Biblio

The Internet of Things is an emerging technology for recent marketplace. In IoT, the heterogeneous devices are connected through the medium of the Internet for seamless communication. The devices used in IoT are resource-constrained in terms of memory, power and processing. Due to that, IoT system is unable to implement hi-end security for malicious cyber-attacks. The recent era is all about connecting IoT devices in various domains like medical, agriculture, transport, power, manufacturing, supply chain, education, etc. and thus need to be prevented from attacks and analyzed after attacks for legal action. The legal analysis of IoT data, devices and communication is called IoT forensics which is highly indispensable for various types of attacks on IoT system. This paper will review types of IoT attacks and its preventive measures in cyber security. It will also help in ascertaining IoT forensics and its challenges in detail. This paper will conclude with the high requirement of cyber security in IoT domains with implementation of standard rules for IoT forensics.

This study addresses the coordination issue of multi-agent systems under complicated actuator faults and cyber attacks. Distributed fault-tolerant design is developed with the estimated and output neighboring information in decentralized estimation observer. Criteria of reaching the exponential coordination of multi-agent systems with cyber attacks is obtained with average dwelling time and chattering bound method. Simulations validate the efficiency of the anti-attack fault-tolerant design.

As the traditional grids are transitioning to the smart grid, they are getting more prone to cyber-attacks. Among all the cyber-attack one of the most dangerous attack is false data injection attack. When this attack is performed with historical information of the data packet the attack goes undetected. As the false data is included for training and testing the model, the accuracy is decreased, and decision making is affected. In this paper we analyzed the impact of the false data injection attack(FDIA) on AI based smart grid. These analyses were performed using two different multi-layer perceptron architectures with one of the independent variables being compared and modified by the attacker. The root-mean squared values were compared with different models.

Supervisory control and data acquisition (SCADA) networks provide high situational awareness and automation control for industrial control systems, whilst introducing a wide range of access points for cyber attackers. To address these issues, a line of machine learning or deep learning based intrusion detection systems (IDSs) have been presented in the literature, where a large number of attack examples are usually demanded. However, in real-world SCADA networks, attack examples are not always sufficient, having only a few shots in many cases. In this paper, we propose a novel few-shot learning based IDS, named FS-IDS, to detect cyber attacks against SCADA networks, especially when having only a few attack examples in the defenders’ hands. Specifically, a new method by orchestrating one-hot encoding and principal component analysis is developed, to preprocess SCADA datasets containing sufficient examples for frequent cyber attacks. Then, a few-shot learning based preliminary IDS model is designed and trained using the preprocessed data. Last, a complete FS-IDS model for SCADA networks is established by further training the preliminary IDS model with a few examples for cyber attacks of interest. The high effectiveness of the proposed FS-IDS, in detecting cyber attacks against SCADA networks with only a few examples, is demonstrated by extensive experiments on a real SCADA dataset.

Modern cyberattacks are the most powerful disturbance factor for computer networks, as they have a complex and devastating impact. The impact of cyberattacks is primarily aimed at disrupting the performance of computer network protection means. Therefore, managing this defense system in the face of cyberattacks is an important task. The paper examines a technique for constructing an effective control system for a computer network security system operating in real time in the context of cyber attacks. It is supposed that it is built on the basis of constructing a system state space and a stack of control decisions. The probability of finding the security system in certain state at each control step is calculated using a finite Markov chain. The technique makes it possible to predict the number of iterations for managing the security system when exposed to cyber attacks, depending on the segment of the space of its states and the selected number of transitions, as well as automatically generate control decisions. An algorithm has been developed for situational control of a computer network security system in conditions of cyber attacks. The experimental results obtained using the generated dataset demonstrated the high efficiency of the developed technique and the ability to use it to determine the parameters that are most susceptible to abnormal deviations during the impact of cyber attacks.

In the digital era, cyber security has become a serious problem. Information penetrates, wholesale fraud, manual human test breaking, and other comparable occurrences proliferate, influencing a large number of individuals just as organizations. The hindrances have consistently been endless in creating appropriate controls and procedures and putting them in place with utmost precision in order to deal with cyber-attacks. To recent developments in artificial intelligence, the danger of cyber - attacks has increased drastically. AI has affected everything from healthcare to robots. Because malicious hackers couldn't keep this ball of fire from them, ``normal'' cyber-attacks have grown in to the ``intelligent'' cyber attacks. In this paper, The most promising artificial intelligence approaches are discussed. Researchers look at how such techniques may be used for cyber security. At last, the conversation concludes with a discussion about artificial intelligence's future and cyber security.

In this paper, we investigate joint sensor-actuator cyber attacks in discrete event systems. We assume that attackers can attack some sensors and actuators at the same time by altering observations and control commands. Because of the nondeterminism in observation and control caused by cyber attacks, the behavior of the supervised systems becomes nondeterministic and deviates from the target. We define two bounds on languages, an upper-bound and a lower-bound, to describe the nondeterministic behavior. We then use the upper-bound language to investigate the safety supervisory control problem under cyber attacks. After introducing CA-controllability and CA-observability, we successfully solve the supervisory control problem under cyber attacks.

Power systems automation and communication standards are crucial for the transition of the conventional power system towards a smart grid. The IEC 61850 standard is widely used for substation automation and protection. It enables real-time communication and data exchange between critical substation automation devices. IEC 61850 serves as the foundation for open communication and data exchange for digital substations of the smart grid. However, IEC 61850 has cyber security vulnerabilities that can be exploited with a man-in-the-middle attack. Such coordinated cyber attacks against the protection system in digital substations can disconnect generation and transmission lines, causing cascading failures. In this paper, we demonstrate a cyber attack involving the Generic Object-Oriented Substation Event (GOOSE) protocol of IEC 61850. This is achieved by exploiting the cyber security vulnerabilities in the protocol and injecting spoofed GOOSE data frames into the substation communication network at the bay level. The cyber attack leads to tripping of multiple protective relays in the power grid, eventually resulting in a blackout. The attack model and impact on system dynamics are verified experimentally through hardware-in-the-loop simulations using commercial relays and Real-Time Digital Simulator (RTDS).

Power system automation and communication standards are spearheading the power system transition towards a smart grid. IEC 61850 is one such standard, which is widely used for substation automation and protection. It enables real-time communication and data exchange between critical substation automation and protection devices within digital substations. However, IEC 61850 is not cyber secure. In this paper, we demonstrate the dangerous implications of not securing IEC 61850 standard. Cyber attacks may exploit the vulnerabilities of the Sampled Values (SV) and Generic Object-Oriented Substation Event (GOOSE) protocols of IEC 61850. The cyber attacks may be realised by injecting spoofed SV and GOOSE data frames into the substation communication network at the bay level. We demonstrate that such cyber attacks may lead to obstruction or tripping of multiple protective relays. Coordinated cyber attacks against the protection system in digital substations may cause generation and line disconnections, triggering cascading failures in the power grid. This may eventually result in a partial or complete blackout. The attack model, impact on system dynamics and cascading failures are veri ed experimentally through a proposed cyber-physical experimental framework that closely resembles real-world conditions within a digital substation, including Intelligent Electronic Devices (IEDs) and protection schemes. It is implemented through Hardware-in-the-Loop (HIL) simulations of commercial relays with a Real-Time Digital Simulator (RTDS).

With the widespread of Artificial Intelligence (AI)-enabled security applications, there is a need for collecting heterogeneous and scalable data sources for effectively evaluating the performances of security applications. This paper presents the description of new datasets, named ToNİoT datasets that include distributed data sources collected from Telemetry datasets of Internet of Things (IoT) services, Operating systems datasets of Windows and Linux, and datasets of Network traffic. The paper aims to describe the new testbed architecture used to collect Linux datasets from audit traces of hard disk, memory and process. The architecture was designed in three distributed layers of edge, fog, and cloud. The edge layer comprises IoT and network systems, the fog layer includes virtual machines and gateways, and the cloud layer includes data analytics and visualization tools connected with the other two layers. The layers were programmatically controlled using Software-Defined Network (SDN) and Network-Function Virtualization (NFV) using the VMware NSX and vCloud NFV platform. The Linux ToNİoT datasets would be used to train and validate various new federated and distributed AI-enabled security solutions such as intrusion detection, threat intelligence, privacy preservation and digital forensics. Various Data analytical and machine learning methods are employed to determine the fidelity of the datasets in terms of examining feature engineering, statistics of legitimate and security events, and reliability of security events. The datasets can be publicly accessed from [1].

In recent times, an increasing amount of intelligent electronic devices (IEDs) are being deployed to make power systems more reliable and economical. While these technologies are necessary for realizing a cyber-physical infrastructure for future smart power grids, they also introduce new vulnerabilities in the grid to different cyber-attacks. Traditional methods such as state vector estimation (SVE) are not capable of identifying cyber-attacks while the geometric information is also injected as an attack vector. In this paper, a machine learning based smart grid attack identification method is proposed. The proposed method is carried out by first collecting smart grid power flow data for machine learning training purposes which is later used to classify the attacks. The performance of both the proposed SVM method and the traditional SVE method are validated on IEEE 14, 30, 39, 57 and 118 bus systems, and the performance regarding the scale of the power system is evaluated. The results show that the SVM-based method performs better than the SVE-based in attack identification over a much wider scale of power systems.

Current cyber attribution approaches proposed to use a variety of datasets and analytical techniques to distill the information that will be useful to identify cyber attackers. In contrast, practitioners and researchers in cyber attribution face several technical and regulation challenges. In this paper, we describe the main challenges of cyber attribution and present a state of the art of used approaches to face these challenges. Then, we will present an exploratory study to perform cyber attacks attribution based on pattern recognition from real data. In our study, we are using attack pattern discovery and identification based on real data collection and analysis.

Intrusion Detection Systems (IDS) are the systems that detect and block any potential threats (e.g. DDoS attacks) in the network. In this project, we explore the performance of several machine learning techniques when used as parts of an IDS. We experiment with the CICIDS2017 dataset, one of the biggest and most complete IDS datasets in terms of having a realistic background traffic and incorporating a variety of cyber attacks. The techniques we present are applicable to any IDS dataset and can be used as a basis for deploying a real time IDS in complex environments.

Cyber attacks and the associated costs made cybersecurity a vital part of any system. User behavior and decisions are still a major part in the coping with these risks. We developed a model of optimal investment and human decisions with security measures, given that the effectiveness of each measure depends partly on the performance of the others. In an online experiment, participants classified events as malicious or non-malicious, based on the value of an observed variable. Prior to making the decisions, they had invested in three security measures - a firewall, an IDS or insurance. In three experimental conditions, maximal investment in only one of the measures was optimal, while in a fourth condition, participants should not have invested in any of the measures. A previous paper presents the analysis of the investment decisions. This paper reports users' classifications of events when interacting with these systems. The use of security mechanisms helped participants gain higher scores. Participants benefited in particular from purchasing IDS and/or Cyber Insurance. Participants also showed higher sensitivity and compliance with the alerting system when they could benefit from investing in the IDS. Participants, however, did not adjust their behavior optimally to the security settings they had chosen. The results demonstrate the complex nature of risk-related behaviors and the need to consider human abilities and biases when designing cyber security systems.

Machine learning techniques help to understand underlying patterns in datasets to develop defense mechanisms against cyber attacks. Multilayer Perceptron (MLP) technique is a machine learning technique used in detecting attack vs. benign data. However, it is difficult to construct any effective model when there are imbalances in the dataset that prevent proper classification of attack samples in data. In this research, we use UGR'16 dataset to conduct data wrangling initially. This technique helps to prepare a test set from the original dataset to train the neural network model effectively. We experimented with a series of inputs of varying sizes (i.e. 10000, 50000, 1 million) to observe the performance of the MLP neural network model with distribution of features over accuracy. Later, we use Generative Adversarial Network (GAN) model that produces samples of different attack labels (e.g. blacklist, anomaly spam, ssh scan) for balancing the dataset. These samples are generated based on data from the UGR'16 dataset. Further experiments with MLP neural network model shows that a balanced attack sample dataset, made possible with GAN, produces more accurate results than an imbalanced one.

Modern industrial control systems (ICS) act as victims of cyber attacks more often in last years. These cyber attacks often can not be detected by classical information security methods. Moreover, the consequences of cyber attack's impact can be catastrophic. Since cyber attacks leads to appearance of anomalies in the ICS and technological equipment controlled by it, the task of intrusion detection for ICS can be reformulated as the task of industrial process anomaly detection. This paper considers the applicability of generative adversarial networks (GANs) in the field of industrial processes anomaly detection. Existing approaches for GANs usage in the field of information security (such as anomaly detection in network traffic) were described. It is proposed to use the BiGAN architecture in order to detect anomalies in the industrial processes. The proposed approach has been tested on Secure Water Treatment Dataset (SWaT). The obtained results indicate the prospects of using the examined method in practice.

Wide integration of information and communication technology (ICT) in modern power grids has brought many benefits as well as the risk of cyber attacks. A critical step towards defending grid cyber security is to understand the cyber-physical causal chain, which describes the progression of intrusion in cyber-space leading to the formation of consequences on the physical power grid. In this paper, we develop an attack vector for a time delay attack at load frequency control in the power grid. Distinct from existing works, which are separately focused on cyber intrusion, grid response, or testbed validation, the proposed attack vector for the first time provides a full cyber-physical causal chain. It targets specific vulnerabilities in the protocols, performs a denial-of-service (DoS) attack, induces the delays in control loop, and destabilizes grid frequency. The proposed attack vector is proved in theory, presented as an attack tree, and validated in an experimental environment. The results will provide valuable insights to develop security measures and robust controls against time delay attacks.

The increase of cyber attacks in both the numbers and varieties in recent years demands to build a more sophisticated network intrusion detection system (NIDS). These NIDS perform better when they can monitor all the traffic traversing through the network like when being deployed on a Software-Defined Network (SDN). Because of the inability to detect zero-day attacks, signature-based NIDS which were traditionally used for detecting malicious traffic are beginning to get replaced by anomaly-based NIDS built on neural networks. However, recently it has been shown that such NIDS have their own drawback namely being vulnerable to the adversarial example attack. Moreover, they were mostly evaluated on the old datasets which don't represent the variety of attacks network systems might face these days. In this paper, we present Reconstruction from Partial Observation (RePO) as a new mechanism to build an NIDS with the help of denoising autoencoders capable of detecting different types of network attacks in a low false alert setting with an enhanced robustness against adversarial example attack. Our evaluation conducted on a dataset with a variety of network attacks shows denoising autoencoders can improve detection of malicious traffic by up to 29% in a normal setting and by up to 45% in an adversarial setting compared to other recently proposed anomaly detectors.

DDoS attacks impose serious threats to many large or small organizations; therefore DDoS attacks have to be detected as soon as possible. In this study, a methodology to detect DDoS attacks is proposed and implemented on online systems. In the scope of the proposed methodology, Multi Layer Perceptron (MLP), Random Forest (RF), K-Nearest Neighbor (KNN), C-Support Vector Machine (SVC) machine learning methods are used with scaling and feature reduction preprocessing methods and then effects of preprocesses on detection accuracy rates of HTTP (Hypertext Transfer Protocol) flood, TCP SYN (Transport Control Protocol Synchronize) flood, UDP (User Datagram Protocol) flood and ICMP (Internet Control Message Protocol) flood DDoS attacks are analyzed. Obtained results showed that DDoS attacks can be detected with high accuracy of 99.2%.

Cloud-hosted applications are prone to targeted attacks such as DDoS, advanced persistent threats, cryptojacking which threaten service availability. Recently, methods for threat information sharing and defense require co-operation and trust between multiple domains/entities. There is a need for mechanisms that establish distributed trust to allow for such a collective defense. In this paper, we present a novel threat intelligence sharing and defense system, namely “DefenseChain”, to allow organizations to have incentive-based and trustworthy co-operation to mitigate the impact of cyber attacks. Our solution approach features a consortium Blockchain platform to obtain threat data and select suitable peers to help with attack detection and mitigation. We propose an economic model for creation and sustenance of the consortium with peers through a reputation estimation scheme that uses `Quality of Detection' and `Quality of Mitigation' metrics. Our evaluation experiments with DefenseChain implementation are performed on an Open Cloud testbed with Hyperledger Composer and in a simulation environment. Our results show that the DefenseChain system overall performs better than state-of-the-art decision making schemes in choosing the most appropriate detector and mitigator peers. In addition, we show that our DefenseChain achieves better performance trade-offs in terms of metrics such as detection time, mitigation time and attack reoccurence rate. Lastly, our validation results demonstrate that our DefenseChain can effectively identify rational/irrational service providers.

Advanced Persistent Threats (APTs) are stealthy, sophisticated, long-term, multi-stage attacks that threaten the security of sensitive information. Dynamic Information Flow Tracking (DIFT) has been proposed as a promising mechanism to detect and prevent various cyber attacks in computer systems. DIFT tracks suspicious information flows in the system and generates security analysis when anomalous behavior is detected. The number of information flows in a system is typically large and the amount of resources (such as memory, processing power and storage) required for analyzing different flows at different system locations varies. Hence, efficient use of resources is essential to maintain an acceptable level of system performance when using DIFT. On the other hand, the quickest detection of APTs is crucial as APTs are persistent and the damage caused to the system is more when the attacker spends more time in the system. We address the problem of detecting APTs and model the trade-off between resource efficiency and quickest detection of APTs. We propose a game model that captures the interaction of APT and a DIFT-based defender as a two-player, multi-stage, zero-sum, Stackelberg semi-Markov game. Our game considers the performance parameters such as false-negatives generated by DIFT and the time required for executing various operations in the system. We propose a two-time scale Q-learning algorithm that converges to a Stackelberg equilibrium under infinite horizon, limiting average payoff criteria. We validate our model and algorithm on a real-word attack dataset obtained using Refinable Attack INvestigation (RAIN) framework.

Few developments seem as poised to alter the characteristics of security in the digital age as the advent of artificial intelligence (AI) technologies. For national defense establishments, the emergence of AI techniques is particularly worrisome, not least because prototype applications already exist. Cyber attacks augmented by AI portend the tailored manipulation of human vectors within the attack surface of important societal systems at great scale, as well as opportunities for calamity resulting from the secondment of technical skill from the hacker to the algorithm. Arguably most important, however, is the fact that AI-enabled cyber campaigns contain great potential for operational obfuscation and strategic misdirection. At the operational level, techniques for piggybacking onto routine activities and for adaptive evasion of security protocols add uncertainty, complicating the defensive mission particularly where adversarial learning tools are employed in offense. Strategically, AI-enabled cyber operations offer distinct attempts to persistently shape the spectrum of cyber contention may be able to pursue conflict outcomes beyond the expected scope of adversary operation. On the other, AI-augmented cyber defenses incorporated into national defense postures are likely to be vulnerable to "poisoning" attacks that predict, manipulate and subvert the functionality of defensive algorithms. This article takes on two primary tasks. First, it considers and categorizes the primary ways in which AI technologies are likely to augment offensive cyber operations, including the shape of cyber activities designed to target AI systems. Then, it frames a discussion of implications for deterrence in cyberspace by referring to the policy of persistent engagement, agreed competition and forward defense promulgated in 2018 by the United States. Here, it is argued that the centrality of cyberspace to the deployment and operation of soon-to-be-ubiquitous AI systems implies new motivations for operation within the domain, complicating numerous assumptions that underlie current approaches. In particular, AI cyber operations pose unique measurement issues for the policy regime.

In the process of informationization and networking of smart grids, the original physical isolation was broken, potential risks increased, and the increasingly serious cyber security situation was faced. Therefore, it is critical to develop accuracy and efficient anomaly detection methods to disclose various threats. However, in the industry, mainstream security devices such as firewalls are not able to detect and resist some advanced behavior attacks. In this paper, we propose a time series anomaly detection model, which is based on the periodic extraction method of discrete Fourier transform, and determines the sequence position of each element in the period by periodic overlapping mapping, thereby accurately describe the timing relationship between each network message. The experiments demonstrate that our model can detect cyber attacks such as man-in-the-middle, malicious injection, and Dos in a highly periodic network.

The limited information on the cyberattacks available in the unclassified regime, hardens standardizing the analysis. We address the problem of modeling and analyzing cyberattacks using a multimodal graph approach. We formulate the stages, actors, and outcomes of cyberattacks as a multimodal graph. Multimodal graph nodes include cyberattack victims, adversaries, autonomous systems, and the observed cyber events. In multimodal graphs, single-modality graphs are interconnected according to their interaction. We apply community and centrality analysis on the graph to obtain in-depth insights into the attack. In community analysis, we cluster those nodes that exhibit “strong” inter-modal ties. We further use centrality to rank the nodes according to their importance. Classifying nodes according to centrality provides the progression of the attack from the attacker to the targeted nodes. We apply our methods to two popular case studies, namely GhostNet and Putter Panda and demonstrate a clear distinction in the attack stages.

Security refers to precautions designed to shield the availability and integrity of information exchanged among the digital global community. Information safety measure typically protects the virtual facts from unauthorized sources to get a right of entry to, disclosure, manipulation, alteration or destruction on both hardware and software technologies. According to an evaluation through experts operating in the place of information safety, some of the new cyber-attacks are keep on emerging in all the business processes. As a stop result of the analyses done, it's been determined that although the level of risk is not excessive in maximum of the attacks, it's far a severe risk for important data and the severity of those attacks is prolonged. Prior safety structures has been established to monitor various cyber-threats, predominantly using a gadget processed data or alerts for showing each deterministic and stochastic styles. The principal finding for deterministic patterns in cyber- attacks is that they're neither unbiased nor random over the years. Consequently, the quantity of assaults in the past helps to monitor the range of destiny attacks. The deterministic styles can often be leveraged to generate moderately correct monitoring.