Biblio

Due to the increased diversity and complexity of cyberattacks, innovative and effective analytics are needed in order to identify critical cyber incidents on a corporate network even if no ground truth data is available. This paper develops an automated system which processes a set of intrusion alerts to create behavior aggregates and then classifies these aggregates into empirical attack models through a dynamic Bayesian approach with innovative feature engineering methods. Each attack model represents a unique collective attack behavior that helps to identify critical activities on the network. Using 2017 National Collegiate Penetration Testing Competition data, it is demonstrated that the developed system is capable of generating and refining unique attack models that make sense to human, without a priori knowledge.

Cybersecurity cannot be addressed by technology alone; the most intractable aspects are in fact sociotechnical. As a result, the 'human factor' has been recognised as being the weakest and most obscure link in creating safe and secure digital environments. This study examines the subjective and often complex nature of human factors in the cybersecurity context through a systematic literature review of 27 articles which span across technical, behavior and social sciences perspectives. Results from our study suggest that there is still a predominately a technical focus, which excludes the consideration of human factors in cybersecurity. Our literature review suggests that this is due to a lack of consolidation of the attributes pertaining to human factors; the application of theoretical frameworks; and a lack of in-depth qualitative studies. To ensure that these gaps are addressed, we propose that future studies take into consideration (a) consolidating the human factors; (b) examining cyber security from an interdisciplinary approach; (c) conducting additional qualitative research whilst investigating human factors in cybersecurity.

We propose a novel visualization technique (Eagle-Eye) for intrusion detection, which visualizes a host as a commu- nity of system call traces in two-dimensional space. The goal of EagleEye is to visually cluster the system call traces. Although human eyes can easily perceive anomalies using EagleEye view, we propose two different methods called SAM and CPM that use the concept of data depth to help administrators distinguish between normal and abnormal behaviors. Our experimental results conducted on Australian Defence Force Academy Linux Dataset (ADFA-LD), which is a modern system calls dataset that includes new exploits and attacks on various programs, show EagleEye's efficiency in detecting diverse exploits and attacks.

Financial fraud is commonly represented by the use of illegal practices where they can intervene from senior managers until payroll employees, becoming a crime punishable by law. There are many techniques developed to analyze, detect and prevent this behavior, being the most important the fraud triangle theory associated with the classic financial audit model. In order to perform this research, a survey of the related works in the existing literature was carried out, with the purpose of establishing our own framework. In this context, this paper presents FraudFind, a conceptual framework that allows to identify and outline a group of people inside an banking organization who commit fraud, supported by the fraud triangle theory. FraudFind works in the approach of continuous audit that will be in charge of collecting information of agents installed in user's equipment. It is based on semantic techniques applied through the collection of phrases typed by the users under study for later being transferred to a repository for later analysis. This proposal encourages to contribute with the field of cybersecurity, in the reduction of cases of financial fraud.

Capturing the patterns in adversarial movement can provide valuable information regarding how the adversaries progress through cyberattacks. This information can be further employed for making comparisons and interpretations of decision making of the adversaries. In this study, we propose a framework based on concepts of social networks to characterize and compare the patterns, variations and shifts in the movements made by an adversarial team during a real-time cybersecurity exercise. We also explore the possibility of movement association with the skill sets using topological sort networks. This research provides preliminary insight on adversarial movement complexity and linearity and decision-making as cyberattacks unfold.

As the Internet of Things (IoT) era raise, billions of additional connected devices in new locations and applications will create new challenges. Security and privacy are among the major challenges in IoT as any breaches and misuse in those aspects will have the adverse impact on users. Among many factors that determine the security of any system, human factor is the most important aspect to be considered; as it is renowned that human is the weakest link in the information security cycle. Experts express the need to increase cyber resilience culture and a focus on the human factors involved in cybersecurity to counter cyber risks. The aim of this study is to propose a conceptual model to improve cyber resilience in IoT users that is adapted from a model in public health sector. Cyber resilience is improved through promoting security behavior by gathering the existing knowledge and gain understanding about every contributing aspects. The proposed approach is expected to be used as foundation for government, especially in Indonesia, to derive strategies in improving cyber resilience of IoT users.

Recognising user behaviour in real time is an important element of providing appropriate information and help to take suitable action or decision regarding cybersecurity threats. A user's security behaviour profile is a set of structured data and information to describe a user in an interactive environment between the user and computer. The first step for behaviour profiling is user behaviour model development including data collection. The data collection should be transparent as much as possible with minimum user interaction. Monitoring individual actions to obtain labelled training data is less costly and more effective in creating a behaviour profile. The most challenging issue in computer user security can be identifying suitable data. This research aims to determine required observation measures to capture user-system interactions to understand user's behaviour and create a user profile for cybersecurity purposes.

Human is the weakest link in information security. Even with strong cyber security policies an organization can still be hacked because of a human error. Even if people are aware of the policies and their importance they might not behave accordingly. This shows to the importance of studying and measuring human behavior toward cyber security policies. This paper introduces a new instrument that can be used to measure human behavior toward cybersecurity policies through creative measures. The goal is to gather data about human behaviors toward cybersecurity policies in natural environment. This method of gathering information allows people to behave normally and don't feel the need to answer perfectly. The paper illustrates all the previous work related to the subject, summarizing previous work in order to improve what have been previously done. The methodology seeks on measuring behavior based on specific measures. These measures are the password, email, identity, sensitive data, and physical/resource security. Each measure has a number of policies used to measure behavior. These policies were selected among several policies based on literature from the same field and the opinion of experts in the field. These question that went through several rounds of check were used to build the proposed-instrument. This instrument then shall be used by researchers to collect data and perform the required analysis. This paper discusses the behavior pattern in a detail and concise manner. The paper demonstrates that it is posable to measure behavior if the right we questions were asked in the right way.

Cybersecurity is a growing concern for private individuals and professional entities. Thereby, reports have shown that the majority of cybersecurity incidents occur because users fail to behave securely. Research on human cybersecurity (HCS) behavior suggests that time pressure is one of the important driving factors behind insecure HCS behavior. However, as our review reveals, studies on the role of time pressure in HCS are scant and there is no framework that can inform researchers and practitioners on this matter. In this paper, we present a conceptual framework consisting of contexts, psychological constructs, and boundary conditions pertaining to the role time pressure plays on HCS behavior. The framework is also validated and extended by findings from semi-structured interviews of different stakeholder groups comprising of cybersecurity experts, professionals, and general users. The framework will serve as a guideline for future studies exploring different aspects of time pressure in cybersecurity contexts and also to identify potential countermeasures for the detrimental impact of time pressure on HCS behavior.

Model validation, though a process that's continuous and complex, establishes confidence in the soundness and usefulness of a model. Making sure that the model behaves similar to the modes of behavior seen in real systems, allows the builder of said model to assure accumulation of confidence in the model and thus validating the model. While doing this, the model builder is also required to build confidence from a target audience in the model through communicating to the bases. The basis of the system dynamics model validation, both in general and in the field of cyber security, relies on a casual loop diagram of the system being agreed upon by a group of experts. Model validation also uses formal quantitative and informal qualitative tools in addition to the validation techniques used by system dynamics. Amongst others, the usefulness of a model, in a user's eyes, is a valid standard by which we can evaluate them. To validate our system dynamics cyber security model, we used empirical structural and behavior tests. This paper describes tests of model structure and model behavior, which includes each test's purpose, the ways the tests were conducted, and empirical validation results using a proof-of-concept cyber security model.

Technical debt is an analogy introduced in 1992 by Cunningham to help explain how intentional decisions not to follow a gold standard or best practice in order to save time or effort during creation of software can later on lead to a product of lower quality in terms of product quality itself, reliability, maintainability or extensibility. Little work has been done so far that applies this analogy to cyber physical (production) systems (CP(P)S). Also there is only little work that uses this analogy for security related issues. This work aims to fill this gap: We want to find out which security related symptoms within the field of cyber physical production systems can be traced back to TD items during all phases, from requirements and design down to maintenance and operation. This work shall support experts from the field by being a first step in exploring the relationship between not following security best practices and concrete increase of costs due to TD as consequence.

As the connectivity within manufacturing processes increases in light of Industry 4.0, information security becomes a pressing issue for product suppliers, systems integrators, and asset owners. Reaching new heights in digitizing the manufacturing industry also provides more targets for cyber attacks, hence, cyber-physical production systems (CPPSs) must be adequately secured to prevent malicious acts. To achieve a sufficient level of security, proper defense mechanisms must be integrated already early on in the systems' lifecycle and not just eventually in the operation phase. Although standardization efforts exist with the objective of guiding involved stakeholders toward the establishment of a holistic industrial security concept (e.g., IEC 62443), a dedicated security development lifecycle for systems integrators is missing. This represents a major challenge for engineers who lack sufficient information security knowledge, as they may not be able to identify security-related activities that can be performed along the production systems engineering (PSE) process. In this paper, we propose a novel methodology named Security Development Lifecycle for Cyber-Physical Production Systems (SDL-CPPS) that aims to foster security by design for CPPSs, i.e., the engineering of smart production systems with security in mind. More specifically, we derive security-related activities based on (i) security standards and guidelines, and (ii) relevant literature, leading to a security-improved PSE process that can be implemented by systems integrators. Furthermore, this paper informs domain experts on how they can conduct these security-enhancing activities and provides pointers to relevant works that may fill the potential knowledge gap. Finally, we review the proposed approach by means of discussions in a workshop setting with technical managers of an Austrian-based systems integrator to identify barriers to adopting the SDL-CPPS.

The new instrumentation and control (I&C) systems of the nuclear power plants (NPPs) improve the ability to operate the plant enhance the safety and performance of the NPP. However, they bring a new type of threat to the NPP's industry-cyber threat. The early fault diagnostic system (EDS) is one of the decision support systems that might be used online during the operation stage. The EDS aim is to prevent the incident/accident evolution by a timely troubleshooting process during any plant operational modes. It means that any significative deviation of plant parameters from normal values is pointed-out to plant operators well before reaching any undesired threshold potentially leading to a prohibited plant state, together with the cause that has generated the deviation. The paper lists the key benefits using the EDS to counter the cyber threat and proposes the framework for cybersecurity assessment using EDS during the operational stage.

Smart Grid cyber-security sounds to be a critical issue, because of widespread development of information technology. To achieve secure and reliable operation, the complexity of human automation interaction (HAI) necessitates more sophisticated and intelligent methodologies. In this paper, an adaptive autonomy fuzzy expert system is developed using gradient descent algorithm to determine the Level of Automation (LOA), based on the changing of Performance Shaping Factors (PSF). These PSFs indicate the effects of environmental conditions on the performance of HAI. The major advantage of this method is that the fuzzy rule or membership function can be learnt without changing the form of the fuzzy rule in conventional fuzzy control. Because of data shortage, Leave-One-Out Cross-Validation (LOOCV) technique is applied for assessing how the results of proposed system generalizes to the new contingency situations. The expert system database is extracted from superior experts' judgments. In order to regard the importance of each PSF, weighted rules are also considered. In addition, some new environmental conditions are introduced that has not been seen before. Nine scenarios are discussed to reveal the performance of the proposed system. Results confirm that the presented fuzzy expert system can effectively calculates the proper LOA even in the new contingency situations.

The use of biometric-based authentication systems spread over daily life consumer electronics. Over the years, researchers' interest shifted from hard (such as fingerprints, voice and keystroke dynamics) to soft biometrics (such as age, ethnicity and gender), mainly by using the latter to improve the authentication systems effectiveness. While newer approaches are constantly being proposed by domain experts, in the last years Deep Learning has raised in many computer vision tasks, also becoming the current state-of-art for several biometric approaches. However, since the automatic processing of data rich in sensitive information could expose users to privacy threats associated to their unfair use (i.e. gender or ethnicity), in the last years researchers started to focus on the development of defensive strategies in the view of a more secure and private AI. The aim of this work is to exploit Adversarial Perturbation, namely approaches able to mislead state-of-the-art CNNs by injecting a suitable small perturbation over the input image, to protect subjects against unwanted soft biometrics-based identification by automatic means. In particular, since ethnicity is one of the most critical soft biometrics, as a case of study we will focus on the generation of adversarial stickers that, once printed, can hide subjects ethnicity in a real-world scenario.

Trust mechanisms are considered the logical protection of software systems, preventing malicious people from taking advantage or cheating others. Although these concepts are widely used, most applications in this field do not consider affective aspects to aid in trust computation. Researchers of Psychology, Neurology, Anthropology, and Computer Science argue that affective aspects are essential to human's decision-making processes. So far, there is a lack of understanding about how these aspects impact user's trust, particularly when they are inserted in an evaluation system. In this paper, we propose a trust model that accounts for personality using three personality models: Big Five, Needs, and Values. We tested our approach by extracting personality aspects from texts provided by two online human-fed evaluation systems and correlating them to reputation values. The empirical experiments show statistically significant better results in comparison to non-personality-wise approaches.

Currently, the guidelines for business entities to collect and use consumer information from online sources is guided by the Fair Information Practice Principles set forth by the Federal Trade Commission in the United States. These guidelines are inadequate, outdated, and provide little protection for consumers. Moreover, there are many techniques to anonymize the stored data that was collected by large companies and governments. However, what does not exist is a framework that is capable of evaluating and scoring the effects of this information in the event of a data breach. In this work, a framework for scoring and evaluating the vulnerability of private data is presented. This framework is created to be used in parallel with currently adopted frameworks that are used to score and evaluate other areas of deficiencies within the software, including CVSS and CWSS. It is dubbed the Privacy Assessment Vulnerability Scoring System (PAVSS) and quantifies the privacy-breach vulnerability an individual takes on when using an online platform. This framework is based on a set of hypotheses about user behavior, inherent properties of an online platform, and the usefulness of available data in performing a cyber attack. The weight each of these metrics has within our model is determined by surveying cybersecurity experts. Finally, we test the validity of our user-behavior based hypotheses, and indirectly our model by analyzing user posts from a large twitter data set.

This project develops techniques to protect against sensor attacks on cyber-physical systems. Specifically, a resilient version of the Kalman filtering technique accompanied with a watermarking approach is proposed to detect cyber-attacks and estimate the correct state of the system. The defense techniques are used in conjunction and validated on two case studies: i) an unmanned ground vehicle (UGV) in which an attacker alters the reference angle and ii) a Cube Satellite (CubeSat) in which an attacker modifies the orientation of the satellite degrading its performance. Based on this work, we show that the proposed techniques in conjunction achieve better resiliency and defense capability than either technique alone against spoofing and replay attacks.

Modern power systems today are protected and controlled increasingly by embedded systems of computing technologies with a great degree of collaboration enabled by communication. Energy cyber-physical systems such as power systems infrastructures are increasingly vulnerable to cyber-attacks on the protection and control layer. We present a method of securing protective relays from malicious change in protective relay settings via collaboration of devices. Each device checks the proposed setting changes of its neighboring devices for consistency and coordination with its own settings using setting rules based on relay coordination principles. The method is enabled via peer-to-peer communication between IEDs. It is validated in a cyber-physical test bed containing a real time digital simulator and actual relays that communicate via IEC 61850 GOOSE messages. Test results showed improvement in cyber physical security by using domain based rules to block malicious changes in protection settings caused by simulated cyber-attacks. The method promotes the use of defense systems that are aware of the physical systems which they are designed to secure.

Risk assessment of cyber-physical systems, such as power plants, connected devices and IT-infrastructures has always been challenging: safety (i.e., absence of unintentional failures) and security (i. e., no disruptions due to attackers) are conditions that must be guaranteed. One of the traditional tools used to help considering these problems is attack trees, a tree-based formalism inspired by fault trees, a well-known formalism used in safety engineering. In this paper we define and implement the translation of attack-fault trees (AFTs) to a new extension of timed automata, called parametric weighted timed automata. This allows us to parametrize constants such as time and discrete costs in an AFT and then, using the model-checker IMITATOR, to compute the set of parameter values such that a successful attack is possible. Using the different sets of parameter values computed, different attack and fault scenarios can be deduced depending on the budget, time or computation power of the attacker, providing helpful data to select the most efficient counter-measure.

Concurrency vulnerabilities are extremely harmful and can be frequently exploited to launch severe attacks. Due to the non-determinism of multithreaded executions, it is very difficult to detect them. Recently, data race detectors and techniques based on maximal casual model have been applied to detect concurrency vulnerabilities. However, the former are ineffective and the latter report many false negatives. In this paper, we present CONVUL, an effective tool for concurrency vulnerability detection. CONVUL is based on exchangeable events, and adopts novel algorithms to detect three major kinds of concurrency vulnerabilities. In our experiments, CONVUL detected 9 of 10 known vulnerabilities, while other tools only detected at most 2 out of these 10 vulnerabilities. The 10 vulnerabilities are available at https://github.com/mryancai/ConVul.

Cyber-event-triggered power grid blackout compels utility operators to intensify cyber-aware and physics-constrained recovery and restoration process. Recently, coordinated cyber attacks on the Ukrainian grid witnessed such a cyber-event-triggered power system blackout. Various cyber-physical system (CPS) testbeds have attempted with multitude designs to analyze such interdependent events and evaluate remedy measures. However, resource constraints and modular integration designs have been significant barriers while modeling large-scale grid models (scalability) and multi-grid isolated models (concurrency) under a single real-time execution environment for the hardware-in-the-loop (HIL) CPS security testbeds. This paper proposes a meticulous design and effective modeling for simulating large-scale grid models and multi-grid isolated models in a HIL realtime digital simulator environment integrated with industry-grade hardware and software systems. We have used our existing HIL CPS security testbed to demonstrate scalability by the realtime performance of a Texas-2000 bus US synthetic grid model and concurrency by the real-time performance of simultaneous ten IEEE-39 bus grid models and an IEEE-118 bus grid model. The experiments demonstrated significant results by 100% realtime performance with zero overruns, low latency while receiving and executing control signals from SEL Relays via IEC-61850 protocol and low latency while computing and transmitting grid data streams including stability measures via IEEE C37.118 synchrophasor data protocol to SEL Phasor Data Concentrators.

Localizing concurrency faults that occur in production is hard because, (1) detailed field data, such as user input, file content and interleaving schedule, may not be available to developers to reproduce the failure; (2) it is often impractical to assume the availability of multiple failing executions to localize the faults using existing techniques; (3) it is challenging to search for buggy locations in an application given limited runtime data; and, (4) concurrency failures at the system level often involve multiple processes or event handlers (e.g., software signals), which can not be handled by existing tools for diagnosing intra-process(thread-level) failures. To address these problems, we present SCMiner, a practical online bug diagnosis tool to help developers understand how a system-level concurrency fault happens based on the logs collected by the default system audit tools. SCMiner achieves online bug diagnosis to obviate the need for offline bug reproduction. SCMiner does not require code instrumentation on the production system or rely on the assumption of the availability of multiple failing executions. Specifically, after the system call traces are collected, SCMiner uses data mining and statistical anomaly detection techniques to identify the failure-inducing system call sequences. It then maps each abnormal sequence to specific application functions. We have conducted an empirical study on 19 real-world benchmarks. The results show that SCMiner is both effective and efficient at localizing system-level concurrency faults.

Smart contracts have been widely used on Ethereum to enable business services across various application domains. However, they are prone to different forms of security attacks due to the dynamic and non-deterministic blockchain runtime environment. In this work, we highlighted a general miner-side type of exploit, called concurrency exploit, which attacks smart contracts via generating malicious transaction sequences. Moreover, we designed a systematic algorithm to automatically detect such exploits. In our preliminary evaluation, our approach managed to identify real vulnerabilities that cannot be detected by other tools in the literature.

The proliferation of IoT devices in smart homes, hospitals, and enterprise networks is wide-spread and continuing to increase in a superlinear manner. The question is: how can one assess the security of an IoT network in a holistic manner? In this paper, we have explored two dimensions of security assessment- using vulnerability information and attack vectors of IoT devices and their underlying components (compositional security scores) and using SIEM logs captured from the communications and operations of such devices in a network (dynamic activity metrics). These measures are used to evaluate the security of IoT devices and the overall IoT network, demonstrating the effectiveness of attack circuits as practical tools for computing security metrics (exploitability, impact, and risk to confidentiality, integrity, and availability) of the network. We decided to approach threat modeling using attack graphs. To that end, we propose the notion of attack circuits, which are generated from input/output pairs constructed from CVEs using NLP, and an attack graph composed of these circuits. Our system provides insight into possible attack paths an adversary may utilize based on their exploitability, impact, or overall risk. We have performed experiments on IoT networks to demonstrate the efficacy of the proposed techniques.