Abstract: Security protocols are crucial for ensuring communication security and safeguarding data integrity in computer networks and distributed systems. The complexity of security protocol logic, coupled with implementation challenges, often results in protocol implementations failing to satisfy the security requirements due to logical errors. Unlike memory-related bugs, logical errors do not exhibit fixed patterns or behaviors, thereby rendering them especially challenging to detect. Therefore, we propose a logic error detection method based on black-box fuzzing. This method takes protocol interaction behavior as atomic propositions and utilizes linear temporal logic on finite traces (LTL_f) to express expected properties. Logical errors are identified according to whether the abstract interaction sequence extracted from the fuzz data can be accepted by the automata corresponding to the LTL_f property. Furthermore, we design an automata-guided fuzz testing algorithm that leverages the state information of automata to drive test sequence generation, thereby accelerating the error search process. To support this method, a general-purpose black-box fuzz testing framework, AGLFuzz, has been implemented, currently including testing modules for the TLS1.3 and IPsec protocol implementations. Experimental evaluations on several widely used TLS1.3 and IPsec protocol implementations have led to the discovery of multiple counterexamples that violated specific properties and vulnerabilities that could cause the target to crash. Notably, three of these vulnerabilities have been assigned CVE numbers, highlighting the effectiveness of the proposed method.
Samuel Ansong, Windhya Rankothge, Somayeh Sadeghi, Hesamodin Mohammadian...
pp. 104156.1-104156.21
Abstract: In an age where global connectivity has become pivotal to socio-economic development, satellite communication (SATCOM) systems have become the backbone of modern telecommunication infrastructure. However, the increasing reliance on SATCOM also elevates the potential impact of cyber threats. Cyber risk assessment is a critical component of any satellite communications risk management strategy. It plays a pivotal role in identifying and managing risks to satellite communications, which helps stakeholders isolate the most critical threats and select the appropriate cybersecurity measures. To the best of our knowledge, the field of satellite communications lacks an established framework for cyber risk assessment. Moreover, previous research work has focused only on a limited number of security threats and categories. Therefore, in this paper, we propose a comprehensive risk assessment methodology to qualitatively assess the risk associated with satellite communications cyber threats, following the NIST special publication 800-30: Guide for Conducting Risk Assessments. We analyze existing literature and real-world scenarios to identify potential satellite communications cyber threats and employ the STRIDE threat model for threat modeling. We validate the proposed methodology by performing a risk assessment for the cyber threats identified. Finally, we discuss existing challenges and open research problems for satellite communications cyber risk assessment.
Abstract: User-centric privacy preservation is of paramount importance in the realm of Cyber-Physical Systems (CPS), where making decisions based on the nature of data is crucial. This abstract presents a novel approach to safeguarding user privacy within CPS environments by leveraging user query trends and dataset trends while incorporating the principles of differential privacy. By meticulously analyzing historical query patterns and dataset dynamics, this methodology empowers users to retain control over their sensitive data. The application of differential privacy techniques ensures that individual user information remains confidential while enabling comprehensive data analysis to unveil valuable insights, trends, and changes in data distribution. This approach fosters a dynamic privacy ecosystem where users can interact with CPS systems, query their data, and extract valuable knowledge, all while preserving their personal privacy. As we navigate the evolving landscape of CPS, characterized by increasing interconnectivity and data sharing, this user-centric privacy framework not only guarantees data protection but also ushers in a new era of responsible data-driven decision-making, where privacy and utility coexist harmoniously, ultimately enhancing the trust and confidence of users in the CPS environment.
Abstract: Internet Web and cloud services are routinely abused by malware, but the breadth of this abuse has not been thoroughly investigated. In this work, we quantitatively investigate this abuse by leveraging data from the Cyber Threat Alliance (CTA), where 36 security vendors share threat intelligence. We analyze CTA data collected over 4 years from January 2020 until December 2023 comprising over one billion cyber-security observations from where we extract 7.7M URLs and 1.8M domains related to malware. We complement this dataset with an active measurement where we periodically attempt to download the content pointed out by 33,876 recently reported malicious URLs. We investigate the following questions. How generalized is malware abuse of Internet services? How do domains of abused Internet services differ? For what purpose are Internet services abused? and How long do malicious resources remain active? Among others, we uncover a broad abuse affecting 22K domains of Internet services, that Internet services are largely abused for enabling malware distribution, and that malicious content in Internet services remains active longer than on malicious domains.
Abdullah Al Mamun, Harith Al-Sahaf, Ian Welch, Seyit Camtepe...
pp. 104185.1-104185.18
Abstract: Advanced Persistent Threats (APTs) pose considerable challenges in the realm of cybersecurity, characterized by their evolving tactics and complex evasion techniques. These characteristics often outsmart traditional security measures and necessitate the development of more sophisticated detection methods. This study introduces Feature Evolution using Genetic Programming (FEGP), a novel method that leverages multi-tree Genetic Programming (GP) to construct and enhance features for APT detection. While GP has been widely utilized for tackling various problems in different domains, our study focuses on the adaptation of GP to the multifaceted landscape of APT detection. The proposed method automatically constructs discriminative features by combining the original features using mathematical operators. By leveraging GP, the system adapts to the evolving tactics employed by APTs, enhancing the identification of APT activities with greater accuracy and reliability. To assess the efficacy of the proposed method, comprehensive experiments were conducted on widely used and publicly accessible APT datasets. Using the combination of constructed and original features on the DAPT-2020 dataset, FEGP achieved a balanced accuracy of 79.28%, surpassing the best comparative methods by an average of 2.12% in detecting APT stages. Additionally, utilizing only constructed features on the Unraveled dataset, FEGP achieved a balanced accuracy of 83.14%, demonstrating a 3.73% improvement over the best comparative method. The findings presented in this paper underscore the importance of GP-based feature construction for APT detection, providing a pathway toward improved accuracy and efficiency in identifying APT activities. The comparative analysis of the proposed method against existing feature construction methods demonstrates FEGP's effectiveness as a state-of-the-art method for multi-class APT classification. In addition to the performance evaluation, further analysis was conducted, encompassing feature importance analysis, and a detailed time analysis.
Abstract: The evolution of IoT malware and the effectiveness of defense strategies, e.g., leveraging malware family classification, have driven the development of advanced classification learning models. These models, particularly those that utilize model-extracted features, significantly enhance classification performance while minimizing the need for extensive expert knowledge from developers. However, a critical challenge lies in the interpretability of these learning models, which can obscure potential security risks. Among these risks are backdoor attacks, a sophisticated and deceptive threat where attackers induce malicious behaviors in the model under specific triggers. In response to the growing need for integrity and reliability in these models, this work assesses the vulnerability of state-of-the-art IoT malware classification models to backdoor attacks. Given the complexities of attacking model-based classifiers, we propose a novel trigger generation framework, B-CTG, supported by a specialized training procedure. This framework enables B-CTG to dynamically poison or attack samples to achieve specific objectives. From an attacker's perspective, the design and training of B-CTG incorporate knowledge from the IoT domain to ensure the attack's effectiveness. We conduct experiments under two distinct knowledge assumptions: the main evaluation, which assesses the attack method's performance when the attacker has limited control over the model training pipeline, and the transferred setting, which further explores the significance of knowledge in predicting attacks in real-world scenarios. Our in-depth analysis focuses on attack performance in specific scenarios rather than a broad examination across multiple scenarios. Results from the main evaluation demonstrate that the proposed attack strategy can achieve high success rates even with low poisoning ratios, though stability remains a concern. Additionally, the inconsistent trends in model performance suggest that designers may struggle to detect the poisoned state of a model based on its performance alone. The transferred setting highlights the critical importance of model and feature knowledge for successful attack predictions, with feature knowledge proving particularly crucial. This insight prompts further investigation into model-agnostic mitigation methods and their effectiveness against the proposed attack strategy, with findings indicating that stability remains a significant concern for both attackers and defenders.
Abstract: Lateral movement (LM) is an umbrella term for techniques through which attackers spread from an entry point to the rest of the network. Typically, LM involves both pivoting through multiple systems and privilege escalation. As LM techniques proliferate and evolve, there is a need for advanced security controls able to detect and possibly nip such attacks in the bud. Based on the published literature, we argue that although LM-focused intrusion detection systems have received considerable attention, a prominent issue remains largely unaddressed. This concerns the detection of LM through unsupervised machine learning (ML) techniques. This work contributes to this field by capitalizing on the LMD-2023 dataset containing traces of 15 diverse LM attack techniques as they were logged by the system monitor (Sysmon) service of the MS Windows platform. We provide a panorama of this sub-field and associated methodologies, exploring the potential of standard ML-based detection. In further detail, in addition to analyzing feature selection and preprocessing, we detail and evaluate a plethora of unsupervised ML techniques, both shallow and deep. The derived scores for the best performer in terms of the AUC and F1 metrics are quite promising, around 94.7%/93% and 95.2%/93.8%, for the best shallow and deep neural network model, respectively. On top of that, in an effort to further improve on those metrics, we devise and evaluate a two-stage ML model, surpassing the previous best score by approximately 3.5%. Overall, to our knowledge, this work provides the first full-blown study on LM detection via unsupervised learning techniques, therefore it is anticipated to serve as a groundwork for anyone working in this timely field.
Abstract: Industrial networks are vulnerable to various cyber threats that can compromise their Confidentiality, Integrity, and Availability (CIA). To counter the increasing frequency of such threats, we designed and developed an Explainable Artificial Intelligence (XAI) integrated Deep Learning (DL)-based threat detection system (XDLTDS). We first employ a Long-Short Term Memory-AutoEncoder (LSTM-AE) to encode IIoT data and mitigate inference attacks. Then, we introduce an Attention-based Gated Recurrent Unit (AGRU) with softmax for multiclass threat classification in IIoT networks. To address the black-box nature of DL-based IDS, we use the Shapley Additive Explanations (SHAP) mechanism to provide transparency and trust for the system's decisions. This interpretation helps SOC analysts understand why specific events are flagged as malicious by the XDLTDS framework. Our approach reduces the risk of sensitive data and reputation loss. We also present a Software-Defined Networking (SDN)-based deployment architecture for the XDLTDS framework. Extensive experiments with the N-BaIoT, Edge-IIoTset, and CIC-IDS2017 datasets confirm the effectiveness of XDLTDS against existing frameworks in addressing modern cybersecurity challenges and protecting industrial networks.
Abstract: Knowledge graph technology is widely used in network security design, analysis, and detection. By collecting, organizing, and mining various security knowledge, it provides scientific support for security decisions. Some public Security Knowledge Repositories (SKRs) are frequently used to construct security knowledge graphs. The quality of SKRs affects the efficiency and effectiveness of security analysis. However, the current situation is that the identification of relational information among security knowledge elements is not sufficient and timely, and a large amount of key relational information is missing. In view of this, we propose a security knowledge graph relational reasoning method, based on the fusion embedding of semantic correlation and structure correlation, named SecKG2vec. With SecKG2vec, the embedded vector simultaneously presents both semantic and structural characteristics, and it can exhibit better relational reasoning performance. In qualitative evaluation and quantitative experiments with baseline methods, SecKG2vec has better performance in the relationship reasoning task and the entity reasoning task, and potential capability for 0-shot scenario prediction.
Abstract: Threat actors continuously update their code to incorporate counter-analysis techniques designed to evade detection and hinder the blocking of their malware. The first line of defence for malware authors is often to bypass static analysis, a relatively straightforward task using readily available tools such as packers and cryptors. To address this shortcoming, defenders send potential malware samples for execution in a sandbox environment. While sandboxing can provide valuable insights into the behaviour of software on an information system, advanced techniques like anti-virtualisation and hooking evasion allow malware to escape detection. The primary objective of this work is to complement sandbox execution with symbolic execution frameworks to detect new malware strains efficiently. Symbolic execution offers a distinct advantage over sandboxing by achieving greater coverage of all possible execution traces, as it can explore every potential execution path, regardless of the evasion methods employed by the malware authors. By carefully selecting the samples to be analysed, we can significantly reduce the workload while extracting essential dynamic features in a fraction of the time and with far fewer computational resources compared to sandboxing. To this end, we leverage machine learning in an automated pipeline, enabling the accurate detection of sophisticated malware using a real-world dataset. Our approach yields average F1 scores of 0.93 for the benign class and 0.99 for the malware class in a binary classification setup, surpassing the detection rates reported in the literature. Additionally, our method outperforms a commercial malware sandbox when applied to the same dataset, further highlighting the efficacy of the proposed method.