Biblio
Accurate, precise, and unambiguous definitions of software weaknesses (bugs) and clear descriptions of software vulnerabilities are vital for building the foundations of cybersecurity. The Bugs Framework (BF) comprises rigorous definitions and (static) attributes of bug classes, along with their related dynamic properties, such as proximate, secondary and tertiary causes, consequences, and sites. This paper presents an overview of previously developed BF classes and the new cryptography related classes: Encryption Bugs (ENC), Verification Bugs (VRF), and Key Management Bugs (KMN). We analyze corresponding vulnerabilities and provide their clear descriptions by applying the BF taxonomy. We also discuss the lessons learned and share our plans for expanding BF.
Cloud storage is vulnerable to advanced persistent threats (APTs), in which an attacker launches stealthy, continuous, well-funded and targeted attacks on storage devices. In this paper, cumulative prospect theory (CPT) is applied to study the interactions between a defender of cloud storage and an APT attacker when each of them makes subjective decisions to choose the scan interval and attack interval, respectively. Both the probability weighting effect and the framing effect are applied to model the deviation of subjective decisions of end-users from the objective decisions governed by expected utility theory, under uncertain attack durations. Cumulative decision weights are used to describe the probability weighting effect and the value distortion functions are used to represent the framing effect of subjective APT attackers and defenders in the CPT-based APT defense game, rather than discrete decision weights, as in earlier prospect theoretic study of APT defense. The Nash equilibria of the CPT-based APT defense game are derived, showing that a subjective attacker becomes risk-seeking if the frame of reference for evaluating the utility is large, and becomes risk-averse if the frame of reference for evaluating the utility is small.
Nowadays, an increasing number of IoT vendors have compiled and deployed third-party code bases across different architectures. Therefore, to avoid the firmware from being affected by the same known vulnerabilities, searching known vulnerabilities in binary firmware across different architectures is more crucial than ever. However, most existing vulnerability search methods are limited to the same architecture; there are only a few studies on cross-architecture cases, of which the accuracy is not high. In this paper, to promote the accuracy of existing cross-architecture vulnerability search methods, we propose a new approach based on Support Vector Machine (SVM) and Attributed Control Flow Graph (ACFG) to search known vulnerability in firmware across different architectures at function level. We employ a known vulnerability function to recognize suspicious functions in other binary firmware. First, considering from the internal and external characteristics of the functions, we extract the function level features and basic-block level features of the functions to be inspected. Second, we employ SVM to recognize a little part of suspicious functions based on function level features. After the preliminary screening, we compute the graph similarity between the vulnerability function and suspicious functions based on their ACFGs. We have implemented our approach CVSSA, and employed the training samples to train the model with previous knowledge to improve the accuracy. We also search several vulnerabilities in the real-world firmware images; the experimental results show that CVSSA can be applied to the realistic scenarios.
The paper suggests several techniques for computer network risk assessment based on Common Vulnerability Scoring System (CVSS) and attack modeling. Techniques use a set of integrated security metrics and consider input data from security information and event management (SIEM) systems. Risk assessment techniques differ according to the used input data. They allow to get risk assessment considering requirements to the accuracy and efficiency. Input data includes network characteristics, attacks, attacker characteristics, security events and countermeasures. The tool that implements these techniques is presented. Experiments demonstrate operation of the techniques for different security situations.
Cyber anonymity tools have attracted wide attention in resisting network traffic censorship and surveillance, and have played a crucial role for open communications over the Internet. The Onion Routing (Tor) is considered the prevailing technique for circumventing the traffic surveillance and providing cyber anonymity. Tor operates by tunneling a traffic through a series of relays, making such traffic to appear as if it originated from the last relay in the traffic path, rather than from the original user. However, Tor faced some obstructions in carrying out its goal effectively, such as insufficient performance and limited capacity. This paper presents a cyber anonymity technique based on software-defined networking; named SOR, which builds onion-routed tunnels across multiple anonymity service providers. SOR architecture enables any cloud tenants to participate in the anonymity service via software-defined networking. Our proposed architecture leverages the large capacity and robust connectivity of the commercial cloud networks to elevate the performance of the cyber anonymity service.
With the integration of computing, communication, and physical processes, the modern power grid is becoming a large and complex cyber physical power system (CPPS). This trend is intended to modernize and improve the efficiency of the power grid, yet it makes the CPPS vulnerable to potential cascading failures caused by cyber-attacks, e.g., the attacks that are originated by the cyber network of CPPS. To prevent these risks, it is essential to analyze how cyber-attacks can be conducted against the CPPS and how they can affect the power systems. In light of that General Packet Radio Service (GPRS) has been widely used in CPPS, this paper provides a case study by examining possible cyber-attacks against the cyber-physical power systems with GPRS-based SCADA system. We analyze the vulnerabilities of GPRS-based SCADA systems and focus on DoS attacks and message spoofing attacks. Furthermore, we show the consequence of these attacks against power systems by a simulation using the IEEE 9-node system, and the results show the validity of cascading failures propagated through the systems under our proposed attacks.
There has been a growing spate of Cyber attacks targeted at different corporate enterprises and systems across the globe. The scope of these attacks spans from small scale (grid and control system manipulation, domestic meter cyber hacking etc.) to large scale distributed denial of service attacks (DDoSA) in enterprise networks. The effect of hacking on control systems through distributed control systems (DCS) using communication protocols on vulnerable home area networks (HANs) and neighborhood area networks (NANs) is terrifying. To meet the current security requirements, a new security network is proposed called Smart grid convoluted network (SGCN). With SGCN, the basic activities of data processing, monitoring and query requests are implemented outside the grid using Fog computing layer-3 devices (gatekeepers). A cyber monitor agent that leverages a reliable end-to-end communication network to secure the system components on the grid is employed. Cyber attacks which affect the computational requirements of SG applications are mitigated by using a Fourier predictive cyber monitor (FPCM). The network uses flexible resources with loopback services shared across the network. Serial parallelism and efficient bandwidth provisioning are used by the locally supported Fog nodes within the SG cloud space. For services differentiation, SGCN employed secure communication between its various micro-grids as well as its metering front-ends. With the simulated traffic payload extraction trend (STPET), SGCN promises a hard time for hackers and malicious malware. While the work guarantees security for SGs, reliability is still an open issue due to the complexity of SG architecture. In conclusion, the future of the Cyber security in SGs must employ the concept of Internet of Everything (IoE), Malware predictive analytics and Fog layers on existing SG prototypes for optimal security benefits.
In this paper, an industrial testbed is proposed utilizing commercial-off-the-shelf equipment, and it is used to study the weakness of industrial Ethernet, i.e., PROFINET. The investigation is based on observation of the principles of operation of PROFINET and the functionality of industrial control systems.
This brief paper reports on an early stage ongoing PhD project in the field of cyber-physical security in health care critical infrastructures. The research overall aims to develop a methodology that will increase the ability of secure recovery of health critical infrastructures. This ambitious or reckless attempt, as it is currently at an early stage, in this paper, tries to answer why cyber-physical security for health care infrastructures is important and of scientific interest. An initial PhD project methodology and expected outcomes are also discussed. The report concludes with challenges that emerge and possible future directions.
Cybersecurity is one of the critical issues in modern military operations. In cyber operations, security professionals depend on various information and security systems to mitigate cyber threats through enhanced cyber situational awareness. Cyber situational awareness can give decision makers mission completeness and provide appropriate timely decision support for proactive response. The crucial information for cyber situational awareness can be collected at network boundaries through deep packet inspection with security systems. Regular expression is regarded as a practical method for deep packet inspection that is considered for next generation intrusion detection and prevention; however, it is not commonly used because of its resource intensive characteristics. In this paper, we describe our effort and achievement on regular expression processing capability in real time and an evaluation method with experimental result.
In this paper, the mathematical framework of behavioral system will be applied to detect the cyber-attack on the networked control system which is used to control the remotely operated underwater vehicle ROV. The Intelligent Generalized Predictive Controller IGPC is used to control the ROV. The IGPC is designed with fault-tolerant ability. In consequence of the used fault accommodation technique, the proposed cyber-attacks detector is able to clearly detect the presence of attacker control signal and to distinguish between the effects of the attacker signal and fault on the plant side. The test result of the suggested method demonstrates that it can be considerably used for detection of the cyber-attack.
Deregulated electricity markets rely on a two-settlement system consisting of day-ahead and real-time markets, across which electricity price is volatile. In such markets, locational marginal pricing is widely adopted to set electricity prices and manage transmission congestion. Locational marginal prices are vulnerable to measurement errors. Existing studies show that if the adversaries are omniscient, they can design profitable attack strategies without being detected by the residue-based bad data detectors. This paper focuses on a more realistic setting, in which the attackers have only partial and imperfect information due to their limited resources and restricted physical access to the grid. Specifically, the attackers are assumed to have uncertainties about the state of the grid, and the uncertainties are modeled stochastically. Based on this model, this paper offers a framework for characterizing the optimal stochastic guarantees for the effectiveness of the attacks and the associated pricing impacts.
As cloud computing becomes increasingly pervasive, it is critical for cloud providers to support basic security controls. Although major cloud providers tout such features, relatively little is known in many cases about their design and implementation. In this paper, we describe several security features in OpenStack, a widely-used, open source cloud computing platform. Our contributions to OpenStack range from key management and storage encryption to guaranteeing the integrity of virtual machine (VM) images prior to boot. We describe the design and implementation of these features in detail and provide a security analysis that enumerates the threats that each mitigates. Our performance evaluation shows that these security features have an acceptable cost, in some cases within the measurement error observed in an operational cloud deployment. Finally, we highlight lessons learned from our real-world development experiences from contributing these features to OpenStack as a way to encourage others to transition their research into practice.
Data security has become an issue of increasing importance, especially for Web applications and distributed databases. One solution is using cryptographic algorithms whose improvement has become a constant concern. The increasing complexity of these algorithms involves higher execution times, leading to an application performance decrease. This paper presents a comparison of execution times for three algorithms using asymmetric keys, depending on the size of the encryption/decryption keys: RSA, ElGamal, and ECIES. For this algorithms comparison, a benchmark using Java APIs and an application for testing them on a test database was created.
Distributed Denial of Service (DDoS) attack is a congestion-based attack that makes both the network and host-based resources unavailable for legitimate users, sending flooding attack packets to the victim's resources. The non-existence of predefined rules to correctly identify the genuine network flow made the task of DDoS attack detection very difficult. In this paper, a combination of unsupervised data mining techniques as an intrusion detection system is introduced. The entropy concept in terms of windowing the incoming packets is applied with data mining technique using Clustering Using Representative (CURE) as cluster analysis to detect the DDoS attack in network flow. The data is mainly collected from DARPA2000, CAIDA2007 and CAIDA2008 datasets. The proposed approach has been evaluated and compared with several existing approaches in terms of accuracy, false alarm rate, detection rate, F-measure and Phi coefficient. Results indicate the superiority of the proposed approach with four out of five detected phases, more than 99% accuracy rate, 96.29% detection rate, around 0% false alarm rate, 97.98% F-measure, and 97.98% Phi coefficient.
Among the several threats to cyber services Distributed denial-of-service (DDoS) attack is most prevailing nowadays. DDoS involves making an online service unavailable by flooding the bandwidth or resources of a targeted system. It is easier for an insider having legitimate access to the system to circumvent any security controls thus resulting in insider attack. To mitigate insider assisted DDoS attacks, this paper proposes a moving target defense mechanism that involves isolation of insiders from innocent clients by using attack proxies. Further using the concept of load balancing an effective algorithm to detect and handle insider attack is developed with the aim of maximizing attack isolation while minimizing the total number of proxies used.
Securing Internet of Things (IoT) systems is a challenge because of their multiple points of vulnerability. A spate of recent hacks and security breaches has unveiled glaring vulnerabilities in the IoT. Due to the computational and memory requirement constraints associated with anomaly detection algorithms in core networks, commercial in-line (part of the direct line of communication) Anomaly Detection Systems (ADSs) rely on sampling-based anomaly detection approaches to achieve line rates and truly-inline anomaly detection accuracy in real-time. However, packet sampling is inherently a lossy process which might provide an incomplete and biased approximation of the underlying traffic patterns. Moreover, commercial routers use proprietary software making them closed to be manipulated from the outside. As a result, detecting malicious packets on the given network path is one of the most challenging problems in the field of network security. We argue that the advent of Software Defined Networking (SDN) provides a unique opportunity to effectively detect and mitigate DDoS attacks. Unlike sampling-based approaches for anomaly detection and limitation of proprietary software at routers, we use the SDN infrastructure to relax the sampling-based ADS constraints and collect traffic flow statistics which are maintained at each SDN-enabled switch to achieve high detection accuracy. In order to implement our idea, we discuss how to mitigate DDoS attacks using the features of SDN infrastructure.
Data Deduplication provides lots of benefits to security and privacy issues which can arise as user's sensitive data at risk of within and out of doors attacks. Traditional secret writing that provides knowledge confidentiality is incompatible with knowledge deduplication. Ancient secret writing wants completely different users to encode their knowledge with their own keys. Thus, identical knowledge copies of completely different various users can result in different ciphertexts that makes Deduplication not possible. Convergent secret writing has been planned to enforce knowledge confidentiality whereas creating Deduplication possible. It encrypts/decrypts a knowledge copy with a confluent key, that is obtained by computing the cryptographical hash price of the content of the information copy. Once generation of key and encryption, the user can retain the keys and send ciphertext to cloud.
Smart spammers and telemarketers circumvent the standalone spam detection systems by making low rate spamming activity to a large number of recipients distributed across many telecommunication operators. The collaboration among multiple telecommunication operators (OPs) will allow operators to get rid of unwanted callers at the early stage of their spamming activity. The challenge in the design of collaborative spam detection system is that OPs are not willing to share certain information about behaviour of their users/customers because of privacy concerns. Ideally, operators agree to share certain aggregated statistical information if collaboration process ensures complete privacy protection of users and their network data. To address this challenge and convince OPs for the collaboration, this paper proposes a decentralized reputation aggregation protocol that enables OPs to take part in a collaboration process without use of a trusted third party centralized system and without developing a predefined trust relationship with other OPs. To this extent, the collaboration among operators is achieved through the exchange of cryptographic reputation scores among OPs thus fully protects relationship network and reputation scores of users even in the presence of colluders. We evaluate the performance of proposed protocol over the simulated data consisting of five collaborators. Experimental results revealed that proposed approach outperforms standalone systems in terms of true positive rate and false positive rate.
We present a novel approach to proving the absence of timing channels. The idea is to partition the program's execution traces in such a way that each partition component is checked for timing attack resilience by a time complexity analysis and that per-component resilience implies the resilience of the whole program. We construct a partition by splitting the program traces at secret-independent branches. This ensures that any pair of traces with the same public input has a component containing both traces. Crucially, the per-component checks can be normal safety properties expressed in terms of a single execution. Our approach is thus in contrast to prior approaches, such as self-composition, that aim to reason about multiple (k ≥ 2) executions at once. We formalize the above as an approach called quotient partitioning, generalized to any k-safety property, and prove it to be sound. A key feature of our approach is a demand-driven partitioning strategy that uses a regex-like notion called trails to identify sets of execution traces, particularly those influenced by tainted (or secret) data. We have applied our technique in a prototype implementation tool called Blazer, based on WALA, PPL, and the brics automaton library. We have proved timing-channel freedom of (or synthesized an attack specification for) 24 programs written in Java bytecode, including 6 classic examples from the literature and 6 examples extracted from the DARPA STAC challenge problems.
In this paper a method of monostatic RCS measuring in real conditions for complex shaped objects is proposed. The basic idea of the method is to provide measuring in near field zone for different parts of the object (fragments) separately. This technique is titled "decomposition method". After such measurements all RCS data are summed and one can obtain the average RCS of investigated object. Such method is much more accessible in comparison with natural measurements in far field zone. In this paper the decomposition method is tested numerically. For this a model of complex shape object (tank T-90) is divided into the fragments for some direction of view. It is shown that the sum of RCS of the fragments is close to the full object RCS for corresponding direction.
Cross-modal audio-visual perception has been a long-lasting topic in psychology and neurology, and various studies have discovered strong correlations in human perception of auditory and visual stimuli. Despite work on computational multimodal modeling, the problem of cross-modal audio-visual generation has not been systematically studied in the literature. In this paper, we make the first attempt to solve this cross-modal generation problem leveraging the power of deep generative adversarial training. Specifically, we use conditional generative adversarial networks to achieve cross-modal audio-visual generation of musical performances. We explore different encoding methods for audio and visual signals, and work on two scenarios: instrument-oriented generation and pose-oriented generation. Being the first to explore this new problem, we compose two new datasets with pairs of images and sounds of musical performances of different instruments. Our experiments using both classification and human evaluation demonstrate that our model has the ability to generate one modality, i.e., audio/visual, from the other modality, i.e., visual/audio, to a good extent. Our experiments on various design choices along with the datasets will facilitate future research in this new problem space.
Network traffic classification is an important problem in network traffic analysis. It plays a vital role in many network tasks including quality of service, firewall enforcement and security. One of the challenging problems of classifying network traffic is the imbalanced property of network data. Usually, the amount of traffic in some classes is much higher than the amount of traffic in other classes. In this paper, we proposed an application of a deep learning approach to address imbalanced data problem in network traffic classification. We used a recent proposed deep network for unsupervised learning called Auxiliary Classifier Generative Adversarial Network to generate synthesized data samples for balancing between the minor and the major classes. We tested our method on a well-known network traffic dataset and the results showed that our proposed method achieved better performance compared to a recent proposed method for handling imbalanced problem in network traffic classification.
Convolutional Neural Network (CNN) based methods have shown significant performance gains in the problem of visual tracking in recent years. Due to many uncertain changes of objects online, such as abrupt motion, background clutter and large deformation, the visual tracking is still a challenging task. We propose a novel algorithm, namely Deep Location-Specific Tracking, which decomposes the tracking problem into a localization task and a classification task, and trains an individual network for each task. The localization network exploits the information in the current frame and provides a specific location to improve the probability of successful tracking, while the classification network finds the target among many examples generated around the target location in the previous frame, as well as the one estimated from the localization network in the current frame. CNN based trackers often have massive number of trainable parameters, and are prone to over-fitting to some particular object states, leading to less precision or tracking drift. We address this problem by learning a classification network based on 1 × 1 convolution and global average pooling. Extensive experimental results on popular benchmark datasets show that the proposed tracker achieves competitive results without using additional tracking videos for fine-tuning. The code is available at https://github.com/ZjjConan/DLST
Deep Learning has recently become hugely popular in machine learning for its ability to solve end-to-end learning systems, in which the features and the classifiers are learned simultaneously, providing significant improvements in classification accuracy in the presence of highly-structured and large databases. Its success is due to a combination of recent algorithmic breakthroughs, increasingly powerful computers, and access to significant amounts of data. Researchers have also considered privacy implications of deep learning. Models are typically trained in a centralized manner with all the data being processed by the same training algorithm. If the data is a collection of users' private data, including habits, personal pictures, geographical positions, interests, and more, the centralized server will have access to sensitive information that could potentially be mishandled. To tackle this problem, collaborative deep learning models have recently been proposed where parties locally train their deep learning structures and only share a subset of the parameters in the attempt to keep their respective training sets private. Parameters can also be obfuscated via differential privacy (DP) to make information extraction even more challenging, as proposed by Shokri and Shmatikov at CCS'15. Unfortunately, we show that any privacy-preserving collaborative deep learning is susceptible to a powerful attack that we devise in this paper. In particular, we show that a distributed, federated, or decentralized deep learning approach is fundamentally broken and does not protect the training sets of honest participants. The attack we developed exploits the real-time nature of the learning process that allows the adversary to train a Generative Adversarial Network (GAN) that generates prototypical samples of the targeted training set that was meant to be private (the samples generated by the GAN are intended to come from the same distribution as the training data). 
Interestingly, we show that record-level differential privacy applied to the shared parameters of the model, as suggested in previous work, is ineffective (i.e., record-level DP is not designed to address our attack).