grégio, André

Subjects

Spyware -- Usage -- Analysis, Business, Computers and office automation industries

Abstract

Keywords Malware; Research methodology; Systematization of knowledge; Experiment design; Science of security Abstract As the malware research field became more established over the last two decades, new research questions arose, such as how to make malware research reproducible, how to bring scientific rigor to attack papers, or what is an appropriate malware dataset for relevant experimental results. The challenges these questions pose also brings pitfalls that affect the multiple malware research stakeholders. To help answering those questions and to highlight potential research pitfalls to be avoided, in this paper, we present a systematic literature review of 491 papers on malware research published in major security conferences between 2000 and 2018. We identified the most common pitfalls present in past literature and propose a method for assessing current (and future) malware research. Our goal is towards integrating science and engineering best practices to develop further, improved research by learning from issues present in the published body of work. As far as we know, this is the largest literature review of its kind and the first to summarize research pitfalls in a research methodology that avoids them. In total, we discovered 20 pitfalls that limit current research impact and reproducibility. The identified pitfalls range from (i) the lack of a proper threat model, that complicates paper's evaluation, to (ii) the use of closed-source solutions and private datasets, that limit reproducibility. We also report yet-to-be-overcome challenges that are inherent to the malware nature, such as non-deterministic analysis results. Based on our findings, we propose a set of actions to be taken by the malware research and development community for future work: (i) Consolidation of malware research as a field constituted of diverse research approaches (e.g., engineering solutions, offensive research, landscapes/observational studies, and network traffic/system traces analysis); (ii) design of engineering solutions with clearer, direct assumptions (e.g., positioning solutions as proofs-of-concept vs. deployable); (iii) design of experiments that reflects (and emphasizes) the target scenario for the proposed solution (e.g., corporation, user, country-wide); (iv) clearer exposition and discussion of limitations of used technologies and exercised norms/standards for research (e.g., the use of closed-source antiviruses as ground-truth). Author Affiliation: (a) Federal University of Paraná (UFPR), Brazil (b) University of Florida, USA * Corresponding author. Article History: Received 11 December 2020; Revised 2 March 2021; Accepted 5 April 2021 Byline: Marcus Botacin [mfbotacin@inf.ufpr.br] (*,a), Fabricio Ceschin [fjoceschin@inf.ufpr.br] (a), Ruimin Sun [gracesrm@ufl.edu] (b), Daniela Oliveira [daniela@ece.ufl.edu] (b), André Grégio [gregio@inf.ufpr.br] (a)

Published

2021

49. Tor forensics: Proposed workflow for client memory artefacts

Author

Alfosail, Malak and Norris, Peter

Subjects

Memory -- Usage -- Analysis, Home banking services -- Usage, Computer forensics -- Usage -- Analysis, Computer science -- Usage -- Analysis, Internet -- Usage -- Analysis, Workflow software, Internet, Business, Computers and office automation industries

Abstract

Keywords Tor; Forensics; Memory analysis; Anonymity; Windows 10 Abstract The Internet is now part of everyday life, and plays a significant role in communication, online shopping, online banking, etc. However, one of the current issues with using the Internet is lack of security since it is still possible for an eavesdropper to be able to intercept transferred data. As a result, the number of incidents has increased, posing a real threat to the user while people have become more conscious about how applications treat their personal data. Therefore, some users have shifted to using The Onion Router (Tor) as it claims to preserve user's anonymity and privacy. However, while using or investigating the use of Tor, the question of how the memory residue of the client leaks anonymity during Tor's interaction arises. This question is addressed in this paper as it investigates how the client's memory residue leaks anonymity before, during, and after Tor's interaction. While there has been significant research on the topic of Tor, there is a gap in the literature concerning Tor forensics. One of the leading concepts to identify artefacts in digital investigation is digital forensics. Thus, this paper will address the question by an experimental method that uses memory forensics tactics on Tor clients to find artefacts related to Tor usage. Subsequently, an analysis of the findings can stand against Tor's claims about the user's privacy and anonymity since the Tor browser keeps a plethora of details about client activities, which could be gained during or even after closing the client session. This paper provides a workflow and a python shell script for analyzing the Tor client's memory residue, which will serve as a workflow and act as a starting point for broadening studies in a similar area. It also introduces a positive impact on the investigators. It aims to make the process easier and contributes to society as users will be aware of how Tor treats their data. Author Affiliation: (a) Department of Computer Science, College of Computer Science and IT, Imam Abdulrahman Bin Faisal University, Dammam, P.O. Box 1982, Dammam, Saudi Arabia (b) Cyber Security Centre, Warwick Manufacturing Group, University of Warwick, Coventry CV4 7AL, UK * Corresponding author. Article History: Received 7 November 2020; Revised 3 March 2021; Accepted 22 April 2021 Byline: Malak Alfosail [mkaalfosail@iau.edu.sa] (a,*), Peter Norris [pn@warwick.ac.uk] (b)

Published

2021

50. GDroid: Android malware detection and classification with graph convolutional network

Author

Gao, Han, Cheng, Shaoyin, and Zhang, Weiming

Subjects

Information science -- Analysis, Spyware -- Analysis, Neural networks -- Analysis, Neural network, Business, Computers and office automation industries

Abstract

Keywords Android malware; Malware detection; Malware familial classification; API Embedding; Graph neural network Abstract The dramatic increase in the number of malware poses a serious challenge to the Android platform and makes it difficult for malware analysis. In this paper, we propose a novel approach for Android malware detection and familial classification based on the Graph Convolutional Network (GCN). The general idea is to map apps and Android APIs into a large heterogeneous graph, converting the original problem into a node classification task. We build the 'App-API' and 'API-API' edges based on the invocation relationship and the API usage patterns, respectively. The heterogeneous graph is then fed into the GCN model, iteratively generating node embeddings that incorporate topological structure and node features. Eventually, the unlabeled apps are classified by their final embeddings. To our knowledge, this paper is the first study to explore the application of graph neural network in the field of malware classification. We develop a prototype system named GDroid. Experiments show that GDroid can effectively detect 98.99% of Android malware with a low false positive rate of less than 1%, outperforming the existing approaches. It also achieves an average accuracy of almost 97% in the malware familial classification task with surpassing the baselines. Additionally, we cooperate with QI-ANXIN Technology Research Institute to evaluate its real-world impact, and GDroid also maintains satisfactory performance in real-world scenarios. Author Affiliation: CAS Key Laboratory of Electromagnetic Space Information, School of Information Science and Technology, University of Science and Technology of China, China * Corresponding authors. Article History: Received 29 April 2020; Revised 25 February 2021; Accepted 25 March 2021 Byline: Han Gao [gh2018@mail.ustc.edu.cn], Shaoyin Cheng [sycheng@ustc.edu.cn] (*), Weiming Zhang [zhangwm@ustc.edu.cn] (*)

Published

2021