Biblio

Most of the recent high-profile attacks targeting cyber-physical systems (CPS) started with lengthy reconnaissance periods that enabled attackers to gain in-depth understanding of the victim’s environment. To simulate these stealthy attacks, several covert channel tools have been published and proven effective in their ability to blend into existing CPS communication streams and have the capability for data exfiltration and command injection.In this paper, we report a novel machine learning feature engineering and data processing pipeline for the detection of covert channel attacks on CPS systems with real-time detection throughput. The system also operates at the network layer without requiring physical system domain-specific state modeling, such as voltage levels in a power generation system. We not only demonstrate the effectiveness of using TCP payload entropy as engineered features and the technique of grouping information into network flows, but also pitch the proposed detector against scenarios employing advanced evasion tactics, and still achieve above 99% detection performance.

The analysis shows how important Power Network Measuring and Characterization (PSMC) is to the plan. Networks planning and oversight for the transmission of electrical energy is becoming increasingly frequent. In reaction to the current contest of assimilating trying to cut charging in the crate, estimation, information sharing, but rather govern into PSMC reasonable quantities, Electrical Transmit Monitoring and Management provides a thorough outline of founding principles together with smart sensors for domestic spying, security precautions, and control of developed broadening power systems.Electricity supply control must depend increasingly heavily on telecommunications infrastructure to manage and run their processes because of the fluctuation in transmission and distribution of electricity. A wider attack surface will also be available to threat hackers as a result of the more communications. Large-scale blackout have occurred in the past as a consequence of cyberattacks on electrical networks. In order to pinpoint the key issues influencing power grid computer networks, we looked at the network infrastructure supporting electricity grids in this research.

Open set recognition (OSR) problem has been a challenge in many machine learning (ML) applications, such as security. As new/unknown malware families occur regularly, it is difficult to exhaust samples that cover all the classes for the training process in ML systems. An advanced malware classification system should classify the known classes correctly while sensitive to the unknown class. In this paper, we introduce a self-supervised pre-training approach for the OSR problem in malware classification. We propose two transformations for the function call graph (FCG) based malware representations to facilitate the pretext task. Also, we present a statistical thresholding approach to find the optimal threshold for the unknown class. Moreover, the experiment results indicate that our proposed pre-training process can improve different performances of different downstream loss functions for the OSR problem.

At present, the black-start mode of the large power grid is mostly limited to relying on the black-start power supply inside the system, or only to the recovery mode that regards the transmission power of tie lines between systems as the black-start power supply. The starting power supply involved in the situation of the large power outage is incomplete and it is difficult to give full play to the respective advantages of internal and external power sources. In this paper, a method of coordinated black-start of large power grid internal and external power sources is proposed by combining the two modes. Firstly, the black-start capability evaluation system is built to screen out the internal black-start power supply, and the external black-start power supply is determined by analyzing the connection relationship between the systems. Then, based on the specific implementation principles, the black-start power supply coordination strategy is formulated by using the Dijkstra shortest path algorithm. Based on the condensation idea, the black-start zoning and path optimization method applicable to this strategy is proposed. Finally, the black-start security verification and corresponding control measures are adopted to obtain a scheme of black-start cooperation between internal and external power sources in the large power grid. The above method is applied in a real large power grid and compared with the conventional restoration strategy to verify the feasibility and efficiency of this method.

The industrial Internet platform has been applied to various fields of industrial production, effectively improving the data flow of all elements in the production process, improving production efficiency, reducing production costs, and ensuring the market competitiveness of enterprises. The premise of the effective application of the industrial Internet platform is the interconnection of industrial equipment. In the industrial Internet platform, industrial robot is a very common industrial control device. These industrial robots are connected to the control network of the industrial Internet platform, which will have obvious advantages in production efficiency and equipment maintenance, but at the same time will cause more serious network security problems. The industrial robot system based on the industrial Internet platform not only increases the possibility of industrial robots being attacked, but also aggravates the loss and harm caused by industrial robots being attacked. At the same time, this paper illustrates the effects and scenarios of industrial robot attacks based on industrial interconnection platforms from four different scenarios of industrial robots being attacked. Availability and integrity are related to the security of the environment.

It is the key to the Internet's expansion of social and economic functions by ensuring the credibility of online users' identities and behaviors while taking into account privacy protection. Public Key Infrastructure (PKI) and blockchain technology have provided ways to achieve credibility from different perspectives. Based on these two technologies, we attempt to generalize people's offline activities to online ones with our proposed model, Atom and Molecule. We then present the strict definition of trustworthy system and the trustworthy Internet. The definition of Generalized Blockchain and its practical implementation are provided as well.

Current intrusion detection techniques cannot keep up with the increasing amount and complexity of cyber attacks. In fact, most of the traffic is encrypted and does not allow to apply deep packet inspection approaches. In recent years, Machine Learning techniques have been proposed for post-mortem detection of network attacks, and many datasets have been shared by research groups and organizations for training and validation. Differently from the vast related literature, in this paper we propose an early classification approach conducted on CSE-CIC-IDS2018 dataset, which contains both benign and malicious traffic, for the detection of malicious attacks before they could damage an organization. To this aim, we investigated a different set of features, and the sensitivity of performance of five classification algorithms to the number of observed packets. Results show that ML approaches relying on ten packets provide satisfactory results.

The growing number of cybersecurity incidents and the always increasing complexity of cybersecurity attacks is forcing the industry and the research community to develop robust and effective methods to detect and respond to network attacks. Many tools are either built upon a large number of rules and signatures which only large third-party vendors can afford to create and maintain, or are based on complex artificial intelligence engines which, in most cases, still require personalization and fine-tuning using costly service contracts offered by the vendors.This paper introduces an open-source network traffic monitoring system based on the concept of cyberscore, a numerical value that represents how a network activity is considered relevant for spotting cybersecurity-related events. We describe how this technique has been applied in real-life networks and present the result of this evaluation.

Black-box adversarial attack has aroused much research attention for its difficulty on nearly no available information of the attacked model and the additional constraint on the query budget. A common way to improve attack efficiency is to transfer the gradient information of a white-box substitute model trained on an extra dataset. In this paper, we deal with a more practical setting where a pre-trained white-box model with network parameters is provided without extra training data. To solve the model mismatch problem between the white-box and black-box models, we propose a novel algorithm EigenBA by systematically integrating gradient-based white-box method and zeroth-order optimization in black-box methods. We theoretically show the optimal directions of perturbations for each step are closely related to the right singular vectors of the Jacobian matrix of the pretrained white-box model. Extensive experiments on ImageNet, CIFAR-10 and WebVision show that EigenBA can consistently and significantly outperform state-of-the-art baselines in terms of success rate and attack efficiency.

Throughout history, technological evolution has generated less desired side effects with impact on society. In the field of IT&C, there are ongoing discussions about the role of robots within economy, but also about their impact on the labour market. In the case of digital media systems, we talk about misinformation, manipulation, fake news, etc. Issues related to the protection of the citizen's life in the face of technology began more than 25 years ago; In addition to the many messages such as “the citizen is at the center of concern” or, “privacy must be respected”, transmitted through various channels of different entities or companies in the field of ICT, the EU has promoted a number of legislative and normative documents to protect citizens' rights and freedoms.

The vertiginous technological advance related to globalization and the new digital era has led to the design of new techniques and tools that deal with the risks of technology and information. Terms such as "cybersecurity" stand out, which corresponds to that area of computer science that is responsible for the development and implementation of information protection mechanisms and technological infrastructure, in order to deal with cyberattacks. Phishing is a crime that uses social engineering and technical subterfuge to steal personal identity data and financial account credentials from users, representing a high economic and financial risk worldwide, both for individuals and for large organizations. The objective of this research is to determine the ways to prevent phishing, by analyzing the characteristics of this computer fraud, the various existing modalities and the main prevention strategies, in order to increase the knowledge of users about this. subject, highlighting the importance of adequate training that allows establishing efficient mechanisms to detect and block phishing.

Measuring the information leakage is critical for evaluating the practical security of cryptographic devices against side-channel analysis. Information-theoretic measures can be used (along with Fano’s inequality) to derive upper bounds on the success rate of any possible attack in terms of the number of side-channel measurements. Equivalently, this gives lower bounds on the number of queries for a given success probability of attack. In this paper, we consider cryptographic implementations protected by (first-order) masking schemes, and derive several information-theoretic bounds on the efficiency of any (second-order) attack. The obtained bounds are generic in that they do not depend on a specific attack but only on the leakage and masking models, through the mutual information between side-channel measurements and the secret key. Numerical evaluations confirm that our bounds reflect the practical performance of optimal maximum likelihood attacks.

In recent years, blockchain technology has become one of the key technical innovation fields in the world. From the simple Bitcoin that can only be transferred at first to the blockchain application ecology that is now blooming, blockchain is gradually building a credible internet of value. However, with the continuous development and application of blockchain, even the blockchain based on cryptography is facing a series of network security problems and has caused great property losses to participants. Therefore, studying blockchain security and accelerating standardization of blockchain security have become the top priority to ensure the orderly and healthy development of blockchain technology. This paper briefly introduces the scope of blockchain security from the perspective of network security, sorts out some existing standards related to blockchain security, and gives some suggestions to promote the development and application of blockchain security standardization.

Integration of technology with power grid emerged Smart grid. The advancement of power grid into smart grid faces some security issues like message mod-ification attacks, message injection attacks etc. If these issues are correctly not addressed, then the performance of the smart grid is degraded. Smart grid has bidirectional communication among the smart grid entities. The flow of user energy consumption information between all smart grid entities may lead the user privacy violation. Smart grids have various components but service providers and smart meters are the main components. Smart meters have sensing and communication functionality, while service providers have control and communication functionality. There are many privacy preservation schemes proposed that ensure the cus-tomer's privacy in the smart grid. To preserve the customer's data privacy and communication, authentication and key agreement schemes are required between the smart meter and the service provider. This paper proposes an efficient key agreement protocol to handle several security challenges in smart grid. The proposed protocol is tested against the various security attributes necessary for a key establishment protocol and found safe. Further the performance of the proposed work is compared with several others existing work for smart grid application and it has been observed that the proposed protocol performs significantly better than the existing protocols available in the literature.

This paper examines audio-based social networking platforms and how their environments can affect the persistence of fake news and mis/disinformation in the whole information ecosystem. This is performed through an exploration of their features and how they compare to that of general-purpose multimodal platforms. A case study on Spotify and its recent issue on free speech and misinformation is the application area of this paper. As a supplementary, a demographic analysis of the current statistics of podcast streamers is outlined to give an overview of the target audience of possible deception attacks in the future. As for the conclusion, this paper confers a recommendation to policymakers and experts in preparing for future mis-affordance of the features in social environments that may unintentionally give the agents of mis/disinformation prowess to create and sow discord and deception.

Microcontroller-based embedded systems have become ubiquitous with the emergence of IoT technology. Given its critical roles in many applications, its security is becoming increasingly important. Unfortunately, MCU devices are especially vulnerable. Code reuse attacks are particularly noteworthy since the memory address of firmware code is static. This work seeks to combat code reuse attacks, including ROP and more advanced JIT-ROP via continuous randomization. Previous proposals are geared towards full-fledged OSs with rich runtime environments, and therefore cannot be applied to MCUs. We propose the first solution for ARM-based MCUs. Our system, named HARM, comprises a secure runtime and a binary analysis tool with rewriting module. The secure runtime, protected inside the secure world, proactively triggers and performs non-bypassable randomization to the firmware running in a sandbox in the normal world. Our system does not rely on any firmware feature, and therefore is generally applicable to both bare-metal and RTOS-powered firmware. We have implemented a prototype on a development board. Our evaluation results indicate that HARM can effectively thaw code reuse attacks while keeping the performance and energy overhead low.

Recent studies show that the state-of-the-art deep neural networks are vulnerable to model inversion attacks, in which access to a model is abused to reconstruct private training data of any given target class. Existing attacks rely on having access to either the complete target model (whitebox) or the model's soft-labels (blackbox). However, no prior work has been done in the harder but more practical scenario, in which the attacker only has access to the model's predicted label, without a confidence measure. In this paper, we introduce an algorithm, Boundary-Repelling Model Inversion (BREP-MI), to invert private training data using only the target model's predicted labels. The key idea of our algorithm is to evaluate the model's predicted labels over a sphere and then estimate the direction to reach the target class's centroid. Using the example of face recognition, we show that the images reconstructed by BREP-MI successfully reproduce the semantics of the private training data for various datasets and target model architectures. We compare BREP-MI with the state-of-the-art white-box and blackbox model inversion attacks, and the results show that despite assuming less knowledge about the target model, BREP-MI outperforms the blackbox attack and achieves comparable results to the whitebox attack. Our code is available online.11https://github.com/m-kahla/Label-Only-Model-Inversion-Attacks-via-Boundary-Repulsion

While vehicle-to-everything communication technology enables information sharing and cooperative control for vehicles, it also poses a significant threat to the vehicles' driving security owing to cyber-attacks. In particular, Sybil malicious attacks hidden in the vehicle broadcast information flow are challenging to detect, thereby becoming an urgent issue requiring attention. Several researchers have considered this problem and proposed different detection schemes. However, the detection performance of existing schemes based on plausibility checks and neighboring observers is affected by the traffic and attacker densities. In this study, we propose a malicious attack detection scheme based on traffic-flow information fusion, which enables the detection of Sybil attacks without neighboring observer nodes. Our solution is based on the basic safety message, which is broadcast by vehicles periodically. It first constructs the basic features of traffic flow to reflect the traffic state, subsequently fuses it with the road detector information to add the road fusion features, and then classifies them using machine learning algorithms to identify malicious attacks. The experimental results demonstrate that our scheme achieves the detection of Sybil attacks with an accuracy greater than 90 % at different traffic and attacker densities. Our solutions provide security for achieving a usable vehicle communication network.

We study semantic security for classical-quantum channels. Our security functions are functional forms of mosaics of combinatorial designs. We extend methods in [25] from classical channels to classical-quantum channels to demonstrate that mosaics of designs ensure semantic security for classical-quantum channels, and are also capacity achieving coding schemes. An advantage of these modular wiretap codes is that we provide explicit code constructions that can be implemented in practice for every channel, given an arbitrary public code.

Embedded memory are important components in system-on-chip, which may be crippled by aging and wear faults or Hardware Trojan attacks to compromise run-time security. The current built-in self-test and pre-silicon verification lack efficiency and flexibility to solve this problem. To this end, we address such vulnerabilities by proposing a run-time memory security detecting framework in this paper. The solution builds mainly upon a centralized security detection controller for partially reconfigurable inspection content, and a static memory wrapper to handle access conflicts and buffering testing cells. We show that a field programmable gate array prototype of the proposed framework can pursue 16 memory faults and 3 types Hardware Trojans detection with one reconfigurable partition, whereas saves 12.7% area and 2.9% power overhead compared to a static implementation. This architecture has more scalable capability with little impact on the memory accessing throughput of the original chip system in run-time detection.

Trojan attacks threaten deep neural networks (DNNs) by poisoning them to behave normally on most samples, yet to produce manipulated results for inputs attached with a particular trigger. Several works attempt to detect whether a given DNN has been injected with a specific trigger during the training. In a parallel line of research, the lottery ticket hypothesis reveals the existence of sparse sub-networks which are capable of reaching competitive performance as the dense network after independent training. Connecting these two dots, we investigate the problem of Trojan DNN detection from the brand new lens of sparsity, even when no clean training data is available. Our crucial observation is that the Trojan features are significantly more stable to network pruning than benign features. Leveraging that, we propose a novel Trojan network detection regime: first locating a “winning Trojan lottery ticket” which preserves nearly full Trojan information yet only chance-level performance on clean inputs; then recovering the trigger embedded in this already isolated sub-network. Extensive experiments on various datasets, i.e., CIFAR-10, CIFAR-100, and ImageNet, with different network architectures, i.e., VGG-16, ResNet-18, ResNet-20s, and DenseNet-100 demonstrate the effectiveness of our proposal. Codes are available at https://github.com/VITA-Group/Backdoor-LTH.

With the advent of the 5G era, high-speed and secure network access services have become a common pursuit. The QUIC (Quick UDP Internet Connection) protocol proposed by Google has been studied by many scholars due to its high speed, robustness, and low latency. However, the research on the security of the QUIC protocol by domestic and foreign scholars is insufficient. Therefore, based on the self-similarity of QUIC network traffic, combined with traffic characteristics and signal processing methods, a QUIC-based network traffic anomaly detection model is proposed in this paper. The model decomposes and reconstructs the collected QUIC network traffic data through the Empirical Mode Decomposition (EMD) method. In order to judge the occurrence of abnormality, this paper also intercepts overlapping traffic segments through sliding windows to calculate Hurst parameters and analyzes the obtained parameters to check abnormal traffic. The simulation results show that in the network environment based on the QUIC protocol, the Hurst parameter after being attacked fluctuates violently and exceeds the normal range. It also shows that the anomaly detection of QUIC network traffic can use the EMD method.

Ransomware uses encryption methods to make data inaccessible to legitimate users. To date a wide range of ransomware families have been developed and deployed, causing immense damage to governments, corporations, and private users. As these cyberthreats multiply, researchers have proposed a range of ransom ware detection and classification schemes. Most of these methods use advanced machine learning techniques to process and analyze real-world ransomware binaries and action sequences. Hence this paper presents a survey of this critical space and classifies existing solutions into several categories, i.e., including network-based, host-based, forensic characterization, and authorship attribution. Key facilities and tools for ransomware analysis are also presented along with open challenges.

With the advent of technology and owing to mankind’s reliance on technology, it is of utmost importance to safeguard people’s data and their identity. Biometrics have for long played an important role in providing that layer of security ranging from small scale uses such as house locks to enterprises using them for confidentiality purposes. In this paper we will provide an insight into behavioral biometrics that rely on identifying and measuring human characteristics or behavior. We review different types of behavioral parameters such as keystroke dynamics, gait, footstep pressure signals and more.

This paper offers a comparative vector assessment of DDoS and disinformation attacks. The assessed dimensions are as follows: (1) the threat agent, (2) attack vector, (3) target, (4) impact, and (5) defense. The results revealed that disinformation attacks, anchoring on astroturfs, resemble DDoS’s zombie computers in their method of amplification. Although DDoS affects several layers of the OSI model, disinformation attacks exclusively affect the application layer. Furthermore, even though their payloads and objectives are different, their vector paths and network designs are very similar. This paper, as its conclusion, strongly recommends the classification of disinformation as an actual cybersecurity threat to eliminate the inconsistencies in policies in social networking platforms. The intended target audiences of this paper are IT and cybersecurity experts, computer and information scientists, policymakers, legal and judicial scholars, and other professionals seeking references on this matter.