Biblio

The advanced persistent threat (APT) landscape has been studied without quantifiable data, for which indicators of compromise (IoC) may be uniformly analyzed, replicated, or used to support security mechanisms. This work culminates extensive academic and industry APT analysis, not as an incremental step in existing approaches to APT detection, but as a new benchmark of APT related opportunity. We collect 15,259 APT IoC hashes, retrieving subsequent sandbox execution logs across 41 different file types. This work forms an initial focus on Windows-based threat detection. We present a novel Windows APT executable (APT-EXE) dataset, made available to the research community. Manual and statistical analysis of the APT-EXE dataset is conducted, along with supporting feature analysis. We draw upon repeat and common APT paths access, file types, and operations within the APT-EXE dataset to generalize APT execution footprints. A baseline case analysis successfully identifies a majority of 117 of 152 live APT samples from campaigns across 2018 and 2019.

Ransomware attacks are taking advantage of the ongoing pandemics and attacking the vulnerable systems in business, health sector, education, insurance, bank, and government sectors. Various approaches have been proposed to combat ransomware, but the dynamic nature of malware writers often bypasses the security checkpoints. There are commercial tools available in the market for ransomware analysis and detection, but their performance is questionable. This paper aims at proposing an AI-based ransomware detection framework and designing a detection tool (AIRaD) using a combination of both static and dynamic malware analysis techniques. Dynamic binary instrumentation is done using PIN tool, function call trace is analyzed leveraging Cuckoo sandbox and Ghidra. Features extracted at DLL, function call, and assembly level are processed with NLP, association rule mining techniques and fed to different machine learning classifiers. Support vector machine and Adaboost with J48 algorithms achieved the highest accuracy of 99.54% with 0.005 false-positive rates for a multi-level combined term frequency approach.

Enforcing security and resilience in a cloud platform is an essential but challenging problem due to the presence of a large number of heterogeneous applications running on shared resources. A security analysis system that can detect threats or malware must exist inside the cloud infrastructure. Much research has been done on machine learning-driven malware analysis, but it is limited in computational complexity and detection accuracy. To overcome these drawbacks, we proposed a new malware detection system based on the concept of clustering and trend micro locality sensitive hashing (TLSH). We used Cuckoo sandbox, which provides dynamic analysis reports of files by executing them in an isolated environment. We used a novel feature extraction algorithm to extract essential features from the malware reports obtained from the Cuckoo sandbox. Further, the most important features are selected using principal component analysis (PCA), random forest, and Chi-square feature selection methods. Subsequently, the experimental results are obtained for clustering and non-clustering approaches on three classifiers, including Decision Tree, Random Forest, and Logistic Regression. The model performance shows better classification accuracy and false positive rate (FPR) as compared to the state-of-the-art works and non-clustering approach at significantly lesser computation cost.

Whenever any internet user visits a website, a scripting language runs in the background known as JavaScript. The embedding of malicious activities within the script poses a great threat to the cyberworld. Attackers take advantage of the dynamic nature of the JavaScript and embed malicious code within the website to download malware and damage the host. JavaScript developers obfuscate the script to keep it shielded from getting detected by the malware detectors. In this paper, we propose a novel technique for analysing and detecting JavaScript using sandbox assisted ensemble model. We extract the payload using malware-jail sandbox to get the real script. Upon getting the extracted script, we analyse it to define the features that are needed for creating the dataset. We compute Pearson's r between every feature for feature extraction. An ensemble model consisting of Sequential Minimal Optimization (SMO), Voted Perceptron and AdaBoost algorithm is used with voting technique to detect malicious JavaScript. Experimental results show that our proposed model can detect obfuscated and de-obfuscated malicious JavaScript with an accuracy of 99.6% and 0.03s detection time. Our model performs better than other state-of-the-art models in terms of accuracy and least training and detection time.

Mining of data is used to analyze facts to discover formerly unknown patterns, classifying and grouping the records. There are several crucial scalable statistics mining platforms that have been developed in latest years. RapidMiner is a famous open source software which can be used for advanced analytics, Weka and Orange are important tools of machine learning for classifying patterns with techniques of clustering and regression, whilst Knime is often used for facts preprocessing like information extraction, transformation and loading. This article encapsulates the most important and robust platforms.

The dynamicity and complexity of clouds highlight the importance of automated root cause analysis solutions for explaining what might have caused a security incident. Most existing works focus on either locating malfunctioning clouds components, e.g., switches, or tracing changes at lower abstraction levels, e.g., system calls. On the other hand, a management-level solution can provide a big picture about the root cause in a more scalable manner. In this paper, we propose DOMINOCATCHER, a novel provenance-based solution for explaining the root cause of security incidents in terms of management operations in clouds. Specifically, we first define our provenance model to capture the interdependencies between cloud management operations, virtual resources and inputs. Based on this model, we design a framework to intercept cloud management operations and to extract and prune provenance metadata. We implement DOMINOCATCHER on OpenStack platform as an attached middleware and validate its effectiveness using security incidents based on real-world attacks. We also evaluate the performance through experiments on our testbed, and the results demonstrate that DOMINOCATCHER incurs insignificant overhead and is scalable for clouds.

Automated techniques for rigorous floating-point round-off error analysis are a prerequisite to placing important activities in HPC such as precision allocation, verification, and code optimization on a formal footing. Yet existing techniques cannot provide tight bounds for expressions beyond a few dozen operators-barely enough for HPC. In this work, we offer an approach embedded in a new tool called SATIHE that scales error analysis by four orders of magnitude compared to today's best-of-class tools. We explain how three key ideas underlying SATIHE helps it attain such scale: path strength reduction, bound optimization, and abstraction. SATIHE provides tight bounds and rigorous guarantees on significantly larger expressions with well over a hundred thousand operators, covering important examples including FFT, matrix multiplication, and PDE stencils.

As neural networks make their way into safety-critical systems, where misbehavior can lead to catastrophes, there is a growing interest in certifying the equivalence of two structurally similar neural networks - a problem known as differential verification. For example, compression techniques are often used in practice for deploying trained neural networks on computationally- and energy-constrained devices, which raises the question of how faithfully the compressed network mimics the original network. Unfortunately, existing methods either focus on verifying a single network or rely on loose approximations to prove the equivalence of two networks. Due to overly conservative approximation, differential verification lacks scalability in terms of both accuracy and computational cost. To overcome these problems, we propose NEURODIFF, a symbolic and fine-grained approximation technique that drastically increases the accuracy of differential verification on feed-forward ReLU networks while achieving many orders-of-magnitude speedup. NEURODIFF has two key contributions. The first one is new convex approximations that more accurately bound the difference of two networks under all possible inputs. The second one is judicious use of symbolic variables to represent neurons whose difference bounds have accumulated significant error. We find that these two techniques are complementary, i.e., when combined, the benefit is greater than the sum of their individual benefits. We have evaluated NEURODIFF on a variety of differential verification tasks. Our results show that NEURODIFF is up to 1000X faster and 5X more accurate than the state-of-the-art tool.

The usage of wireless devices is increased from last decade due to its reliable, fast and easy transfer of data. Ensuring the security to these networks is a crucial thing. There are several types of network attacks, in this paper, DDoS attacks on networks and techniques, consequences, effects and prevention methods are focused on. The DDoS attack is carried out by multiple attackers on a system which floods the system with a greater number of incoming requests to the system. The destination system cannot immediately respond to the huge requests, due to this server crashes or halts. To detect, or to avoid such scenarios Intrusion prevention system is designed. The IPS block the network attacker at its first hop and thus reduce the malicious traffic near its source. Intrusion detection system prevents the attack without the prior knowledge of the attacker. The attack is detected at the router side and path is changed to transfer the files. The proposed model is designed to obtain the dynamic path for efficient transmission in wireless neworks.

Recently, there has been a dramatic increase in cyber attacks around the globe. Hundreds of 0day vulnerabilities on different platforms are discovered by security researchers worldwide. The attack vectors are becoming more and more difficult to be discovered by any anti threat detection engine. Inorder to bypass these smart detection mechanisms, attackers now started carrying out attacks at extremely low level where no threat inspection units are present. This makes the attack more stealthy with increased success rate and almost zero detection rate. A best case example for this scenario would be attacks like Meltdown and Spectre that targeted the modern processors to steal information by exploiting out-of-order execution feature in modern processors. These types of attacks are incredibly hard to detect and patch. Even if a patch is released, a wide range of normal audience are unaware of this both the vulnerability and the patch. This paper describes one such low level attacks that involves the process of reverse engineering firmwares and manually backdooring them with several linux utilities. Also, compromising a real world WiFi router with the manually backdoored firmware and attaining reverse shell from the router is discussed. The WiFi routers are almost everywhere especially in public places. Firmwares are responsible for controlling the routers. If the attacker manipulates the firmware and gains control over the firmware installed in the router, then the attacker can get a hold of the network and perform various MITM attacks inside the network with the help of the router.

In today's era, the probability of the wireless devices getting hacked has grown extensively. Due to the various WLAN vulnerabilities, hackers can break into the system. There is a lack of awareness among the people about security mechanisms. From the past experiences, the study reveals that router security encrypted protocol is often cracked using several ways like dictionary attack and brute force attack. The identified methods are costly, require extensive hardware, are not reliable and do not detect all the vulnerabilities of the system. This system aims to test all router protocols which are WEP, WPA, WPA2, WPS and detect the vulnerabilities of the system. Kali Linux version number 2.0 is being used over here and therefore the tools like airodump-ng, aircrack-ng are used to acquire access point pin which gives prevention methods for detected credulity and aims in testing various security protocols to make sure that there's no flaw which will be exploited.

The sophistication and complexity of recent exploitation techniques, which rely on memory disclosure and whole-function reuse to bypass address space layout randomization and control flow integrity, is indicative of the effect that the combination of exploit mitigations has in challenging the construction of reliable exploits. In addition to software diversification and control flow enforcement, recent efforts have focused on the complementary approach of code and API specialization to restrict further the critical operations that an attacker can perform as part of a code reuse exploit. In this paper we propose Saffire, a compiler-level defense against code reuse attacks. For each calling context of a critical function, Saffire creates a specialized and hardened replica of the function with a restricted interface that can accommodate only that particular invocation. This is achieved by applying staticargumentbinding, to eliminate arguments with static values and concretize them within the function body, and dynamicargumentbinding, which applies a narrow-scope form of data flow integrity to restrict the acceptable values of arguments that cannot be statically derived. We have implemented Saffire on top of LLVM, and applied it to a set of 11 applications, including Nginx, Firefox, and Chrome. The results of our experimental evaluation with a set of 17 real-world ROP exploits and three whole-function reuse exploits demonstrate the effectiveness of Saffire in preventing these attacks while incurring a negligible runtime overhead.

Memory corruption vulnerabilities, mainly present in C and C++ applications, may enable attackers to maliciously take control over the program running on a target machine by forcing it to execute an unintended sequence of instructions present in memory. This is the principle of modern Code-Reuse Attacks (CRAs) and of famous attack paradigms as Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP). Control-Flow Integrity (CFI) is a promising approach to protect against such runtime attacks. Recently, many CFI-based solutions have been proposed, resorting to both hardware and software implementations. However, many of these solutions are hardly applicable to microcontroller systems, often very resource-limited. The paper presents a generic, portable, and lightweight CFI solution for bare-metal embedded systems, i.e., systems that execute firmware directly from their Flash memory, without any Operating System. The proposed defense mixes software and hardware instrumentation and is based on monitoring the Control-Flow Graph (CFG) with an FPGA connected to the CPU. The solution, applicable in principle to any architecture which disposes of an FPGA, forces all control-flow transfers to be compliant with the CFG, and preserves the execution context from possible corruption when entering unpredictable code such as Interrupt Services Routines (ISR).

Network security policies contain requirements - including system and software features as well as expected and desired actions of human actors. In this paper, we present a framework for evaluation of textual network security policies as requirements documents to identify areas for improvement. Specifically, our framework concentrates on completeness. We use topic modeling coupled with expert evaluation to learn the complete list of important topics that should be addressed in a network security policy. Using these topics as a checklist, we evaluate (students) a collection of network security policies for completeness, i.e., the level of presence of these topics in the text. We developed three methods for topic recognition to identify missing or poorly addressed topics. We examine network security policies and report the results of our analysis: preliminary success of our approach.

Internet Service Providers (ISPs) have an economic and operational interest in detecting malicious network activity relating to their subscribers. However, it is unclear what kind of traffic data an ISP has available for cyber-security research, and under which legal conditions it can be used. This paper gives an overview of the challenges posed by legislation and of the data sources available to a European ISP. DNS and NetFlow logs are identified as relevant data sources and the state of the art in anonymization and fingerprinting techniques is discussed. Based on legislation, data availability and privacy considerations, a practically applicable anonymization policy is presented.

The electrical power system is the backbone of our nations critical infrastructure. It has been designed to withstand single component failures based on a set of reliability metrics which have proven acceptable during normal operating conditions. However, in recent years there has been an increasing frequency of extreme weather events. Many have resulted in widespread long-term power outages, proving reliability metrics do not provide adequate energy security. As a result, researchers have focused their efforts resilience metrics to ensure efficient operation of power systems during extreme events. A resilient system has the ability to resist, adapt, and recover from disruptions. Therefore, resilience has demonstrated itself as a promising concept for currently faced challenges in power distribution systems. In this work, we propose an operational resilience metric for modern power distribution systems. The metric is based on the aggregation of system assets adaptive capacity in real and reactive power. This metric gives information to the magnitude and duration of a disturbance the system can withstand. We demonstrate resilience metric in a case study under normal operation and during a power contingency on a microgrid. In the future, this information can be used by operators to make more informed decisions based on system resilience in an effort to prevent power outages.

Machine learning algorithms used to detect attacks are limited by the fact that they cannot incorporate the back-ground knowledge that an analyst has. This limits their suitability in detecting new attacks. Reinforcement learning is different from traditional machine learning algorithms used in the cybersecurity domain. Compared to traditional ML algorithms, reinforcement learning does not need a mapping of the input-output space or a specific user-defined metric to compare data points. This is important for the cybersecurity domain, especially for malware detection and mitigation, as not all problems have a single, known, correct answer. Often, security researchers have to resort to guided trial and error to understand the presence of a malware and mitigate it.In this paper, we incorporate prior knowledge, represented as Cybersecurity Knowledge Graphs (CKGs), to guide the exploration of an RL algorithm to detect malware. CKGs capture semantic relationships between cyber-entities, including that mined from open source. Instead of trying out random guesses and observing the change in the environment, we aim to take the help of verified knowledge about cyber-attack to guide our reinforcement learning algorithm to effectively identify ways to detect the presence of malicious filenames so that they can be deleted to mitigate a cyber-attack. We show that such a guided system outperforms a base RL system in detecting malware.

In the past decades, learning an effective distance metric between pairs of instances has played an important role in the classification and retrieval task, for example, the person identification or malware retrieval in the IoT service. The core motivation of recent efforts focus on improving the metric forms, and already showed promising results on the various applications. However, such models often fail to produce a reliable metric on the ambiguous test set. It happens mainly due to the sampling process of the training set, which is not representative of the distribution of the negative samples, especially the examples that are closer to the boundary of different categories (also called hard negative samples). In this paper, we focus on addressing such problems and propose an adaptive margin deep adversarial metric learning (AMDAML) framework. It exploits numerous common negative samples to generate potential hard (adversarial) negatives and applies them to facilitate robust metric learning. Apart from the previous approaches that typically depend on the search or data augmentation to find hard negative samples, the generation of adversarial negative instances could avoid the limitation of domain knowledge and constraint pairs' amount. Specifically, in order to prevent over fitting or underfitting during the training step, we propose an adaptive margin loss that preserves a flexible margin between the negative (include the adversarial and original) and positive samples. We simultaneously train both the adversarial negative generator and conventional metric objective in an adversarial manner and learn the feature representations that are more precise and robust. The experimental results on practical data sets clearly demonstrate the superiority of AMDAML to representative state-of-the-art metric learning models.

In many organizations, permissioned blockchain networks are currently transitioning from a proof-of-concept stage to production use. A crucial part of this transition is ensuring awareness of potential threats to network operations. Due to the plethora of software components involved in distributed ledgers, threats may be difficult or impossible to detect without a structured monitoring approach. To this end, we conduct a survey of attacks on permissioned blockchains and develop a set of threat indicators. To gather these indicators, a data processing pipeline is proposed to aggregate log information from relevant blockchain components, enriched with data from external sources. To evaluate the feasibility of monitoring current blockchain frameworks, we determine relevant data sources in Hyperledger Fabric. Our results show that the required data is mostly available, but also highlight significant improvement potential with regard to threat intelligence, chaincode scanners and built-in metrics.

Mobile browsers have become one of the main mediators of our online activities. However, as web pages continue to increase in size and streaming media on-the-go has become commonplace, mobile data plan constraints remain a significant concern for users. As a result, data-saving features can be a differentiating factor when selecting a mobile browser. In this paper, we present a comprehensive exploration of the security and privacy threat that data-saving functionality presents to users. We conduct the first analysis of Android's data-saving browser (DSB) ecosystem across multiple dimensions, including the characteristics of the various browsers' infrastructure, their application and protocol-level behavior, and their effect on users' browsing experience. Our research unequivocally demonstrates that enabling data-saving functionality in major browsers results in significant degradation of the user's security posture by introducing severe vulnerabilities that are not otherwise present in the browser during normal operation. In summary, our experiments show that enabling data savings exposes users to (i) proxy servers running outdated software, (ii) man-in-the-middle attacks due to problematic validation of TLS certificates, (iii) weakened TLS cipher suite selection, (iv) lack of support of security headers like HSTS, and (v) a higher likelihood of being labelled as bots. While the discovered issues can be addressed, we argue that data-saving functionality presents inherent risks in an increasingly-encrypted Web, and users should be alerted of the critical savings-vs-security trade-off that they implicitly accept every time they enable such functionality.

A significant challenge in modern computer security is the growing skill gap as intruder capabilities increase, making it necessary to begin automating elements of penetration testing so analysts can contend with the growing number of cyber threats. In this paper, we attempt to assist human analysts by automating a single host penetration attack. To do so, a smart agent performs different attack sequences to find vulnerabilities in a target system. As it does so, it accumulates knowledge, learns new attack sequences and improves its own internal penetration testing logic. As a result, this agent (AgentPen for simplicity) is able to successfully penetrate hosts it has never interacted with before. A computer security administrator using this tool would receive a comprehensive, automated sequence of actions leading to a security breach, highlighting potential vulnerabilities, and reducing the amount of menial tasks a typical penetration tester would need to execute. To achieve autonomy, we apply an unsupervised machine learning algorithm, Q-learning, with an approximator that incorporates a deep neural network architecture. The security audit itself is modelled as a Markov Decision Process in order to test a number of decision-making strategies and compare their convergence to optimality. A series of experimental results is presented to show how this approach can be effectively used to automate penetration testing using a scalable, i.e. not exhaustive, and adaptive approach.

The prevalence and availability of cloud infrastructures has made them the de facto solution for storing and archiving data, both for organizations and individual users. Nonetheless, the cloud's wide spread adoption is still hindered by dependability and security concerns, particularly in applications with large data collections where efficient search and retrieval services are also major requirements. This leads to an increased tension between security, efficiency, and search expressiveness. In this paper we tackle this tension by proposing BISEN, a new provably-secure boolean searchable symmetric encryption scheme that improves these three complementary dimensions by exploring the design space of isolation guarantees offered by novel commodity hardware such as Intel SGX, abstracted as Isolated Execution Environments (IEEs). BISEN is the first scheme to support multiple users and enable highly expressive and arbitrarily complex boolean queries, with minimal information leakage regarding performed queries and accessed data, and verifiability regarding fully malicious adversaries. Furthermore, BISEN extends the traditional SSE model to support filter functions on search results based on generic metadata created by the users. Experimental validation and comparison with the state of art shows that BISEN provides better performance with enriched search semantics and security properties.

This paper proposes a Time Difference of Arrival (TDoA) based method for the localization of Radio Frequency (RF) emitters working at different carriers, by using wideband spectrum sensors exploiting compressive sampling. The proposed measurement method is based on four or more RF receivers, with known Cartesian positions, performing non uniform sampling on the received signal. By means of simulations, the method has been compared against a localization method adopting RF receivers performing uniform sampling at Nyquist rate. The obtained preliminary results demonstrate that the method is capable of localizing two RF emitters achieving the same results obtained with uniform sampling, with a compression ratio up to CR = 20.

The paper proposes a new measurement method for impairments identification in wireline channels (i.e. wire cables) by exploiting a Compressive Sampling (CS)-based technique. The method consists of two-phases: (i) acquisition and reconstruction of the channel impulse response in the nominal working condition and (ii) analysis of the channel state to detect any physical anomaly/discontinuity like deterioration (e.g. aging due to harsh environment) or unauthorized side channel attacks (e.g. taps). The first results demonstrate that the proposed method is capable of estimating the channel impairments with an accuracy that could allow the classification of the main channel impairments. The proposed method could be used to develop low-cost instrumentation for continuous monitoring of the physical layer of data networks and to improve their hardware security.

Microservices architecture has become one of the most prominent software architectures in the software development processes due to its features such as scalability, maintainability, resilience, and composability. It allows developing business applications in a decentralized manner by dividing the important business logic into separate independent services. Digital certificates are used to verify the identity of microservices in most cases. However, the certificate authorities (CA) who issue the certificates to microservices cannot be trusted always since they can issue certificates without the consent of the relevant microservice. Nevertheless, existing implementations of certificate transparency are mostly centralized and has the vulnerability of the single point of failure. The distributed ledger technologies such as blockchain can be used to achieve decentralized nature in certificate transparency implementations. A blockchain-based decentralized certificate transparency system specified for microservices architecture is proposed in this paper to ensure secure communication among services. After the implementation and deployment in a cloud service, the system expressed average certificate querying time of 643 milliseconds along with the highly secured service provided.