Biblio

Hybrid attack graphs are a powerful tool when analyzing the cybersecurity of a cyber-physical system. However, it is important to ensure that this tool correctly models reality, particularly when modelling safety-critical applications, such as a nuclear reactor. By automatically verifying that a simulation reaches the state predicted by an attack graph by analyzing the final state of the simulation, this verification procedure can be accomplished. As such, a mechanism to estimate if a simulation reaches the expected state in a hybrid attack graph is proposed here for the nuclear reactor domain.

The field of robotics has matured using artificial intelligence and machine learning such that intelligent robots are being developed in the form of autonomous vehicles. The anticipated widespread use of intelligent robots and their potential to do harm has raised interest in their security. This research evaluates a cyberattack on the machine learning policy of an autonomous vehicle by designing and attacking a robotic vehicle operating in a dynamic environment. The primary contribution of this research is an initial assessment of effective manipulation through an indirect attack on a robotic vehicle using the Q learning algorithm for real-time routing control. Secondly, the research highlights the effectiveness of this attack along with relevant artifact issues.

This paper presents the development and configuration of a virtually air-gapped cloud environment in AWS, to secure the production software workloads and patient data (ePHI) and to achieve HIPAA compliance.

Deep Learning Models are vulnerable to adversarial inputs, samples modified in order to maximize error of the system. We hereby introduce Spartan Networks, Deep Learning models that are inherently more resistant to adverarial examples, without doing any input preprocessing out of the network or adversarial training. These networks have an adversarial layer within the network designed to starve the network of information, using a new activation function to discard data. This layer trains the neural network to filter-out usually-irrelevant parts of its input. These models thus have a slightly lower precision, but report a higher robustness under attack than unprotected models.

One of the main security concerns of enterprise-level organizations which provide network-based services is combating with complex cybersecurity attacks like advanced persistent threats (APTs). The main features of these attacks are being multilevel, multi-step, long-term and persistent. Also they use an intrusion kill chain (IKC) model to proceed the attack steps and reach their goals on targets. Traditional security solutions like firewalls and intrusion detection and prevention systems (IDPSs) are not able to prevent APT attack strategies and block them. Recently, deception techniques are proposed to defend network assets against malicious activities during IKC progression. One of the most promising approaches against APT attacks is Moving Target Defense (MTD). MTD techniques can be applied to attack steps of any abstraction levels in a networked infrastructure (application, host, and network) dynamically for disruption of successful execution of any on the fly IKCs. In this paper, after presentation and discussion on common introduced IKCs, one of them is selected and is used for further analysis. Also, after proposing a new and comprehensive taxonomy of MTD techniques in different levels, a mapping analysis is conducted between IKC models and existing MTD techniques. Finally, the effect of MTD is evaluated during a case study (specifically IP Randomization). The experimental results show that the MTD techniques provide better means to defend against IKC-based intrusion activities.

This is very true for the Windows operating system (OS) used by government and private organizations. With Windows, the closed source nature of the operating system has unfortunately meant that hidden security issues are discovered very late and the fixes are not found in real time. There needs to be a reexamination of current static methods of malware detection. This paper presents an integrated system for automated and real-time monitoring and prediction of rootkit and malware threats for the Windows OS. We propose to host the target Windows machines on the widely used Xen hypervisor, and collect process behavior using virtual memory introspection (VMI). The collected data will be analyzed using state of the art machine learning techniques to quickly isolate malicious process behavior and alert system administrators about potential cyber breaches. This research has two focus areas: identifying memory data structures and developing prediction tools to detect malware. The first part of research focuses on identifying memory data structures affected by malware. This includes extracting the kernel data structures with VMI that are frequently targeted by rootkits/malware. The second part of the research will involve development of a prediction tool using machine learning techniques.

To add more functionality and enhance usability of web applications, JavaScript (JS) is frequently used. Even with many advantages and usefulness of JS, an annoying fact is that many recent cyberattacks such as drive-by-download attacks exploit vulnerability of JS codes. In general, malicious JS codes are not easy to detect, because they sneakily exploit vulnerabilities of browsers and plugin software, and attack visitors of a web site unknowingly. To protect users from such threads, the development of an accurate detection system for malicious JS is soliciting. Conventional approaches often employ signature and heuristic-based methods, which are prone to suffer from zero-day attacks, i.e., causing many false negatives and/or false positives. For this problem, this paper adopts a machine-learning approach to feature learning called Doc2Vec, which is a neural network model that can learn context information of texts. The extracted features are given to a classifier model (e.g., SVM and neural networks) and it judges the maliciousness of a JS code. In the performance evaluation, we use the D3M Dataset (Drive-by-Download Data by Marionette) for malicious JS codes and JSUPACK for benign ones for both training and test purposes. We then compare the performance to other feature learning methods. Our experimental results show that the proposed Doc2Vec features provide better accuracy and fast classification in malicious JS code detection compared to conventional approaches.

Smart Grid cybersecurity is one of the key ingredients for successful and wide scale adaptation of the Smart Grid by utilities and governments around the world. The implementation of the Smart Grid relies mainly on the highly distributed sensing and communication functionalities of its components such as Wireless Sensor Networks (WSNs), Phasor Measurement Units (PMUs) and other protection devices. This distributed nature and the high number of connected devices are the main challenges for implementing cybersecurity in the smart grid. As an example, the North American Electric Reliability Corporation (NERC) issued the Critical Infrastructure Protection (CIP) standards (CIP-002 through CIP-009) to define cybersecurity requirements for critical power grid infrastructure. However, NERC CIP standards do not specify cybersecurity for different communication technologies such as WSNs, fiber networks and other network types. Implementing security mechanisms in WSNs is a challenging task due to the limited resources of the sensor devices. WSN security mechanisms should not only focus on reducing the power consumption of the sensor devices, but they should also maintain high reliability and throughput needed by Smart Grid applications. In this paper, we present a WSN cybersecurity mechanism suitable for smart grid monitoring application. Our mechanism can detect and isolate various attacks in a smart grid environment, such as denial of sleep, forge and replay attacks in an energy efficient way. Simulation results show that our mechanism can outperform existing techniques while meeting the NERC CIP requirements.

We introduce a new cybersecurity project named RIVALS. RIVALS will assist in developing network defense strategies through modeling adversarial network attack and defense dynamics. RIVALS will focus on peer-to-peer networks and use coevolutionary algorithms. In this contribution, we describe RIVALS' current suite of coevolutionary algorithms that use archiving to maintain progressive exploration and that support different solution concepts as fitness metrics. We compare and contrast their effectiveness by executing a standard coevolutionary benchmark (Compare-on-one) and RIVALS simulations on 3 different network topologies. Currently, we model denial of service (DOS) attack strategies by the attacker selecting one or more network servers to disable for some duration. Defenders can choose one of three different network routing protocols: shortest path, flooding and a peer-to-peer ring overlay to try to maintain their performance. Attack completion and resource cost minimization serve as attacker objectives. Mission completion and resource cost minimization are the reciprocal defender objectives. Our experiments show that existing algorithms either sacrifice execution speed or forgo the assurance of consistent results. rIPCA, our adaptation of a known coevolutionary algorithm named IPC A, is able to more consistently produce high quality results, albeit without IPCA's guarantees for results with monotonically increasing performance, without sacrificing speed.

Distributed Denial of Service (DDoS) attacks routinely disrupt access to critical services. Mitigation of these attacks often relies on planned over-provisioning or elastic provisioning of resources, and third-party monitoring, analysis, and scrubbing of network traffic. While volumetric attacks which saturate a victim's network are most common, non-volumetric, low and slow, DDoS attacks can achieve their goals without requiring high traffic volume by targeting vulnerable network protocols or protocol implementations. Non-volumetric attacks, unlike their noisy counterparts, require more sophisticated detection mechanisms, and typically have only post-facto and targeted protocol/application mitigations. In this paper, we introduce our work under the Adaptive Resource Management Enabling Deception (ARMED) effort, which is developing a network-level approach to automatically mitigate sophisticated DDoS attacks through deception-focused adaptive maneuvering. We describe the concept, implementation, and initial evaluation of the ARMED Network Actors (ANAs) that facilitate transparent interception, sensing, analysis, and mounting of adaptive responses that can disrupt the adversary's decision process.

Network analysts have long used two-dimensional security visualizations to make sense of overwhelming amounts of network data. As networks grow larger and more complex, two-dimensional displays can become convoluted, compromising user cyber-threat perspective. Using augmented reality to display data with cyber-physical context creates a naturally intuitive interface that helps restore perspective and comprehension sacrificed by complicated two-dimensional visualizations. We introduce Mobile Augmented Reality for Cybersecurity, or MARCS, as a platform to visualize a diverse array of data in real time and space to improve user perspective and threat response. Early work centers around CovARVT and ConnectAR, two proof of concept, prototype applications designed to visualize intrusion detection and wireless association data, respectively.

Cyber security management of systems in the cyberspace has been a challenging problem for both practitioners and the research community. Their proprietary nature along with the complexity renders traditional approaches rather insufficient and creating the need for the adoption of a holistic point of view. This paper draws upon the principles theory game in order to present a novel systemic approach towards cyber security management, taking into account the complex inter-dependencies and providing cost-efficient defense solutions.

The Cyber Transport Systems (CTSs) have made significant advancement along with the development of the information technology and transportation industries worldwide. The rapid proliferation of cyber transportation technology provides rich information and infinite possibilities for our society to understand and use the complex inherent mechanism, which governs the novel intelligence world. In addition, applying information technology to cyber transportation applications open a range of new application scenarios, such as vehicular safety, energy efficiency, reduced pollution, and intelligent maintenance services. However, while enjoying the services and convenience provided by CTS, users, vehicles, even the systems might lose privacy during information transmitting and processing. This paper summarizes the state-of-art research findings on information privacy issues in a broad range. We firstly introduce the typical types of information and the basic mechanisms of information communication in CTS. Secondly, considering the information privacy issues of CTS, we present the literature on information privacy issues and privacy protection approaches in CTS. Thirdly, we discuss the emerging challenges and the opportunities for the information technology community in CTS.

Big data is a buzzword used to describe massive volumes of data that provides opportunities of exploring new insights through data analytics. However, big data is mostly structured but can be semi-structured or unstructured. It is normally so large that it is not only difficult but also slow to process using traditional computing systems. One of the solutions is to format the data as graph data structures and process them on shared memory architecture to use fast and novel policies such as transactional memory. In most graph applications in big data type problems such as bioinformatics, social networks, and cybersecurity, graphs are sparse in nature. Due to this sparsity, we have the opportunity to use Transactional Memory (TM) as the synchronization policy for critical sections to speedup applications. At low conflict probability TM performs better than most synchronization policies due to its inherent non-blocking characteristics. TM can be implemented in Software, Hardware or a combination of both. However, hardware TM implementations are fast but limited by scarce hardware resources while software implementations have high overheads which can degrade performance. In this paper, we develop a low overhead, yet simple, dynamically adaptive (i.e., at runtime) hybrid (i.e., combines hardware and software) TM (DyAd-HyTM) scheme that combines the best features of both Hardware TM (HTM) and Software TM (STM) while adapting to application's requirements. It performs better than coarse-grain lock by up to 8.12x, a low overhead STM by up to 2.68x, a couple of implementations of HTMs (by up to 2.59x), and other HyTMs (by up to 1.55x) for SSCA-2 graph benchmark running on a multicore machine with a large shared memory.

A recent paper (Oakland 2017) discussed science and security research in the context of the government-funded Science of Security movement, and the history and prospects of security as a scientific pursuit. It drew on literature from within the security research community, and mature history and philosophy of science literature. The paper sparked debate in numerous organizations and the security community. Here we consider some of the main ideas, provide a summary list of relevant literature, and encourage discussion within the Moving Target Defense (MTD) sub-community1.

Process anomaly is used for detecting cyber-physical attacks on critical infrastructure such as plants for water treatment and electric power generation. Identification of process anomaly is possible using rules that govern the physical and chemical behavior of the process within a plant. These rules, often referred to as invariants, can be derived either directly from plant design or from the data generated in an operational. However, for operational legacy plants, one might consider a data-centric approach for the derivation of invariants. The study reported here is a comparison of design-centric and data-centric approaches to derive process invariants. The study was conducted using the design of, and the data generated from, an operational water treatment plant. The outcome of the study supports the conjecture that neither approach is adequate in itself, and hence, the two ought to be integrated.

In a world of ever-increasing systems interdependence, effective cybersecurity policy design seems to be one of the most critically understudied elements of our national security strategy. Enterprise cyber technologies are often implemented without much regard to the interactions that occur between humans and the new technology. Furthermore, the interactions that occur between individuals can often have an impact on the newly employed technology as well. Without a rigorous, evidence-based approach to ground an employment strategy and elucidate the emergent organizational needs that will come with the fielding of new cyber capabilities, one is left to speculate on the impact that novel technologies will have on the aggregate functioning of the enterprise. In this paper, we will explore a scenario in which a hypothetical government agency applies a complexity science perspective, supported by agent-based modeling, to more fully understand the impacts of strategic policy decisions. We present a model to explore the socio-technical dynamics of these systems, discuss lessons using this platform, and suggest further research and development.

The U.S. federal governments and agencies face increasingly sophisticated and persistent cyber threats and cyberattacks from black hat hackers who breach cybersecurity for malicious purposes or for personal gain. With the rise of malicious attacks that caused untold financial damage and substantial reputational damage, private-sector high-tech firms such as Google, Microsoft and Yahoo have adopted an innovative practice known as vulnerability reward program (VRP) or bug bounty program which crowdsources software bug detection from the cybersecurity community. In an alignment with the 2016 U.S. Cybersecurity National Action Plan, the Department of Defense adopted a pilot VRP in 2016. This paper examines the Pentagon's VRP and examines how it may fit with the national cybersecurity policy and the need for new and enhanced cybersecurity capability development. Our case study results show the feasibility of the government adoption and implementation of the innovative concept of VRP to enhance the government cybersecurity posture.

Today cyber security is one of the most active fields of re- search due to its wide range of impact in business, govern- ment and everyday life. In recent years machine learning methods and algorithms have been quite successful in a num- ber of security areas. In this paper, we explore an approach to classify intrusion called multi-perspective machine learn- ing (MPML). For any given cyber-attack there are multiple methods of detection. Every method of detection is built on one or more network characteristic. These characteristics are then represented by a number of network features. The main idea behind MPML is that, by grouping features that support the same characteristics into feature subsets called perspectives, this will encourage diversity among perspectives (classifiers in the ensemble) and improve the accuracy of prediction. Initial results on the NSL- KDD dataset show at least a 4% improvement over other ensemble methods such as bagging boosting rotation forest and random for- est.

Organizations develop technical and procedural measures to protect information systems. Relying only on technical based security solutions is not enough. Organizations must consider technical security solutions along with social, human, and organizational factors. The human element represents the employees (insiders) who use the information systems and other technology resources in their day-to-day operations. ISP awareness is essential to protect organizational information systems. This study adapts the Innovation Diffusion Theory to examine the antecedents of ISP awareness and its impact on the satisfaction with ISP and security practices. A sample of 236 employees in universities in the United States is collected to evaluate the research model. Results indicated that ISP quality, self-efficacy, and technology security awareness significantly impact ISP awareness. The current study presents significant contributions toward understanding the antecedents of ISP awareness and provides a starting point toward including satisfaction aspect in information security behavioral domain.

This paper suggests a conceptual mechanism for increasing the security level of the global information community, national information technology infrastructures (e-governments) and private cloud structures, which uses the logical characteristic of IPv6-protocol. The mechanism is based on the properties of the IPv6-header and, in particular, rules of coding IPv6-addresses.

This study seeks to investigate how the development of e-government services impacts on cybersecurity. The study uses the methods of correlation and multiple regression to analyse two sets of global data, the e-government development index of the 2015 United Nations e-government survey and the 2015 International Telecommunication Union global cybersecurity development index (GCI 2015). After analysing the various contextual factors affecting e-government development, the study found that, various composite measures of e-government development are significantly correlated with cybersecurity development. The therefore study contributes to the understanding of the relationship between e-government and cybersecurity development. The authors developed a model to highlight this relationship and have validated the model using empirical data. This is expected to provide guidance on specific dimensions of e-government services that will stimulate the development of cybersecurity. The study provided the basis for understanding the patterns in cybersecurity development and has implication for policy makers in developing trust and confidence for the adoption e-government services.

Cyber-attacks and intrusions in cyber-physical control systems are, currently, difficult to reliably prevent. Knowing a system's vulnerabilities and implementing static mitigations is not enough, since threats are advancing faster than the pace at which static cyber solutions can counteract. Accordingly, the practice of cybersecurity needs to ensure that intrusion and compromise do not result in system or environment damage or loss. In a previous paper [2], we described the Cyberspace Security Econometrics System (CSES), which is a stakeholder-aware and economics-based risk assessment method for cybersecurity. CSES allows an analyst to assess a system in terms of estimated loss resulting from security breakdowns. In this paper, we describe two new related contributions: 1) We map the Cyberspace Security Econometrics System (CSES) method to the evaluation and mitigation steps described by the NIST Guide to Industrial Control Systems (ICS) Security, Special Publication 800-82r2. Hence, presenting an economics-based and stakeholder-aware risk evaluation method for the implementation of the NIST-SP-800-82 guide; and 2) We describe the application of this tailored method through the use of a fictitious example of a critical infrastructure system of an electric and gas utility.

The expeditious expansion of the networking technologies have remarkably driven the usage of the distributedcomputing as well as services, such as task offloading to the cloud. However, security and privacy concerns are restricting the implementations of cloud computing because of the threats from both outsiders and insiders. The primary alternative of protecting users' data is developing a Fully Homomorphic Encryption (FHE) scheme, which can cover both data protections and data processing in the cloud. Despite many previous attempts addressing this approach, none of the proposed work can simultaneously satisfy two requirements that include the non-noise accuracy and an efficiency execution. This paper focuses on the issue of FHE design and proposes a novel FHE scheme, which is called Optimal Fully Homomorphic Encryption (O-FHE). Our approach utilizes the properties of the Kronecker Product (KP) and designs a mechanism of achieving FHE, which consider both accuracy and efficiency. We have assessed our scheme in both theoretical proofing and experimental evaluations with the confirmed and exceptional results.

Smart water networks can provide great benefits to our society in terms of efficiency and sustainability. However, smart capabilities and connectivity also expose these systems to a wide range of cyber attacks, which enable cyber-terrorists and hostile nation states to mount cyber-physical attacks. Cyber-physical attacks against critical infrastructure, such as water treatment and distribution systems, pose a serious threat to public safety and health. Consequently, it is imperative that we improve the resilience of smart water networks. We consider three approaches for improving resilience: redundancy, diversity, and hardening. Even though each one of these "canonical" approaches has been throughly studied in prior work, a unified theory on how to combine them in the most efficient way has not yet been established. In this paper, we address this problem by studying the synergy of these approaches in the context of protecting smart water networks from cyber-physical contamination attacks.