Biblio

Due to the increasing threat of network attacks, Firewall has become crucial elements in network security, and have been widely deployed in most businesses and institutions for securing private networks. The function of a firewall is to examine each packet that passes through it and decide whether to letting them pass or halting them based on preconfigured rules and policies, so firewall now is the first defense line against cyber attacks. However most of people doesn't know how firewall works, and the most users of windows operating system doesn't know how to use the windows embedded firewall. This paper explains how firewall works, firewalls types, and all you need to know about firewall policies, then presents a novel application (QudsWall) developed by authors that manages windows embedded firewall and make it easy to use.

Detecting attacks that are based on unknown security vulnerabilities is a challenging problem. The timely detection of attacks based on hitherto unknown vulnerabilities is crucial for protecting other users and systems from being affected as well. To know the attributes of a novel attack's target system can support automated reconfiguration of firewalls and sending alerts to administrators of other vulnerable targets. We suggest a novel approach of post-incident intrusion detection by utilizing information gathered from real-time social media streams. To accomplish this we take advantage of social media users posting about incidents that affect their user accounts of attacked target systems or their observations about misbehaving online services. Combining knowledge of the attacked systems and reported incidents, we should be able to recognize patterns that define the attributes of vulnerable systems. By matching detected attribute sets with those attributes of well-known attacks, we furthermore should be able to link attacks to already existing entries in the Common Vulnerabilities and Exposures database. If a link to an existing entry is not found, we can assume to have detected an exploitation of an unknown vulnerability, i.e., a zero day exploit or the result of an advanced persistent threat. This finding could also be used to direct efforts of examining vulnerabilities of attacked systems and therefore lead to faster patch deployment.

In this paper, we present the design, architecture, and implementation of a novel analysis engine, called Feature Collection and Correlation Engine (FCCE), that finds correlations across a diverse set of data types spanning over large time windows with very small latency and with minimal access to raw data. FCCE scales well to collecting, extracting, and querying features from geographically distributed large data sets. FCCE has been deployed in a large production network with over 450,000 workstations for 3 years, ingesting more than 2 billion events per day and providing low latency query responses for various analytics. We explore two security analytics use cases to demonstrate how we utilize the deployment of FCCE on large diverse data sets in the cyber security domain: 1) detecting fluxing domain names of potential botnet activity and identifying all the devices in the production network querying these names, and 2) detecting advanced persistent threat infection. Both evaluation results and our experience with real-world applications show that FCCE yields superior performance over existing approaches, and excels in the challenging cyber security domain by correlating multiple features and deriving security intelligence.

Taiwan has become the frontline in an emerging cyberspace battle. Cyberattacks from different countries are constantly reported during past decades. The incident of Advanced Persistent Threat (APT) is analyzed from the golden triangle components (people, process and technology) to ensure the application of digital forensics. This study presents a novel People-Process-Technology-Strategy (PPTS) model by implementing a triage investigative step to identify evidence dynamics in digital data and essential information in auditing logs. The result of this study is expected to improve APT investigation. The investigation scenario of this proposed methodology is illustrated by applying to some APT incidents in Taiwan.

The threats of smartphone security are mostly from the privacy disclosure and malicious chargeback software which deducting expenses abnormally. They exploit the vulnerabilities of previous permission mechanism to attack to mobile phones, and what's more, it might call hardware to spy privacy invisibly in the background. As the existing Android operating system doesn't support users the monitoring and auditing of system resources, a dynamic supervisory mechanism of process behavior based on Dalvik VM is proposed to solve this problem. The existing android system framework layer and application layer are modified and extended, and special underlying services of system are used to realize a dynamic supervisory on the process behavior of Dalvik VM. Via this mechanism, each process on the system resources and the behavior of each app process can be monitored and analyzed in real-time. It reduces the security threats in system level and positions that which process is using the system resource. It achieves the detection and interception before the occurrence or the moment of behavior so that it protects the private information, important data and sensitive behavior of system security. Extensive experiments have demonstrated the accuracy, effectiveness, and robustness of our approach.

Advanced Persistent Threats (APT) consist of most skillful hackers who employ sophisticated techniques to stealthily gain unauthorized access to private networks and exfiltrate sensitive data. When their existence is discovered, organizations - if they can sustain business continuity - mostly have to perform forensics activities to assess the damage of the attack and discover the extent of sensitive data leakage. In this paper, we construct a novel framework to pinpoint sensitive data that may have been leaked in such an attack. Our framework consists of creating baseline fingerprints for each workstation for setting normal activity, and we consider the change in the behavior of the network overall. We compare the accused fingerprint with sensitive database information by utilizing both Levenstein distance and TF-IDF/cosine similarity resulting in a similarity percentage. This allows us to pinpoint what part of data was exfiltrated by the perpetrators, where in the network the data originated, and if that data is sensitive to the private company's network. We then perform feasibility experiments to show that even these simple methods are feasible to run on a network representative of a mid-size business.

Collective self-adaptive systems (CSAS) are distributed and interconnected systems composed of multiple agents that can perform complex tasks such as environmental data collection, search and rescue operations, and discovery of natural resources. By providing individual agents with learning capabilities, CSAS can cope with challenges related to distributed sensing and decision-making and operate in uncertain environments. This unique characteristic of CSAS enables the collective to exhibit robust behaviour while achieving system-wide and agent-specific goals. Although learning has been explored in many CSAS applications, selecting suitable learning models and techniques remains a significant challenge that is heavily influenced by expert knowledge. We address this gap by performing a multifaceted analysis of existing CSAS with learning capabilities reported in the literature. Based on this analysis, we introduce a 3D framework that illustrates the learning aspects of CSAS considering the dimensions of autonomy, knowledge access, and behaviour, and facilitates the selection of learning techniques and models. Finally, using example applications from this analysis, we derive open challenges and highlight the need for research on collaborative, resilient and privacy-aware mechanisms for CSAS.

Multi-stage Proof-of-Work is a recently proposed protocol which extends the Proof-of-Work protocol used in Bitcoin. It splits Proof-of-Work into multiple stages, to achieve a more efficient block generation and a fair reward distribution. In this paper we study some of the Multi-stage Proof-of-Work security vulnerabilities. Precisely, we present two attacks: a Selfish Mining attack and a Selfish Stage-Withholding attack. We show that Multi-stage Proof-of-Work is not secure against a selfish miner owning more than 25% of the network hashing power. Moreover, we show that Selfish Stage-Withholding is a complementary strategy to boost a selfish miner's profitability.

The majority of applications use a prompt for a username and password. Passwords are recommended to be unique, long, complex, alphanumeric and non-repetitive. These reasons that make passwords secure may prove to be a point of weakness. The complexity of the password provides a challenge for a user and they may choose to record it. This compromises the security of the password and takes away its advantage. An alternate method of security is Keystroke Biometrics. This approach uses the natural typing pattern of a user for authentication. This paper proposes a new method for reducing error rates and creating a robust technique. The new method makes use of multiple sensors to obtain information about a user. An artificial neural network is used to model a user's behavior as well as for retraining the system. An alternate user verification mechanism is used in case a user is unable to match their typing pattern.

In recent year, there has been a growing need for intelligent systems that not only are able to provide reliable classifications but can also produce explanations for the decisions they make. The demand for increased explainability has led to the emergence of explainable artificial intelligence (XAI) as a specific research field. In this context, fuzzy logic systems represent a promising tool thanks to their inherently interpretable structure. The use of a rule-base and linguistic terms, in fact, have allowed researchers to create models that are able to produce explanations in natural language for each of the classifications they make. So far, however, designing systems that make use of interval type-2 (IT2) fuzzy logic and also give explanations for their outputs has been very challenging, partially due to the presence of the type-reduction step. In this paper, it will be shown how constrained interval type-2 (CIT2) fuzzy sets represent a valid alternative to conventional interval type-2 sets in order to address this issue. Through the analysis of two case studies from the medical domain, it is shown how explainable CIT2 classifiers are produced. These systems can explain which rules contributed to the creation of each of the endpoints of the output interval centroid, while showing (in these examples) the same level of accuracy as their IT2 counterpart.