Computers & Security最新文献

Android malware is a major cyber threat to the popular Android platform which may influence millions of end users. To battle against Android malware, a large number of machine learning-based approaches have been developed, and have achieved promising results. However, the vast majority of the existing work relies on a large number of labeled samples which are unfortunately not available for the newly reported Android malware families. This poses a critical challenge to classify such few-shot Android malware families. In this paper, we propose FAMCF, a novel few-shot learning-based classification pipeline to solve the problem. Faced with insufficient labeled samples from few-shot malware families, we learn how to extract features by training on another base dataset which is of a much larger scale but has disjoint label space with the few-shot families. We consider three types of features based on static analysis, namely permissions, API calls, and opcodes. We train a classifier for each type of features, utilizing a metric-based few-shot learning approach, and get an ensemble decision. Specifically, for each classifier, given a query sample to be classified, we propose to compare it to the prototypes of all the families, which are generated in a query-dependent way. We compared the classification performance of FAMCF to that of the existing solutions of multiple categories, including those traditional machine learning-based approaches, few-shot Android malware classification approaches, and also state-of-the-art few-shot learning methods from other fields. We also analyzed robustness of FAMCF against multiple popular obfuscation techniques. The extensive experiments on the popular Drebin and CICInvesAndMal2019 datasets confirm the effectiveness and robustness of FAMCF in classifying few-shot Android malware families, e.g., we achieve at least 4.86% improvement on classification accuracy for Drebin and successfully kept the decrease in accuracy within 1% under the seven common types of obfuscation techniques.

Network Intrusion Detection Systems (NIDSes) are crucial for securing various networks from malicious attacks. Recent developments in Deep Neural Networks (DNNs) have encouraged researchers to incorporate DNNs as the underlying detection engine for NIDS. However, DNNs are susceptible to adversarial attacks, where subtle modifications to input data result in misclassification, posing a significant threat to security-sensitive domains such as NIDS. Existing efforts in adversarial defenses predominantly focus on supervised classification tasks in Computer Vision, differing substantially from the unsupervised outlier detection tasks in NIDS. To bridge this gap, we introduce a novel method of generalized adversarial robustness and present NIDS-Vis, an innovative black-box algorithm that traverses the decision boundary of DNN-based NIDSes near given inputs. Through NIDS-Vis, we can visualize the geometry of the decision boundaries and examine their impact on performance and adversarial robustness. Our experiment uncovers a tradeoff between performance and robustness, and we propose two novel training techniques, feature space partition and distributional loss function, to enhance the generalized adversarial robustness of DNN-based NIDSes without significantly compromising performance.

Recently, fog computing has been developed to complement cloud computing, which can provide cloud services at the edge of the network with real-time processing. However, the computational power of fog nodes is limited and this leads to security issues. On the other hand, cyber-attacks have become common with the exponential growth of Internet of Things (IoT) connected devices. This fact necessitates the development of Intrusion Detection Systems (IDSs) in fog environments with the aim of detecting attacks. In this paper, we develop an IDS named GAN-LSTM for fog environments that uses Generative Adversarial Networks (GANs) and Long Short-Term Memory Networks (LSTMs). GAN-LSTM is used to identify anomalies in network traffic to specific types of attacks or non-attacks. In general, GAN-LSTM consists of three components: data preprocessing, generation of real traffic patterns, and sequence analysis of real traffic data. Data preprocessing ensures data quality by removing noise and irrelevant features. The pre-processed data is fed to the GAN to generate real traffic as a baseline for normal behavior. Finally, the LSTM component is applied to detect anomalous anomalies in fog computing. The proposed algorithm was evaluated on public databases and experimental results showed that GAN-LSTM improves the accuracy of attack detection compared to equivalent approaches.

Controller Area Network (CAN) serves as the neural system of modern cars, connecting and coordinating various electronic control units (ECUs) responsible for vehicle operation. However, the inherent features of CAN, such as broadcast communication and lack of authentication, make it increasingly vulnerable to cyberattacks. Although existing intrusion detection systems (IDSs) perform well in detecting malicious attacks, they often lack the ability to accurately locate the senders of these malicious messages. In this paper, we propose an efficient sender identification method called Voltage Inspector, which leverages physical voltage signal slice to accurately identify the source of messages for CAN bus. We start by extracting voltage slices from the raw physical signals of the CAN bus. Next, we leverage clustering technology to infer the ECU mapping information, which is typically considered confidential. This mapping information, combined with a machine learning classifier, is then utilized to construct an identification model capable of accurately identifying the sender of each message. To validate the effectiveness of our proposed method, we conducted extensive experiments using a publicly available voltage dataset collected from ten real vehicles. The experimental results demonstrate the remarkable accuracy of our approach, achieving a minimum identification accuracy of 99%. Furthermore, our method significantly reduces the data volume by half and reduces the identification time by a quarter when compared to state-of-the-art methods. Our research reveals that even a small portion of the voltage signal can be used to uniquely fingerprint an ECU. We emphasize that our method serves as an alternative identification approach and can complement existing works in the field.

Zero Trust is the new cybersecurity model that challenges the traditional one by promoting continuous verification of users, devices, and applications, whatever their position or origin. This model is critical for reducing the attack surface and preventing lateral movement without relying on implicit trust. Adopting the zero trust principle in Intelligent Transportation Systems (ITS), especially in the context of connected vehicles (CVs), presents an adequate solution in the face of increasing cyber threats, thereby strengthening the ITS environment. This paper offers an understanding of Zero Trust security through a comprehensive review of existing literature, principles, and challenges. It specifically examines its applications in emerging technologies, particularly within connected vehicles, addressing potential issues and cyber threats faced by CVs. Inclusion/exclusion criteria for the systematic literature review were planned alongside a bibliometric analysis. Moreover, keywords co-occurrence analysis has been done, which indicates trends and general themes in the whole for Zero Trust model, Zero Trust implementation, and Zero Trust application. Furthermore, the paper explores various ZT models proposed in the literature for connected vehicles, shedding light on the challenges associated with their integration into CV systems. Future directions of this research will focus on incorporating Zero Trust principles within Vehicle-to-Vehicle (V2V) and Vehicle-to-Infrastructure (V2I) communication paradigms. This initiative intends to enhance the security posture and safety protocols within interconnected vehicular networks. The proposed research seeks to address the unique cybersecurity vulnerabilities inherent in the highly dynamic nature of vehicular communication systems.

Defect prediction based on deep learning is proposed to provide practitioners with reliable and practical tools to determine whether an area of code is defective. Compared with traditional code features, semantic features of source codes automatically extracted by neural networks can better reflect the semantic differences between codes. However, the small difference between some bug codes and clean codes poses a challenge for deep learning models in distinguishing them, leading to a low accuracy in defect prediction. In this paper, we propose bjCnet, a software defect prediction framework based on contrastive learning. It fine-tunes the pre-trained Transformer-based code large language model via a supervised contrastive learning network, achieving accurate defect prediction. We evaluate the prediction effect of bjCnet, the results demonstrate that the highest accuracy and f1-score achieved by bjCnet are both 0.948, surpassing the performance of the state-of-the-art approaches selected for comparison.

Encrypted network traffic classification plays an important role in enhancing network security and improving network performance. However, the imbalanced nature of traffic data makes the classification of encrypted network traffic challenging and may result in poor classification performance. Existing encrypted network traffic classification studies attempt to rebalance the data distribution through resampling strategies, which suffer from information loss, overfitting, and increased model complexity. Motivated by this, we propose an improved supervised contrastive learning approach to improve the classification performance of supervised contrastive learning classifiers for the traffic class imbalance problem in encrypted network traffic classification. Our method consists of two parts: data processing and traffic classification. In the data processing stage, we transform the raw network traffic data into grayscale images. In the traffic classification stage, we design optimized class-complement and class-averaging schemes in supervised contrastive learning. The construction of contrastive tasks is a critical link in contrastive learning. However, when constructing the set of positive and negative samples of network traffic, the samples generated by traditional methods do not conform to the salient features of network traffic. Traditional methods typically involve color modification, cropping, rotation, noise injection, and random erasure. When these traditional methods are applied to images generated from network traffic data, they may alter significant features of the network traffic data, such as changing the distribution of packet sizes. This is detrimental to maintaining the characteristics of traffic classes and does not aid the learning process. Therefore, we preprocess the traffic into images in a particular format suitable for contrastive learning, and then design a novel contrastive task construction method. The evaluation results on public datasets show that the proposed method can significantly improve the classification performance of encrypted traffic classification on imbalanced datasets.

With the increasing complexity of cyber threats and the expanding scope of cyberspace, there exist progressively more challenges in cyber threat detection. It is proven that most previous threat detection models may become inadequate due to the escalation of hacker attacks. However, recent research has shown that some of these problems can be effectively addressed by Large Language Models (LLMs) directly or indirectly. Nowadays, a growing number of security researchers are adopting LLMs for analyzing various cyber threats. According to the investigation, we found that while there are numerous emerging reviews on the utilization of LLMs in some fields of cyber security, there is currently a lack of a comprehensive review on the application of LLMs in the threat detection stage. Through retrieving and collating existing works in recent years, we examined various threat detection and monitoring tasks for which LLMs may be well-suited, including cyber threat intelligence, phishing email detection, threat prediction, logs analysis, and so on. Additionally, the review explored the specific stages of different detection tasks in which LLMs are involved, evaluating the points at which LLMs are optimized. For instance, LLMs have been found to enhance the interpretability of log analysis in real-time anomaly event discovery. Additionally, we discussed some tasks where LLMs may not be suitable and explored future directions and challenges in this field. By providing a detailed status update and comprehensive insights, this review aims to assist security researchers in leveraging LLMs to enhance existing detection frameworks or develop domain-specific LLMs.

Autonomous and connected vehicles are rapidly evolving, integrating numerous technologies and software. This progress, however, has made them appealing targets for cybersecurity attacks. As the risk of cyber threats escalates with this advancement, the focus is shifting from solely preventing these attacks to also mitigating their impact. Current solutions rely on vehicle security operation centers, where attack information is analyzed before deciding on a response strategy. However, this process can be time-consuming and faces scalability challenges, along with other issues stemming from vehicle connectivity. This paper proposes a dynamic intrusion response system integrated within the vehicle. This system enables the vehicle to respond to a variety of incidents almost instantly, thereby reducing the need for interaction with the vehicle security operation center. The system offers a comprehensive list of potential responses, a methodology for response evaluation, and various response selection methods. The proposed solution was implemented on an embedded platform. Two distinct cyberattack use cases served as the basis for evaluating the system. The evaluation highlights the system’s adaptability, its ability to respond swiftly, its minimal memory footprint, and its capacity for dynamic system parameter adjustments. The proposed solution underscores the necessity and feasibility of incorporating dynamic response mechanisms in smart vehicles. This is a crucial factor in ensuring the safety and resilience of future smart mobility.

Domain Generation Algorithms (DGAs) are highly effective strategies employed by malware to establish connections with Command and Control (C2) servers. Mitigating DGAs in high-speed networks can be challenging, as it often requires resource-intensive tasks such as extracting high-dimensional features from domain names or collecting extensive network heuristics. In this paper, we propose an innovative framework leveraging the flexibility, per-packet granularity, and Terabits per second (Tbps) processing capabilities of P4 programmable data plane switches for the rapid and accurate detection and classification of DGA families. Specifically, we use P4 switches to extract a combination of unique network heuristics and domain name features through shallow and Deep Packet Inspection (DPI) with minimal impact on throughput. We employ a two-fold approach, comprising a line-rate compact Machine Learning (ML) classifier in the data plane for DGA detection and a more comprehensive classifier in the control plane for DGA detection and classification. To validate our approach, we collected malware samples totaling hundreds of Gigabytes (GBs), representing over 50 DGA families, and utilized campus traffic from normal benign users. Our results demonstrate that our proposed approach can swiftly and accurately detect DGAs with an accuracy of 97% and 99% in the data plane and the control plane, respectively. Furthermore, we present promising findings and preliminary results for detecting DGAs in encrypted Domain Name System (DNS) traffic. Our framework enables the immediate halting of malicious communications, empowering network operators to implement effective mitigation, incident management, and provisioning strategies.