Biblio

Cyber security is an important concern in critical infrastructures such as banking and financial organizations, where a number of malicious insiders are involved. These insiders may be existing employees / users present within the organization and causing harm by performing any malicious activity and are commonly known as insider threats. Existing insider threat detection (ITD) methods are based on statistical analysis, machine and deep learning approaches. They monitor and detect malicious user activity based on pre-built rules which fails to detect unforeseen threats. Also, some of these methods require explicit feature engineering which results in high false positives. Apart from this, some methods choose relatively insufficient features and are computationally expensive which affects the classifier's accuracy. Hence, in this paper, a user behaviour based ITD method is presented to overcome the above limitations. It is a conceptually simple and flexible approach based on augmented decision making and anomaly detection. It consists of bi-directional long short term memory (bi-LSTM) for efficient feature extraction. For the purpose of classifying users as "normal" or "malicious", a binary class support vector machine (SVM) is used. CMU-CERT v4.2 dataset is used for testing the proposed method. The performance is evaluated using the following parameters: Accuracy, Precision, Recall, F- Score and AUC-ROC. Test results show that the proposed method outperforms the existing methods.

Cyber supply chain (CSC) security cost effectiveness should be the first and foremost decision to consider when integrating various networks in supplier inbound and outbound chains. CSC systems integrate different organizational network systems nodes such as SMEs and third-party vendors for business processes, information flows, and delivery channels. Adversaries are deploying various attacks such as RAT and Island-hopping attacks to penetrate, infiltrate, manipulate and change delivery channels. However, most businesses fail to invest adequately in security and do not consider analyzing the long term benefits of that to monitor and audit third party networks. Thus, making cost benefit analysis the most overriding factor. The paper explores the cost-benefit analysis of investing in cyber supply chain security to improve security. The contribution of the paper is threefold. First, we consider the various existing cybersecurity investments and the supply chain environment to determine their impact. Secondly, we use the NPV method to appraise the return on investment over a period of time. The approach considers other methods such as the Payback Period and Internal Rate of Return to analyze the investment appraisal decisions. Finally, we propose investment options that ensure CSC security performance investment appraisal, ROI, and business continuity. Our results show that NVP can be used for cost-benefit analysis and to appraise CSC system security to ensure business continuity planning and impact assessment.

Cyber security is a topic of increasing relevance in relation to industrial networks. The higher intensity and intelligent use of data pushed by smart technology (Industry 4.0) together with an augmented integration between the operational technology (production) and the information technology (business) parts of the network have considerably raised the level of vulnerabilities. On the other hand, many industrial facilities still use serial networks as underlying communication system, and they are notoriously limited from a cyber security perspective since protection mechanisms available for ТСР/IР communication do not apply. Therefore, an attacker gaining access to a serial network can easily control the industrial components, potentially causing catastrophic incidents, jeopardizing assets and human lives. This study proposes a framework to act as an anomaly detection system (ADS) for industrial serial networks. It has three ingredients: an unsupervised К-means component to analyse message content, a knowledge-based Expert System component to analyse message metadata, and a voting process to generate alerts for security incidents, anomalous states, and faults. The framework was evaluated using the Proflbus-DP, a network simulator which implements a serial bus system. Results for the simulated traffic were promising: 99.90% for accuracy, 99,64% for precision, and 99.28% for F1-Score. They indicate feasibility of the framework applied to serial-based industrial networks.

The digitalization process did not circumvent either railway domain. With new technology and new functionality, such as digital interlocking system, automated train operation, object recognition, GPS positioning, traditional railway domain got a vulnerability that can be exploited. Another issue is usage of CotS (Commercial-of-the-Shelf) hardware and software and openness of traditionally closed system. Most of published similar paper are focused on cyber security and security & safety model for securing of assessment in this kind of domain, but this paper will deal with this upcoming railway technology and digital investigation process in such kind of environment. Digital investigation process will be presented, but not only in ICS and SCADA system, but also in specific, railway environment. Framework for investigation process and for maintaining chain of custody in railway domain will be proposed.

As it is easy to ensure the confidentiality of users on the Dark Web, malware and exploit kits are sold on the market, and attack methods are discussed in forums. Some services provide IoT Botnet to perform distributed denial-of-service (DDoS as a Service: DaaS), and it is speculated that the purchase of these services is made on the Dark Web. By crawling such information and storing it in a database, threat intelligence can be obtained that cannot otherwise be obtained from information on the Surface Web. However, crawling sites on the Dark Web present technical challenges. For this paper, we implemented a crawler that can solve these challenges. We also collected information on markets and forums on the Dark Web by operating the implemented crawler. Results confirmed that the dataset collected by crawling contains threat intelligence that is useful for analyzing cyber attacks, particularly those related to IoT Botnet and DaaS. Moreover, by uncovering the relationship with security reports, we demonstrated that the use of data collected from the Dark Web can provide more extensive threat intelligence than using information collected only on the Surface Web.

The expression of cyber-attacks on communication links in smart grids has emerged recently. In microgrids, cooperation between agents through communication links is required, thus, microgrids can be considered as cyber-physical-systems and they are vulnerable to cyber-attack threats. Cyber-attacks can cause damages in control systems, therefore, the resilient control methods are necessary. In this paper, a resilient control approach against false data injection attack is proposed for secondary control of DC microgrids. In the proposed framework, a PI controller with an adjustable gain is utilized to eliminate the injected false data. The proposed control method is employed for both sensor and link attacks. Convergence analysis of the measurement sensors and the secondary control objectives under the studied control method is performed. Finally, a DC microgrid with four units is built in Matlab/Simulink environment to verify the proposed approach.

There has been a significant rise in ransomware attacks over the last few years. Cyber attackers have made use of tried and true ransomware viruses to target the government, health care, and educational institutions. Ransomware variants can be purchased on the dark web by amateurs giving them the same attack tools used by professional cyber attackers without experience or skill. Traditional antivirus and antimalware products have improved, but they alone fall short when it comes to catching and stopping ransomware attacks. Employee training has become one of the most important aspects of being prepared for attempted cyberattacks. However, training alone only goes so far; human error is still the main entry point for malware and ransomware infections. In this paper, we propose a multi-layered defense approach to safeguard against ransomware. We have come to the startling realization that it is not a matter of “if” your organization will be hit with ransomware, but “when” your organization will be hit with ransomware. If an organization is not adequately prepared for an attack or how to respond to an attack, the effects can be costly and devastating. Our approach proposes having innovative antimalware software on the local machines, properly configured firewalls, active DNS/Web filtering, email security, backups, and staff training. With the implementation of this layered defense, the attempt can be caught and stopped at multiple points in the event of an attempted ransomware attack. If the attack were successful, the layered defense provides the option for recovery of affected data without paying a ransom.

Video Conferencing has emerged as a new paradigm of communication in the age of COVID-19 pandemic. This technology is allowing us to have real-time interaction during the social distancing era. Even before the current crisis, it was increasingly commonplace for organizations to adopt a video conferencing tool. As people adopt video conferencing tools and access data with potentially less secure equipment and connections, meetings are becoming a target to cyber attackers. Enforcing appropriate security and privacy settings prevents attackers from exploiting the system. To design the video conferencing system's security and privacy model, an exhaustive threat model must be adopted. Threat modeling is a process of optimizing security by identifying objectives, vulnerabilities, and defining the plan to mitigate or prevent potential threats to the system. In this paper, we use the widely accepted STRIDE threat modeling technique to identify all possible risks to video conferencing tools and suggest mitigation strategies for creating a safe and secure system.

Mitigation of dangers posed by authorized and trusted insiders to the organization is a challenging Cyber Security issue. Despite state-of-the-art cyber security practices, malicious insiders present serious threat for the enterprises due to their wider access to organizational resources (Physical, Cyber) and good knowledge of internal processes with potential vulnerabilities. The issue becomes particularly important for isolated (air-gapped) computer networks, normally used by security sensitive organizations such as government, research and development, critical infrastructure (e.g. power, nuclear), finance, and military. Such facilities are difficult to compromise from outside; however, are quite much prone to insider threats. Although many insider threat taxonomies exist for generic computer networks; yet, the existing taxonomies do not effectively address the issue of Insider Threat in isolated computer networks. Thereby, we have developed an insider threat taxonomy specific to isolated computer networks focusing on actions performed by the trusted individual(s), Our methodology is to identify limitations in existing taxonomies and map real world insider threat cases on proposed taxonomy. We argue that for successful attack in an isolated computer network, the attack must manifest in both Physical and Cyber world. The proposed taxonomy systematically classifies different aspects of the problem into separate dimensions and branches out these dimensions into further sub-categories without loss of general applicability. Our multi-dimensional hierarchical taxonomy provides comprehensive treatment of the insider threat problem in isolated computer networks; thus, improving situational awareness of the security analyst and helps in determining proper countermeasures against perceived threats. Although many insider threat taxonomies exist for generic computer networks; yet, the existing taxonomies do not effectively address the issue of Insider Threat in isolated computer networks. Thereby, we have developed an insider threat taxonomy specific to isolated computer networks focusing on actions performed by the trusted individual(s), Our methodology is to identify limitations in existing taxonomies and map real world insider threat cases on proposed taxonomy. We argue that for successful attack in an isolated computer network, the attack must manifest in both Physical and Cyber world. The proposed taxonomy systematically classifies different aspects of the problem into separate dimensions and branches out these dimensions into further sub-categories without loss of general applicability. Our multi-dimensional hierarchical taxonomy provides comprehensive treatment of the insider threat problem in isolated computer networks; thus, improving situational awareness of the security analyst and helps in determining proper countermeasures against perceived threats. The proposed taxonomy systematically classifies different aspects of the problem into separate dimensions and branches out these dimensions into further sub-categories without loss of general applicability. Our multi-dimensional hierarchical taxonomy provides comprehensive treatment of the insider threat problem in isolated computer networks; thus, improving situational awareness of the security analyst and helps in determining proper countermeasures against perceived threats.

A Cyber Attack is a sudden attempt launched by cybercriminals against multiple computers or networks. According to evolution of cyber space, insider attack is the most serious attack faced by end users, all over the world. Cyber Security reports shows that both US federal Agency as well as different organizations faces insider threat. Machine learning (ML) provide an important technology to secure data from insider threats. Random Forest is the best algorithm that focus on user's action, services and ability for insider attack detection based on data granularity. Substantial raise in the count of decision tree, increases the time consumption and complexity of Random Forest. A novel algorithm Known as Random Forest With Randomized Weighted Fuzzy Feature Set (RF-RWFF) is developed. Fuzzy Membership Function is used for feature aggregation and Randomized Weighted Majority Algorithm (RWMA) is used in the prediction part of Random Forest (RF) algorithm to perform voting. RWMA transform conventional Random Forest, to a perceptron like algorithm and increases the miliage. The experimental results obtained illustrate that the proposed model exhibits an overall improvement in accuracy and recall rate with very much decrease in time complexity compared to conventional Random Forest algorithm. This algorithm can be used in organization and government sector to detect insider fastly and accurately.

Automated teller machines are affected by two kinds of attacks: physical and logical. It is common for most banks to look for zero-day protection for their devices. The most secure solutions available are based on complex security policies that are extremely hard to configure. The goal of this article is to present a concept of using the modified MajorClust algorithm for generating a sandbox-based security policy based on ATM usage data. The results obtained from the research prove the effectiveness of the used techniques and confirm that it is possible to create a division into sandboxes in an automated way.

Recently, cyber security in power systems has captured significant interest. This is because the world has seen a surge in cyber attacks on power systems. One of the prolific cyber attacks in modern power systems are False Data Injection Attacks (FDIA). In this paper, we analyzed the impact of FDIA on the operation cost of power systems. Also, we introduced a novel Advanced Persistent Threat (APT) based attack strategy that maximizes the operating costs when attacking specific nodes in the system. We model the attack strategy using an optimization problem and use metaheuristics algorithms to solve the optimization problem and execute the attack. We have found that our attacks can increase the power generation cost by up to 15.6%, 60.12%, and 74.02% on the IEEE 6-Bus systems, 30-Bus systems, and 118-Bus systems, respectively, as compared to normal operation.

The network security problem brought by the cloud computing has become an important issue to be dealt with in information construction. Since anomaly detection and attack detection in cloud environment need to find the vulnerability through the reverse analysis of data flow, it is of great significance to carry out the reverse analysis of unknown network protocol in the security application of cloud environment. To solve this problem, an improved mining method on bitstream protocol association rules with unknown type and format is proposed. The method combines the location information of the protocol framework to make the frequent extraction process more concise and accurate. In addition, for the frame separation problem of unknown protocol, we design a hierarchical clustering algorithm based on Jaccard distance and a frame field delimitation method based on the proximity of information entropy between bytes. The experimental results show that this technology can correctly resolve the protocol format and realize the purpose of anomaly detection in cloud computing, and ensure the security of cloud services.

The Internet, originally an academic network for the rapid exchange of information, has moved over time into the commercial media, business and later industrial communications environment. Recently, it has been included as a part of cyberspace as a combat domain. Any device connected to the unprotected Internet is thus exposed to possible attacks by various groups and individuals pursuing various criminal, security and political objectives. Therefore, each such device must be set up to be as resistant as possible to these attacks. For the implementation of small home, academic or industrial systems, people very often use small computing system Raspberry PI, which is usually equipped with the operating system Raspbian Linux. Such a device is often connected to an unprotected Internet environment and if successfully attacked, can act as a gateway for an attacker to enter the internal network of an organization or home. This paper deals with security configuration of Raspbian Linux operating system for operation on public IP addresses in an unprotected Internet environment. The content of this paper is the conduction and analysis of an experiment in which five Raspbian Linux/Raspberry PI accounts were created with varying security levels; the easiest to attack is a simulation of the device of a user who has left the system without additional security. The accounts that follow gradually add further protection and security. These accounts are used to simulate a variety of experienced users, and in a practical experiment the effects of these security measures are evaluated; such as the number of successful / unsuccessful attacks; where the attacks are from; the type and intensity of the attacks; and the target of the attack. The results of this experiment lead to formulated conclusions containing an analysis of the attack and subsequent design recommendations and settings to secure such a device. The subsequent section of the paper discusses the implementation of a simple TCP server that is configured to listen to incoming traffic on preset ports; it simulates the behaviour of selected services on these ports. This server's task is to intercept unauthorized connection attempts to these ports and intercepting attempts to communicate or attack these services. These recorded attack attempts are analyzed in detail and formulated in the conclusion, including implications for the security settings of such a device. The overall result of this paper is the recommended set up of operating system Raspbian Linux to work on public IP addresses in an unfiltered Internet environment.

The digital transformation is injecting energy into economic growth and governance improvement for the China government. Digital governance and e-government services are playing a more and more important role in public management and social governance. Meanwhile, cyber-attacks and threats become the major challenges for e-government application systems. In this paper, we proposed a novel dynamic access entry scheme for web application, which provide a rapidly-changing defender-controlled attack surface based on Moving Target Defense (MTD) technology. The scheme can turn the static keywords of Uniform Resource Locator (URL) into the dynamic and random ones, which significantly increase the cost to adversaries attack. We present the prototype of the proposed scheme and evaluate the feasibility and effectiveness. The experimental results demonstrated the scheme is practical and effective.

With the booming of Internet technology, the continuous emergence of new technologies and new algorithms greatly expands the application boundaries of cyberspace. While enjoying the convenience brought by informatization, the society is also facing increasingly severe threats to the security of cyberspace. In cyber security defense, cyberspace operators rely on the discovered vulnerabilities, attack patterns, TTPs, and other knowledge to observe, analyze and determine the current threats to the network and security situation in cyberspace, and then make corresponding decisions. However, most of such open-source knowledge is distributed in different data sources in the form of text or web pages, which is not conducive to the understanding, query and correlation analysis of cyberspace operators. In this paper, a knowledge graph for cyber security is constructed to solve this problem. At first, in the process of obtaining security data from multi-source heterogeneous cyberspaces, we adopt efficient crawler to crawl the required data, paving the way for knowledge graph building. In order to establish the ontology required by the knowledge graph, we abstract the overall framework of security data sources in cyberspace, and depict in detail the correlations among various data sources. Then, based on the \$$\backslash$mathbfOWL +$\backslash$mathbfSWRL\$ language, we construct the cyber security knowledge graph. On this basis, we design an analysis system for situation in cyberspace based on knowledge graph and the Snort intrusion detection system (IDS), and study the rules in Snort. The system integrates and links various public resources from the Internet, including key information such as general platforms, vulnerabilities, weaknesses, attack patterns, tactics, techniques, etc. in real cyberspace, enabling the provision of comprehensive, systematic and rich cyber security knowledge to security researchers and professionals, with the expectation to provide a useful reference for cyber security defense.

In the era of rapid technological growth, malicious traffic has drawn increased attention. Most well-known offensive security assessment todays are heavily focused on pre-compromise. The amount of anomalous data in today's context is massive. Analyzing the data using primitive methods would be highly challenging. Solution to it is: If we can detect adversary behaviors in the early stage of compromise, one can prevent and safeguard themselves from various attacks including ransomwares and Zero-day attacks. Integration of new technologies Artificial Intelligence & Machine Learning with manual Anomaly Detection can provide automated machine-based detection which in return can provide the fast, error free, simplify & scalable Threat Detection & Response System. Endpoint Detection & Response (EDR) tools provide a unified view of complex intrusions using known adversarial behaviors to identify intrusion events. We have used the EMBER dataset, which is a labelled benchmark dataset. It is used to train machine learning models to detect malicious portable executable files. This dataset consists of features derived from 1.1 million binary files: 900,000 training samples among which 300,000 were malicious, 300,000 were benevolent, 300,000 un-labelled, and 200,000 evaluation samples among which 100K were malicious, 100K were benign. We have also included open-source code for extracting features from additional binaries, enabling the addition of additional sample features to the dataset.

Cyber-attacks are becoming more complex & increasing tasks in accurate intrusion detection (ID). Failure to avoid intrusion can reduce the reliability of security services, for example, integrity, Privacy & availability of data. The rapid proliferation of computer networks (CNs) has reformed the perception of network security. Easily accessible circumstances affect computer networks from many threats by hackers. Threats to a network are many & hypothetically devastating. Researchers have recognized an Intrusion Detection System (IDS) up to identifying attacks into a wide variety of environments. Several approaches to intrusion detection, usually identified as Signature-based Intrusion Detection Systems (SIDS) & Anomaly-based Intrusion Detection Systems (AIDS), were proposed in the literature to address computer safety hazards. This survey paper grants a review of current IDS, complete analysis of prominent new works & generally utilized dataset to evaluation determinations. It also introduces avoidance techniques utilized by attackers to avoid detection. This paper delivers a description of AIDS for attack detection. IDS is an applied research area in artificial intelligence (AI) that uses multiple machine learning algorithms.

Trust is essential in designing autonomous and semiautonomous Robots and Autonomous Systems (RAS), because of the ``No trust, no use'' concept. RAS should provide high quality services, with four key properties that make them trustworthy: they must be (i) robust with regards to any system health related issues, (ii) safe for any matters in their surrounding environments, (iii) secure against any threats from cyber spaces, and (iv) trusted for human-machine interaction. This article thoroughly analyses the challenges in implementing the trustworthy RAS in respects of the four properties, and addresses the power of AI in improving the trustworthiness of RAS. While we focus on the benefits that AI brings to human, we should realize the potential risks that could be caused by AI. This article introduces for the first time the set of key aspects of human-centered AI for RAS, which can serve as a cornerstone for implementing trustworthy RAS by design in the future.

The Internet of Things (IoT) has enabled the rapid pace of the use of communication technology and infiltration of technical systems in a digital world. In terms of power systems generation and operation, a reliable solution for substation automation and smart grid communication is the IEC 61850 standard. It has a robust modelling structure for monitoring, protection, and control and management systems in substations and across the grid. Modern communication technologies are destined for internet use for remote monitoring, settings, and data recovery. However, the communication network is exposed to cyber threats and evident risks in security defense of automated power systems. To tackle these vulnerabilities, the IEC 62351 standard aims to improve security in handling the communication and data transfers in power system automation. This paper discusses the different security measures in communication, information and cyber security solutions in power systems. To further illustrate the novel communication and security schemes of digital substations, a case study using the Victoria University Zone Substation (VUZS) simulator for cybersecurity assessment has been instigated.

Power system automation and communication standards are spearheading the power system transition towards a smart grid. IEC 61850 is one such standard, which is widely used for substation automation and protection. It enables real-time communication and data exchange between critical substation automation and protection devices within digital substations. However, IEC 61850 is not cyber secure. In this paper, we demonstrate the dangerous implications of not securing IEC 61850 standard. Cyber attacks may exploit the vulnerabilities of the Sampled Values (SV) and Generic Object-Oriented Substation Event (GOOSE) protocols of IEC 61850. The cyber attacks may be realised by injecting spoofed SV and GOOSE data frames into the substation communication network at the bay level. We demonstrate that such cyber attacks may lead to obstruction or tripping of multiple protective relays. Coordinated cyber attacks against the protection system in digital substations may cause generation and line disconnections, triggering cascading failures in the power grid. This may eventually result in a partial or complete blackout. The attack model, impact on system dynamics and cascading failures are veri ed experimentally through a proposed cyber-physical experimental framework that closely resembles real-world conditions within a digital substation, including Intelligent Electronic Devices (IEDs) and protection schemes. It is implemented through Hardware-in-the-Loop (HIL) simulations of commercial relays with a Real-Time Digital Simulator (RTDS).

Power systems automation and communication standards are crucial for the transition of the conventional power system towards a smart grid. The IEC 61850 standard is widely used for substation automation and protection. It enables real-time communication and data exchange between critical substation automation devices. IEC 61850 serves as the foundation for open communication and data exchange for digital substations of the smart grid. However, IEC 61850 has cyber security vulnerabilities that can be exploited with a man-in-the-middle attack. Such coordinated cyber attacks against the protection system in digital substations can disconnect generation and transmission lines, causing cascading failures. In this paper, we demonstrate a cyber attack involving the Generic Object-Oriented Substation Event (GOOSE) protocol of IEC 61850. This is achieved by exploiting the cyber security vulnerabilities in the protocol and injecting spoofed GOOSE data frames into the substation communication network at the bay level. The cyber attack leads to tripping of multiple protective relays in the power grid, eventually resulting in a blackout. The attack model and impact on system dynamics are verified experimentally through hardware-in-the-loop simulations using commercial relays and Real-Time Digital Simulator (RTDS).

The following topics are dealt with: security of data; distributed power generation; power engineering computing; power grids; power system security; computer network security; voltage control; risk management; power system measurement; critical infrastructures.

The intelligent electronic devices widely deployed across the distribution network are inevitably making the feeder automation (FA) system more vulnerable to cyber-attacks, which would lead to disastrous socio-economic impacts. This paper proposes a three-stage game-theoretic framework that the defender allocates limited security resources to minimize the economic impacts on FA system while the attacker deploys limited attack resources to maximize the corresponding impacts. Meanwhile, the probability of successful attack is calculated based on the Bayesian attack graph, and a fault-tolerant location technique for centralized FA system is elaborately considered during analysis. The proposed game-theoretic framework is converted into a two-level zero-sum game model and solved by the particle swarm optimization (PSO) combined with a generalized reduced gradient algorithm. Finally, the proposed model is validated on distribution network for RBTS bus 2.

Recent cyberattacks targeting Supervisory Control and Data Acquisition (SCADA)/Industrial Control System(ICS) exploit weaknesses of host system software environment and take over the control of host processes in the host of the station network. We analyze the attack path of these attacks, which features how the attack hijacks the host in the network and compromises the operations of field device controllers. The paper proposes a host-based protection method, which can prevent malware penetration into the process memory by code injection attacks. The method consists of two protection schemes. One is to prevent file-based code injection such as DLL injection. The other is to prevent fileless code injection. The method traces changes in memory regions and determine whether the newly allocated memory is written with malicious codes. For this method, we show how a machine learning method can be adopted.