Biblio

The issues of development and legal regulation of cybersecurity in Ukraine are considered. The expediency of further improvement of the regulatory framework, its implementation and development of cybersecurity systems is substantiated. Further development of the theoretical base of cyber defense using spline functions is proposed. The characteristics of network traffic are considered from the point of view of detecting DDoS cyber attacks (SYN-Flood, ICMP-Flood, UDP-Flood) and predicting DDoS cyber-attacks using spline functions. The spline extrapolation method makes it possible to predict DDoS cyber attacks with great accuracy.

Target attack identification and detection has always been a concern of network security in the current environment. However, the economic losses caused by DDoS attacks are also enormous. In recent years, DDoS attack detection has made great progress mainly in the user application layer of the network layer. In this paper, a review and discussion are carried out according to the different detection methods and platforms. This paper mainly includes three parts, which respectively review statistics-based machine learning detection, target attack detection on SDN platform and attack detection on cloud service platform. Finally, the research suggestions for DDoS attack detection are given.

Software Defined Networking (SDN) is an emerging technology, which provides the flexibility in communicating among network. Software Defined Network features separation of the data forwarding plane from the control plane which includes controller, resulting centralized network. Due to centralized control, the network becomes more dynamic, and resources are managed efficiently and cost-effectively. Network Virtualization is transformation of network from hardware-based to software-based. Network Function Virtualization will permit implementation, adaptable provisioning, and even management of functions virtually. The use of virtualization of SDN networks permits network to strengthen the features of SDN and virtualization of NFV and has for that reason has attracted notable research awareness over the last few years. SDN platform introduces network security challenges. The network becomes vulnerable when a large number of requests is encapsulated inside packet\_in messages and passed to controller from switch for instruction, if it is not recognized by existing flow entry rules. which will limit the resources and become a bottleneck for the entire network leading to DDoS attack. It is necessary to have quick provisional methods to prevent the switches from breaking down. To resolve this problem, the researcher develops a mechanism that detects and mitigates flood attacks. This paper provides a comprehensive survey which includes research relating frameworks which are utilized for detecting attack and later mitigation of flood DDoS attack in Software Defined Network (SDN) with the help of NFV.

Embedded memory are important components in system-on-chip, which may be crippled by aging and wear faults or Hardware Trojan attacks to compromise run-time security. The current built-in self-test and pre-silicon verification lack efficiency and flexibility to solve this problem. To this end, we address such vulnerabilities by proposing a run-time memory security detecting framework in this paper. The solution builds mainly upon a centralized security detection controller for partially reconfigurable inspection content, and a static memory wrapper to handle access conflicts and buffering testing cells. We show that a field programmable gate array prototype of the proposed framework can pursue 16 memory faults and 3 types Hardware Trojans detection with one reconfigurable partition, whereas saves 12.7% area and 2.9% power overhead compared to a static implementation. This architecture has more scalable capability with little impact on the memory accessing throughput of the original chip system in run-time detection.

Global cybersecurity threats have grown as a result of the evolving digital transformation. Cybercriminals have more opportunities as a result of digitization. Initially, cyberthreats take the form of phishing in order to gain confidential user credentials.As cyber-attacks get more sophisticated and sophisticated, the cybersecurity industry is faced with the problem of utilising cutting-edge technology and techniques to combat the ever-present hostile threats. Hackers use phishing to persuade customers to grant them access to a company’s digital assets and networks. As technology progressed, phishing attempts became more sophisticated, necessitating the development of tools to detect phishing.Machine learning is unsupervised one of the most powerful weapons in the fight against terrorist threats. The features used for phishing detection, as well as the approaches employed with machine learning, are discussed in this study.In this light, the study’s major goal is to propose a unique, robust ensemble machine learning model architecture that gives the highest prediction accuracy with the lowest error rate, while also recommending a few alternative robust machine learning models.Finally, the Random forest algorithm attained a maximum accuracy of 96.454 percent. But by implementing a hybrid model including the 3 classifiers- Decision Trees,Random forest, Gradient boosting classifiers, the accuracy increases to 98.4 percent.

Risk management is an essential part of software security. Assemblyline is a software security tool developed by the Canadian Centre for Cyber Security (CCCS) for malware detection and analysis. In this paper, we examined the performance of Assemblyline for assessing the risk of executable files. We developed and examined use-cases where Assemblyline is included as part of a security safety net assessing vulnerabilities that would lead to risk. Finally, we considered Assemblyline’s utility in a continuous integration / delivery context using our test results.

With the advancement in Generative Adversarial Networks (GAN), it has become easier than ever to generate fake images. These images are more realistic and non-discernible by untrained eyes and can be used to propagate fake information on the Internet. In this paper, we propose a novel method to detect GAN generated fake images by using a combination of frequency spectrum of image and deep learning. We apply Discrete Fourier Transform to each of 3 color channels of the image to obtain its frequency spectrum which shows if the image has been upsampled, a common trend in most GANs, and then train a Capsule Network model with it. Conducting experiments on a dataset of almost 1000 images based on Unconditional data modeling (StyleGan2 - ADA) gave results indicating that the model is promising with accuracy over 99% when trained on the state-of-the-art GAN model. In theory, our model should give decent results when trained with one dataset and tested on another.

Phishing is a frequent assault in which unsuspecting people’s unique, private, and sensitive information is stolen through fake websites. The primary objective of phishing websites’consistent resource allocators isto steal unique, private, and sensitive information such as user login passwords and online financial transactions. Phishers construct phony websites that look and sound just like genuine things. With the advent of technology, there are protecting users significantly increased in phishing methods. It necessitates the development of an anti-phishing technology to identify phishing and protect users. Machine learning is a useful technique for combating phishing attempts. These articles were utilized to examine Machine learning for detection strategies and characteristics.

Plagiarism is the act of using someone else’s words or ideas without giving them due credit and representing it as one’s own work. In today's world, it is very easy to plagiarize others' work due to advancement in technology, especially by the use of the Internet or other offline sources such as books or magazines. Plagiarism can be classified into two broad categories on the basis of detection namely extrinsic and intrinsic plagiarism. Extrinsic plagiarism detection refers to detecting plagiarism in a document by comparing it against a given reference dataset, whereas, Intrinsic plagiarism detection refers to detecting plagiarism with the help of variation in writing styles without using any reference corpus. Although there are many approaches which can be adopted to detect extrinsic plagiarism, few are available for intrinsic plagiarism detection. In this paper, a simplified approach is proposed for developing an intrinsic plagiarism detector which is helpful in detecting plagiarism even when no reference corpus is available. The approach deals with development of an intrinsic plagiarism detection system by identifying the writing style of authors in the document using stylometric features and Density-Based Spatial Clustering of Applications with Noise (DBSCAN) clustering. The proposed system has an easy to use interactive interface where user has to upload a text document to be checked for plagiarism and the result is displayed on the web page itself. In addition, the user can also see the analysis of the document in the form of graphs.

Crypto-ransomware is a malware that uses the system’s cryptography functions to encrypt user data. The irreversible effect of crypto-ransomware makes it challenging to survive the attack compared to other malware categories. When a crypto-ransomware attack encrypts user files, it becomes difficult to access these files without having the decryption key. Due to the availability of ransomware development tool kits like Ransomware as a Service (RaaS), many ransomware variants are being developed. This contributes to the rise of ransomware attacks witnessed nowadays. However, the conventional approaches employed by malware detection solutions are not suitable to detect ransomware. This is because ransomware needs to be detected as early as before the encryption takes place. These attacks can effectively be handled only if detected during the pre-encryption phase. Early detection of ransomware attacks is challenging due to the limited amount of data available before encryption. An adaptive pre-encryption model is proposed in this paper which is expected to deal with the population concept drift of crypto-ransomware given the limited amount of data collected during the pre-encryption phase of the attack lifecycle. With such adaptability, the model can maintain up-to-date knowledge about the attack behavior and identify the polymorphic ransomware that continuously changes its behavior.

Cyber-Physical Systems (CPS) tightly couple information technology with physical processes, which rises new vulnerabilities such as physical attacks that are beyond conventional cyber attacks. Attackers may non-invasively compromise sensors and spoof the controller to perform unsafe actions. This issue is even emphasized with the increasing autonomy in CPS. While this fact has motivated many defense mechanisms against sensor attacks, a clear vision on the timing and usability (or the false alarm rate) of attack detection still remains elusive. Existing works tend to pursue an unachievable goal of minimizing the detection delay and false alarm rate at the same time, while there is a clear trade-off between the two metrics. Instead, we argue that attack detection should bias different metrics when a system sits in different states. For example, if the system is close to unsafe states, reducing the detection delay is preferable to lowering the false alarm rate, and vice versa. To achieve this, we make the following contributions. In this paper, we propose a real-time adaptive sensor attack detection framework. The framework can dynamically adapt the detection delay and false alarm rate so as to meet a detection deadline and improve the usability according to different system status. The core component of this framework is an attack detector that identifies anomalies based on a CUSUM algorithm through monitoring the cumulative sum of difference (or residuals) between the nominal (predicted) and observed sensor values. We augment this algorithm with a drift parameter that can govern the detection delay and false alarm. The second component is a behavior predictor that estimates nominal sensor values fed to the core component for calculating the residuals. The predictor uses a deep learning model that is offline extracted from sensor data through leveraging convolutional neural network (CNN) and recurrent neural network (RNN). The model relies on little knowledge of the system (e.g., dynamics), but uncovers and exploits both the local and complex long-term dependencies in multivariate sequential sensor measurements. The third component is a drift adaptor that estimates a detection deadline and then determines the drift parameter fed to the detector component for adjusting the detection delay and false alarms. Finally, we implement the proposed framework and validate it using realistic sensor data of automotive CPS to demonstrate its efficiency and efficacy.

Emerging blockchain and cryptocurrency-based technologies are redefining the way we conduct business in cyberspace. Today, a myriad of blockchain and cryp-tocurrency systems, applications, and technologies are widely available to companies, end-users, and even malicious actors who want to exploit the computational resources of regular users through cryptojacking malware. Especially with ready-to-use mining scripts easily provided by service providers (e.g., Coinhive) and untraceable cryptocurrencies (e.g., Monero), cryptojacking malware has become an indispensable tool for attackers. Indeed, the banking industry, major commercial websites, government and military servers (e.g., US Dept. of Defense), online video sharing platforms (e.g., Youtube), gaming platforms (e.g., Nintendo), critical infrastructure resources (e.g., routers), and even recently widely popular remote video conferencing/meeting programs (e.g., Zoom during the Covid-19 pandemic) have all been the victims of powerful cryptojacking malware campaigns. Nonetheless, existing detection methods such as browser extensions that protect users with blacklist methods or antivirus programs with different analysis methods can only provide a partial panacea to this emerging crypto-jacking issue as the attackers can easily bypass them by using obfuscation techniques or changing their domains or scripts frequently. Therefore, many studies in the literature proposed cryptojacking malware detection methods using various dynamic/behavioral features. However, the literature lacks a systemic study with a deep understanding of the emerging cryptojacking malware and a comprehensive review of studies in the literature. To fill this gap in the literature, in this SoK paper, we present a systematic overview of cryptojacking malware based on the information obtained from the combination of academic research papers, two large cryptojacking datasets of samples, and 45 major attack instances. Finally, we also present lessons learned and new research directions to help the research community in this emerging area.

IP Identification (IP ID) is an IP header field that identifies a data packet in the network to distinguish its fragments from others during the reassembly process. Random generated IP ID field could be used as a covert channel by embedding hidden bits within it. This paper uses the support vector machine (SVM) while enabling a features reduction procedure for investigating to what extend could the entropy feature of the IP ID covert channel affect the detection. Then, an entropy-based SVM is employed to evaluate the roles of the IP ID covert channel hidden bits on detection. Results show that, entropy is a distinct discrimination feature in classifying and detecting the IP ID covert channel with high accuracy. Additionally, it is found that each of the type, the number and the position of the hidden bits within the IP ID field has a specified influence on the IP ID covert channel detection accuracy.

With the rapid growth of data exfiltration carried out by cyber attacks, Covert Timing Channels (CTC) have become an imminent network security risk that continues to grow in both sophistication and utilization. These types of channels utilize inter-arrival times to steal sensitive data from the targeted networks. CTC detection relies increasingly on machine learning techniques, which utilize statistical-based metrics to separate malicious (covert) traffic flows from the legitimate (overt) ones. However, given the efforts of cyber attacks to evade detection and the growing column of CTC, covert channels detection needs to improve in both performance and precision to detect and prevent CTCs and mitigate the reduction of the quality of service caused by the detection process. In this article, we present an innovative image-based solution for fully automated CTC detection and localization. Our approach is based on the observation that the covert channels generate traffic that can be converted to colored images. Leveraging this observation, our solution is designed to automatically detect and locate the malicious part (i.e., set of packets) within a traffic flow. By locating the covert parts within traffic flows, our approach reduces the drop of the quality of service caused by blocking the entire traffic flows in which covert channels are detected. We first convert traffic flows into colored images, and then we extract image-based features for detection covert traffic. We train a classifier using these features on a large data set of covert and overt traffic. This approach demonstrates a remarkable performance achieving a detection accuracy of 95.83% for cautious CTCs and a covert traffic accuracy of 97.83% for 8 bit covert messages, which is way beyond what the popular statistical-based solutions can achieve.

This paper discusses DDoS attacks, their current threat level and IDS systems, which are one of the main tools to protect against them. It focuses on the problems encountered by IDS systems in detecting DDoS attacks and the difficulties and challenges of integrating them with artificial intelligence systems today.

In contrast to traditional grids, smart grids can help utilities save energy, thereby reducing operating costs. In the smart grid, the quality of monitoring and control can be fully improved by combining computing and intelligent communication knowledge. However, this will expose the system to FDI attacks, and the system is vulnerable to intrusion. Therefore, it is very important to detect such erroneous data injection attacks and provide an algorithm to protect the system from such attacks. In this paper, a FDI detection method based on LSTM has been proposed, which is validated by the simulation on the ieee-14 bus platform.

Network traffic analysis and deep packet inspection are time-consuming tasks, which current processors can not handle at 100 Gbps speed. Therefore security systems need fast packet processing with hardware acceleration. With the growing of encrypted network traffic, it is necessary to extend Intrusion Detection Systems (IDSes) and other security tools by new detection methods. Security tools started to use classifiers trained by machine learning techniques based on decision trees. Random Forest, Compact Random Forest and AdaBoost provide excellent result in network traffic analysis. Unfortunately, hardware architectures for these machine learning techniques need high utilisation of on-chip memory and logic resources. Therefore we propose several optimisations of highly pipelined architecture for acceleration of machine learning techniques based on decision trees. The optimisations use the various encoding of a feature vector to reduce hardware resources. Due to the proposed optimisations, it was possible to reduce LUTs by 70.5 % for HTTP brute force attack detection and BRAMs by 50 % for application protocol identification. Both with only negligible impact on classifiers' accuracy. Moreover, proposed optimisations reduce wires and multiplexors in the processing pipeline, positively affecting the proposed architecture's maximal achievable frequency.

This advanced research survey aims to perform intrusion detection and routing in ad hoc networks in wireless MANET networks using machine learning techniques. The MANETs are composed of several ad-hoc nodes that are randomly or deterministically distributed for communication and acquisition and to forward the data to the gateway for enhanced communication securely. MANETs are used in many applications such as in health care for communication; in utilities such as industries to monitor equipment and detect any malfunction during regular production activity. In general, MANETs take measurements of the desired application and send this information to a gateway, whereby the user can interpret the information to achieve the desired purpose. The main importance of MANETs in intrusion detection is that they can be trained to detect intrusion and real-time attacks in the CIC-IDS 2019 dataset. MANETs routing protocols are designed to establish routes between the source and destination nodes. What these routing protocols do is that they decompose the network into more manageable pieces and provide ways of sharing information among its neighbors first and then throughout the whole network. The landscape of exciting libraries and techniques is constantly evolving, and so are the possibilities and options for experiments. Implementing the framework in python helps in reducing syntactic complexity, increases performance compared to implementations in scripting languages, and provides memory safety.

Resilience has been defined as a priority for the US critical infrastructure. This paper presents a process for incorporating resiliency-derived metrics into security system evaluations. To support this analysis, we used a multi-layer network model (MLN) reflecting the defined security system of a hypothetical nuclear power plant to define what metrics would be useful in understanding a system’s ability to absorb perturbation (i.e., system resilience). We defined measures focusing on the system’s criticality, rapidity, diversity, and confidence at each network layer, simulated adversary path, and the system as a basis for understanding the system’s resilience. For this hypothetical system, our metrics indicated the importance of physical infrastructure to overall system criticality, the relative confidence of physical sensors, and the lack of diversity in assessment activities (i.e., dependence on human evaluations). Refined model design and data outputs will enable more nuanced evaluations into temporal, geospatial, and human behavior considerations. Future studies can also extend these methodologies to capture respond and recover aspects of resilience, further supporting the protection of critical infrastructure.

With the rapid development of the Internet and communication technologies, efficient management of cyberspace, safe monitoring and protection of various network assets can effectively improve the overall level of network security protection. Accurate, effective and comprehensive network asset detection is the prerequisite for effective network asset management, and it is also the basis for security monitoring and analysis. This paper proposed an artificial intelligence algorithm based scheme which accurately identify the website icon and help to determine the ownership of network assets. Through experiments based on data set collected from real network, the result demonstrate that the proposed scheme has higher accuracy and lower false alarm rate, and can effectively reduce the training cost.

Ransomware attack is posting a serious threat against Android devices and stored data that could be locked or/and encrypted by such attack. Existing solutions attempt to detect and prevent such attack by studying different features and applying various analysis mechanisms including static, dynamic or both. In this paper, recent ransomware detection solutions were investigated and compared. Moreover, a deep analysis of android permissions was conducted to identify significant android permissions that can discriminate ransomware with high accuracy before harming users' devices. Consequently, based on the outcome of this analysis, a permissions-based ransomware detection system is proposed. Different classifiers were tested to build the prediction model of this detection system. After the evaluation of the ransomware detection service, the results revealed high detection rate that reached 96.9%. Additionally, the newly permission-based android dataset constructed in this research will be made available to researchers and developers for future work.

This paper presents Forensic methods for detection and prevention of multiple attacks along with neural networks like Denial-of-Service (DoS), probe, vampire, and User-to-Root (U2R) attacks, in a Mobile Ad hoc Network (MANET). We accomplish attacker(s) detection and prevention percentage upto 99% in varied node density scenarios 50/100/150.

Development of an intrusion detection system, which tries to detect signs of technology of malware, is discussed. The system can detect signs of technology of malware such as peer to peer (P2P) communication, DDoS attack, Domain Generation Algorithm (DGA), and network scanning. The system consists of beneficial botnet and the R statistical computing system. The beneficial botnet is a group of Wiki servers, agent bots and analyzing bots. The script in a Wiki page of the Wiki server controls an agent bot or an analyzing bot. An agent bot is placed between a LAN and its gateway. It can capture every packet between hosts in the LAN and hosts behind the gateway from the LAN. An analyzing bot can be placed anywhere in the LAN or WAN if it can communicate with the Wiki server for controlling the analyzing bot. The analyzing bot has R statistical computing system and it can analyze data which is collected by agent bots.

Connected vehicles as a promising concept of Intelligent Transportation System (ITS), are a potential solution to address some of the existing challenges of emission, traffic congestion as well as fuel consumption. To achieve these goals, connectivity among vehicles through the wireless communication network is essential. However, vehicular communication networks endure from reliability and security issues. Cyber-attacks with purposes of disrupting the performance of the connected vehicles, lead to catastrophic collision and traffic congestion. In this study, we consider a platoon of connected vehicles equipped with Cooperative Adaptive Cruise Control (CACC) which are subjected to a specific type of cyber-attack namely "False Data Injection" attack. We developed a novel method to model the attack with ghost vehicles injected into the connected vehicles network to disrupt the performance of the whole system. To aid the analysis, we use a Partial Differential Equation (PDE) model. Furthermore, we present a PDE model-based diagnostics scheme capable of detecting the false data injection attack and isolating the injection point of the attack in the platoon system. The proposed scheme is designed based on a PDE observer with measured velocity and acceleration feedback. Lyapunov stability theory has been utilized to verify the analytically convergence of the observer under no attack scenario. Eventually, the effectiveness of the proposed algorithm is evaluated with simulation study.

Security has always been one of the main concerns in the field of computer architecture and cloud computing. Cache-based side-channel attacks pose a threat to almost all existing architectures and cloud computing. Especially in the public cloud, the cache is shared among multiple tenants, and cache attacks can make good use of this to extract information. Cache side-channel attacks are a problem to be solved for security, in which how to accurately detect cache side-channel attacks has been a research hotspot. Because the cache side-channel attack does not require the attacker to physically contact the target device and does not need additional devices to obtain the side channel information, the cache-side channel attack is efficient and hidden, which poses a great threat to the security of cryptographic algorithms. Based on the AES algorithm, this paper uses hardware performance counters to obtain the features of different cache events under Flush + Reload, Prime + Probe, and Flush + Flush attacks. Firstly, the random forest algorithm is used to filter the cache features, and then the support vector machine algorithm is used to model the system. Finally, high detection accuracy is achieved under different system loads. The detection accuracy of the system is 99.92% when there is no load, the detection accuracy is 99.85% under the average load, and the detection accuracy under full load is 96.57%.