Computers & Security最新文献_第5页

SecureQwen: Leveraging LLMs for vulnerability detection in python codebases SecureQwen：利用 LLMs 检测 python 代码库中的漏洞

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2024-10-15 DOI: 10.1016/j.cose.2024.104151

Abdechakour Mechri , Mohamed Amine Ferrag , Merouane Debbah

Identifying vulnerabilities in software code is crucial for ensuring the security of modern systems. However, manual detection requires expert knowledge and is time-consuming, underscoring the need for automated techniques. In this paper, we present SecureQwen, a novel vulnerability detection tool leveraging large language models (LLMs) with a context length of 64K tokens to identify potential security threats in large-scale Python codebases. Utilizing a decoder-only transformer architecture, SecureQwen captures complex relationships between code tokens, enabling accurate classification of vulnerable code sequences across 14 common weakness enumerations (CWEs), including OS Command Injection, SQL Injection, Improper Check or Handling of Exceptional Conditions, Path Traversal, Broken or Risky Cryptographic Algorithm, Deserialization of Untrusted Data, and Cleartext Transmission of Sensitive Information. Therefore, we evaluate SecureQwen on a large Python dataset with over 1.875 million function-level code snippets from different sources, including GitHub repositories, Codeparrot’s dataset, and synthetic data generated by GPT4-o. The experimental evaluation demonstrates high accuracy, with F1 scores ranging from 84% to 99%. The results indicate that SecureQwen effectively detects vulnerabilities in human-written and AI-generated code.

识别软件代码中的漏洞对于确保现代系统的安全性至关重要。然而，人工检测需要专家知识，而且耗时较长，这就凸显了对自动化技术的需求。在本文中，我们介绍了 SecureQwen，这是一种新颖的漏洞检测工具，它利用上下文长度为 64K 标记的大型语言模型（LLM）来识别大规模 Python 代码库中的潜在安全威胁。SecureQwen 利用仅解码器的转换器架构，捕捉代码标记之间的复杂关系，从而能够对 14 种常见弱点枚举（CWE）中的脆弱代码序列进行准确分类，包括操作系统命令注入、SQL 注入、异常情况的不当检查或处理、路径遍历、破损或有风险的加密算法、不受信任数据的反序列化以及敏感信息的明文传输。因此，我们在一个大型 Python 数据集上对 SecureQwen 进行了评估，该数据集包含超过 187.5 万个函数级代码片段，这些代码片段来自不同来源，包括 GitHub 代码库、Codeparrot 数据集和由 GPT4-o 生成的合成数据。实验评估结果表明，SecureQwen 的准确率很高，F1 分数从 84% 到 99% 不等。结果表明，SecureQwen 能有效检测人工编写和人工智能生成的代码中的漏洞。

{"title":"SecureQwen: Leveraging LLMs for vulnerability detection in python codebases","authors":"Abdechakour Mechri , Mohamed Amine Ferrag , Merouane Debbah","doi":"10.1016/j.cose.2024.104151","DOIUrl":"10.1016/j.cose.2024.104151","url":null,"abstract":"<div><div>Identifying vulnerabilities in software code is crucial for ensuring the security of modern systems. However, manual detection requires expert knowledge and is time-consuming, underscoring the need for automated techniques. In this paper, we present SecureQwen, a novel vulnerability detection tool leveraging large language models (LLMs) with a context length of 64K tokens to identify potential security threats in large-scale Python codebases. Utilizing a decoder-only transformer architecture, SecureQwen captures complex relationships between code tokens, enabling accurate classification of vulnerable code sequences across 14 common weakness enumerations (CWEs), including OS Command Injection, SQL Injection, Improper Check or Handling of Exceptional Conditions, Path Traversal, Broken or Risky Cryptographic Algorithm, Deserialization of Untrusted Data, and Cleartext Transmission of Sensitive Information. Therefore, we evaluate SecureQwen on a large Python dataset with over 1.875 million function-level code snippets from different sources, including GitHub repositories, Codeparrot’s dataset, and synthetic data generated by GPT4-o. The experimental evaluation demonstrates high accuracy, with F1 scores ranging from 84% to 99%. The results indicate that SecureQwen effectively detects vulnerabilities in human-written and AI-generated code.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104151"},"PeriodicalIF":4.8,"publicationDate":"2024-10-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142533336","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Adaptive sensor attack detection and defense framework for autonomous vehicles based on density 基于密度的自动驾驶汽车自适应传感器攻击检测和防御框架

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2024-10-15 DOI: 10.1016/j.cose.2024.104149

Zujia Miao , Cuiping Shao , Huiyun Li , Yunduan Cui , Zhimin Tang

The security of autonomous vehicles heavily depends on localization systems that integrate multiple sensors, which are vulnerable to sensor attacks and increase the risk of accidents. Given the diversity of sensor attacks and the dynamic changing of driving scenarios of autonomous vehicles, an adaptive and effective attack detection and defense framework faces a considerable challenge. This paper proposes a novel real-time adaptive attack detection and defense framework based on density, which can detect and identify attacked sensors and effectively recover data. We first develop a reinforcement learning multi-armed Bandit-based Density-Based Spatial Clustering of Applications with Noise (BDBSCAN) algorithm that selects hyperparameters adaptively. The Adaptive Extended Kalman Filter (AEKF) combines with the vehicle dynamic model on the localization system and extracts data features used for the BDBSCAN algorithm to monitor potential sensor attacks. If attack detection indicates possible system compromise, AEKF is further employed on localization sensors with anomalies identified through the BDBSCAN algorithm of the attacked sensors. To ensure precision and reliability, the data recovery incorporates a redundancy mechanism to apply a decision tree to select the optimal state estimation between AEKF and Extended Kalman Filter (EKF) to replace corrupted sensor data. To evaluate the effectiveness and adaptability of the proposed framework, we conducted 15,000 experiments using the real-world KITTI and V2V4Real datasets across various driving and sensor attack scenarios. The results demonstrate that our proposed framework achieves 100% accuracy and 0% false alarm rate in various driving scenarios for attack detection within 0.15 s, with a recovery time of 0.08 s.

自动驾驶汽车的安全性在很大程度上依赖于集成了多个传感器的定位系统，而这些系统很容易受到传感器攻击并增加事故风险。鉴于传感器攻击的多样性和自动驾驶车辆行驶场景的动态变化，一个自适应的、有效的攻击检测和防御框架面临着相当大的挑战。本文提出了一种新颖的基于密度的实时自适应攻击检测和防御框架，可以检测和识别被攻击的传感器并有效恢复数据。我们首先开发了一种基于强化学习的多臂匪特算法（Density-Based Spatial Clustering of Applications with Noise，BDBSCAN），该算法可自适应地选择超参数。自适应扩展卡尔曼滤波器（AEKF）与定位系统上的车辆动态模型相结合，提取用于 BDBSCAN 算法的数据特征，以监控潜在的传感器攻击。如果攻击检测表明系统可能受到破坏，则会在定位传感器上进一步使用 AEKF，并通过受攻击传感器的 BDBSCAN 算法识别异常情况。为确保精确性和可靠性，数据恢复采用冗余机制，应用决策树在 AEKF 和扩展卡尔曼滤波器 (EKF) 之间选择最佳状态估计，以替换损坏的传感器数据。为了评估所提出框架的有效性和适应性，我们使用真实世界的 KITTI 和 V2V4Real 数据集，在各种驾驶和传感器攻击场景下进行了 15000 次实验。结果表明，在各种驾驶场景中，我们提出的框架在 0.15 秒内实现了 100% 的攻击检测准确率和 0% 的误报率，恢复时间为 0.08 秒。

{"title":"Adaptive sensor attack detection and defense framework for autonomous vehicles based on density","authors":"Zujia Miao , Cuiping Shao , Huiyun Li , Yunduan Cui , Zhimin Tang","doi":"10.1016/j.cose.2024.104149","DOIUrl":"10.1016/j.cose.2024.104149","url":null,"abstract":"<div><div>The security of autonomous vehicles heavily depends on localization systems that integrate multiple sensors, which are vulnerable to sensor attacks and increase the risk of accidents. Given the diversity of sensor attacks and the dynamic changing of driving scenarios of autonomous vehicles, an adaptive and effective attack detection and defense framework faces a considerable challenge. This paper proposes a novel real-time adaptive attack detection and defense framework based on density, which can detect and identify attacked sensors and effectively recover data. We first develop a reinforcement learning multi-armed Bandit-based Density-Based Spatial Clustering of Applications with Noise (BDBSCAN) algorithm that selects hyperparameters adaptively. The Adaptive Extended Kalman Filter (AEKF) combines with the vehicle dynamic model on the localization system and extracts data features used for the BDBSCAN algorithm to monitor potential sensor attacks. If attack detection indicates possible system compromise, AEKF is further employed on localization sensors with anomalies identified through the BDBSCAN algorithm of the attacked sensors. To ensure precision and reliability, the data recovery incorporates a redundancy mechanism to apply a decision tree to select the optimal state estimation between AEKF and Extended Kalman Filter (EKF) to replace corrupted sensor data. To evaluate the effectiveness and adaptability of the proposed framework, we conducted 15,000 experiments using the real-world KITTI and V2V4Real datasets across various driving and sensor attack scenarios. The results demonstrate that our proposed framework achieves 100% accuracy and 0% false alarm rate in various driving scenarios for attack detection within 0.15 s, with a recovery time of 0.08 s.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104149"},"PeriodicalIF":4.8,"publicationDate":"2024-10-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142446410","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

TrojanProbe: Fingerprinting Trojan tunnel implementations by actively probing crafted HTTP requests TrojanProbe：通过主动探测伪造的 HTTP 请求，对木马隧道实现进行指纹识别

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2024-10-15 DOI: 10.1016/j.cose.2024.104147

Liuying Lv, Peng Zhou

Trojan is a well-known hidden tunnel protocol widely used to bypass Internet censorship and thus presents a big challenge to transparent network management and forensics. As claimed by the protocol designer, Trojan maintains its anti-identifiability by proxying real HTTPS/TLS traffic to react to unauthenticated requests, eliminating any subtle differences between the Trojan traffic and the legitimate HTTPS. Despite such a protocol seeming unidentifiable by design, the diverse Trojan implementations adopting very different programming languages will likely have varied coding logic and networking API calls, opening a new door to be identified and fingerprinted from the implementation level. In this paper, we propose TrojanProbe, a new class of active probing methods that can be used to fingerprint Trojan implementations by triggering their identifiable responses. Our basic idea is to audit the source code of the Trojan programs and discover the subtle logic discrepancy compared with the legitimate HTTPS counterparts, to craft specific HTTP requests as probes to trigger these differences for fingerprinting. By this idea, we choose the five most popular open-source Trojan programs off-the-shelf as our targets to audit, covering the majority of Trojan market share and the mainstream programming languages from traditional C++ to the cutting-edge Go and Rust, and design a suite of novel HTTP probes to differentiate them from their web server masquerades. Our probes exploit either the different responding/buffering logic to the malformed HTTP requests and the different HTTP versions, or the varied timeouts set in the different networking APIs by default. To this end, we have conducted extensive experiments to evaluate the TrojanProbe against a comprehensive set of configuration and networking conditions. The experimental results show that our TrojanProbe can effectively fingerprint our selected Trojan targets in most conditions, but leave a single Rust implementation with a minority market occupied that can only be identified in some constraint cases. Despite such an exception, our research sheds light on a new kind of possibility to fingerprint Trojans at their implementation level, even if such a hidden tunnel is widely known as unidentifiable at the protocol level.

特洛伊木马是一种著名的隐藏隧道协议，被广泛用于绕过互联网审查制度，因此给透明网络管理和取证带来了巨大挑战。正如协议设计者所称，木马通过代理真正的 HTTPS/TLS 流量来应对未经验证的请求，消除木马流量与合法 HTTPS 流量之间的任何细微差别，从而保持其反识别性。尽管这样的协议在设计上看似不可识别，但采用不同编程语言的各种木马实现可能会有不同的编码逻辑和网络 API 调用，这就为从实现层面进行识别和指纹识别打开了一扇新的大门。在本文中，我们提出了 TrojanProbe，这是一类新的主动探测方法，可通过触发木马的可识别响应来对木马实现进行指纹识别。我们的基本思路是审计木马程序的源代码，发现其与合法 HTTPS 程序在逻辑上的细微差别，然后制作特定的 HTTP 请求作为探针，触发这些差异以进行指纹识别。根据这一思路，我们选择了现成的五种最流行的开源木马程序作为审计目标，涵盖了木马市场的大部分份额，以及从传统的 C++ 到前沿的 Go 和 Rust 等主流编程语言，并设计了一套新颖的 HTTP 探测器，以将它们与其网络服务器伪装区分开来。我们的探针利用了对畸形 HTTP 请求和不同 HTTP 版本的不同响应/缓冲逻辑，或者利用了不同网络 API 默认设置的不同超时。为此，我们进行了大量实验，针对一系列配置和网络条件对 TrojanProbe 进行评估。实验结果表明，我们的 TrojanProbe 可以在大多数条件下有效地对我们选定的木马目标进行指纹识别，但留下了一个单一的 Rust 实现，其市场被少数人占领，只能在某些限制情况下识别。尽管存在这样的例外情况，但我们的研究揭示了一种新的可能性，即从木马的实现层面对其进行指纹识别，即使这种隐藏隧道在协议层面是众所周知无法识别的。

{"title":"TrojanProbe: Fingerprinting Trojan tunnel implementations by actively probing crafted HTTP requests","authors":"Liuying Lv, Peng Zhou","doi":"10.1016/j.cose.2024.104147","DOIUrl":"10.1016/j.cose.2024.104147","url":null,"abstract":"<div><div>Trojan is a well-known hidden tunnel protocol widely used to bypass Internet censorship and thus presents a big challenge to transparent network management and forensics. As claimed by the protocol designer, Trojan maintains its anti-identifiability by proxying real HTTPS/TLS traffic to react to unauthenticated requests, eliminating any subtle differences between the Trojan traffic and the legitimate HTTPS. Despite such a protocol seeming unidentifiable by design, the diverse Trojan implementations adopting very different programming languages will likely have varied coding logic and networking API calls, opening a new door to be identified and fingerprinted from the implementation level. In this paper, we propose <em>TrojanProbe</em>, a new class of active probing methods that can be used to fingerprint Trojan implementations by triggering their identifiable responses. Our basic idea is to audit the source code of the Trojan programs and discover the subtle logic discrepancy compared with the legitimate HTTPS counterparts, to craft specific HTTP requests as probes to trigger these differences for fingerprinting. By this idea, we choose the five most popular open-source Trojan programs off-the-shelf as our targets to audit, covering the majority of Trojan market share and the mainstream programming languages from traditional C++ to the cutting-edge Go and Rust, and design a suite of novel HTTP probes to differentiate them from their web server masquerades. Our probes exploit either the different responding/buffering logic to the malformed HTTP requests and the different HTTP versions, or the varied timeouts set in the different networking APIs by default. To this end, we have conducted extensive experiments to evaluate the TrojanProbe against a comprehensive set of configuration and networking conditions. The experimental results show that our TrojanProbe can effectively fingerprint our selected Trojan targets in most conditions, but leave a single Rust implementation with a minority market occupied that can only be identified in some constraint cases. Despite such an exception, our research sheds light on a new kind of possibility to fingerprint Trojans at their implementation level, even if such a hidden tunnel is widely known as unidentifiable at the protocol level.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104147"},"PeriodicalIF":4.8,"publicationDate":"2024-10-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142552117","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

From Dis-empowerment to empowerment: Crafting a healthcare cybersecurity self-assessment 从失权到授权：制定医疗保健网络安全自我评估计划

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2024-10-14 DOI: 10.1016/j.cose.2024.104148

Wendy Burke , Andrew Stranieri , Taiwo Oseni

Due to the valuable and sensitive nature of its data, the Australian healthcare sector is increasingly targeted by cyberattacks. Existing cybersecurity evaluation methods often lack the specificity required to address the unique vulnerabilities within this sector, especially in terms of engaging stakeholders and fostering a proactive security culture. These evaluations often overlook psychological empowerment, which enhances individuals’ confidence in managing cybersecurity.

This study aims to develop a tailored cybersecurity self-assessment index for the Australian healthcare system. It will focus on enhancing psychological empowerment alongside technical assessments to improve overall sector resilience against cyber threats.

Using a design science research approach, the index was developed using expert reviews, online surveys, and in-depth interviews with key stakeholders, including healthcare providers, consumers, and government entities. This iterative process involved identifying gaps in existing cybersecurity measures and designing an index to address technical and human factors.

The index’s evaluation through a pilot study revealed that it effectively raised awareness and empowered individuals within the healthcare sector to take ownership of cybersecurity practices. Participants reported increased confidence in managing cybersecurity risks and found the index’s actionable recommendations helpful in improving their security posture. However, challenges related to its applicability across diverse healthcare environments and regulatory constraints were identified.

The Australian Healthcare Cybersecurity Self-Assessment Index shows promise as a tool for strengthening cybersecurity in the healthcare sector by integrating psychological empowerment with technical assessments. Further research is needed to refine the tool, incorporate quantitative data, and explore its scalability across different healthcare settings and global applications.

由于其数据的宝贵性和敏感性，澳大利亚医疗保健行业日益成为网络攻击的目标。现有的网络安全评估方法往往缺乏针对性，无法解决该行业特有的脆弱性问题，特别是在吸引利益相关者参与和培养积极主动的安全文化方面。本研究旨在为澳大利亚医疗系统量身定制网络安全自我评估指数。本研究旨在为澳大利亚医疗保健系统开发量身定制的网络安全自我评估指数，在进行技术评估的同时，还将重点加强心理赋权，以提高医疗保健行业抵御网络威胁的整体能力。该指数采用设计科学研究方法，通过专家评审、在线调查以及与医疗保健提供商、消费者和政府实体等主要利益相关方的深入访谈来开发。这一迭代过程包括确定现有网络安全措施中的差距，并设计一个指数来解决技术和人为因素。通过试点研究对该指数进行评估后发现，该指数有效地提高了医疗保健行业内个人对网络安全实践的认识，并增强了他们对网络安全实践的主人翁意识。参与者表示对管理网络安全风险的信心有所增强，并认为指数中的可行建议有助于改善他们的安全态势。澳大利亚医疗保健网络安全自我评估指数将心理授权与技术评估相结合，有望成为加强医疗保健行业网络安全的工具。还需要进一步研究，以完善该工具，纳入定量数据，并探索其在不同医疗环境和全球应用中的可扩展性。

{"title":"From Dis-empowerment to empowerment: Crafting a healthcare cybersecurity self-assessment","authors":"Wendy Burke , Andrew Stranieri , Taiwo Oseni","doi":"10.1016/j.cose.2024.104148","DOIUrl":"10.1016/j.cose.2024.104148","url":null,"abstract":"<div><div>Due to the valuable and sensitive nature of its data, the Australian healthcare sector is increasingly targeted by cyberattacks. Existing cybersecurity evaluation methods often lack the specificity required to address the unique vulnerabilities within this sector, especially in terms of engaging stakeholders and fostering a proactive security culture. These evaluations often overlook psychological empowerment, which enhances individuals’ confidence in managing cybersecurity.</div><div>This study aims to develop a tailored cybersecurity self-assessment index for the Australian healthcare system. It will focus on enhancing psychological empowerment alongside technical assessments to improve overall sector resilience against cyber threats.</div><div>Using a design science research approach, the index was developed using expert reviews, online surveys, and in-depth interviews with key stakeholders, including healthcare providers, consumers, and government entities. This iterative process involved identifying gaps in existing cybersecurity measures and designing an index to address technical and human factors.</div><div>The index’s evaluation through a pilot study revealed that it effectively raised awareness and empowered individuals within the healthcare sector to take ownership of cybersecurity practices. Participants reported increased confidence in managing cybersecurity risks and found the index’s actionable recommendations helpful in improving their security posture. However, challenges related to its applicability across diverse healthcare environments and regulatory constraints were identified.</div><div>The Australian Healthcare Cybersecurity Self-Assessment Index shows promise as a tool for strengthening cybersecurity in the healthcare sector by integrating psychological empowerment with technical assessments. Further research is needed to refine the tool, incorporate quantitative data, and explore its scalability across different healthcare settings and global applications.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104148"},"PeriodicalIF":4.8,"publicationDate":"2024-10-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142532338","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Advancing IoMT security: A two-factor authentication model employing PUF and Fuzzy logic techniques 推进 IoMT 安全：采用 PUF 和模糊逻辑技术的双因素认证模型

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2024-10-11 DOI: 10.1016/j.cose.2024.104138

Sidra Kalam, Ajit Kumar Keshri

The rapid integration of Internet of Things technologies in healthcare has catalyzed the development of the Internet of Medical Things, markedly enhanced patient care while posing significant security risks. This paper introduces a comprehensive computational framework to safeguard Internet of Medical Things devices and healthcare providers through a sophisticated registration and authentication process. Our model incorporates cryptographic technologies such as Physical Unclonable Functions, fuzzy extractors, and hash functions to bolster the security during the registration and authentication processes for Internet of Medical Things devices and healthcare providers. The Physical Unclonable Function module enhances device security by producing unique, non-replicable responses for device authentication, significantly reinforcing the system's defense against physical and cloning attacks. Furthermore, the model leverages fuzzy logic for the real-time classification of patient health states, enhancing the decision-making accuracy. A comparative analysis confirms that our model exceeds existing models in communication cost, computational efficiency and security. The proposed scheme has been rigorously tested against various attacks using the Scyther tool. By employing a unique identifier generation method through Physical Unclonable Function and utilizing fuzzy logic for secure data transmission and patient classification, our framework addresses vulnerabilities such as man-in-the-middle, denial of service, impersonation, identity guessing, password guessing and replay attacks, which are prevalent in current Internet of Medical Things frameworks.

物联网技术在医疗保健领域的快速融合催化了医疗物联网的发展，在显著提高患者护理水平的同时也带来了巨大的安全风险。本文介绍了一个全面的计算框架，通过复杂的注册和认证流程来保护医疗物联网设备和医疗服务提供商的安全。我们的模型采用了物理不可克隆函数、模糊提取器和哈希函数等加密技术，以加强医疗物联网设备和医疗服务提供商在注册和认证过程中的安全性。物理不可克隆函数模块通过产生唯一的、不可复制的设备验证响应来增强设备的安全性，从而大大加强了系统对物理攻击和克隆攻击的防御能力。此外，该模型还利用模糊逻辑对病人的健康状况进行实时分类，提高了决策的准确性。对比分析证实，我们的模型在通信成本、计算效率和安全性方面都超过了现有模型。我们使用 Scyther 工具针对各种攻击对所提出的方案进行了严格测试。通过采用物理不可克隆函数生成唯一标识符的方法，并利用模糊逻辑进行安全数据传输和患者分类，我们的框架解决了当前医疗物联网框架中普遍存在的中间人、拒绝服务、冒充、身份猜测、密码猜测和重放攻击等漏洞。

{"title":"Advancing IoMT security: A two-factor authentication model employing PUF and Fuzzy logic techniques","authors":"Sidra Kalam, Ajit Kumar Keshri","doi":"10.1016/j.cose.2024.104138","DOIUrl":"10.1016/j.cose.2024.104138","url":null,"abstract":"<div><div>The rapid integration of Internet of Things technologies in healthcare has catalyzed the development of the Internet of Medical Things, markedly enhanced patient care while posing significant security risks. This paper introduces a comprehensive computational framework to safeguard Internet of Medical Things devices and healthcare providers through a sophisticated registration and authentication process. Our model incorporates cryptographic technologies such as Physical Unclonable Functions, fuzzy extractors, and hash functions to bolster the security during the registration and authentication processes for Internet of Medical Things devices and healthcare providers. The Physical Unclonable Function module enhances device security by producing unique, non-replicable responses for device authentication, significantly reinforcing the system's defense against physical and cloning attacks. Furthermore, the model leverages fuzzy logic for the real-time classification of patient health states, enhancing the decision-making accuracy. A comparative analysis confirms that our model exceeds existing models in communication cost, computational efficiency and security. The proposed scheme has been rigorously tested against various attacks using the Scyther tool. By employing a unique identifier generation method through Physical Unclonable Function and utilizing fuzzy logic for secure data transmission and patient classification, our framework addresses vulnerabilities such as man-in-the-middle, denial of service, impersonation, identity guessing, password guessing and replay attacks, which are prevalent in current Internet of Medical Things frameworks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104138"},"PeriodicalIF":4.8,"publicationDate":"2024-10-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142442822","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

A trust model for VANETs using malicious-aware multiple routing 使用恶意感知多重路由的 VANET 信任模型

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2024-10-10 DOI: 10.1016/j.cose.2024.104145

Xiaorui Dang , Guiqi Zhang , Ke Sun , Yufeng Li

Vehicular ad hoc networks (VANETs) enable multi-hop communication among vehicles, promoting information sharing and smarter collaborative driving. However, VANETs are facing several challenges due to the open wireless communication environment. Attackers may maliciously drop or alter packets so that the receiver cannot obtain correct information. In addition, the high mobility of vehicles may lead to link failures, consequently resulting in packet loss. In this paper, we propose a multipath-based trust model (MPTM), in which the reliability of packet transmission is guaranteed by data redundancy and the detection of potential attackers is achieved by trust evaluation. Specifically, we present a route discovery mechanism to find multiple routes that avoid potential attackers, which reduces the risk of attacks on redundant packets. The receivers identify correct information based on two factors including content consistency and route information. An attacker detection module is presented to evaluate the trustworthiness of vehicles involved in packet transmission and vehicles with trust value below a threshold are detected as attackers. We conducted extensive experiments using OMNeT++ simulation platform, considering various attack scenarios. Experiment results show that MPTM can reach 90% packet delivery ratio and effectively detect attackers in terms of 90% detection precision.

车载特设网络（VANET）实现了车辆之间的多跳通信，促进了信息共享和更智能的协同驾驶。然而，由于开放的无线通信环境，VANET 正面临着一些挑战。攻击者可能会恶意丢弃或更改数据包，使接收者无法获得正确的信息。此外，车辆的高流动性可能导致链路故障，从而造成数据包丢失。在本文中，我们提出了一种基于多路径的信任模型（MPTM），通过数据冗余来保证数据包传输的可靠性，并通过信任评估来检测潜在的攻击者。具体来说，我们提出了一种路由发现机制，以找到避开潜在攻击者的多条路由，从而降低冗余数据包受到攻击的风险。接收器根据内容一致性和路由信息等两个因素识别正确信息。我们还提出了一个攻击者检测模块，用于评估参与数据包传输的车辆的可信度，并将信任值低于阈值的车辆检测为攻击者。我们使用 OMNeT++ 仿真平台进行了大量实验，考虑了各种攻击场景。实验结果表明，MPTM 可以达到 90% 的数据包传送率，并以 90% 的检测精度有效地检测到攻击者。

{"title":"A trust model for VANETs using malicious-aware multiple routing","authors":"Xiaorui Dang , Guiqi Zhang , Ke Sun , Yufeng Li","doi":"10.1016/j.cose.2024.104145","DOIUrl":"10.1016/j.cose.2024.104145","url":null,"abstract":"<div><div>Vehicular ad hoc networks (VANETs) enable multi-hop communication among vehicles, promoting information sharing and smarter collaborative driving. However, VANETs are facing several challenges due to the open wireless communication environment. Attackers may maliciously drop or alter packets so that the receiver cannot obtain correct information. In addition, the high mobility of vehicles may lead to link failures, consequently resulting in packet loss. In this paper, we propose a multipath-based trust model (MPTM), in which the reliability of packet transmission is guaranteed by data redundancy and the detection of potential attackers is achieved by trust evaluation. Specifically, we present a route discovery mechanism to find multiple routes that avoid potential attackers, which reduces the risk of attacks on redundant packets. The receivers identify correct information based on two factors including content consistency and route information. An attacker detection module is presented to evaluate the trustworthiness of vehicles involved in packet transmission and vehicles with trust value below a threshold are detected as attackers. We conducted extensive experiments using OMNeT++ simulation platform, considering various attack scenarios. Experiment results show that MPTM can reach 90% packet delivery ratio and effectively detect attackers in terms of 90% detection precision.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104145"},"PeriodicalIF":4.8,"publicationDate":"2024-10-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142532336","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Detection of cyberattack in Industrial Control Networks using multiple adaptive local kernel learning 利用多重自适应局部内核学习检测工业控制网络中的网络攻击

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2024-10-10 DOI: 10.1016/j.cose.2024.104152

Fei Lv , Hangyu Wang , Rongkang Sun , Zhiwen Pan , Shuaizong Si , Meng Zhang , Weidong Zhang , Shichao Lv , Limin Sun

The data of Industrial Control Networks presents high-dimensional and nonlinear characteristics, making cyberattack detection a challenging problem. Multiple kernel learning (MKL) provided an attractive performance in dealing with the problem through the kernel trick. However, each kernel in traditional MKL usually adopts global features for high-dimensional space mapping. The local-related feature whereas, is ignored, resulting in the missing of the local implicit information. To tackle this problem, this article proposes an MKL-based cyberattack detection method combining both global and local kernels. First, information theory-based feature selection is used for local feature grouping. After that, different kinds of deep neural networks are used to generate local kernels for each group. Moreover, an adaptive method is designed for ensembling the local kernels into the global kernel during the learning process. Extensive experiments are conducted on diverse datasets and the performances are comprehensively evaluated. The results indicate that our proposed method is outstanding in the cyberattack detection of Industrial Control Networks.

工业控制网络的数据具有高维和非线性的特点，因此网络攻击检测是一个具有挑战性的问题。多核学习（MKL）通过核技巧在处理该问题时提供了极具吸引力的性能。然而，传统 MKL 中的每个核通常采用全局特征进行高维空间映射。而与局部相关的特征则被忽略，导致局部隐含信息的缺失。针对这一问题，本文提出了一种结合全局和局部核的基于 MKL 的网络攻击检测方法。首先，基于信息论的特征选择用于局部特征分组。然后，使用不同类型的深度神经网络为每个组生成局部核。此外，还设计了一种自适应方法，用于在学习过程中将局部内核组合成全局内核。我们在不同的数据集上进行了广泛的实验，并对其性能进行了综合评估。结果表明，我们提出的方法在工业控制网络的网络攻击检测中表现出色。

{"title":"Detection of cyberattack in Industrial Control Networks using multiple adaptive local kernel learning","authors":"Fei Lv , Hangyu Wang , Rongkang Sun , Zhiwen Pan , Shuaizong Si , Meng Zhang , Weidong Zhang , Shichao Lv , Limin Sun","doi":"10.1016/j.cose.2024.104152","DOIUrl":"10.1016/j.cose.2024.104152","url":null,"abstract":"<div><div>The data of Industrial Control Networks presents high-dimensional and nonlinear characteristics, making cyberattack detection a challenging problem. Multiple kernel learning (MKL) provided an attractive performance in dealing with the problem through the <em>kernel trick</em>. However, each kernel in traditional MKL usually adopts global features for high-dimensional space mapping. The local-related feature whereas, is ignored, resulting in the missing of the local implicit information. To tackle this problem, this article proposes an MKL-based cyberattack detection method combining both global and local kernels. First, information theory-based feature selection is used for local feature grouping. After that, different kinds of deep neural networks are used to generate local kernels for each group. Moreover, an adaptive method is designed for ensembling the local kernels into the global kernel during the learning process. Extensive experiments are conducted on diverse datasets and the performances are comprehensively evaluated. The results indicate that our proposed method is outstanding in the cyberattack detection of Industrial Control Networks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104152"},"PeriodicalIF":4.8,"publicationDate":"2024-10-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142532341","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

A Proactive Decoy Selection Scheme for Cyber Deception using MITRE ATT&CK 使用 MITRE ATT&CK 的网络欺骗主动诱饵选择方案

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2024-10-10 DOI: 10.1016/j.cose.2024.104144

Marco Zambianco , Claudio Facchinetti , Domenico Siracusa

Cyber deception allows compensating the late response of defenders countermeasures to the ever evolving tactics, techniques, and procedures (TTPs) of attackers. This proactive defense strategy employs decoys resembling legitimate system components to lure stealthy attackers within the defender environment, slowing and/or denying the accomplishment of their goals. In this regard, the selection of decoys that can expose the techniques used by malicious users plays a central role to incentivize their engagement. However, this is a difficult task to achieve in practice, since it requires an accurate and realistic modeling of the attacker capabilities and his possible targets. In this work, we tackle this challenge and we design a decoy selection scheme that is supported by an adversarial modeling based on empirical observation of real-world attackers. We take advantage of a domain-specific threat modeling language using MITRE ATT&CK© framework as source of attacker TTPs targeting enterprise systems. In detail, we extract the information about the execution preconditions of each technique as well as its possible effects on the environment to generate attack graphs modeling the adversary capabilities. Based on this, we formulate a graph partition problem that minimizes the number of decoys detecting a corresponding number of techniques employed in various attack paths directed to specific targets. We compare our optimization-based decoy selection approach against several benchmark schemes that ignore the preconditions between the various attack steps. Results reveal that the proposed scheme provides the highest interception rate of attack paths using the lowest amount of decoys.

网络欺骗可以弥补防御者对攻击者不断变化的战术、技术和程序（TTPs）的反应迟缓。这种主动防御策略采用与合法系统组件相似的诱饵，在防御者环境中引诱隐蔽的攻击者，减缓和/或阻止他们实现目标。在这方面，选择能暴露恶意用户所使用技术的诱饵对激励他们参与起着核心作用。然而，这在实践中是很难实现的，因为这需要对攻击者的能力及其可能的目标进行准确而现实的建模。在这项工作中，我们应对了这一挑战，并设计了一种诱饵选择方案，该方案由基于现实世界攻击者经验观察的对抗建模提供支持。我们利用 MITRE ATT&CK© 框架的特定领域威胁建模语言作为攻击者针对企业系统的 TTPs 的来源。具体来说，我们提取了每种技术的执行前提条件及其对环境可能产生的影响等信息，生成了模拟对手能力的攻击图。在此基础上，我们提出了一个图分割问题，该问题可最大限度地减少在针对特定目标的各种攻击路径中检测到相应数量技术的诱饵数量。我们将基于优化的诱饵选择方法与几种忽略不同攻击步骤之间先决条件的基准方案进行了比较。结果表明，所提出的方案使用最低数量的诱饵提供了最高的攻击路径拦截率。

{"title":"A Proactive Decoy Selection Scheme for Cyber Deception using MITRE ATT&CK","authors":"Marco Zambianco , Claudio Facchinetti , Domenico Siracusa","doi":"10.1016/j.cose.2024.104144","DOIUrl":"10.1016/j.cose.2024.104144","url":null,"abstract":"<div><div>Cyber deception allows compensating the late response of defenders countermeasures to the ever evolving tactics, techniques, and procedures (TTPs) of attackers. This proactive defense strategy employs decoys resembling legitimate system components to lure stealthy attackers within the defender environment, slowing and/or denying the accomplishment of their goals. In this regard, the selection of decoys that can expose the techniques used by malicious users plays a central role to incentivize their engagement. However, this is a difficult task to achieve in practice, since it requires an accurate and realistic modeling of the attacker capabilities and his possible targets. In this work, we tackle this challenge and we design a decoy selection scheme that is supported by an adversarial modeling based on empirical observation of real-world attackers. We take advantage of a domain-specific threat modeling language using MITRE ATT&CK© framework as source of attacker TTPs targeting enterprise systems. In detail, we extract the information about the execution preconditions of each technique as well as its possible effects on the environment to generate attack graphs modeling the adversary capabilities. Based on this, we formulate a graph partition problem that minimizes the number of decoys detecting a corresponding number of techniques employed in various attack paths directed to specific targets. We compare our optimization-based decoy selection approach against several benchmark schemes that ignore the preconditions between the various attack steps. Results reveal that the proposed scheme provides the highest interception rate of attack paths using the lowest amount of decoys.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104144"},"PeriodicalIF":4.8,"publicationDate":"2024-10-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142533348","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

A hybrid CNN-LSTM approach for intelligent cyber intrusion detection system 用于智能网络入侵检测系统的混合 CNN-LSTM 方法

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2024-10-09 DOI: 10.1016/j.cose.2024.104146

Sukhvinder Singh Bamber , Aditya Vardhan Reddy Katkuri , Shubham Sharma , Mohit Angurala

As the technology is advancing more and more in the era of increasing digitalization, safeguarding networks from cyber threats is crucial. As cyber-attacks on critical infrastructure are becoming more and more sophisticated, enhancing cyber intrusion detection systems (IDS) is imperative. This paper proposes and evaluates a deep learning-based IDS using the NSL-KDD dataset, a benchmark for intrusion detection. The system pre-processes data with Recursive Feature Elimination (RFE) and a Decision Tree classifier to identify the most significant features, optimizing model performance. Various deep learning models, including ANN, LSTM, BiLSTM, CNN-LSTM, GRU, and BiGRU, have been evaluated. The CNN-LSTM model outperformed the others, with 95 % accuracy, 0.89 recall, and 0.94 f1-score. These results prove the effectiveness of the proposed IDS in accurately distinguishing between malicious and benign network traffic. Future research can explore ensemble techniques like boosting or bagging to further enhance IDS performance.

在日益数字化的时代，技术发展日新月异，保护网络免受网络威胁至关重要。随着对关键基础设施的网络攻击越来越复杂，加强网络入侵检测系统（IDS）势在必行。本文利用入侵检测的基准数据集 NSL-KDD，提出并评估了一种基于深度学习的 IDS。该系统利用递归特征消除（RFE）和决策树分类器对数据进行预处理，以识别最重要的特征，优化模型性能。对各种深度学习模型进行了评估，包括 ANN、LSTM、BiLSTM、CNN-LSTM、GRU 和 BiGRU。CNN-LSTM 模型的准确率为 95%，召回率为 0.89，f1 分数为 0.94，表现优于其他模型。这些结果证明了所提出的 IDS 在准确区分恶意和良性网络流量方面的有效性。未来的研究可以探索提升或装袋等集合技术，以进一步提高 IDS 性能。

引用次数: 0

Testing the limits of SPDM: Authentication of intermittently connected devices 测试 SPDM 的极限：间歇性连接设备的身份验证

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2024-10-09 DOI: 10.1016/j.cose.2024.104142

Renan C.A. Alves, Otávio F. Freitas, Bruno C. Albertini, Marcos A. Simplicio Jr.

The Security Protocol and Data Model (SPDM) is an open standard for authentication, attestation, and key exchange among hardware units, such as CPUs and peripheral components. In principle, SPDM was designed to operate over a somewhat stable communication channel, meaning that connection losses usually require the re-execution of the entire protocol. This puts into question SPDM’s suitability for battery-powered devices, which may keep only intermittent communications aiming to save energy. To address this question, we evaluate different authentication approaches that build upon and extend SPDM’s native key bootstrapping capabilities to handle intermittent authentication. In particular, we show that the combination of SPDM and a Time-based One-Time Password (TOTP) protocol is a promising solution for this scenario. We analyze the performance of the proposed authentication schemes using a proof-of-concept virtual device. The TOTP-based scheme was shown to be the fastest, the reconnection step being at least twice and up to

900 \times

faster than possible straightforward applications of SPDM. Also, our scheme requires less memory to operate. Finally, we discuss the possibility of integrating intermittent authentication capabilities into the SPDM standard itself.

安全协议和数据模型（SPDM）是一种开放式标准，用于 CPU 和外围设备等硬件单元之间的身份验证、证明和密钥交换。从原理上讲，SPDM 是为在一定程度上稳定的通信信道上运行而设计的，这意味着连接中断通常需要重新执行整个协议。这就对 SPDM 是否适用于电池供电设备提出了质疑，因为电池供电设备可能只保持间歇性通信，以节省能源。为了解决这个问题，我们评估了不同的验证方法，这些方法基于并扩展了 SPDM 的本地密钥引导功能，以处理间歇性验证。我们特别指出，SPDM 和基于时间的一次性密码 (TOTP) 协议的结合是解决这种情况的一个很有前景的方案。我们使用概念验证虚拟设备分析了所建议的验证方案的性能。结果表明，基于 TOTP 的方案速度最快，其重新连接步骤比直接应用 SPDM 至少快两倍，最多可快 900 倍。此外，我们的方案运行所需的内存更少。最后，我们讨论了将间歇验证功能集成到 SPDM 标准本身的可能性。

{"title":"Testing the limits of SPDM: Authentication of intermittently connected devices","authors":"Renan C.A. Alves, Otávio F. Freitas, Bruno C. Albertini, Marcos A. Simplicio Jr.","doi":"10.1016/j.cose.2024.104142","DOIUrl":"10.1016/j.cose.2024.104142","url":null,"abstract":"<div><div>The Security Protocol and Data Model (SPDM) is an open standard for authentication, attestation, and key exchange among hardware units, such as CPUs and peripheral components. In principle, SPDM was designed to operate over a somewhat stable communication channel, meaning that connection losses usually require the re-execution of the entire protocol. This puts into question SPDM’s suitability for battery-powered devices, which may keep only intermittent communications aiming to save energy. To address this question, we evaluate different authentication approaches that build upon and extend SPDM’s native key bootstrapping capabilities to handle intermittent authentication. In particular, we show that the combination of SPDM and a Time-based One-Time Password (TOTP) protocol is a promising solution for this scenario. We analyze the performance of the proposed authentication schemes using a proof-of-concept virtual device. The TOTP-based scheme was shown to be the fastest, the reconnection step being at least twice and up to <span><math><mrow><mn>900</mn><mo>×</mo></mrow></math></span> faster than possible straightforward applications of SPDM. Also, our scheme requires less memory to operate. Finally, we discuss the possibility of integrating intermittent authentication capabilities into the SPDM standard itself.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104142"},"PeriodicalIF":4.8,"publicationDate":"2024-10-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142438345","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0