Biblio

Recent advances in networking and communication technologies have enabled Internet-of-Things (IoT) devices to communicate more frequently and faster. An IoT device typically transmits data over the Internet which is an insecure channel. Cyber attacks such as denial-of-service (DoS), man-in-middle, and SQL injection are considered as big threats to IoT devices. In this paper, an anomaly-based intrusion detection scheme is proposed that can protect sensitive information and detect novel cyber-attacks. The Artificial Bee Colony (ABC) algorithm is used to train the Random Neural Network (RNN) based system (RNN-ABC). The proposed scheme is trained on NSL-KDD Train+ and tested for unseen data. The experimental results suggest that swarm intelligence and RNN successfully classify novel attacks with an accuracy of 91.65%. Additionally, the performance of the proposed scheme is also compared with a hybrid multilayer perceptron (MLP) based intrusion detection system using sensitivity, mean of mean squared error (MMSE), the standard deviation of MSE (SDMSE), best mean squared error (BMSE) and worst mean squared error (WMSE) parameters. All experimental tests confirm the robustness and high accuracy of the proposed scheme.

Network attacks continue to pose threats to missions in cyber space. To prevent critical missions from getting impacted or minimize the possibility of mission impact, active cyber defense is very important. Mission impact graph is a graphical model that enables mission impact assessment and shows how missions can be possibly impacted by cyber attacks. Although the mission impact graph provides valuable information, it is still very difficult for human analysts to comprehend due to its size and complexity. Especially when given limited resources, human analysts cannot easily decide which security measures to take first with respect to mission assurance. Therefore, this paper proposes to apply a ranking algorithm towards the mission impact graph so that the huge amount of information can be prioritized. The actionable conditions that can be managed by security admins are ranked with numeric values. The rank enables efficient utilization of limited resources and provides guidance for taking security countermeasures.

Intrusion detection is one essential tool towards building secure and trustworthy Cloud computing environment, given the ubiquitous presence of cyber attacks that proliferate rapidly and morph dynamically. In our current working paradigm of resource, platform and service consolidations, Cloud Computing provides a significant improvement in the cost metrics via dynamic provisioning of IT services. Since almost all cloud computing networks lean on providing their services through Internet, they are prone to experience variety of security issues. Therefore, in cloud environments, it is necessary to deploy an Intrusion Detection System (IDS) to detect new and unknown attacks in addition to signature based known attacks, with high accuracy. In our deliberation we assume that a system or a network ``anomalous'' event is synonymous to an ``intrusion'' event when there is a significant departure in one or more underlying system or network activities. There are couple of recently proposed ideas that aim to develop a hybrid detection mechanism, combining advantages of signature-based detection schemes with the ability to detect unknown attacks based on anomalies. In this work, we propose a network based anomaly detection system at the Cloud Hypervisor level that utilizes a hybrid algorithm: a combination of K-means clustering algorithm and SVM classification algorithm, to improve the accuracy of the anomaly detection system. Dataset from UNSW-NB15 study is used to evaluate the proposed approach and results are compared with previous studies. The accuracy for our proposed K-means clustering model is slightly higher than others. However, the accuracy we obtained from the SVM model is still low for supervised techniques.

This paper addresses the recent shift in the United States' policy that emphasizes forward defense and deterrence and to “intercept and halt” adversary cyber operations. Supporters believe these actions should significantly reduce attacks against the United States, while critics worry that they may incite more adversary activity. As there is no standard methodology to measure which is the case, this paper introduces a transparent framework to better assess whether the new U.S. policy and actions are suppressing or encouraging attacks1. Determining correlation and causation will be difficult due to the hidden nature of cyber attacks, the veiled motivations of differing actors, and other factors. However even if causation may never be clear, changes in the direction and magnitude of cyber attacks can be suggestive of the success or failure of these new policies, especially as their proponents suggest they should be especially effective. Rough-and-ready metrics can be helpful to assess the impacts of policymaking, can lay the groundwork for more comprehensive measurements, and may also provide insight into academic theories of persistent engagement and deterrence.

The advent of the cyber domain has introduced a new dimension into warfare and complicated existing strategic concepts, provoking divergent responses within different national contexts and strategic cultures. Although current theories regarding cyber deterrence remain relatively nascent, a comparison of U.S. and Chinese strategic thinking highlights notable asymmetries between their respective approaches. While U.S. debates on cyber deterrence have primarily focused on the deterrence of cyber threats, Chinese theorists have also emphasized the potential importance of cyber capabilities to enhance strategic deterrence. Whereas the U.S. government has maintained a consistent declaratory policy for response, Beijing has yet to progress toward transparency regarding its cyber strategy or capabilities. However, certain PLA strategists, informed by a conceptualization of deterrence as integrated with warfighting, have advocated for the actualization of deterrence through engaging in cyber attacks. Regardless of whether these major cyber powers' evolving strategic thinking on cyber deterrence will prove logically consistent or feasibly operational, their respective perspectives will certainly shape their attempts to achieve cyber deterrence. Ultimately, cyber deterrence may continue to be "what states make of it," given conditions of "cyber anarchy" and prevailing uncertainties regarding cyber conflict. Looking forward, future strategic stability in Sino-U.S. cyber interactions will require mitigation of the misperceptions and heightened risks of escalation that could be exacerbated by these divergent strategic approaches.

Transactive energy systems (TES) are emerging as a transformative solution for the problems that distribution system operators face due to an increase in the use of distributed energy resources and rapid growth in scalability of managing active distribution system (ADS). On the one hand, these changes pose a decentralized power system control problem, requiring strategic control to maintain reliability and resiliency for the community and for the utility. On the other hand, they require robust financial markets while allowing participation from diverse prosumers. To support the computing and flexibility requirements of TES while preserving privacy and security, distributed software platforms are required. In this paper, we enable the study and analysis of security concerns by developing Transactive Energy Security Simulation Testbed (TESST), a TES testbed for simulating various cyber attacks. In this work, the testbed is used for TES simulation with centralized clearing market, highlighting weaknesses in a centralized system. Additionally, we present a blockchain enabled decentralized market solution supported by distributed computing for TES, which on one hand can alleviate some of the problems that we identify, but on the other hand, may introduce newer issues. Future study of these differing paradigms is necessary and will continue as we develop our security simulation testbed.

Critical infrastructures have suffered from different kind of cyber attacks over the years. Many of these attacks are performed using malwares by exploiting the vulnerabilities of these resources. Smart power grid is one of the major victim which suffered from these attacks and its SCADA system are frequently targeted. In this paper we describe our proposed framework to analyze smart power grid, while its SCADA system is under attack by malware. Malware propagation and its effects on SCADA system is the focal point of our analysis. OMNeT++ simulator and openDSS is used for developing and analyzing the simulated smart power grid environment.

Advent of Cyber has converted the entire World into a Global village. But, due to vurneabilites in SCADA architecture [1] national assests are more prone to cyber attacks.. Cyber invasions have a catastrophic effect in the minds of the civilian population, in terms of states security system. A robust cyber security is need of the hour to protect the critical information infastructrue & critical infrastructure of a country. Here, in this paper we scrutinize cyber terrorism, vurneabilites in SCADA network systems [1], [2] and concept of cyber resilience to combat cyber attacks.

Traditional anti-virus technologies have failed to keep pace with proliferation of malware due to slow process of their signatures and heuristics updates. Similarly, there are limitations of time and resources in order to perform manual analysis on each malware. There is a need to learn from this vast quantity of data, containing cyber attack pattern, in an automated manner to proactively adapt to ever-evolving threats. Machine learning offers unique advantages to learn from past cyber attacks to handle future cyber threats. The purpose of this research is to propose a framework for multi-classification of malware into well-known categories by applying different machine learning models over corpus of malware analysis reports. These reports are generated through an open source malware sandbox in an automated manner. We applied extensive pre-modeling techniques for data cleaning, features exploration and features engineering to prepare training and test datasets. Best possible hyper-parameters are selected to build machine learning models. These prepared datasets are then used to train the machine learning classifiers and to compare their prediction accuracy. Finally, these results are validated through a comprehensive 10-fold cross-validation methodology. The best results are achieved through Gaussian Naive Bayes classifier with random accuracy of 96% and 10-Fold Cross Validation accuracy of 91.2%. The said framework can be deployed in an operational environment to learn from malware attacks for proactively adapting matching counter measures.

Modern industrial control systems (ICS) act as victims of cyber attacks more often in last years. These attacks are hard to detect and their consequences can be catastrophic. Cyber attacks can cause anomalies in the work of the ICS and its technological equipment. The presence of mutual interference and noises in this equipment significantly complicates anomaly detection. Moreover, the traditional means of protection, which used in corporate solutions, require updating with each change in the structure of the industrial process. An approach based on the machine learning for anomaly detection was used to overcome these problems. It complements traditional methods and allows one to detect signal correlations and use them for anomaly detection. Additional Tennessee Eastman Process Simulation Data for Anomaly Detection Evaluation dataset was analyzed as example of industrial process. In the course of the research, correlations between the signals of the sensors were detected and preliminary data processing was carried out. Algorithms from the most common techniques of machine learning (decision trees, linear algorithms, support vector machines) and deep learning models (neural networks) were investigated for industrial process anomaly detection task. It's shown that linear algorithms are least demanding on computational resources, but they don't achieve an acceptable result and allow a significant number of errors. Decision tree-based algorithms provided an acceptable accuracy, but the amount of RAM, required for their operations, relates polynomially with the training sample volume. The deep neural networks provided the greatest accuracy, but they require considerable computing power for internal calculations.

Dynamic Information Flow Tracking (DIFT) has been proposed to detect stealthy and persistent cyber attacks that evade existing defenses such as firewalls and signature-based antivirus systems. A DIFT defense taints and tracks suspicious information flows across the network in order to identify possible attacks, at the cost of additional memory overhead for tracking non-adversarial information flows. In this paper, we present the first analytical model that describes the interaction between DIFT and adversarial information flows, including the probability that the adversary evades detection and the performance overhead of the defense. Our analytical model consists of a multi-stage game, in which each stage represents a system process through which the information flow passes. We characterize the optimal strategies for both the defense and adversary, and derive efficient algorithms for computing the strategies. Our results are evaluated on a realworld attack dataset obtained using the Refinable Attack Investigation (RAIN) framework, enabling us to draw conclusions on the optimal adversary and defense strategies, as well as the effect of valid information flows on the interaction between adversary and defense.

Software defined networking (SDN) is a networking paradigm to provide automated network management at run time through network orchestration and virtualization. SDN can also enhance system resilience through recovery from failures and maintaining critical operations during cyber attacks. SDN's self-healing mechanisms can be leveraged to realized autonomous attack containment, which dynamically modifies access control rules based on configurable trust levels. In this paper, we present an approach to aid in selection of security countermeasures dynamically in an SDN enabled Energy Delivery System (EDS) and achieving tradeoff between providing security and QoS. We present the modeling of security cost based on end-to-end packet delay and throughput. We propose a non-dominated sorting based multi-objective optimization framework which can be implemented within an SDN controller to address the joint problem of optimizing between security and QoS parameters by alleviating time complexity at O(M N2), where M is the number of objective functions and N is the number of population for each generation respectively. We present simulation results which illustrate how data availability and data integrity can be achieved while maintaining QoS constraints.

The rapid evolution of the power grid into a smart one calls for innovative and compelling means to experiment with the upcoming expansions, and analyze their behavioral response under normal circumstances and when targeted by attacks. Such analysis is fundamental to setting up solid foundations for the smart grid. Smart grid Hardware-In-the-Loop (HIL) co-simulation environments serve as a key approach to answer questions on the systems components, functionality, security concerns along with analysis of the system outcome and expected behavior. In this paper, we introduce a HIL co-simulation framework capable of simulating the smart grid actions and responses to attacks targeting its power and communication components. Our testbed is equipped with a real-time power grid simulator, and an associated OpenStack-based communication network. Through the utilized communication network, we can emulate a multitude of attacks targeting the power system, and evaluating the grid response to those attacks. Moreover, we present different illustrative cyber attacks use cases, and analyze the smart grid behavior in the presence of those attacks.

With the rapid growth of the cyber attacks, cyber threat intelligence (CTI) sharing becomes essential for providing advance threat notice and enabling timely response to cyber attacks. Our goal in this paper is to develop an approach to extract low-level cyber threat actions from publicly available CTI sources in an automated manner to enable timely defense decision making. Specifically, we innovatively and successfully used the metrics of entropy and mutual information from Information Theory to analyze the text in the cybersecurity domain. Combined with some basic NLP techniques, our framework, called ActionMiner has achieved higher precision and recall than the state-of-the-art Stanford typed dependency parser, which usually works well in general English but not cybersecurity texts.

With the rapid development of the smart grid, a large number of intelligent sensors and meters have been introduced in distribution network, which will inevitably increase the integration of physical networks and cyber networks, and bring potential security threats to the operating system. In this paper, the functions of the information system on distribution network are described when cyber attacks appear at the intelligent electronic devices (lED) or at the distribution main station. The effect analysis of the distribution network under normal operating condition or in the fault recovery process is carried out, and the reliability assessment model of the distribution network considering cyber attacks is constructed. Finally, the IEEE-33-bus distribution system is taken as a test system to presented the evaluation process based on the proposed model.

In recent years, cyber attacks have caused substantial financial losses and been able to stop fundamental public services. Among the serious attacks, Advanced Persistent Threat (APT) has emerged as a big challenge to the cyber security hitting selected companies and organisations. The main objectives of APT are data exfiltration and intelligence appropriation. As part of the APT life cycle, an attacker creates a Point of Entry (PoE) to the target network. This is usually achieved by installing malware on the targeted machine to leave a back-door open for future access. A common technique employed to breach into the network, which involves the use of social engineering, is the spear phishing email. These phishing emails may contain disguised executable files. This paper presents the disguised executable file detection (DeFD) module, which aims at detecting disguised exe files transferred over the network connections. The detection is based on a comparison between the MIME type of the transferred file and the file name extension. This module was experimentally evaluated and the results show a successful detection of disguised executable files.

One of the biggest problems of today's internet technologies is cyber attacks. In this paper whether DDoS attacks will be determined by deep packet inspection. Initially packets are captured by listening of network traffic. Packet filtering was achieved at desired number and type. These packets are recorded to database to be analyzed, daily values and average values are compared by known attack patterns and will be determined whether a DDoS attack attempts in real time systems.

To improve the resilience of state estimation strategy against cyber attacks, the Compressive Sensing (CS) is applied in reconstruction of incomplete measurements for cyber physical systems. First, observability analysis is used to decide the time to run the reconstruction and the damage level from attacks. In particular, the dictionary learning is proposed to form the over-completed dictionary by K-Singular Value Decomposition (K-SVD). Besides, due to the irregularity of incomplete measurements, sampling matrix is designed as the measurement matrix. Finally, the simulation experiments on 6-bus power system illustrate that the proposed method achieves the incomplete measurements reconstruction perfectly, which is better than the joint dictionary. When only 29% available measurements are left, the proposed method has generality for four kinds of recovery algorithms.

With the integration of computing, communication, and physical processes, the modern power grid is becoming a large and complex cyber physical power system (CPPS). This trend is intended to modernize and improve the efficiency of the power grid, yet it makes the CPPS vulnerable to potential cascading failures caused by cyber-attacks, e.g., the attacks that are originated by the cyber network of CPPS. To prevent these risks, it is essential to analyze how cyber-attacks can be conducted against the CPPS and how they can affect the power systems. In light of that General Packet Radio Service (GPRS) has been widely used in CPPS, this paper provides a case study by examining possible cyber-attacks against the cyber-physical power systems with GPRS-based SCADA system. We analyze the vulnerabilities of GPRS-based SCADA systems and focus on DoS attacks and message spoofing attacks. Furthermore, we show the consequence of these attacks against power systems by a simulation using the IEEE 9-node system, and the results show the validity of cascading failures propagated through the systems under our proposed attacks.

This paper considers a framework of electrical cyber-physical systems (ECPSs) in which each bus and branch in a power grid is equipped with a controller and a sensor. By means of measuring the damages of cyber attacks in terms of cutting off transmission lines, three solution approaches are proposed to assess and deal with the damages caused by faults or cyber attacks. Splitting incident is treated as a special situation in cascading failure propagation. A new simulation platform is built for simulating the protection procedure of ECPSs under faults. The vulnerability of ECPSs under faults is analyzed by experimental results based on IEEE 39-bus system.

In recent years a wide range of wearable IoT healthcare applications have been developed and deployed. The rapid increase in wearable devices allows the transfer of patient personal information between different devices, at the same time personal health and wellness information of patients can be tracked and attacked. There are many techniques that are used for protecting patient information in medical and wearable devices. In this research a comparative study of the complexity for cyber security architecture and its application in IoT healthcare industry has been carried out. The objective of the study is for protecting healthcare industry from cyber attacks focusing on IoT based healthcare devices. The design has been implemented on Xilinx Zynq-7000, targeting XC7Z030 - 3fbg676 FPGA device.

In this paper, cyber physical system is analyzed from security perspective. A double closed-loop security control structure and algorithm with defense functions is proposed. From this structure, the features of several cyber attacks are considered respectively. By this structure, the models of information disclosure, denial-of-service (DoS) and Man-in-the-Middle Attack (MITM) are proposed. According to each kind attack, different models are obtained and analyzed, then reduce to the unified models. Based on this, system security conditions are obtained, and a defense scenario with detail algorithm is design to illustrate the implementation of this program.

Software Defined Networks (SDNs) is a new networking paradigm that has gained a lot of attention in recent years especially in implementing data center networks and in providing efficient security solutions. The popularity of SDN and its attractive security features suggest that it can be used in the context of smart grid systems to address many of the vulnerabilities and security problems facing such critical infrastructure systems. This paper studies the impact of different cyber attacks that can target smart grid communication network which is implemented as a software defined network on the operation of the smart grid system in general. In particular, we perform different attack scenarios including DDoS attacks, location highjacking and link overloading against SDN networks of different controller types that include POX, Floodlight and RYU. Our experiments were carried out using the mininet simulator. The experiments show that SDN-enabled smartgrid systems are vulnerable to different types of attacks.

Mobile attack approaches can be categorized as Application Based Attacks and Frequency Based Attacks. Application based attacks are reviewed extensively in the literature. However, frequency based attacks to mobile phones are not experimented in detail. In this work, we have experimentally succeeded to attack an Android smartphone using a simple software based radio circuit. We have developed a software “Primary Mobile Hack Builder” to control Android operated cellphone as a distance. The SMS information and pictures in the cellphone can be obtained using this device. On the other hand, after launching a software into targeting cellphone, the camera of the cellphone can be controlled for taking pictures and downloading them into our computers. It was also possible to eavesdropping the conversation.

High accurate time synchronization is very important for many applications and industrial environments. In a computer network, synchronization of time for connected devices is provided by the Precision Time Protocol (PTP), which in principal allows for device time synchronization down to microsecond level. However, PTP and network infrastructures are vulnerable to cyber-attacks, which can de-synchronize an entire network, leading to potentially devastating consequences. This paper will focus on the issue of internal attacks on time synchronization networks and discuss how counter-measures based on public key infrastructures, trusted platform modules, network intrusion detection systems and time synchronization supervisors can be adopted to defeat or at least detect such internal attacks.