Computers & Security最新文献

Intrusion Detection Systems (IDS) are crucial in cybersecurity for monitoring network traffic and identifying potential attacks. Existing IDS research largely focuses on known attack detection, leaving a significant gap in research regarding unknown attack detection, where achieving a balance between false alarm rate (identifying normal traffic as attack traffic) and recall rate of unknown attack detection remains challenging. To address these gaps, we propose a novel IDS based on Sigmoid Kernel Transformation and Encoder-Decoder architecture, namely SKT-IDS, where SKT stands for Sigmoid Kernel Transformation. We start with pre-training an attention-based encoder for coarse-grained intrusion detection. Then, we use this encoder to build an encoder–decoder model specifically for 0-day attack detection, training it solely on known traffic using the cosine similarity loss function. To enhance detection, we introduce a Sigmoid Kernel Transformation for feature engineering, improving the discriminative ability between normal traffic and 0-day attacks. Finally, we conducted a series of ablation and comparative experiments on the NSL-KDD and CSE-CIC-IDS2018 datasets, confirming the effectiveness of our proposed method. With a false alarm rate of 1%, we achieved recall rates for unknown attack detection of 65% and 69% on the two datasets, respectively, demonstrating significant performance improvements compared to existing state-of-the-art models.

Despite considerable investments in database security, global statistics indicate an exponential increase in data breaches. Organizations are often unaware of data breaches for weeks, months, or even years. Sufficient for adversaries to compromise and ex-filtrate business or mission-critical data. Recent research suggests using honeytokens for early detection of data breaches in organizations. Existing honeytoken generation methods rely on regular expressions, rule mining, constraint satisfaction, or representation learning, which are complex and limited to a few attributes. We created a framework for generating and deploying honeytokens in relational databases that actively monitor sensitive records and quickly detect data breaches and their misuse. To generate the honeytoken we have used the hierarchical machine learning algorithm which uses a recursive technique to model the parent–child relationships of multi-table databases. The proposed method enables the organization to take remedial action to reduce the impact of data breaches and complement existing database security solutions.

Malicious webshells are the most common attack scripts used by attackers in web penetration. Attackers typically obfuscate strings of PHP-based malicious webshells and encrypt communication traffic to bypass security devices. In this case, the opcode sequences of the PHP-based malicious webshells become excessively long and contain many irrelevant features, which affect the efficacy of the detection method. This study proposes a new PHP-based malicious webshell detection method. The proposed method introduces three simplification strategies for the three main types of nodes in the abstract syntax trees of PHP scripts to reduce the length and noise of opcode sequences of PHP-based malicious webshells. An explicit duration recurrent network (EDRN), a recurrent neural network based on an extended hidden semi-Markov model, is used to detect malicious webshells. Word2vec is adopted to convert the opcode sequences of the PHP scripts into vectors that serve as the input for the EDRN. Experiments were conducted using public datasets collected from GitHub. The experimental results indicated that EDRN outperformed popular recurrent neural networks. The proposed method demonstrated superior performance compared with several state-of-the-art approaches and mainstream tools, achieving an accuracy of 0.993, an F1 score of 0.990, and a recall rate of 0.991. When only 20% of the datasets were used for training, the proposed method achieved accuracy, recall, and F1 scores of 0.985, 0.983, and 0.980, respectively, significantly outperforming existing approaches.

Manned-unmanned teaming (MUM-T) is an emerging network system which interconnects manned aerial vehicles (MAVs) with unmanned aerial vehicles (UAVs) to enhance mission effectiveness and reduce workloads. Like other wireless systems, MUM-T is prone to attacks from the open communication channel. Therefore, an authentication scheme is required to establish secure and trusted communication between the MAV and the UAV. However, existing schemes fail to provide adequate security features and necessary efficiency, mostly due to their incomprehensive threat modeling and improper use of authentication techniques. Moreover, traditional centralized architecture of the authentication server leads to the single point of failure (SPOF) problem, which jeopardizes the robustness and scalability of MUM-T. In this paper, we propose a fault-tolerant authentication scheme for MUM-T that will solve these problems. To enhance its security, we construct a new threat model consisting of adversary's capabilities, security features, and security challenges to ensure the security of a scheme under combination attacks. To preserve the highest possible efficiency, we propose the design principle of using lightweight primitives for authentication and applying public key operations in key establishment. To address the SPOF problem, we employ a distributed fault-tolerant mechanism to share registration information within authentication servers and defend against faulty nodes. As is demonstrated by the security proof and performance comparison, our scheme succeeds in improving security and reducing overall costs, which provides a better solution than existing schemes.

Virtualization obfuscation is a very effective method used to protect programs from malicious analysis by obscuring their code. Due to the fixed scheduling structures, typical virtualization obfuscation schemes can be compromised by automated analysis tools. To enhance the protection strength of virtualization obfuscation, additional protection techniques of the virtualization structure have been proposed. However, previously proposed solutions incur significant performance overhead or require a strong assumption in software-protection techniques. We present COVER, a novel virtualization obfuscation technique in conjunction with the flash controller. COVER enhances the obfuscation and protects the secret parameters of the virtualization structure with a flash controller-based secure module. We implement a prototype of COVER and describe a prototype implementation of a flash controller-based secure module on a Solid State Drive (SSD). We demonstrate COVER’s efficacy against various code analysis methods, and evaluate COVER’s performance using a set of real-world applications. The evaluation results demonstrate that COVER effectively protects the secret parameters of the virtualization structure and increases the effort involved in deobfuscation. Compared with two commercial obfuscators, COVER provides additional protection strength without incurring significantly more overhead in terms of runtime and code size.

The exponential increase of Android malware creates a severe threat, motivating the development of machine learning and especially deep learning-based classifiers to detect and mitigate malicious applications. However, these classifiers are susceptible to adversarial attacks that manipulate input data to deceive the classifier and compromise performance. This paper investigates the vulnerability of deep learning-based Android malware classifiers against two adversarial attacks: Data Poisoning with Noise Injection (DP-NI) and Gradient-based Data Poisoning (GDP). In these attacks, we explore the utilization of differential privacy techniques by attackers aiming to compromise the effectiveness of deep learning based Android malware classifiers. We propose and evaluate a novel defense mechanism, Differential Privacy-Based Noise Clipping (DP-NC), designed to enhance the robustness of Android malware classifiers against these adversarial attacks. By leveraging deep neural networks and adversarial training techniques, DP-NC demonstrates remarkable efficacy in mitigating the impact of both DP-NI and GDP attacks. Through extensive experimentation on three diverse Android datasets (Drebin, Contagio, and Genome), we evaluate the performance of DP-NC against proposed adversarial attacks. Our results show that DP-NC significantly reduces the false-positive rate and improves classification accuracy across all datasets and attack scenarios. For instance, our findings on the Drebin dataset reveal a significant decrease in accuracy to 51% and 30% after applying DP-NI and GDP techniques, respectively. However, upon applying the DP-NC defense mechanism, the accuracy in both cases improved to approximately 70%. Furthermore, employing DP-NC defense against DP-NI and GDP attacks leads to a notable reduction in false positive rates by 45.46% and 7.67%, respectively. Similar results have been obtained in two other datasets, Contagio and Genome. These results underscore the effectiveness of DP-NC in enhancing the robustness of deep learning-based Android malware classifiers against adversarial attacks.

Data is ubiquitous, powerful and valuable today. With vast instalments of Industrial Internet-of-Things (IIoT) infrastructure, data is in abundance albeit sitting in organizational silos. Data Marketplaces have emerged to allow monetization of data by trading it with interested buyers. While centralized marketplaces are common, they are controlled by few and are non-transparent. Decentralized data marketplaces allow the democratization of rates, trading terms and fine control to participants. However, in such a marketplace, ensuring privacy and security is crucial. Existing data exchange schemes depend on a trusted third party for key management during authentication and rely on a ‘one-time-off’ approach to authorization. This paper proposes a user-empowered, privacy-aware, authentication and usage-controlled access protocol for IIoT data marketplace. The proposed protocol leverages the concept of Self-Sovereign Identity (SSI) and is based on the standards of Decentralized Identifier (DID) and Verifiable Credential (VC). DIDs empower buyers and give them complete control over their identities. The buyers authenticate and prove claims to access data securely using VC. The proposed protocol also implements a dynamic user-revocation policy. Usage-controlled based access provides secure ongoing authorization during data exchange. A detailed performance and security analysis is provided to show its feasibility.

Securing Internet of Things (IoT) devices is paramount to mitigate unauthorised access and potential cyber threats, safeguarding the integrity of transmitted and processed data within interconnected devices. Identifying malicious IoT devices necessitates vigilant monitoring of network traffic, behaviour analysis, and implementing security measures, including Anomaly Detection Systems (ADSs), Intrusion Detection Systems (IDSs), and regular firmware updates. Traditional security approaches need to be revised for safeguarding IoT systems due to their inherent limitations in accommodating the resource-constrained nature of these devices.

We introduce IoTPredictor, an advanced security approach designed to predict and detect malicious activities in IoT devices. Leveraging Hidden Markov Models (HMMs), IoTPredictor integrates an ADS to proactively detect and thwart attacks within the complex IoT-fog computing landscape. Our conceptual approach begins with categorising IoT devices into genuine, compromised, and counterfeit. We propose an HMM-based state transition model that captures potential transitions between states, such as normal, compromised, or counterfeit operations. We introduce an algorithm for estimating probabilities associated with next-state predictions to facilitate predictive analysis. Furthermore, we present a formal approach for analysing communications between different states, enhancing the precision of the security framework. To validate the effectiveness of IoTPredictor, we conduct a series of experiments and provide a comprehensive evaluation. The results demonstrate the robustness and efficiency of our proposed security framework in predicting and preventing malicious activities, thereby contributing to the overall security enhancement of IoT devices within the complex IoT-fog computing network.

With the widespread adoption of edge computing, compressing deep neural networks (DNNs) via knowledge distillation (KD) has emerged as a popular technique for resource-limited scenarios. Among various KD methods, feature-based KD, which leverages the feature representations from intermediate layers of the teacher model to supervise the training of the student model, has shown superior performance and enjoyed wide application. However, users often overlook potential backdoor threats when using knowledge distillation (KD) to extract knowledge. To address the issue, this paper mainly contributes to three aspects: (1) we try the first step of exploring the security risks in feature-based KD, where implanted backdoors in teacher models can survive and transfer to student models. (2) We propose a backdoor attack method targeting feature distillation, achieved by encoding backdoor knowledge into specific neuron activation layers. Specifically, we optimize triggers to induce consistent feature map values in the teacher model and transfer the backdoor knowledge to student models through these features. We also design an adaptive defense method against this attack. (3) Extensive experiments on four common datasets and six sets of different teacher and student models validate that our attack outperforms the state-of-the-art (SOTA) baselines, with an average attack success rate of ($\sim \times 1.5$). Additionally, we discuss effective defense methods against such backdoor attacks.