
Proceedings of the 16th International Conference on Availability, Reliability and Security: latest publications

A Medium-Interaction Emulation and Monitoring System for Operational Technology
Stefano Bistarelli, Emanuele Bosimini, Francesco Santini
We present LOGistICS, a monitoring framework with the aim of studying the security of industrial PLC systems. The architecture encompasses different processing components and probes with different tasks. In particular, this paper focuses on the description of a new medium-interaction honeypot attracting Modbus and S7comm traffic. With respect to related open projects (e.g. Conpot), our proposal is highly extensible and configurable, and it allows for interacting more with an attacker while remaining less detectable. With LOGistICS the main objective is to study the behaviour of hosts that are interested in attacking industrial services.
DOI: https://doi.org/10.1145/3465481.3470100 | Published: 2021-08-16 | Citations: 3
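The abstract describes a medium-interaction honeypot for Modbus traffic but not its internals. Below is an added example in Go, not code from LOGistICS or its authors, of the core such a honeypot needs: a Modbus/TCP responder that parses the MBAP header, serves Read Holding Registers (function code 0x03) from an emulated register map, answers everything else with a genuine Modbus exception frame rather than dropping the connection, and produces a log event per request. The register contents, the `Event` type and all function names are this example's own assumptions; S7comm is not covered.

```go
package main

import (
	"encoding/binary"
	"errors"
	"io"
	"log"
	"net"
)

// Emulated PLC state (constructed values, not from any real device): sixteen holding registers.
var holdingRegs = [16]uint16{0x0000, 0x0101, 0x0202, 0x0303, 0x1234, 0x5678}

// Event is what the honeypot logs for every frame it receives.
type Event struct {
	TransactionID uint16
	UnitID        byte
	FunctionCode  byte
	Exception     byte // 0 when the request was served
}

const fcReadHoldingRegs = 0x03
const excIllegalFunction, excIllegalDataAddr, excIllegalDataValue = 0x01, 0x02, 0x03

// HandleModbusFrame parses one Modbus/TCP ADU (7-byte MBAP header plus PDU) and returns the
// response ADU with a log event. Unsupported requests get a genuine Modbus exception frame,
// as a PLC would answer, instead of a dropped connection that would give the honeypot away.
func HandleModbusFrame(adu []byte) ([]byte, Event, error) {
	// MBAP: transaction id, protocol id (always 0), length (unit id plus PDU), unit id.
	if len(adu) < 8 || binary.BigEndian.Uint16(adu[2:4]) != 0 || int(binary.BigEndian.Uint16(adu[4:6])) != len(adu)-6 {
		return nil, Event{}, errors.New("malformed MBAP header")
	}
	tid, pdu := binary.BigEndian.Uint16(adu[0:2]), adu[7:]
	ev := Event{TransactionID: tid, UnitID: adu[6], FunctionCode: pdu[0]}
	var respPDU []byte
	switch pdu[0] {
	case fcReadHoldingRegs: // FC 03: start address, quantity (2 bytes each)
		if len(pdu) != 5 {
			return nil, ev, errors.New("bad FC03 length")
		}
		start, qty := binary.BigEndian.Uint16(pdu[1:3]), binary.BigEndian.Uint16(pdu[3:5])
		switch {
		case qty < 1 || qty > 125:
			ev.Exception = excIllegalDataValue
		case int(start)+int(qty) > len(holdingRegs):
			ev.Exception = excIllegalDataAddr
		default:
			respPDU = []byte{fcReadHoldingRegs, byte(2 * qty)}
			for i := start; i < start+qty; i++ {
				respPDU = append(respPDU, byte(holdingRegs[i]>>8), byte(holdingRegs[i]))
			}
		}
	default: // writes, diagnostics, device identification, vendor codes: logged, then refused
		ev.Exception = excIllegalFunction
	}
	if ev.Exception != 0 {
		respPDU = []byte{pdu[0] | 0x80, ev.Exception}
	}
	resp := make([]byte, 7, 7+len(respPDU))
	binary.BigEndian.PutUint16(resp[0:2], tid)
	binary.BigEndian.PutUint16(resp[4:6], uint16(1+len(respPDU)))
	resp[6] = adu[6]
	return append(resp, respPDU...), ev, nil
}

// readADU reads exactly one framed request using the MBAP length field (an ADU is at most 260 bytes).
func readADU(r io.Reader) ([]byte, error) {
	adu := make([]byte, 7, 260)
	if _, err := io.ReadFull(r, adu); err != nil {
		return nil, err
	}
	n := int(binary.BigEndian.Uint16(adu[4:6]))
	if n < 2 || n > 254 {
		return nil, errors.New("bad MBAP length")
	}
	adu = adu[:6+n]
	_, err := io.ReadFull(r, adu[7:])
	return adu, err
}

// serve handles one attacker connection; hand it every net.Conn accepted from a listener on port 502.
func serve(conn net.Conn) {
	defer conn.Close()
	for {
		adu, err := readADU(conn)
		if err != nil {
			return
		}
		resp, ev, err := HandleModbusFrame(adu)
		log.Printf("%s tid=%d unit=%d fc=0x%02x exception=%d err=%v", conn.RemoteAddr(), ev.TransactionID, ev.UnitID, ev.FunctionCode, ev.Exception, err)
		if err != nil {
			return
		}
		if _, err := conn.Write(resp); err != nil {
			return
		}
	}
}
```

Answering unknown function codes with exception 0x01 instead of closing the socket keeps the emulation consistent with how a real PLC behaves, which matters for a honeypot that wants to stay hard to fingerprint. Write functions (FC 0x06, 0x10) fit the same switch, and swapping the register map per emulated device is how such a honeypot is made configurable.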
Towards Secure Evaluation of Online Functionalities
Andreas Klinger, Ulrike Meyer
To date, ideal functionalities securely realized with secure multi-party computation (SMPC) mainly consider functions of the private inputs of a fixed number of a priori known parties. In this paper, we generalize these definitions such that protocols implementing online algorithms in a distributed fashion can be proven to be privacy-preserving. Online algorithms compute online functionalities that allow parties to join and leave over time, to provide multiple inputs and to obtain multiple outputs. In particular, the set of participating parties changes over time, i.e., at different points in time different sets of parties evaluate a function over their private inputs. To this end, we propose the notion of an online trusted third party that allows one to prove the security of SMPC protocols implementing online functionalities or online algorithms, respectively. We show that any online functionality can be implemented with perfect security in the presence of a semi-honest adversary if strictly less than 1/2 of the participating parties are corrupted. We show that the same result holds in the presence of a malicious adversary if it corrupts strictly less than 1/3 of the parties and always allows the corrupted parties to arrive.
DOI: https://doi.org/10.1145/3465481.3469203 | Published: 2021-08-16 | Citations: 2
Subverting Counter Mode Encryption for Hidden Communication in High-Security Infrastructures
Alexander Hartl, J. Fabini, Christoph Roschger, Peter Eder-Neuhauser, Marco Petrovic, Roman Tobler, T. Zseby
In highly security-critical network environments, it is a popular design decision to offload cryptographic tasks like encryption or signature generation to a dedicated trusted module or key server with paramount security features, which in this paper we refer to by the general term Cryptographic Key Management Device (CKMD). While this network design yields several benefits, we demonstrate that the use of popular counter-mode encryption modes like CTR or GCM can show substantial shortcomings in terms of security when used in conjunction with this network design. In particular, we show how the use of authenticated encryption using GCM enables the possibility of establishing a subliminal channel by exploiting the authentication information within messages. We show how decoding of hidden information can proceed in addition to decryption of overt information without raising authentication failures. With an exemplary but typical infrastructure, we show how the subliminal channel might be exploited and discuss approaches to mitigating the threat by preventing the ability to embed hidden information. In contrast to previous work, we conclude that, when an infrastructure involving a CKMD and GCM is deployed, the use of random, CKMD-generated Initialization Vectors (IVs) is beneficial to avoid the subliminal channel described in this paper. However, the most potent remedy is deploying a different operational mode like GCM-SIV.
DOI: https://doi.org/10.1145/3465481.3470082 | Published: 2021-08-16 | Citations: 1
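The abstract does not give the paper's own construction, so the following added example in Go (not the authors' code) shows the textbook way a subliminal channel arises from GCM tags when the requesting host may choose the nonce: the sender asks the CKMD to encrypt the same overt plaintext under fresh nonces until the low bits of the tag spell the hidden symbol, and a colluding observer reads those bits straight off the wire without any key. The `ckmd` type, its methods and the 4-bit symbol size are assumptions of the example; Go's standard-library AES-256-GCM stands in for a real key server.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// ckmd stands in for the key server of the abstract: the requesting host never sees the
// key and only gets AES-256-GCM output back (ciphertext followed by the 16-byte tag).
type ckmd struct{ aead cipher.AEAD }

func newCKMD() (*ckmd, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &ckmd{aead: aead}, nil
}

// sealChosenIV models a CKMD interface that lets the requester supply the 96-bit nonce.
func (c *ckmd) sealChosenIV(iv, plaintext, aad []byte) []byte {
	return c.aead.Seal(nil, iv, plaintext, aad)
}

// open is the legitimate receiver's decrypt-and-verify; the hidden bits never trip it.
func (c *ckmd) open(iv, sealed, aad []byte) ([]byte, error) {
	return c.aead.Open(nil, iv, sealed, aad)
}

// tagBits returns the low k bits of the GCM tag, readable by anyone who sees the wire.
func tagBits(sealed []byte, k uint) uint64 {
	tag := sealed[len(sealed)-16:]
	return binary.BigEndian.Uint64(tag[8:]) & (1<<k - 1)
}

// embedSymbol is the subliminal sender: it re-requests encryption of the same overt
// plaintext under fresh nonces until the tag's low k bits equal the hidden symbol.
// Expected cost is 2^k CKMD calls; the overt message and its tag stay perfectly valid.
func embedSymbol(c *ckmd, plaintext, aad []byte, symbol uint64, k uint) (iv, sealed []byte, tries int) {
	iv = make([]byte, c.aead.NonceSize())
	for tries = 1; ; tries++ {
		if _, err := rand.Read(iv); err != nil {
			panic(err)
		}
		sealed = c.sealChosenIV(iv, plaintext, aad)
		if tagBits(sealed, k) == symbol {
			return iv, sealed, tries
		}
	}
}

type record struct{ iv, sealed []byte }

// EmbedHidden sends one overt message per 4-bit symbol of the hidden payload.
func EmbedHidden(c *ckmd, overt, aad, hidden []byte) []record {
	recs := make([]record, 0, 2*len(hidden))
	for _, b := range hidden {
		for _, sym := range []uint64{uint64(b >> 4), uint64(b & 0x0f)} {
			iv, sealed, _ := embedSymbol(c, overt, aad, sym, 4)
			recs = append(recs, record{iv, sealed})
		}
	}
	return recs
}

// ExtractHidden is the colluding observer: it reads tags only and never needs the key.
func ExtractHidden(recs []record) []byte {
	out := make([]byte, 0, len(recs)/2)
	for i := 0; i+1 < len(recs); i += 2 {
		out = append(out, byte(tagBits(recs[i].sealed, 4)<<4|tagBits(recs[i+1].sealed, 4)))
	}
	return out
}

func main() {
	c, err := newCKMD()
	if err != nil {
		panic(err)
	}
	recs := EmbedHidden(c, []byte("SET valve_3 OPEN"), nil, []byte("key")) // constructed overt command
	fmt.Printf("%d innocuous messages leaked %q via tag bits\n", len(recs), ExtractHidden(recs))
}
```

Every record still decrypts and authenticates for the legitimate receiver, which is why no authentication failure is ever raised. The trick depends on the requester being able to re-request encryption under nonces of its choosing; a CKMD that draws the nonce itself, as the abstract recommends, removes that degree of freedom (the requester would then have to vary the overt plaintext to influence the tag), and a different mode such as GCM-SIV is the stronger remedy the authors name.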
SteælErgon: A Framework for Injecting Colluding Malicious Payload in Android Applications
Rosangela Casolare, Giovanni Ciaramella, F. Martinelli, F. Mercaldo, A. Santone
Mobile malware is growing in number and its complexity is constantly increasing. Malware authors are continuously looking for new ways to elude anti-malware controls. Anti-malware tools are not able to detect zero-day malware, because to detect malicious behaviour they need to know its signature, but to have this information the malware must already be widespread. Furthermore, anti-malware tools are able to scan one application at a time: for this reason a type of malware characterized by the colluding attack, where the malicious action is split across two (or more) applications, cannot be recognised. To demonstrate the ineffectiveness of current anti-malware mechanisms in recognizing colluding attacks, in this paper we propose SteælErgon, a framework aimed at injecting a malicious payload into two or more different Android applications. Clearly the malicious payload will be executed once all the applications composing the collusive attack are installed on the infected device. In detail, SteælErgon is able to inject a collusive malicious payload attacking the external storage, allowing the attacker to capture sensitive and private information stored on the infected device. We perform an experimental analysis by submitting the generated colluding applications to 79 different anti-malware products, showing that current detection mechanisms are not able to detect this kind of threat. To boost research focusing attention on colluding attacks we freely release SteælErgon, which is available for research purposes at the following URL: https://github.com/vigimella/StealErgon.
DOI: https://doi.org/10.1145/3465481.3470077 | Published: 2021-08-16 | Citations: 1
A Machine Learning Driven Threat Intelligence System for Malicious URL Detection
Rupa Chiramdasu, Gautam Srivastava, S. Bhattacharya, Praveen Kumar Reddy Maddikunta, T. Gadekallu
Malicious websites predominantly promote the growth of criminal activities over the Internet, restraining the development of web services. Furthermore, we see different types of devices being equipped with WiFi capabilities, which allow web traffic to pass through the device's data systems with ease. The proposed framework in the present study analyzes the Uniform Resource Locator (URL) through which malicious users can gain access to the content of the websites. It thus eliminates issues of run-time latency and the possibility of users being subjected to browser-oriented vulnerabilities. The primary objective of this paper is to detect malicious links on the web using a machine learning classification technique that would help users defend against cyber-crime attacks and related threats of the real world. This may be helpful in the newly expanding Intelligent Infrastructures, where we see more data availability almost daily. The embedding of malicious URLs is a predominant web threat faced by the Internet community in the present day and age. Attackers falsely claim to be a trustworthy entity and lure users into clicking on compromised links to extract confidential information, making them victims of identity theft. The present work explores the various ways of detecting malicious links from the host-based and lexical features of the URL in order to protect users from being subjected to identity theft attacks.
DOI: https://doi.org/10.1145/3465481.3470029 | Published: 2021-08-16 | Citations: 17
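As an added illustration in Go, not the authors' system, here is a feature extractor for the lexical URL properties the abstract mentions: literal-IP hosts, userinfo tricks, label and path depth, digit and special-character counts, host-name entropy and phishing-style tokens. The host-based features it also mentions (domain age, DNS data) need network access and are left out. The feature set, the token list and the sample URLs are constructed for the example; a classifier would be trained on vectors like these.

```go
package main

import (
	"fmt"
	"math"
	"net"
	"net/url"
	"strings"
	"unicode"
)

// Features are lexical URL properties of the kind the abstract refers to. The host-based
// features it also mentions (domain age, DNS records) need network lookups and are omitted.
type Features struct {
	Length      int     // full URL length
	HostLabels  int     // dot-separated labels in the host name
	PathDepth   int     // non-empty path segments
	Digits      int     // digit characters anywhere in the URL
	Specials    int     // '-', '_', '@', '%', '~' characters
	IPHost      bool    // host is a literal IP address instead of a name
	HasUserinfo bool    // user@host form, used to hide the real destination
	HTTPS       bool
	Tokens      int     // occurrences of phishing-style words
	HostEntropy float64 // Shannon entropy of the host name, high for generated names
}

// Assumption: a small word list typical of credential-phishing URLs; a real system would learn it.
var suspiciousTokens = []string{"login", "signin", "verify", "secure", "account", "update", "bank"}

func entropy(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	h, n := 0.0, float64(len([]rune(s)))
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// Extract parses the URL and computes the lexical feature vector a classifier would consume.
func Extract(raw string) (Features, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return Features{}, err
	}
	host := u.Hostname()
	f := Features{
		Length:      len(raw),
		HostLabels:  len(strings.Split(host, ".")),
		IPHost:      net.ParseIP(host) != nil,
		HasUserinfo: u.User != nil,
		HTTPS:       u.Scheme == "https",
		HostEntropy: entropy(host),
	}
	for _, seg := range strings.Split(u.Path, "/") {
		if seg != "" {
			f.PathDepth++
		}
	}
	for _, r := range raw {
		switch {
		case unicode.IsDigit(r):
			f.Digits++
		case strings.ContainsRune("-_@%~", r):
			f.Specials++
		}
	}
	lower := strings.ToLower(raw)
	for _, tok := range suspiciousTokens {
		f.Tokens += strings.Count(lower, tok)
	}
	return f, nil
}

func main() {
	for _, raw := range []string{ // constructed sample URLs, none of them real sites
		"https://www.example.com/docs/index.html",
		"http://192.168.1.10/portal/login.php?id=1&verify=1",
		"http://www.example.com@evil-host.test/secure-update",
	} {
		f, err := Extract(raw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-52s %+v\n", raw, f)
	}
}
```

The third sample shows why the userinfo flag matters: a reader sees `www.example.com` at the start of the URL, but the browser connects to the host after the `@`.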
Remote Attestation Extended to the Analog Domain
Lukas Jäger, Dominik Lorych
On embedded systems, Trusted Computing schemes can be used to detect manipulations of firmware. It is however not possible to detect a wide range of hardware manipulations such as passive listeners, active signal manipulations and circuit modifications. This work extends the Trusted Computing approach of detection through integrity measurement to the analog domain. It examines the step response of a circuit for its suitability as a component’s fingerprint. These fingerprints are combined with statistical comparison methods such as the Manhattan Distance or the Root Mean Square Error in order to provide a reliable fingerprint verification scheme. The fingerprinting and verification techniques are then combined with a remote attestation protocol based on the Device Identifier Composition Engine to yield a remote attestation scheme that covers both a device’s firmware and its peripheral hardware. This scheme is implemented and evaluated on a resource-constrained MCU in order to demonstrate its feasibility for embedded systems.
DOI: https://doi.org/10.1145/3465481.3465762 | Published: 2021-08-16 | Citations: 0
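An added example in Go, not the authors' implementation, of the verification step the abstract describes: a step-response trace is compared against the enrolled fingerprint with the Manhattan distance and the RMSE, and attestation passes only while both stay under calibrated thresholds. The first-order RC response, the noise ripple, the tampered time constant and the thresholds are all constructed assumptions standing in for ADC captures and enrollment data.

```go
package main

import (
	"fmt"
	"math"
)

// StepResponse samples the normalised step response of a first-order (RC-like) circuit,
// v(t) = 1 - exp(-t/tau), at n points spaced dt apart. It stands in for an ADC trace the
// attesting MCU would capture; the values are constructed, not measured.
func StepResponse(tau float64, n int, dt float64) []float64 {
	v := make([]float64, n)
	for i := range v {
		v[i] = 1 - math.Exp(-float64(i)*dt/tau)
	}
	return v
}

// Manhattan is the L1 distance between the enrolled trace and a measured one.
func Manhattan(ref, meas []float64) float64 {
	sum := 0.0
	for i := range ref {
		sum += math.Abs(ref[i] - meas[i])
	}
	return sum
}

// RMSE is the root mean square error between the two traces.
func RMSE(ref, meas []float64) float64 {
	sum := 0.0
	for i := range ref {
		d := ref[i] - meas[i]
		sum += d * d
	}
	return math.Sqrt(sum / float64(len(ref)))
}

// Assumed thresholds; in practice they come from repeated enrollment captures of the genuine board.
const maxL1, maxRMSE = 0.5, 0.01

// Verify is the attestation decision: the measured trace passes only if both distances to
// the enrolled fingerprint stay under their thresholds. The distances are returned for logging.
func Verify(ref, meas []float64) (ok bool, l1, rmse float64) {
	if len(ref) != len(meas) || len(ref) == 0 {
		return false, math.Inf(1), math.Inf(1)
	}
	l1, rmse = Manhattan(ref, meas), RMSE(ref, meas)
	return l1 <= maxL1 && rmse <= maxRMSE, l1, rmse
}

// withNoise adds a small deterministic ripple standing in for ADC noise on a genuine board.
func withNoise(trace []float64, amp float64) []float64 {
	out := make([]float64, len(trace))
	for i, v := range trace {
		out[i] = v + amp*math.Sin(1.7*float64(i))
	}
	return out
}

func main() {
	const n, dt = 64, 5.0 / 64 // 64 samples across five time constants
	enrolled := StepResponse(1.0, n, dt)                   // fingerprint taken at enrollment
	genuine := withNoise(StepResponse(1.0, n, dt), 0.005)  // same board later, with noise
	tampered := withNoise(StepResponse(1.3, n, dt), 0.005) // extra load on the line slows the edge
	for name, trace := range map[string][]float64{"genuine": genuine, "tampered": tampered} {
		ok, l1, rmse := Verify(enrolled, trace)
		fmt.Printf("%-9s pass=%-5v L1=%.3f RMSE=%.4f\n", name, ok, l1, rmse)
	}
}
```

A 30 % change in the time constant, of the size an added probe or replaced component might cause, moves the L1 distance by roughly an order of magnitude above the noise floor, which is the margin the thresholds exploit; in a real deployment the two metrics would be calibrated per circuit and the pass/fail bit folded into the attestation evidence alongside the firmware measurements.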
On Strengthening SMEs and MEs Threat Intelligence and Awareness by Identifying Data Breaches, Stolen Credentials and Illegal Activities on the Dark Web
George Pantelis, Petros Petrou, Sophia Karagiorgou, D. Alexandrou
During the last decades, Dark Web content has risen in necessity in an increasingly connected world, where international anonymous networks provide access to data marketplaces and illicit multimedia material through the TOR or I2P networks. The motivation behind this paper is to gauge the current state and growth of the Dark Web in relation to the role it plays, with special focus on Small and Medium-sized Enterprises (SMEs and MEs). More specifically, we devise Machine Learning and specialised Information Retrieval techniques to extract insights and investigate how the Dark Web enables cybercrime and maintains marketplaces with breached enterprise data collections and pwned email accounts. The research questions that we address concern: a) the role that the Dark Web plays for SMEs, MEs, and society in general; b) the criticality of cybercriminal activities and operations in the Dark Web, exploiting threat taxonomies and scoring schemes; and c) the maturity and efficiency of technical tools and methods to curb illegal activities on the Dark Web through raising awareness via efficient text analytics, visual reporting and alerting mechanisms.
DOI: https://doi.org/10.1145/3465481.3469201 | Published: 2021-08-16 | Citations: 4
A Serious Game Design Framework for Software Developers to Put GDPR into Practice
Abdulrahman Alhazmi, N. Arachchilage
The growth of the internet has significantly increased data breaches (i.e. privacy breaches) in software systems. It could be argued that software developers have failed to implement privacy in software systems in line with the appropriate privacy guidelines or laws, such as the General Data Protection Regulation (GDPR). GDPR has a set of guidelines that enables software developers to implement privacy in software systems. Nevertheless, these guidelines have been developed with lawyers in mind, rather than software developers. This could hinder developers from putting GDPR into practice and eventually lead to data breaches through the systems they develop. On the other hand, software developers also need help (e.g. tooling support or educational interventions). Therefore, this paper proposes a game design framework, as an educational intervention, to teach software developers to implement privacy-preserving software systems taking GDPR on board. The proposed framework focuses on improving developers' secure coding behavior through their motivation. It also ensures software developers can put GDPR into practice when developing privacy-preserving software systems.
DOI: https://doi.org/10.1145/3465481.3470031 | Published: 2021-08-16 | Citations: 4
Evaluating the Data Inconsistency of Open-Source Vulnerability Repositories
Yuning Jiang, M. Jeusfeld, Jianguo Ding
Modern security practices promote quantitative methods to provide prioritisation insights and support predictive analysis, which is supported by open-source cybersecurity databases such as the Common Vulnerabilities and Exposures (CVE), the National Vulnerability Database (NVD), CERT, and vendor websites. These public repositories provide a way to standardise and share up-to-date vulnerability information, with the purpose to enhance cybersecurity awareness. However, data quality issues of these vulnerability repositories may lead to incorrect prioritisation and misemployment of resources. In this paper, we aim to empirically analyse the data quality impact of vulnerability repositories for actual information technology (IT) and operating technology (OT) systems, especially on data inconsistency. Our case study shows that data inconsistency may misdirect investment of cybersecurity resources. Instead, correlated vulnerability repositories and trustworthiness data verification bring substantial benefits for vulnerability management.
DOI: 10.1145/3465481.3470093 (https://doi.org/10.1145/3465481.3470093). Published 2021-08-16 in Proceedings of the 16th International Conference on Availability, Reliability and Security.
Citations: 7
From Threat Data to Actionable Intelligence: An Exploratory Analysis of the Intelligence Cycle Implementation in Cyber Threat Intelligence Sharing Platforms
Clemens Sauerwein, D. Fischer, Milena Rubsamen, Guido Rosenberger, D. Stelzer, R. Breu
In the last couple of years, organizations have demonstrated an increasing willingness to share data, information and intelligence regarding emerging threats to collectively protect against today’s sophisticated cyber attacks. Accordingly, several vendors started to implement software solutions that facilitate this exchange and appear under the name cyber threat intelligence sharing platforms. However, recent investigations have shown that these platforms differ significantly in their functional scope and often only provide threat data instead of the promised actionable intelligence. Moreover, it is unclear to what extent the platforms implement the expected intelligence cycle processes. In order to close this gap, we investigate the state-of-the-art in scientific literature and analyze the functional scope of nine threat intelligence sharing platforms with respect to the intelligence cycle. Our study provides a comprehensive list of software functions that should be implemented by cyber threat intelligence sharing platforms in order to support the intelligence cycle to generate actionable threat intelligence.
DOI: 10.1145/3465481.3470048 (https://doi.org/10.1145/3465481.3470048). Published 2021-08-16 in Proceedings of the 16th International Conference on Availability, Reliability and Security.
Citations: 6
Journal: Proceedings of the 16th International Conference on Availability, Reliability and Security
Copyright © 2023 Book学术. All rights reserved.