Computers & Security最新文献_第6页

LeakFocus: Catching the perpetrator in routing leak event

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2024-12-27 DOI: 10.1016/j.cose.2024.104300

Yuancheng Xie, Zhaoxin Zhang, Ning Li, Haoyang Gao

Route leaks pose a significant threat to the Internet, yet traditional machine learning-based detection models often fail to accurately identify the responsible AS, hindering timely alerting. To address this, we introduce LeakFocus, a novel framework that precisely identifies routing leak perpetrators. By analyzing the impact of route leaks on neighboring ASes, we establish a correlation between the severity of impact and proximity to the perpetrator. Leveraging this insight, we collected and optimized a large ground truth dataset using BGPmon and custom filters, significantly enhancing detection accuracy. An IQR-based (interquartile range) feature filtering approach was then employed to select ten key features that effectively differentiate legitimate from illegitimate valley paths. LeakFocus integrates temporal convolutional neural networks (TCNs) and node feature aggregation algorithms for routing leak detection and perpetrator localization. Experimental results show that LeakFocus improves detection precision by over 16% and reduces false positive rates by more than 34% compared to state-of-the-art models. Furthermore, LeakFocus provides network operators with a probabilistic list of likely violators, speeding up response times. This framework offers significant practical value, facilitating faster localization and mitigation of routing leaks, and represents a notable advancement in managing the harmful effects of route leakage.

{"title":"LeakFocus: Catching the perpetrator in routing leak event","authors":"Yuancheng Xie, Zhaoxin Zhang, Ning Li, Haoyang Gao","doi":"10.1016/j.cose.2024.104300","DOIUrl":"10.1016/j.cose.2024.104300","url":null,"abstract":"<div><div>Route leaks pose a significant threat to the Internet, yet traditional machine learning-based detection models often fail to accurately identify the responsible AS, hindering timely alerting. To address this, we introduce LeakFocus, a novel framework that precisely identifies routing leak perpetrators. By analyzing the impact of route leaks on neighboring ASes, we establish a correlation between the severity of impact and proximity to the perpetrator. Leveraging this insight, we collected and optimized a large ground truth dataset using BGPmon and custom filters, significantly enhancing detection accuracy. An IQR-based (interquartile range) feature filtering approach was then employed to select ten key features that effectively differentiate legitimate from illegitimate valley paths. LeakFocus integrates temporal convolutional neural networks (TCNs) and node feature aggregation algorithms for routing leak detection and perpetrator localization. Experimental results show that LeakFocus improves detection precision by over 16% and reduces false positive rates by more than 34% compared to state-of-the-art models. Furthermore, LeakFocus provides network operators with a probabilistic list of likely violators, speeding up response times. This framework offers significant practical value, facilitating faster localization and mitigation of routing leaks, and represents a notable advancement in managing the harmful effects of route leakage.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104300"},"PeriodicalIF":4.8,"publicationDate":"2024-12-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142812","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

RansoGuard: A RNN-based framework leveraging pre-attack sensitive APIs for early ransomware detection

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2024-12-26 DOI: 10.1016/j.cose.2024.104293

Mingcan Cen, Frank Jiang, Robin Doss

Ransomware has emerged as a significant security threat in cyberspace, inflicting severe economic losses and privacy breaches on individual users and organizations. Ransomware typically encrypts critical user files and demands a ransom for decryption. Traditional signature-based defense methods effectively identify known ransomware but perform poorly when confronting unknown zero-day attacks. Addressing this challenge, a ransomware detection framework called ‘RansoGuard’ is proposed. This framework aims to achieve timely identification and defense against ransomware by capturing and analyzing the sensitive Application Programming Interface (API) call behavior exhibited before the encryption attack is launched. A real-world ransomware sample dataset was constructed. The dynamic behavioral data during the pre-attack stage was analyzed, and natural language processing techniques were used to represent and extract key features from API call sequences. A Recurrent Neural Network (RNN) classifier was trained on these features to distinguish ransomware from benign software. Experimental results demonstrate that the RansoGuard framework exhibits outstanding early ransomware detection performance across different datasets, achieving a recall of 96.18% and an accuracy of 94.26%. Furthermore, it exhibits robustness in effectively countering zero-day attacks.

{"title":"RansoGuard: A RNN-based framework leveraging pre-attack sensitive APIs for early ransomware detection","authors":"Mingcan Cen, Frank Jiang, Robin Doss","doi":"10.1016/j.cose.2024.104293","DOIUrl":"10.1016/j.cose.2024.104293","url":null,"abstract":"<div><div>Ransomware has emerged as a significant security threat in cyberspace, inflicting severe economic losses and privacy breaches on individual users and organizations. Ransomware typically encrypts critical user files and demands a ransom for decryption. Traditional signature-based defense methods effectively identify known ransomware but perform poorly when confronting unknown zero-day attacks. Addressing this challenge, a ransomware detection framework called ‘RansoGuard’ is proposed. This framework aims to achieve timely identification and defense against ransomware by capturing and analyzing the sensitive Application Programming Interface (API) call behavior exhibited before the encryption attack is launched. A real-world ransomware sample dataset was constructed. The dynamic behavioral data during the pre-attack stage was analyzed, and natural language processing techniques were used to represent and extract key features from API call sequences. A Recurrent Neural Network (RNN) classifier was trained on these features to distinguish ransomware from benign software. Experimental results demonstrate that the RansoGuard framework exhibits outstanding early ransomware detection performance across different datasets, achieving a recall of 96.18% and an accuracy of 94.26%. Furthermore, it exhibits robustness in effectively countering zero-day attacks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104293"},"PeriodicalIF":4.8,"publicationDate":"2024-12-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142950","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

IEA-DMS: An Interpretable feature-driven, Efficient and Accurate Detection Method for Slow HTTP DoS in high-speed networks

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2024-12-26 DOI: 10.1016/j.cose.2024.104291

Jinfeng Chen , Hua Wu , Xiaohui Wang , Suyue Wang , Guang Cheng , Xiaoyan Hu

Slow HTTP DoS (SHD) is a novel DoS attack that exploits HTTP/HTTPS. SHD often operates at the application layer with encryption and has long packet intervals due to its slow transmission rate, making it more concealed and difficult to detect. Therefore, traditional detection methods for high-speed DDoS are ineffective against SHD. Meanwhile, Existing SHD detection approaches need many generic features or complex models, thus becoming less interpretable and more resource-intensive to meet real-time demands in high-speed networks. Moreover, most methods rely on bidirectional traffic, neglecting the prevalent issue of asymmetric routing in high-speed networks. To overcome these shortcomings, this paper proposes IEA-DMS, an Interpretable feature-driven, Efficient and Accurate Detection Method for Slow HTTP DoS in high-speed networks. We first analyze SHD mechanisms and construct a representative feature set based on its traffic characteristics to perform effectively under sampling and asymmetric routing. Then, to fast and accurately record the features, we employ Slow HTTP DoS Sketch and provide a detailed error analysis and suggest appropriate parameters. Experiments using public datasets show that the proposed features are efficient and interpretable. Even with numerous unidirectional flows and a 1/64 sampling rate, IEA-DMS detects SHD accurately within 2 min with low memory usage. Besides, IEA-DMS’s processing performance reaches 13.1 Mpps and can continuously process more than 100 days of traffic without clearing memory.

{"title":"IEA-DMS: An Interpretable feature-driven, Efficient and Accurate Detection Method for Slow HTTP DoS in high-speed networks","authors":"Jinfeng Chen , Hua Wu , Xiaohui Wang , Suyue Wang , Guang Cheng , Xiaoyan Hu","doi":"10.1016/j.cose.2024.104291","DOIUrl":"10.1016/j.cose.2024.104291","url":null,"abstract":"<div><div>Slow HTTP DoS (SHD) is a novel DoS attack that exploits HTTP/HTTPS. SHD often operates at the application layer with encryption and has long packet intervals due to its slow transmission rate, making it more concealed and difficult to detect. Therefore, traditional detection methods for high-speed DDoS are ineffective against SHD. Meanwhile, Existing SHD detection approaches need many generic features or complex models, thus becoming less interpretable and more resource-intensive to meet real-time demands in high-speed networks. Moreover, most methods rely on bidirectional traffic, neglecting the prevalent issue of asymmetric routing in high-speed networks. To overcome these shortcomings, this paper proposes IEA-DMS, an Interpretable feature-driven, Efficient and Accurate Detection Method for Slow HTTP DoS in high-speed networks. We first analyze SHD mechanisms and construct a representative feature set based on its traffic characteristics to perform effectively under sampling and asymmetric routing. Then, to fast and accurately record the features, we employ Slow HTTP DoS Sketch and provide a detailed error analysis and suggest appropriate parameters. Experiments using public datasets show that the proposed features are efficient and interpretable. Even with numerous unidirectional flows and a 1/64 sampling rate, IEA-DMS detects SHD accurately within 2 min with low memory usage. Besides, IEA-DMS’s processing performance reaches 13.1 Mpps and can continuously process more than 100 days of traffic without clearing memory.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104291"},"PeriodicalIF":4.8,"publicationDate":"2024-12-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142986","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

A combined side-channel and transient execution attack scheme on RISC-V processors

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2024-12-26 DOI: 10.1016/j.cose.2024.104297

Renhai Dong , Baojiang Cui , Yi Sun , Jun Yang

The escalating progress of RISC-V processors in both academic and industrial realms has drawn significant attention to its open-source Instruction Set Architecture (ISA) and microarchitecture. Nevertheless, the growing threat of microarchitecture transient execution attacks in recent years has posed a severe challenge to the design of processors. Some studies have proposed that the RISC-V microarchitecture still has some flaws from the perspective of transient execution and pointed out the attack surface, which results in the RISC-V processor being unable to ensure integrated circuit and system security at the microarchitecture level.

In this paper, we systematically examine RISC-V microarchitecture security issues and put forward a combined side-channel and transient execution attack scheme. The proposed attack scheme comprehensively analyzes cache security, timing side-channel attacks, and Physical Memory Protection (PMP) across diverse microarchitectures. Not surprisingly, we discover an unknown transient execution flaw by PMP security analysis. Moreover, we introduce 4 transient execution attack primitives exploiting microarchitectural speculative execution flaws and PMP transient execution to bypass data protection and privilege isolation which allow attackers to illegally access sensitive data on the microarchitectures and break the PMP rule-based memory isolation scheme. Experimental results demonstrate that the attack scheme on 6 real-world RISC-V processors achieves a high level of accuracy, successfully attacking 6 microarchitectures with approximately 97.52%. The scheme completes 1,000 attacks in less 60 s which leaks about 2,500 bits, showcasing an average efficiency improvement of 34.17% over the state-of-the-art tool. The attack can successfully retrieve the cryptographic keys, rendering this attack applicable in practical scenarios. Finally, we propose several countermeasures to defend against the attack. We reported CVE and CNNVD vulnerabilities and both are confirmed by the developers for security’s sake.

{"title":"A combined side-channel and transient execution attack scheme on RISC-V processors","authors":"Renhai Dong , Baojiang Cui , Yi Sun , Jun Yang","doi":"10.1016/j.cose.2024.104297","DOIUrl":"10.1016/j.cose.2024.104297","url":null,"abstract":"<div><div>The escalating progress of RISC-V processors in both academic and industrial realms has drawn significant attention to its open-source Instruction Set Architecture (ISA) and microarchitecture. Nevertheless, the growing threat of microarchitecture transient execution attacks in recent years has posed a severe challenge to the design of processors. Some studies have proposed that the RISC-V microarchitecture still has some flaws from the perspective of transient execution and pointed out the attack surface, which results in the RISC-V processor being unable to ensure integrated circuit and system security at the microarchitecture level.</div><div>In this paper, we systematically examine RISC-V microarchitecture security issues and put forward a combined side-channel and transient execution attack scheme. The proposed attack scheme comprehensively analyzes cache security, timing side-channel attacks, and Physical Memory Protection (PMP) across diverse microarchitectures. Not surprisingly, we discover an unknown transient execution flaw by PMP security analysis. Moreover, we introduce 4 transient execution attack primitives exploiting microarchitectural speculative execution flaws and PMP transient execution to bypass data protection and privilege isolation which allow attackers to illegally access sensitive data on the microarchitectures and break the PMP rule-based memory isolation scheme. Experimental results demonstrate that the attack scheme on 6 real-world RISC-V processors achieves a high level of accuracy, successfully attacking 6 microarchitectures with approximately 97.52%. The scheme completes 1,000 attacks in less 60 s which leaks about 2,500 bits, showcasing an average efficiency improvement of 34.17% over the state-of-the-art tool. The attack can successfully retrieve the cryptographic keys, rendering this attack applicable in practical scenarios. Finally, we propose several countermeasures to defend against the attack. We reported CVE and CNNVD vulnerabilities and both are confirmed by the developers for security’s sake.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104297"},"PeriodicalIF":4.8,"publicationDate":"2024-12-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142951","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

LDCDroid: Learning data drift characteristics for handling the model aging problem in Android malware detection

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2024-12-24 DOI: 10.1016/j.cose.2024.104294

Zhen Liu , Ruoyu Wang , Bitao Peng , Lingyu Qiu , Qingqing Gan , Changji Wang , Wenbin Zhang

The dynamic and evolving nature of malware applications can lead to deteriorating performance in malware detection models, a phenomenon known as the model aging problem. This issue compromises the model’s effectiveness in maintaining mobile security. Model retraining have proven effective in enhancing performance on previously unseen applications. However, the substantial need for annotated data remains a significant challenge in acquiring accurate ground truth for model retraining. Therefore, this paper introduces a new method to address the model aging problem in Android malware detection(AMD). To alleviate the burden of manual annotation, our approach incorporates pseudo-labeled data into the retraining process. Specifically, we introduce a novel method for evaluating the data drift scores of newly emerged samples by learning their data drift characteristics. These scores guide the usage of pseudo-labeled and true-labeled data for retraining the model. Our method significantly reduces the resources required for annotation while maintaining the efficacy of malware detection. In long-term datasets, we demonstrate the efficacy of our models through a series of experiments. Results indicate that our method enhances the F-score by approximately 26% in predicting unseen malware over a span of nine years.

{"title":"LDCDroid: Learning data drift characteristics for handling the model aging problem in Android malware detection","authors":"Zhen Liu , Ruoyu Wang , Bitao Peng , Lingyu Qiu , Qingqing Gan , Changji Wang , Wenbin Zhang","doi":"10.1016/j.cose.2024.104294","DOIUrl":"10.1016/j.cose.2024.104294","url":null,"abstract":"<div><div>The dynamic and evolving nature of malware applications can lead to deteriorating performance in malware detection models, a phenomenon known as the model aging problem. This issue compromises the model’s effectiveness in maintaining mobile security. Model retraining have proven effective in enhancing performance on previously unseen applications. However, the substantial need for annotated data remains a significant challenge in acquiring accurate ground truth for model retraining. Therefore, this paper introduces a new method to address the model aging problem in Android malware detection(AMD). To alleviate the burden of manual annotation, our approach incorporates pseudo-labeled data into the retraining process. Specifically, we introduce a novel method for evaluating the data drift scores of newly emerged samples by learning their data drift characteristics. These scores guide the usage of pseudo-labeled and true-labeled data for retraining the model. Our method significantly reduces the resources required for annotation while maintaining the efficacy of malware detection. In long-term datasets, we demonstrate the efficacy of our models through a series of experiments. Results indicate that our method enhances the F-score by approximately 26% in predicting unseen malware over a span of nine years.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104294"},"PeriodicalIF":4.8,"publicationDate":"2024-12-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142949","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Automated detection of cyber attacks in healthcare systems: A novel scheme with advanced feature extraction and classification

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2024-12-22 DOI: 10.1016/j.cose.2024.104288

Ahmad Nasayreh , Haris M. Khalid , Hamza K. Alkhateeb , Jalal Al-Manaseer , Abdulla Ismail , Hasan Gharaibeh

The growing incorporation of interconnected healthcare equipment, software, networks, and operating systems into the Internet of Medical Things (IoMT) poses a risk of security breaches. This is because the IoMT devices lack adequate safeguards against cyberattacks. To address this issue, this article presents a proposed framework for detecting anomalies and cyberattacks. The proposed integrated model employs the 1) K-nearest neighbors (KNN) algorithm for classification, while 2) utilizing long-short term memory (LSTM) for feature extraction, and 3) applying Principal component analysis (PCA) to modify and reduce the features. PCA subsequently enhances the important temporal characteristics identified by the LSTM network. The parameters of the KNN classifier were confirmed by using fivefold cross-validation after making hyperparameter adjustments. The evaluation of the proposed model involved the use of four datasets: 1) telemetry operating system network internet-of-things (TON-IoT), 2) Edith Cowan University-Internet of Health Things (ECU-IoHT) dataset, 3) intensive care unit (ICU) dataset, and 4) Washington University in St. Louis Enhanced Healthcare Surveillance System (WUSTL-EHMS) dataset. The proposed model achieved 99.9% accuracy, recall, F1 score, and precision on the WUSTL-EHMS dataset. The proposed technique efficiently mitigates cyber threats in healthcare environments.

{"title":"Automated detection of cyber attacks in healthcare systems: A novel scheme with advanced feature extraction and classification","authors":"Ahmad Nasayreh , Haris M. Khalid , Hamza K. Alkhateeb , Jalal Al-Manaseer , Abdulla Ismail , Hasan Gharaibeh","doi":"10.1016/j.cose.2024.104288","DOIUrl":"10.1016/j.cose.2024.104288","url":null,"abstract":"<div><div>The growing incorporation of interconnected healthcare equipment, software, networks, and operating systems into the Internet of Medical Things (IoMT) poses a risk of security breaches. This is because the IoMT devices lack adequate safeguards against cyberattacks. To address this issue, this article presents a proposed framework for detecting anomalies and cyberattacks. The proposed integrated model employs the 1) K-nearest neighbors (KNN) algorithm for classification, while 2) utilizing long-short term memory (LSTM) for feature extraction, and 3) applying Principal component analysis (PCA) to modify and reduce the features. PCA subsequently enhances the important temporal characteristics identified by the LSTM network. The parameters of the KNN classifier were confirmed by using fivefold cross-validation after making hyperparameter adjustments. The evaluation of the proposed model involved the use of four datasets: 1) telemetry operating system network internet-of-things (TON-IoT), 2) Edith Cowan University-Internet of Health Things (ECU-IoHT) dataset, 3) intensive care unit (ICU) dataset, and 4) Washington University in St. Louis Enhanced Healthcare Surveillance System (WUSTL-EHMS) dataset. The proposed model achieved 99.9% accuracy, recall, F1 score, and precision on the WUSTL-EHMS dataset. The proposed technique efficiently mitigates cyber threats in healthcare environments.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104288"},"PeriodicalIF":4.8,"publicationDate":"2024-12-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142811","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

A review on the static and dynamic risk assessment methods for OT cybersecurity in industry 4.0

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2024-12-21 DOI: 10.1016/j.cose.2024.104295

Nourhan Halawi Ghoson , Vincent Meyrueis , Khaled Benfriha , Thomas Guiltat , Stéphane Loubère

The inherent vulnerabilities of Operational Technology (OT) systems to cyberattacks have historically been mitigated through the practice of air-gapping, effectively isolating them from broader industrial networks and thereby maintaining a level of security. However, the beginning of the fourth industrial revolution (Industry 4.0) signs a concept shift towards increased interconnectivity, enhanced visibility, and digital continuity. The transition towards Industry 4.0 has been characterized by a marked increase in security breaches within industrial settings, leading to a variety of hazardous outcomes. These incidents underscore the importance of cybersecurity within OT environments, necessitating the development and implementation of strict cybersecurity measures to safeguard against potential threats. In response to this emerging threat landscape, there has been a notable shift from static risk assessment methodologies towards more dynamic approaches, particularly with the incorporation of Artificial Intelligence (AI) technologies. This paper presents a comprehensive literature review that explores various risk assessment approaches within the context of Industry 4.0, focusing on industrial systems. It outlines the transition from traditional, static risk assessment methods to innovative, dynamic risk assessment strategies facilitated by the integration of AI.

{"title":"A review on the static and dynamic risk assessment methods for OT cybersecurity in industry 4.0","authors":"Nourhan Halawi Ghoson , Vincent Meyrueis , Khaled Benfriha , Thomas Guiltat , Stéphane Loubère","doi":"10.1016/j.cose.2024.104295","DOIUrl":"10.1016/j.cose.2024.104295","url":null,"abstract":"<div><div>The inherent vulnerabilities of Operational Technology (OT) systems to cyberattacks have historically been mitigated through the practice of air-gapping, effectively isolating them from broader industrial networks and thereby maintaining a level of security. However, the beginning of the fourth industrial revolution (Industry 4.0) signs a concept shift towards increased interconnectivity, enhanced visibility, and digital continuity. The transition towards Industry 4.0 has been characterized by a marked increase in security breaches within industrial settings, leading to a variety of hazardous outcomes. These incidents underscore the importance of cybersecurity within OT environments, necessitating the development and implementation of strict cybersecurity measures to safeguard against potential threats. In response to this emerging threat landscape, there has been a notable shift from static risk assessment methodologies towards more dynamic approaches, particularly with the incorporation of Artificial Intelligence (AI) technologies. This paper presents a comprehensive literature review that explores various risk assessment approaches within the context of Industry 4.0, focusing on industrial systems. It outlines the transition from traditional, static risk assessment methods to innovative, dynamic risk assessment strategies facilitated by the integration of AI.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104295"},"PeriodicalIF":4.8,"publicationDate":"2024-12-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142418","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

Edge Implicit Weighting with graph transformers for robust intrusion detection in Internet of Things network

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2024-12-21 DOI: 10.1016/j.cose.2024.104299

C. Karpagavalli, M. Kaliappan

In recent years, the Internet of Things devices have progressively deployed in various applications including smart cities, intelligent transportation, healthcare, and agriculture. However, this widespread adaptation of the Internet of Things networks has been vulnerable to several attacks. Lack of security protocols, unauthorized access, and improper device updates lead the Internet of Things environment to several attacks, which impact network security and confidentiality of users. This paper develops an innovative approach that integrates Edge Implicit Weighting and Aggregated Graph Transformer architecture for accurate and timely intrusion detection. The proposed technique aggregates information from both one-hop and two-hop neighbors to derive immediate and extended relational context thereby improving the detection of complex attacks. This approach designs an Edge Implicit Weighting mechanism that allows the model to prioritize structurally significant relationships and enhance the accuracy of attack detection. The multi-head attention mechanism is introduced to enhance the detection of relevant patterns even in highly variable traffic scenarios. Further, the proposed framework incorporates the Synthetic Minority Over-sampling Technique to generate synthetic samples of minority classes to reduce class imbalance problems and attain balanced detection performance across all classes. The performance of the proposed detection technique is analyzed using multiple datasets with standard evaluation parameters. The proposed technique achieves outstanding performance results including an accuracy of 98.87% and a recall of 98.36%. From this experimental validation, it's clear that the proposed framework provides robust performance under diverse network conditions and handles imbalanced data effectively.

{"title":"Edge Implicit Weighting with graph transformers for robust intrusion detection in Internet of Things network","authors":"C. Karpagavalli, M. Kaliappan","doi":"10.1016/j.cose.2024.104299","DOIUrl":"10.1016/j.cose.2024.104299","url":null,"abstract":"<div><div>In recent years, the Internet of Things devices have progressively deployed in various applications including smart cities, intelligent transportation, healthcare, and agriculture. However, this widespread adaptation of the Internet of Things networks has been vulnerable to several attacks. Lack of security protocols, unauthorized access, and improper device updates lead the Internet of Things environment to several attacks, which impact network security and confidentiality of users. This paper develops an innovative approach that integrates Edge Implicit Weighting and Aggregated Graph Transformer architecture for accurate and timely intrusion detection. The proposed technique aggregates information from both one-hop and two-hop neighbors to derive immediate and extended relational context thereby improving the detection of complex attacks. This approach designs an Edge Implicit Weighting mechanism that allows the model to prioritize structurally significant relationships and enhance the accuracy of attack detection. The multi-head attention mechanism is introduced to enhance the detection of relevant patterns even in highly variable traffic scenarios. Further, the proposed framework incorporates the Synthetic Minority Over-sampling Technique to generate synthetic samples of minority classes to reduce class imbalance problems and attain balanced detection performance across all classes. The performance of the proposed detection technique is analyzed using multiple datasets with standard evaluation parameters. The proposed technique achieves outstanding performance results including an accuracy of 98.87% and a recall of 98.36%. From this experimental validation, it's clear that the proposed framework provides robust performance under diverse network conditions and handles imbalanced data effectively.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104299"},"PeriodicalIF":4.8,"publicationDate":"2024-12-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142804","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

CyberShapley: Explanation, prioritization, and triage of cybersecurity alerts using informative graph representation

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2024-12-21 DOI: 10.1016/j.cose.2024.104270

Alon Malach , Prasanna N. Wudali , Satoru Momiyama , Jun Furukawa , Toshinori Araki , Yuval Elovici , Asaf Shabtai

In recent years, the field of cybersecurity has seen significant advancements in the ability to detect anomalies and cyberattacks. This progress can be attributed to the use of deep learning (DL) models. Despite their superior performance, such models are imperfect, and their complex architecture makes them opaque and uninterpretable. Therefore, security analysts cannot effectively analyze the alerts generated by these models. Recently proposed methods that provide an explanation for the predictions of DL-based anomaly detectors tend to focus on the models’ low-level input features which necessitate further analysis to understand the alerts. As a result, when triaging alerts, security analysts spend a great deal of time analyzing the alerts before making a decision whether and how to act. To address this issue and ensure that the explanations produced for DL models’ output are beneficial to security analysts, we propose CyberShapley, an XAI approach that aims to enhance the interpretability of alerts generated by anomaly detectors by providing user-friendly explanations for the decisions made by these models. We evaluated our method on an LSTM-based anomaly detection model that raises alerts on the anomalous event sequences in the DARPA Engagement #3 and PublicArena datasets. Our method explains the anomalous event sequences associated with alerts by visualizing them as human-interpretable subgraphs (i.e., connected components) and highlighting (prioritizing) the most important components. Consequently, analysts can easily triage the event sequences by focusing on the components with high importance while disregarding the components with low importance.

{"title":"CyberShapley: Explanation, prioritization, and triage of cybersecurity alerts using informative graph representation","authors":"Alon Malach , Prasanna N. Wudali , Satoru Momiyama , Jun Furukawa , Toshinori Araki , Yuval Elovici , Asaf Shabtai","doi":"10.1016/j.cose.2024.104270","DOIUrl":"10.1016/j.cose.2024.104270","url":null,"abstract":"<div><div>In recent years, the field of cybersecurity has seen significant advancements in the ability to detect anomalies and cyberattacks. This progress can be attributed to the use of deep learning (DL) models. Despite their superior performance, such models are imperfect, and their complex architecture makes them opaque and uninterpretable. Therefore, security analysts cannot effectively analyze the alerts generated by these models. Recently proposed methods that provide an explanation for the predictions of DL-based anomaly detectors tend to focus on the models’ low-level input features which necessitate further analysis to understand the alerts. As a result, when triaging alerts, security analysts spend a great deal of time analyzing the alerts before making a decision whether and how to act. To address this issue and ensure that the explanations produced for DL models’ output are beneficial to security analysts, we propose CyberShapley, an XAI approach that aims to enhance the interpretability of alerts generated by anomaly detectors by providing user-friendly explanations for the decisions made by these models. We evaluated our method on an LSTM-based anomaly detection model that raises alerts on the anomalous event sequences in the DARPA Engagement #3 and PublicArena datasets. Our method explains the anomalous event sequences associated with alerts by visualizing them as human-interpretable subgraphs (i.e., connected components) and highlighting (prioritizing) the most important components. Consequently, analysts can easily triage the event sequences by focusing on the components with high importance while disregarding the components with low importance.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104270"},"PeriodicalIF":4.8,"publicationDate":"2024-12-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142437","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0

RBD24 : A labelled dataset with risk activities using log application data

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security

Pub Date : 2024-12-20 DOI: 10.1016/j.cose.2024.104290

Albert Calvo , Santiago Escuder , Nil Ortiz , Josep Escrig , Maxime Compastié

This paper introduces the Risk Activities Dataset 2024 (RBD24), an open-source dataset designed to facilitate the identification and analysis of risk activities within the cybersecurity domain. The RBD24 Dataset is derived from multimodal application logs collected over a two-week period at a Spanish state university, identifying activities aligned with the early stages of the attack scenario. This dataset paves the way for novel User and Entity behaviour Analytics (UEBA) and risk assessment frameworks within the cybersecurity domain. In detail, the dataset offers a fully user-centric approach by providing ground-truth data for various risk behaviours, including cryptocurrency activities, outdated software usage, P2P file sharing, and phishing incidents. These ground-truth data, identified through intrusion detection systems (IDS) and experimental campaigns, are represented as a set of indicators extracted from DNS, HTTP, SSL, and SMTP protocol logs. This dataset is expected to be a valuable resource for developing and benchmarking cybersecurity models, particularly in the realm of risk behaviour assessment.

{"title":"RBD24 : A labelled dataset with risk activities using log application data","authors":"Albert Calvo , Santiago Escuder , Nil Ortiz , Josep Escrig , Maxime Compastié","doi":"10.1016/j.cose.2024.104290","DOIUrl":"10.1016/j.cose.2024.104290","url":null,"abstract":"<div><div>This paper introduces the Risk Activities Dataset 2024 (RBD24), an open-source dataset designed to facilitate the identification and analysis of risk activities within the cybersecurity domain. The RBD24 Dataset is derived from multimodal application logs collected over a two-week period at a Spanish state university, identifying activities aligned with the early stages of the attack scenario. This dataset paves the way for novel User and Entity behaviour Analytics (UEBA) and risk assessment frameworks within the cybersecurity domain. In detail, the dataset offers a fully user-centric approach by providing ground-truth data for various risk behaviours, including cryptocurrency activities, outdated software usage, P2P file sharing, and phishing incidents. These ground-truth data, identified through intrusion detection systems (IDS) and experimental campaigns, are represented as a set of indicators extracted from DNS, HTTP, SSL, and SMTP protocol logs. This dataset is expected to be a valuable resource for developing and benchmarking cybersecurity models, particularly in the realm of risk behaviour assessment.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104290"},"PeriodicalIF":4.8,"publicationDate":"2024-12-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"143142809","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 0