International Journal of Information Security最新文献

A Multi-Channel Man-in-the-Middle (MC-MitM) attack is an advanced form of MitM attack, characterized by its ability to manipulate encrypted wireless communications between the Access Point (AP) and clients within a WiFi network. MC-MitM attacks can target any Wi-Fi client, regardless of the authentication method used with the AP. Notable examples of such attacks include Key Reinstallation Attacks and FragAttacks, which have impacted millions of WiFi systems worldwide, especially those involving Internet of Things devices. Current defense mechanisms are inadequate against these attacks due to interoperability challenges and the need for modifications to devices or protocols within the targeted Wi-Fi networks. This paper introduces a distributed and cooperative signature-based wireless intrusion detection mechanism designed for online passive monitoring to detect malicious traffic patterns during MC-MitM attacks in any environment, from apartments and houses to large areas like hotels, offices or industrial sites. We implemented the proposed framework on Raspberry Pis and evaluated it in real-world settings. Our evaluation demonstrates that this framework can effectively identify MC-MitM attacks with an average accuracy of 98% when deployed across different locations within our experimental testbed.

The complex and rapidly evolving nature of modern software landscapes introduces challenges such as increasingly sophisticated cyber threats, the diversity in programming languages and coding styles, and the need to identify subtle patterns indicative of vulnerabilities. These hurdles underscore the necessity for advanced techniques that can effectively cope with the intricacies of software security. Hence, this paper gives a comparative empirical study in harnessing the potential of cutting-edge natural language processing (NLP) advancements, namely Word2Vec and CodeBERT to detect vulnerabilities in C and C++ programs in the proposed Defect-Scanner framework. With the capability of converting code components and source code into contextual embedding vectors, various potential NLP techniques are combined with several DL models to evaluate the precision and accuracy of identifying vulnerabilities within software systems. Moreover, the experimentations are conducted using datasets with different representation types of codes, aiming to figure out the best combination of NLP techniques and DL models to work with each form of input. As a result, besides the outperformance of CodeBERT-based models with accuracies of approximately 90%, this comparative study also provides a comprehensive evaluation of NLP-based software vulnerability detection in the face of intricate security challenges.

We propose a covert channel and its implementation in Windows OS. This storage channel uses the Initial Sequence Number of TCP to hide four characters of text and the identification field to “sign” the message and thus understand if it has been altered during the transmission. The secret is sent in the first SYN segment to open a connection, and an ACK-RST response acknowledges the receipt. Designed error-correction codes make the protocol more robust and able to handle (IP) packet drops and transmission errors. In this paper, we provide a detailed discussion of the implementation and an evaluation of the stealthiness of the proposed channel: we inspect the generated traffic with two IDSs and RITA, a tool performing statistical analysis to detect malware beaconing.

Software-Defined Networking stands as a pivotal technology in attaining the essential levels of flexibility and scalability demanded by pervasive and high-performance network infrastructure required for digital connected services. Nonetheless, its disaggregated and layered architecture makes it open to the time-based fingerprinting attacks. Besides, limited flow table capacity of the switches alleviates table saturation attacks. In this paper, an automated attacker tool called TASOS is proposed to infer flow table utilization rate, size and replacement algorithm. With this set of information, the attacker can conduct intelligent saturation attacks. Furthermore, a lightweight defense mechanism (LIDISA) for proactively deleting flow rules is described. A comprehensive simulation setup with different network conditions shows that the proposed techniques achieve superior success rate in diverse settings.

With the immense growth of the internet, sensitive, confidential, important corporate and individual data passing through the internet has grown rapidly. Due to the limitation of security systems, potential hackers and attackers have possessed vulnerabilities and attacks for intruding into the network to gain confidential and sensitive information to affect the performance of networks by breaching network confidentiality. Thereby, to counterfeit these attacks and abnormal behaviors, a network intrusion detection system (NIDS), acts as a crucial branch of cybersecurity for analysis and monitoring the network traffic regularly to report and detect abnormal and malicious activities in a network. Currently, various reviews and survey papers have covered various techniques for NIDS, out of which, mostly followed a non-systematic way of approach without an in-depth analysis of techniques and evaluation metrics used by deep learning(DL) based NIDS models. In addition, various reviews focused on machine learning (ML) and DL-based methodology, but with less emphasis on DL techniques (i.e. AE, CNN, DNN, DBN, RNN, and Hybrid DL) based classification. Thereby, the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) methodology was used to accomplish this work by providing a comprehensive and detailed overview of DL-based NIDS. Research papers for this work were collected from five well-known databases (ScienceDirect, IEEE, Hindawi, SpringerNature, and MDPI) which were cut among several reputable conference proceedings and reputable journals. Across the 750 articles identified in the literature, 72 research papers were finally marked and selected for synthesis and analysis to find the answers to research questions. In addition, we identified various potential research challenges in the current domain based on research findings. Lastly, to design an efficient NIDS, we concluded our study by identifying high-impact and promising future research areas in the NIDS domain.

By considering maps and routes as sequences of line segments, their intersections can be computed to find out useful information like the possibility of collision in a military area where the parties do not trust each other. At the first glance, finding the coordinates of the intersections is seemed impossible to be solved securely since having coordinates of two intersection points on the same line reveals the passing line. In this paper, we solve this problem by suggesting a secure two-party protocol in presence of passive adversaries. Additionally, regarding the fact that in some cases, the fixedness of the inputs of the parties in classic security models is an unrealistic assumption, we define the new concept of input-adaptive security and show that our method is secure against such an adversary who is able to select his inputs adaptively. In addition to serve different approaches like oblivious transfer and sometimes homomorphic encryption, we also employ some tricks to prevent the distribution of harmful information between specific parties to achieve our intended security level. We provide formal proofs to show the security of our protocol. Time complexity analysis and implementations show that our protocol finds the intersections in feasible time of ({mathcal {O}}(n log n)) and indicate that our protocol is as good as the unsecure optimal method of line segment intersection computation. In comparison, previous methods require (O(n^2)) to only detect the existence of intersection between two sets of n line segments and are unable to find the coordinates of the intersections.

Ransomware attacks pose a significant threat to information systems. Server hosts, including cloud infrastructure as a service, are prime targets for ransomware developers. To address this, security mechanisms, such as antivirus software, have proven effective. Moreover, research on ransomware detection advocates for behavior-based finding mechanisms while ransomware is in operation. In response to evolving detections, ransomware developers are now adapting an optimized design tailored for CPU architecture (CPU-optimized ransomware). This variant can rapidly encrypt files, potentially evading detection by traditional antivirus methods that rely on fixed time intervals for file scans. In ransomware detection research, numerous files can be encrypted by CPU-optimized ransomware until malicious activity is detected. This study proposes an early mitigation mechanism named CryptoSniffer, which is designed specifically to counter CPU-optimized ransomware attacks on server hosts. CryptoSniffer focuses on the misuse of CPU architecture-specific encryption instructions for swift file encryption by CPU-optimized ransomware. This can be achieved by capturing the ciphertext in user processes and thwarting file encryption by scrutinizing the content intended for writing. To demonstrate the efficacy of CryptoSniffer, the mechanism was implemented in the latest Linux kernel, and its security and performance were systematically evaluated. The experimental results demonstrate that CryptoSniffer successfully prevents real-world CPU-optimized ransomware, and the performance overhead is well-suited for practical applications.

Malware remains a major cybersecurity threat, often evading traditional detection methods. This study builds on our previous research with Tetris to present a more efficient covert channel attack using a Trojanized version of the rhythm game “Guitar Hero”. This new method delivers and executes malicious payloads in under 2.5 min, significantly faster than our previous Tetris-based approach. The engaging and musical nature of the rhythm game makes it more appealing to users, increasing the likelihood of attracting potential victims compared to the more monotonous Tetris. The attack encodes payloads into game levels, compelling users to make specific moves that unknowingly assemble malware on their devices, thereby evading detection. This study is the second to introduce gamification in malware transmission and the first to “force” user actions to achieve the objectives of the attacker. We provide a detailed analysis of this attack and suggest countermeasures, highlighting the necessity of human-based dynamic malware analysis and enhanced user awareness. Our findings underscore the evolving nature of cyber threats and the urgent need for innovative defensive strategies to address such sophisticated covert channel attacks.

Kernel memory corruption, which leads to a privilege escalation attack, has been reported as a security threat to operating systems. To mitigate privilege escalation attacks, several security mechanisms are proposed. Kernel address space layout randomization randomizes kernel code and data virtual address layout on the kernel memory. Privileged information protection methods monitor and restore illegal privilege modifications. Therefore, if an adversary identifies the kernel data containing privileged information, an adversary can achieve the privilege escalation in a running kernel. This paper proposes a kernel data relocation mechanism (KDRM) that dynamically relocates privileged information in the running kernel to mitigate privilege escalation attacks. The KDRM introduces the relocation-only page into the kernel. The relocation-only page allows the virtual address of the privileged information to change by dynamically relocating for the user process. One of the relocation-only pages is randomly selected to store the privileged information at the system call invocations. The evaluation results indicate the possibility of mitigating privilege escalation attacks through direct memory overwriting by user processes on Linux with KDRM. The KDRM showed an acceptable performance cost. The overhead of a system call was up to 11.52%, and the kernel performance score was 0.11%.

As society’s dependence on information and communication systems (ICTs) grows, so does the necessity of guaranteeing the proper functioning and use of such systems. In this context, it is critical to enhance the security and robustness of the DevSecOps pipeline through timely vulnerability detection. Usually, AI-based models enable desirable features such as automation, performance, and efficacy. However, the quality of such models highly depends on the datasets used during the training stage. The latter encompasses a series of challenges yet to be solved, such as access to extensive labelled datasets with specific properties, such as well-represented and balanced samples. This article explores the current state of practice of software vulnerability datasets and provides a classification of the main challenges and issues. After an extensive analysis, it describes a set of guidelines and desirable features that datasets should guarantee. The latter is applied to create a new dataset, which fulfils these properties, along with a descriptive comparison with the state of the art. Finally, a discussion on how to foster good practices among researchers and practitioners sets the ground for further research and continued improvement within this critical domain.