Biblio

Unauthorized access or intrusion is a massive threatening issue in the modern era. This study focuses on designing a model for an ideal intrusion detection system capable of defending a network by alerting the admins upon detecting any sorts of malicious activities. The study proposes a two layered anomaly-based detection model that uses filter co-relation method for dimensionality reduction along with Random forest and Support Vector Machine as its classifiers. It achieved a very good detection rate against all sorts of attacks including a low rate of false alarms as well. The contribution of this study is that it could be of a major help to the computer scientists designing good intrusion detection systems to keep an industry or organization safe from the cyber threats as it has achieved the desired qualities of a functional IDS model.

In the current scenario, the data owners would like to access data from anywhere and anytime. Hence, they will store their data in public or private cloud along with encryption and particular set of attributes to access control on the cloud data. While uploading the data into public or private cloud they will assign some attribute set to their data. If any authorized cloud user wants to download their data they should enter that particular attribute set to perform further actions on the data owner's data. A cloud user wants to register their details under cloud organization to access the data owner's data. Users wants to submit their details as attributes along with their designation. Based on the Users details Semi-Trusted Authority generates decryption keys to get control on owner's data. A user can perform a lot of operation over the cloud data. If the user wants to read the cloud data he needs to be entering some read related, and if he wants to write the data he needs to be entering write related attribute. For each and every action user in an organization would be verified with their unique attribute set. These attributes will be stored by the admins to the authorized users in cloud organization. These attributes will be stored in the policy files in a cloud. Along with this attribute,a rule based engine is used, to provide the access control to user. If any user leaks their decryption key to the any malicious user data owners wants to trace by sending audit request to auditor and auditor will process the data owners request and concludes that who is the convict.

Brute-force login attempts are common for every host on the public Internet. While most of them can be discarded as low-threat attacks, targeted attack campaigns often use a dictionary-based brute-force attack to establish a foothold in the network. Therefore, it is important to characterize the attackers' behavior to prioritize defensive measures and react to new threats quickly. In this paper we present a set of metrics that can support threat hunters in characterizing brute-force login attempts. Based on connection metadata, timing information, and the attacker's dictionary these metrics can help to differentiate scans and to find common behavior across distinct IP addresses. We evaluated our novel metrics on a real-world data set of malicious login attempts collected by our honeypot Honeygrove. We highlight interesting metrics, show how clustering can be leveraged to reveal common behavior across IP addresses, and describe how selected metrics help to assess the threat level of attackers. Amongst others, we for example found strong indicators for collusion between ten otherwise unrelated IP addresses confirming that a clustering of the right metrics can help to reveal coordinated attacks.

Cybercrime is growing dramatically in the technological world nowadays. World Wide Web criminals exploit the personal information of internet users and use them to their advantage. Unethical users leverage the dark web to buy and sell illegal products or services and sometimes they manage to gain access to classified government information. A number of illegal activities that can be found in the dark web include selling or buying hacking tools, stolen data, digital fraud, terrorists activities, drugs, weapons, and more. The aim of this project is to collect evidence of any malicious activity in the dark web by using computer security mechanisms as traps called honeypots.

In recent years, persistent cyber adversaries have developed increasingly sophisticated techniques to evade detection. Once adversaries have established a foothold within the target network, using seemingly-limited passive reconnaissance techniques, they can develop significant network reconnaissance capabilities. Cyber deception has been recognized as a critical capability to defend against such adversaries, but, without an accurate model of the adversary's reconnaissance behavior, current approaches are ineffective against advanced adversaries. To address this gap, we propose a novel model to capture how advanced, stealthy adversaries acquire knowledge about the target network and establish and expand their foothold within the system. This model quantifies the cost and reward, from the adversary's perspective, of compromising and maintaining control over target nodes. We evaluate our model through simulations in the CyberVAN testbed, and indicate how it can guide the development and deployment of future defensive capabilities, including high-interaction honeypots, so as to influence the behavior of adversaries and steer them away from critical resources.

We propose a novel attestation architecture for the Internet of Things (IoT). Our distributed attestation network (DAN) utilizes blockchain technology to store and share device information. We present the design of this new attestation architecture as well as a prototype system chosen to emulate an IoT deployment with a network of Raspberry Pi, Infineon TPMs, and a Hyperledger Fabric blockchain.

Bitcoin is gaining traction as an alternative store of value. Its market capitalization transcends all other cryptocurrencies in the market. But its high monetary value also makes it an attractive target to cyber criminal actors. Hacking campaigns usually target the weakest points in an ecosystem. In Bitcoin, these are currently the exchange platforms. As each exchange breach potentially decreases Bitcoin's market value by billions, it is a threat not only to direct victims, but to everyone owning Bitcoin. Based on an extensive analysis of 36 breaches of Bitcoin exchanges, we show the attack patterns used to exploit Bitcoin exchange platforms using an industry standard for reporting intelligence on cyber security breaches. Based on this we are able to provide an overview of the most common attack vectors, showing that all except three hacks were possible due to relatively lax security. We also show that while the security regimen of Bitcoin exchanges is not on par with other financial service providers, the use of stolen credentials, which does not require any hacking, is decreasing. We also show that the amount of BTC taken during a breach is decreasing, as well as the exchanges that terminate after being breached. With exchanges being targeted by nation-state hacking groups, security needs to be a first concern.

Computer networks and surging advancements of innovative information technology construct a critical infrastructure for network transactions of business entities. Information exchange and data access though such infrastructure is scrutinized by adversaries for vulnerabilities that lead to cyber-attacks. This paper presents an agent-based system modelling to conceptualize and extract explicit and latent structure of the complex enterprise systems as well as human interactions within the system to determine common vulnerabilities of the entity. The model captures emergent behavior resulting from interactions of multiple network agents including the number of workstations, regular, administrator and third-party users, external and internal attacks, defense mechanisms for the network setting, and many other parameters. A risk-based approach to modelling cybersecurity of a business entity is utilized to derive the rate of attacks. A neural network model will generalize the type of attack based on network traffic features allowing dynamic state changes. Rules of engagement to generate self-organizing behavior will be leveraged to appoint a defense mechanism suitable for the attack-state of the model. The effectiveness of the model will be depicted by time-state chart that shows the number of affected assets for the different types of attacks triggered by the entity risk and the time it takes to revert into normal state. The model will also associate a relevant cost per incident occurrence that derives the need for enhancement of security solutions.

In the last couple of years, the move to cyberspace provides a fertile environment for ransomware criminals like ever before. Notably, since the introduction of WannaCry, numerous ransomware detection solution has been proposed. However, the ransomware incidence report shows that most organizations impacted by ransomware are running state of the art ransomware detection tools. Hence, an alternative solution is an urgent requirement as the existing detection models are not sufficient to spot emerging ransomware treat. With this motivation, our work proposes "DeepGuard," a novel concept of modeling user behavior for ransomware detection. The main idea is to log the file-interaction pattern of typical user activity and pass it through deep generative autoencoder architecture to recreate the input. With sufficient training data, the model can learn how to reconstruct typical user activity (or input) with minimal reconstruction error. Hence, by applying the three-sigma limit rule on the model's output, DeepGuard can distinguish the ransomware activity from the user activity. The experiment result shows that DeepGuard effectively detects a variant class of ransomware with minimal false-positive rates. Overall, modeling the attack detection with user-behavior permits the proposed strategy to have deep visibility of various ransomware families.

Digitalization of production and management as the imperatives of Industry 4.0 stipulated the requirements of state regulators for informing and training personnel of a significant object of critical information infrastructure. However, the attention of industrial enterprises to this problem is assessed as insufficient. This determines the relevance and purpose of this article - to develop a methodology and tool for raising the awareness of workers of an industrial enterprise about information security (IS) of significant objects of critical information infrastructure. The article reveals the features of training at industrial enterprises associated with a high level of development of safety and labor protection systems. Traditional and innovative methods and means of training personnel at the workplace within the framework of these systems and their opportunities for training in the field of information security are shown. The specificity of the content and forms of training employees on the security of critical information infrastructure has been substantiated. The scientific novelty of the study consists in the development of methods and software applications that can perform the functions of identifying personal qualities of employees; testing the input level of their knowledge in the field of IS; testing for knowledge of IS rules (by the example of a response to socio-engineering attacks); planning an individual thematic plan for employee training; automatic creation of a modular program and its content; automatic notification of the employee about the training schedule at the workplace; organization of training according to the schedule; control self-testing and testing the level of knowledge of the employee after training; organizing a survey to determine satisfaction with employee training. The practical significance of the work lies in the possibility of implementing the developed software application in industrial enterprises, which is confirmed by the successful results of its testing.

Data security is becoming more and more important in data exchange. Once the data is leaked, it will pose a great threat to the privacy and property security of users. Copyright authentication and data provenance have become an important requirement of the information security defense mechanism. In order to solve the collusion leakage of the data distributed by organization and the low efficiency of tracking the leak provenance after the data is destroyed, this paper proposes a concatenated-group digital fingerprint coding based on CFF code and Reed-solomon (RS) that can resist collusion attacks and corresponding detection algorithm. The experiments based on an asymmetric anti-collusion fingerprint protocol show that the proposed method has better performance to resist collusion attacks than similar non-grouped fingerprint coding and effectively reduces the percentage of misjudgment, which verifies the availability of the algorithm and enriches the means of organization data security audit.

More and more organizations are today using the cloud for their business as a quite convenient alternative to in-house solutions for storing, processing, and managing data. Cloud-based solutions are then permeating almost all aspects of business organizations, resulting appealing also for functions that, already in-house, may result sensitive or security critical, and whose enforcement in the cloud requires then particular care. In this paper, we provide an approach for securely relying on cloud-based services for the enforcement of Internal Controls and Audit (ICA) functions for corporate governance. Our approach is based on the use of selective encryption and of tags to provide a level of self-protection to data and for enabling only authorized parties to access data and perform operations on them, providing privacy and integrity guarantees, as well as accountability and non-repudiation.

A wide range of tools exist to assist developers in creating secure software. Many of these tools, such as static analysis engines or security checkers included in compilers, use warnings to communicate security issues to developers. The effectiveness of these tools relies on developers heeding these warnings, and there are many ways in which these warnings could be displayed. Johnson et al. [46] conducted qualitative research and found that warning presentation and integration are main issues. We built on Johnson et al.'s work and examined what developers want from security warnings, including what form they should take and how they should integrate into their workflow and work context. To this end, we conducted a Grounded Theory study with 14 professional software developers and 12 computer science students as well as a focus group with 7 academic researchers to gather qualitative insights. To back up the theory developed from the qualitative research, we ran a quantitative survey with 50 professional software developers. Our results show that there is significant heterogeneity amongst developers and that no one warning type is preferred over all others. The context in which the warnings are shown is also highly relevant, indicating that it is likely to be beneficial if IDEs and other development tools become more flexible in their warning interactions with developers. Based on our findings, we provide concrete recommendations for both future research as well as how IDEs and other security tools can improve their interaction with developers.

When modeling information security systems (ISS), the vast majority of works offer various models of threats to the object of protection (threat trees, Petri nets, etc.). However, ISS is not only a mean to prevent threats or reduce damage from their implementation, but also other components - the qualifications of employees responsible for IS, the internal climate in the team, the company's position on the market, and many others. The article considers the cognitive model of the state of the information security system of an average organization. The model is a weighted oriented graph, its' vertices are standard elements of the organization's information security system. The most significant factors affecting the condition of information security of the organization are identified based on the model. Influencing these factors is providing the most effect if IS level.

This article describes attacks methods, vectors and technics used by threat actors during pandemic situations in the world. Identifies common targets of threat actors and cyber-attack tactics. The article analyzes cybersecurity challenges and specifies possible solutions and improvements in cybersecurity. Defines cybersecurity controls, which should be taken against analyzed attack vectors.

Hardening is the process of configuring IT systems to ensure the security of the systems' components and data they process or store. The complexity of contemporary IT infrastructures, however, renders manual security hardening and maintenance a daunting task. In many organizations, security-configuration guides expressed in the SCAP (Security Content Automation Protocol) are used as a basis for hardening, but these guides by themselves provide no means for automatically implementing the required configurations. In this paper, we propose an approach to automatically extract the relevant information from publicly available security-configuration guides for Windows operating systems using natural language processing. In a second step, the extracted information is verified using the information of available settings stored in the Windows Administrative Template files, in which the majority of Windows configuration settings is defined. We show that our implementation of this approach can extract and implement 83% of the rules without any manual effort and 96% with minimal manual effort. Furthermore, we conduct a study with 12 state-of-the-art guides consisting of 2014 rules with automatic checks and show that our tooling can implement at least 97% of them correctly. We have thus significantly reduced the effort of securing systems based on existing security-configuration guides. In many organizations, security-configuration guides expressed in the SCAP (Security Content Automation Protocol) are used as a basis for hardening, but these guides by themselves provide no means for automatically implementing the required configurations. In this paper, we propose an approach to automatically extract the relevant information from publicly available security-configuration guides for Windows operating systems using natural language processing. In a second step, the extracted information is verified using the information of available settings stored in the Windows Administrative Template files, in which the majority of Windows configuration settings is defined. We show that our implementation of this approach can extract and implement 83% of the rules without any manual effort and 96% with minimal manual effort. Furthermore, we conduct a study with 12 state-of-the-art guides consisting of 2014 rules with automatic checks and show that our tooling can implement at least 97% of them correctly. We have thus significantly reduced the effort of securing systems based on existing security-configuration guides. In this paper, we propose an approach to automatically extract the relevant information from publicly available security-configuration guides for Windows operating systems using natural language processing. In a second step, the extracted information is verified using the information of available settings stored in the Windows Administrative Template files, in which the majority of Windows configuration settings is defined. We show that our implementation of this approach can extract and implement 83% of the rules without any manual effort and 96% with minimal manual effort. Furthermore, we conduct a study with 12 state-of-the-art guides consisting of 2014 rules with automatic checks and show that our tooling can implement at least 97% of them correctly. We have thus significantly reduced the effort of securing systems based on existing security-configuration guides. We show that our implementation of this approach can extract and implement 83% of the rules without any manual effort and 96% with minimal manual effort. Furthermore, we conduct a study with 12 state-of-the-art guides consisting of 2014 rules with automatic checks and show that our tooling can implement at least 97% of them correctly. We have thus significantly reduced the effort of securing systems based on existing security-configuration guides.

Organizations perform security analysis for assessing network health and safe-guarding their growing networks through Vulnerability Assessments (AKA VA Scans). The output of VA scans is reports on individual hosts and its vulnerabilities, which, are of little use as the origin of the attack can't be located from these. Attack Graphs, generated without an in-depth analysis of the VA reports, are used to fill in these gaps, but only provide cursory information. This study presents an effective model of depicting the devices and the data flow that efficiently identifies the weakest nodes along with the concerned vulnerability's origin.The complexity of the attach graph using MulVal has been greatly reduced using the proposed approach of using the risk and CVSS base score as evaluation criteria. This makes it easier for the user to interpret the attack graphs and thus reduce the time taken needed to identify the attack paths and where the attack originates from.

Protecting sensitive information from illegal access and misuse is crucial to all organizations. An inappropriate Information Security (IS) policy and procedures are not only a suitable environment for an outsider attack but also a good chance for the insiders' misuse. In this paper, we will discuss the roles of an organization in information security and how human behavior affects the Information Security System (ISS). How an organization can create and instill an effective information security culture in an organization to improve their information safeguards. The findings in this review can be used to further researches and will be useful for organizations to improve their information security structure (ISC).

Whenever we talk about big data, the concern is always about the security of the data. In recent days the most heard about technology is the Natural Language Processing. This new and trending technology helps in solving the ever ending security problems which are not completely solved using big data. Starting with the big data security issues, this paper deals with addressing the topics related to cyber security and information security using the Natural Language Processing technology. Including the well-known cyber-attacks such as phishing identification and spam detection, this paper also addresses issues on information assurance and security such as detection of Advanced Persistent Threat (APT) in DNS and vulnerability analysis. The goal of this paper is to provide the overview of how natural language processing can be used to address cyber security issues.

The timely exchange of information on new threats and vulnerabilities has become a cornerstone of effective cyber defence in recent years. Especially national authorities increasingly assume their role as information brokers through national cyber security centres and distribute warnings on new attack vectors and vital recommendations on how to mitigate them. Although many of these initiatives are effective to some degree, they also suffer from severe limitations. Many steps in the exchange process require extensive human involvement to manually review, vet, enrich, analyse and distribute security information. Some countries have therefore started to adopt distributed cyber security sensor networks to enable the automatic collection, analysis and preparation of security data and thus effectively overcome limiting scalability factors. The basic idea of IoC-centric cyber security sensor networks is that the national authorities distribute Indicators of Compromise (IoCs) to organizations and receive sightings in return. This effectively helps them to estimate the spreading of malware, anticipate further trends of spreading and derive vital findings for decision makers. While this application case seems quite simple, there are some tough questions to be answered in advance, which steer the further design decisions: How much can the monitored organization be trusted to be a partner in the search for malware? How much control of the scanning process should be delegated to the organization? What is the right level of search depth? How to deal with confidential indicators? What can be derived from encrypted traffic? How are new indicators distributed, prioritized, and scan targets selected in a scalable manner? What is a good strategy to re-schedule scans to derive meaningful data on trends, such as rate of spreading? This paper suggests a blueprint for a sensor network and raises related questions, outlines design principles, and discusses lessons learned from small-scale pilots.

Many organizations around the world recognize the vitality of cloud computing. However, some concerns make organizations reluctant to adopting cloud computing. These include data security, privacy, and trust issues. It is very important that these issues are addressed to meet client concerns and to encourage the wider adoption of cloud computing. This paper develops a user privacy framework based upon on emerging security model that includes access control, encryption and protection monitor schemas in the cloud environment.

In the era of Industry 4.0 (IR 4.0), information leakage has become a critical issue for information security. The basic approach to addressing information leakage threats is to implement an information security policy (ISP) that defines the standards, boundaries, and responsibilities of users of information and technology of an organization. ISPs are one of the most commonly used methods for controlling internal user security behaviours, which include, but not limited to, computer usage ethics; organizational system usage policies; Internet and email usage policies; and the use of social media. Human error is the main security threat to information security, resulting from negligence, ignorance, and failure to adhere to organizational information security policies. Information security incidents are a problem related to human behaviour because technology is designed and operated by humans, presenting the opportunities and spaces for human error. In addition to the factor of human error as the main source of information leakage, this study aims to systematically analyse the fundamental issues of information security policy compliance. An analysis of these papers identifies and categories critical factor that effect an employee's attitude toward compliance with ISP. The human, process, technology element and information governance should be thought as a significant scope for more efficiency of information security policy compliance and in any further extensive studies to improve on information security policy compliance. Therefore, to ensure these are properly understood, further study is needed to identity the information governance that needs to be included in organizations and current best practices for developing an information security policy compliance within organizations.

Understanding the IP address depletion and the importance of handling security issues in IPv6 deployment can make IT personnel becomes more functional and helpful to the organization. It also applied to the management people who are responsible for approving the budget or organization policy related to network security. Unfortunately, new employees or fresh graduates may not really understand the challenge related to IPv6 deployment. In order to be equipped with appropriate knowledge and skills, these people may require a few weeks of attending workshops or training. Thus, of course involving some implementation cost as well as sacrificing allocated working hours. As an alternative to save cost and to help new IT personnel become quickly educated and familiar with IPv6 deployment issues, this paper presented a learning kit that has been designed to include self-learning features that can help neophytes to learn about IPv6 at their own pace. The kit contains some compact notes, brief security model and framework as well as a guided module with supporting quizzes to maintain a better understanding of the topics. Since IPv6 is still in the early phase of implementation in most of developing countries, this kit can be an additional assisting tool to accelerate the deployment of IPv6 environment in any organization. The kit also can be used by teachers and trainers as a supporting tool in the classroom. The pre-alpha testing has attracted some potential users and the findings proved their acceptance. The kit has prospective to be further enhanced and commercialized.

The task of the insider threat detection is one of the most sophisticated problems of the information security. The analysis of the logs of the access control system may reveal on how employees move and interact providing thus better understanding on how personnel observe security policies and established business processes. The paper presents an approach to the detection of the location-centric employees' interaction patterns. The authors propose the formal definition of the interaction patterns and present the visualization-driven technique to the extraction of the patterns from the data when any prior information about existing interaction routine and procedures is not available. The proposed approach is demonstrated on the data set provided within VAST MiniChallenge-2 2016 contest.

In this article, we introduce the MACH-2K trust overlay network and its architecture. MACH-2K's objectives are to (a) enhance the resiliency of emergency response and public service networks and (b) help build such networks in places, or at times, where network infrastructure is limited. Resiliency may be enhanced in an economic manner by building new ad hoc networks of private mobile devices and joining these to public service networks at specific trusted points. The major barrier to building resiliency by using private devices is ensuring security. MACH-2K uses device location and communication utility patterns to assign trust to devices, after owner approval. After trust is established, message confidentiality, privacy, and integrity may be implemented by well-known cryptographic means. MACH-2K devices may be then requested to forward or consume different types of messages depending on their current level of trust and utility.