Computers & Security最新文献

Intelligent diagnostic modeling of industrial equipment (IDMIE) addresses various industrial challenges, yet concerns about data privacy security have been raised by many organizations. However, the reliance on third-party trust and the stringent privacy requirements pose obstacles to ensuring privacy. To tackle these issues, this study proposes a generative model based on the framework of differential privacy and one-dimensional operational generative adversarial networks (DP1D-OpGAN), in which, in order to reduce the privacy budget and ensure the privacy of the generative model, a method involving training the learning parameters with perturbed gradient vectors is proposed. Additionally, the classification model of discrete multi-wavelet transforms convolutional neural network (DMWA-CNN) is integrated to enhance the diagnostic performance of the model. The model's safety, high performance, and generalizability are validated through multiple comprehensive experiments.

Cyber attacks against power grids, interrupting utility service and causing blackouts are on the rise, and increasingly motivate researchers to investigate this topic. Thereby, models of real-world power grids are an indispensable prerequisite, but operators do not make them available, allegedly for reasons of protection. This security-by-obscurity strategy appears futile as grid artifacts (lines, plants, substations) are large and cannot be easily hidden. It seems promising to infer real-world model data from publicly available data, and indeed, multiple models were generated through Open Source Intelligence (OSINT). Questions on the models’ quality remain, however, open but are of utter importance for research building on these models, especially as the results might have considerable impact on society and national security. This paper approaches this particular point and investigates whether OSINT leads to data on real-world power grids of sufficient quality; by the example of the European country of Austria, we investigate whether all parameters that are relevant for power flow analysis, a standard approach in power engineering, can be inferred from publicly available data (OpenStreetMap, national statistics, etc.), and validate this data against ground truths, including governmental land use plans, Google Street View and the power sector’s information material. Our validation shows that the inferred data meets reality well — among others, the extra-high voltage level is 100% (lines) rsp. 98% (substations) complete. Beyond, the inferred data is up-to-date as the construction of lines or substations is always documented in OSM, in 76% of the cases even before finalization of the construction works. An analysis of 24 other European countries revealed that electric systems, substations, and power plants are documented in OSM to a similar extent as in Austria, motivating the application of our approach also to these countries. The contribution of our OSINT-based approach is twofold: First, it facilitates the development of models of real-world power grids, fostering research and discussion that is independent of the power grid operators, in the security domain and beyond. Second, our method represents an attack itself, challenging the energy sector’s security-by-obscurity approach.

Despite extensive academic research in anomaly detection within the cybersecurity domain, its successful adoption in real-world settings remains limited. This paper addresses the challenges of applying outlier detection techniques for threat detection within the context of Security Information and Event Management (SIEM) systems. It particularly highlights the significance of contextualization and explainability, while challenging the assumption that outliers invariably indicate malicious activity. It proposes a simple yet effective outlier detection technique designed to mimic a Security Operation Center (SOC) analyst’s reasoning process in finding anomalies/outliers and deciding maliciousness. The approach emphasizes explainability and simplicity, achieved by combining the output of simple, context-aware univariate submodels that calculate an outlier score for each entry.

The proposed technique is first evaluated on a public dataset, demonstrating its ability to achieve high performance in detecting outliers compared to other well-known algorithms. Furthermore, to assess the practicality in a real-world scenario, the approach is deployed in production alongside the SIEM of a large international enterprise with over 100,000 assets, utilizing 20 terabytes of Endpoint Detection and Response (EDR) logs to detect Living-off-the-Land Binaries (LOLBins). The proposed framework can empower SOC analysts in developing scalable, effective, and interpretable outlier-based threat detection use cases.

Truth discovery technology is widely used in the field of data collection in crowdsourcing; however, with the deepening of people’s privacy awareness, ordinary truth discovery can no longer meet the current user demand for privacy protection, and solving the privacy problem is one of the critical challenges of truth discovery. A number of works have been proposed as the truth discovery mechanism of differential privacy. However, the privacy budget allocation in the known differential privacy truth discovery mechanisms does not consider the data precision differences of multi-source datasets and the anomalous results of small-value data after aggregation. We propose a precision division based on a differential privacy two-layer truth discovery framework to ensure privacy security while considering data precision and can also ensure high-accuracy truth discovery. The main challenges of this paper are how to obtain highly accurate truth values in sparse data scenarios without exposing the original values to the cloud server when performing error correction of aggregated anomalies after noise addition, as well as to improve the precision of truth value estimation of perturbed streaming data based on the refinement of the privacy protection level based on the accuracy of the data. Specifically, we first formulate a data-sampling algorithm to get the data precision of different users and to sieve out the anomalous data and duplicate data to obtain the quality of user-uploaded data. Then, we formulate a new privacy budget allocation mechanism, which synthesizes the sampling situation during data preprocessing and fully considers the data precision to quantify user privacy and turn it into specific values. We provide a quadratic truth discovery mechanism based on a predictive interpolation algorithm when dealing with small-value data, ensuring the reliability of small data aggregation results. We demonstrate that our framework achieves differential privacy for user-supplied data while we conduct extensive experiments on three real-world datasets to prove the effectiveness of our system framework.

The Internet of Things (IoT) devices have been integrated into almost all everyday applications of human life such as healthcare, transportation and agriculture. This widespread adoption of IoT has opened a large threat landscape to computer networks, leaving security gaps in IoT-enabled networks. These resource-constrained devices lack sufficient security mechanisms and become the weakest link in our in computer networks and jeopardize systems and data. To address this issue, Intrusion Detection Systems (IDS) have been proposed as one of many tools to mitigate IoT related intrusions. While IDS have proven to be a crucial tools for threat detection, their dependence on labeled data and their high computational costs have become obstacles to real life adoption. In this work, we present IoT-PRIDS, a new framework equipped with a host-based anomaly-based intrusion detection system that leverages “packet representations” to understand the typical behavior of devices, focusing on their communications, services, and packet header values. It is a lightweight non-ML model that relies solely on benign network traffic for intrusion detection and offers a practical way for securing IoT environments. Our results show that this model can detect the majority of abnormal flows while keeping false alarms at a minimum and is promising to be used in real-world applications.

The increasing dependence on satellite technology for critical applications, such as telecommunications, Earth observation, and navigation, underscores the need for robust security measures to safeguard these assets from potential cyber threats. Moreover, as many satellite systems rely on the Controller Area Network (CAN) protocol for efficient data exchange among onboard subsystems, they become prime targets for cyberattacks. While contributions present various options for detecting attacks in the CAN bus, no one proposes an architecture suitable for satellite systems. To address this concern, this paper presents a novel approach to develop an adaptive distributed Intrusion Detection System (IDS) for satellites, which integrates machine and deep learning techniques for the classification of CAN frames. This system is specifically designed to overcome the inherent power and computational challenges of satellite operations by executing time-based anomaly detection on board, and content-based detection at the ground segment. To evaluate the effectiveness of the proposed solution, experiments are conducted using representative Datasets. The obtained results demonstrate that the distributed IDS presented in this research offers a promising solution to improve the security of satellite systems by achieving high detection rates ranging from 91.12% to 99.86% (F1-score).

The digital landscape faces an escalating wave of sophisticated malware threats to organizations and individuals, and it is increasingly vulnerable to cyber attacks. The dominance of Windows operating systems across corporate and individual computing environments renders Windows a prime target for cyber threats. As malware increasingly employs advanced code obfuscation and packing techniques to evade static detection, dynamic analysis through API calls has become more helpful in identifying malicious behavior. The deep learning techniques emerge as a promising strategy, significantly advancing the field of malware detection in response to the ever-evolving cyber threat landscape. Leveraging advanced deep learning techniques, we introduce a cutting-edge malware detection framework that utilizes the Longformer model, specifically designed to handle extensive text sequences. Our novel approach transforms API call sequences into detailed natural language descriptions with the help of API descriptions and arguments, thereby enabling a deeper understanding of software behaviors. This transformation allows the Longformer model to identify malicious patterns, offering enhanced detection accuracy efficiently. Comparative analyses with state-of-the-art techniques and conventional deep learning models reveal that our proposed method showcases significant performance improvements in terms of accuracy, precision, recall, and F1 score. The proposed model achieves an accuracy of 0.992, highlighting its efficacy in accurately identifying and classifying malicious behavior.

Due to their open architecture, collaborative filtering recommender systems are susceptible to recommendation attacks, in which attackers inject fake rating data into the system to affect the accuracy of recommendation results. To detect these attacks, numerous detection methods have been designed and proven effective. However, in recent years, deep learning-based recommendation attack models such as GSA-GAN have shown higher concealment, posing new challenges to existing detection methods. Motivated by the need for improved detection, in this paper we propose a new approach called CNN-BAG, which integrates convolutional neural network (CNN) and Bagging (BAG) techniques. CNN-BAG can enhance the detection performance by simultaneously leveraging the deep learning capabilities of CNN and the ensemble learning strengths of Bagging. Firstly, we construct a deep neural network based on CNN as the base learner to automatically extract and learn features of recommendation attacks. Secondly, we use the Bagging algorithm to perform bootstrap sampling on the training data to generate multiple diverse training subsets. The above constructed base learners are then trained on these generated training subsets to produce multiple base classifiers for classifying recommendation attacks. Finally, we combine the base classifiers’ outputs using a majority voting method to obtain the final detection results. To assess the performance of CNN-BAG in detecting recommendation attacks, we compared it against several well-established detection methods on the Movielens-10M and Amazon datasets. Our experiments revealed that CNN-BAG is adept at identifying various attack types, including the deep learning-based recommendation attack models.

This study was prompted by the scarcity of focused quantitative research on the cybersecurity of SMBs. Our research aimed to understand the factors influencing SMBs' approach to cybersecurity, their level of threat awareness and the importance placed on cybersecurity. It also explored the extent to which NIST CSF practices are implemented by SMBs while also detecting and ranking the prevalent challenges faced by SMBs. Additionally, resources that SMBs turn to for help and guidance were also evaluated. While the survey-based study was on Western Australian SMBs, the results are of more general and wider interest. Our study found the lack of funds to be the biggest hindrance to cybersecurity, along with a lack of knowledge on where to start implementing good security practices. SMBs also lacked familiarity with relevant regulations and frameworks. The study highlights areas for improvement, such as access control mechanisms, individual user accounts, formalised policies and procedures, and dedicated budgets. SMBs heavily rely on Google search for cybersecurity information, emphasising the need for optimised search results from authoritative sources. IT service providers and informal networks also emerge as important sources of cybersecurity guidance, while local universities could assist SMBs but remain underutilised in this regard. Interestingly, factors such as organisational size, industry sector, and revenue level did not significantly impact SMBs' perception of vulnerability to cyber threats. However, further investigation is needed to evaluate the effectiveness of different IT service models for SMBs' cybersecurity needs. Overall, the research provides valuable insights into the specific gaps and challenges faced by SMBs in the cybersecurity domain, as well as their preferred methods of seeking and consuming cybersecurity assistance. The findings can guide the development of targeted strategies and policies to enhance the cybersecurity posture of SMBs.

Binary vulnerability detection is a significant area of research in computer security. The existing methods for detecting binary vulnerabilities primarily rely on binary code similarity analysis, detecting vulnerabilities by comparing the similarities embedded in binary codes. Recently, Transformer-based models have achieved significant progress in this field, leveraging their advantage in handling sequential data to better understand the semantics of assembly code. However, to prevent the out-of-vocabulary (OOV) problems, assembly code typically needs to be normalized, which would lose some important numerical and jump information. In this paper, we propose HAformer, a Transformer-based model, which semantically fuses hexadecimal machine codes and assembly codes to extract richer semantic information from binary codes. By incorporating the hexadecimal machine code and a newly designed assembly code normalization method, HAformer can alleviate the problem of numerical information loss caused by traditional assembly code normalization, thereby addressing the issue of OOV. Evaluation results demonstrate that our HAformer outperforms the baseline method in the Recall@1 metric by 16.9%, 25.5% and 19.2% in cross-optimization level, cross-compiler and cross-architecture environments, respectively. In real-world vulnerability detection experiments, HAformer exhibits the highest accuracy.