Pub Date: 2024-07-22, DOI: 10.1016/j.cose.2024.104015
This article presents a novel survey-based cybersecurity risk assessment model, CRAMMTS (Cyber Risk Analysis Method for Maritime Transportation Systems), specifically designed for the maritime sector, addressing a critical gap in the literature. Our study contributes significantly in three ways: firstly, through a comprehensive critical literature review of 31 maritime guidelines and 95 scholarly articles, identifying the need for a new cybersecurity risk assessment method; secondly, by developing CRAMMTS, an adaptation of the ISRAM risk analysis method, incorporating the International Maritime Organization's criteria and enabling participation from maritime professionals, especially policymakers and leaders. The third contribution is a case study, the practical application of CRAMMTS in surveying 80 maritime professionals, assessing their perception of cybersecurity risks, and identifying varying risk levels, with the highest associated with cyber threat actors. This approach proved effective in assessing risks at both tactical and strategic levels and providing a clear, quantitative risk metric for decision-making. Our research underscores the maritime sector's need for a holistic, easily implementable cybersecurity risk analysis method that engages leaders and adapts to various Maritime Transportation System scopes, thereby enhancing cybersecurity risk assessment in this crucial domain.
Title: Charting new waters with CRAMMTS: A survey-driven cybersecurity risk analysis method for maritime stakeholders. Journal: Computers & Security.
Pub Date: 2024-07-20, DOI: 10.1016/j.cose.2024.104005
Network intrusion detection systems (NIDS) play a pivotal role in safeguarding critical digital infrastructures against cyber threats. Machine learning-based detection models applied in NIDS are prevalent today. However, the effectiveness of these machine learning-based models is often limited by the evolving and sophisticated nature of intrusion techniques as well as the lack of diverse and updated training samples. In this research, a novel approach for enhancing the performance of an NIDS through the integration of Generative Adversarial Networks (GANs) is proposed. By harnessing the power of GANs in generating synthetic network traffic data that closely mimics real-world network behavior, we address a key challenge associated with NIDS training datasets, which is the data scarcity. Three distinct GAN models (Vanilla GAN, Wasserstein GAN and Conditional Tabular GAN) are implemented in this work to generate authentic network traffic patterns specifically tailored to represent the anomalous activity. We demonstrate how this synthetic data resampling technique can significantly improve the performance of the NIDS model for detecting such activity. By conducting comprehensive experiments using the CIC-IDS2017 benchmark dataset, augmented with GAN-generated data, we offer empirical evidence that shows the effectiveness of our proposed approach. Our findings show that the integration of GANs into NIDS can lead to enhancements in intrusion detection performance for attacks with limited training data, making it a promising avenue for bolstering the cybersecurity posture of organizations in an increasingly interconnected and vulnerable digital landscape.
Title: Enhancing network intrusion detection performance using generative adversarial networks. Journal: Computers & Security.
Pub Date: 2024-07-20, DOI: 10.1016/j.cose.2024.103997
As the digital age advances, the collection, usage, and dissemination of personal data have become critical concerns for users, regulators, and the cybersecurity community. Questions surrounding the extent of identifiable data collection, its usage, sharing, selling, and the mechanisms of consent are increasingly central to discussions on user data privacy. These issues highlight the need for effective management and comprehension of privacy policies. To this end, this paper introduces Privacify— a production-ready web application designed to enhance the accessibility and understandability of privacy policies, thus empowering users to make more informed decisions about their data. At its backend, Privacify leverages a combination of text segmentation, summarization using Large Language Model (LLM), and map-reduce technologies to facilitate BASE analysis for single-document insights and WRT and REV for comprehensive cross-document analysis. Designed with a user-centric approach, Privacify features an intuitive interface that presents all relevant user privacy information in easy-to-understand language, complete with a detailed explainability component. This design not only simplifies privacy policies but also aids users in effortlessly navigating complex privacy terms, significantly boosting their ability to protect and manage their personal information. Our evaluation employs robust methodologies, including reliability and accuracy assessments, alongside rigorous functionality verification through ROUGE metrics and human analysis, validating the system’s efficacy and performance. Privacify’s architecture promotes scalability, replicability, and seamless deployment, advancing the domain of user data protection through improved privacy comprehension.
Title: Enhancing privacy policy comprehension through Privacify: A user-centric approach using advanced language models. Journal: Computers & Security.
Pub Date: 2024-07-19, DOI: 10.1016/j.cose.2024.103990
With the increasing complexity and frequency of cyber attacks, organizations recognize the need for a proactive and targeted approach to safeguard their digital assets and operations. Every industry faces a distinct array of threats shaped by factors such as its industrial objective, geographic footprint, workforce size, revenue, partnerships, and the extent of its digital assets. This results in a wide heterogeneity in threat landscapes, which necessitates tailored threat intelligence sources. While some security practitioners may gravitate towards extensive sources, relying solely on volume-based solutions often leads to “alert fatigue”. For this reason, organization-specific threat intelligence has acquired a growing importance in cybersecurity defense.
This work presents a complete and novel framework called OSTIS (Organization-Specific Threat Intelligence System) for generating and managing organization-specific Cyber Threat Intelligence (CTI) data. Our approach identifies reliable security blogs from which we gather CTI data through a custom and focused Web Crawler. Relevant content from such sources is, then, identified and extracted using automated deep-learning models. Moreover, our AI-driven solution maps CTI data to specific domain scenarios, such as education, finance, government, healthcare, industrial control systems, and IoT. To validate and gain insights from the trained models, we also include an explainable AI (XAI, for short) task carried out by leveraging the SHapley Additive exPlanations (SHAP) tool. This allows us to interpret the prediction process and discern influential content from data. The last step of our framework consists of the generation of an Organization Specific Threat Intelligence Knowledge Graph (OSTIKG), empowering organizations to identify and visualize attack patterns and incidents, promptly. To create this graph, we develop and adapt several techniques to extract diverse entities, including malware groups, campaigns, attack types, malware types, software tools, and so forth, and to identify relationships among them. Finally, through an extensive experimental campaign, we certify the validity and performance of all the components of our framework, which shows a 0.84 F1-score in the identification of relevant content, a 0.93 F1-score for the domain classification, and a 0.95 and 0.89 F1-score in the identification of entities and relations to build our OSTIKG graph.
Title: OSTIS: A novel Organization-Specific Threat Intelligence System. Journal: Computers & Security.
Pub Date: 2024-07-17, DOI: 10.1016/j.cose.2024.103988
Adversarial Machine Learning (AML) discusses the act of attacking and defending Machine Learning (ML) Models, an essential building block of Artificial Intelligence (AI). ML is applied in many software-intensive products and services and introduces new opportunities and security challenges. AI and ML will gain even more attention from the industry in the future, but threats caused by already-discovered attacks specifically targeting ML models are either overseen, ignored, or mishandled. Current AML research investigates attack and defense scenarios for ML in different industrial settings with a varying degree of maturity with regard to academic rigor and practical relevance. However, to the best of our knowledge, a synthesis of the state of academic rigor and practical relevance is missing. This literature study reviews studies in the area of AML in the context of industry, measuring and analyzing each study’s rigor and relevance scores. Overall, all studies scored a high rigor score and a low relevance score, indicating that the studies are thoroughly designed and documented but miss the opportunity to include touch points relatable for practitioners.
Title: Adversarial Machine Learning in Industry: A Systematic Literature Review. Journal: Computers & Security.
Pub Date: 2024-07-15, DOI: 10.1016/j.cose.2024.103994
Detecting vulnerabilities in source code is crucial for protecting software systems from cyberattacks. Pre-trained language models such as CodeBERT and GraphCodeBERT have been applied in multiple code-related downstream tasks such as code search and code translation and have achieved notable success. Recently, this pre-trained and fine-tuned paradigm has also been applied to detect code vulnerabilities. However, fine-tuning pre-trained language models using cross-entropy loss has several limitations, such as poor generalization performance and lack of robustness to noisy labels. In particular, when the vulnerable code and the benign code are very similar, it is difficult for deep learning methods to differentiate them accurately. In this context, we introduce a novel approach for code vulnerability detection using supervised contrastive learning, namely SCL-CVD, which leverages GraphCodeBERT. This method aims to enhance the effectiveness of existing vulnerable code detection approaches. SCL-CVD represents the source code as data flow graphs. These graphs are then processed by GraphCodeBERT, which has been fine-tuned using a supervised contrastive loss function combined with R-Drop. This fine-tuning process is designed to generate more resilient and representative code embedding. Additionally, we incorporate LoRA (Low-Rank Adaptation) to streamline the fine-tuning process, significantly reducing the time required for model training. Finally, a Multilayer Perceptron (MLP) is employed to detect vulnerable code leveraging the learned representation of code. We designed and conducted experiments on three public benchmark datasets, i.e., Devign, Reveal, Big-Vul, and a combined dataset created by merging these sources. The experimental results demonstrate that SCL-CVD can effectively improve the performance of code vulnerability detection. 
Compared with the baselines, the proposed approach has a relative improvement of 0.48%∼3.42% for accuracy, 0.93%∼45.99% for precision, 35.68%∼67.48% for recall, and 16.31%∼49.67% for F1-score, respectively. Furthermore, compared to baselines, the model fine-tuning time of the proposed approach is reduced by 16.67%∼93.03%. In conclusion, our approach SCL-CVD offers significantly greater cost-effectiveness over existing approaches.
Title: SCL-CVD: Supervised contrastive learning for code vulnerability detection via GraphCodeBERT. Journal: Computers & Security.
Pub Date: 2024-07-15, DOI: 10.1016/j.cose.2024.104003
Advanced persistent threat (APT) poses serious threat to organizations with rich digital assets. APT detection programs designed for quickly finding possibly hijacked hosts are now commercially available. This greatly reduces the workload of APT defense. In practice, the identification and repair of APT-hijacked hosts are out of a system administrator’s capability and have to be outsourced to an established cybersecurity firm. Owing to the limited security budget, the APT defense can be outsourced only in a small number of maintenance periods. We refer to the sequence of outsourcing costs paid in these maintenance periods as an impulsive defense (ID) strategy. On the other hand, APT is time-continuous. We refer to the growth rate function of the attack cost over time as a continuous attack (CA) strategy. In the context that the APT actor is strategic and pursues a cost-effective CA strategy, the organization faces the problem of finding a cost-effective ID strategy (the single-impulsive defense (SID) problem). This paper addresses the SID problem through game-theoretic modeling. Based on an impulsive state evolutionary model, the SID problem is boiled down to a single-impulsive differential game model (the SID model). By applying single-impulsive differential game theory, an iterative algorithm of solving the SID problem is presented. The ID strategy obtained by running the algorithm is corroborated to be cost-effective under the Nash equilibrium solution concept. Therefore, we recommend the ID strategy. This work takes the first step toward the theoretic study of APT defense outsourcing in the presence of strategic attacker.
Title: Modeling and study of defense outsourcing against advanced persistent threat through impulsive differential game approach. Journal: Computers & Security.
Pub Date : 2024-07-14 DOI: 10.1016/j.cose.2024.104000
Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is a test to distinguish humans and computers. Since attackers can achieve high accuracy in recognizing the CAPTCHAs using deep learning models, geometric transformations are added to the CAPTCHAs to disturb deep learning model recognition. However, excessive geometric transformations might also affect humans’ recognition of the CAPTCHA. Adversarial CAPTCHAs are special CAPTCHAs that can disrupt deep learning models without affecting humans. Previous works of adversarial CAPTCHAs mainly focus on defending the filtering attack. In real-world scenarios, the attackers’ models are inaccessible when generating adversarial CAPTCHAs, and the attackers may use models with different architectures, thus it is crucial to improve the transferability of the adversarial CAPTCHAs. We propose CFA, a method to generate more transferable adversarial CAPTCHAs focusing on altering content features in the original CAPTCHA. We use the attack success rate as our metric to evaluate the effectiveness of our method when attacking various models. A higher attack success rate means a higher level of preventing models from recognizing the CAPTCHAs. The experiment shows that our method can effectively attack various models, even when facing possible defense methods that the attacker might use. Our method outperforms other feature space attacks and provides a more secure version of adversarial CAPTCHAs.
Title: Boosting the transferability of adversarial CAPTCHAs. Journal: Computers & Security (impact factor 4.8). DOI: 10.1016/j.cose.2024.104000. Publication date: 2024-07-14.
Pub Date : 2024-07-14 DOI: 10.1016/j.cose.2024.104002
The development of machine-to-machine (M2M) technologies is becoming increasingly important in the rapidly growing domain of wireless sensor networks (WSNs) and the Internet of Things (IoT). Adopting IPv6 over 6LoWPANs (Low-Power Wireless Personal Area Networks) is instrumental in communicating across diverse domains within WSNs, albeit with its challenges. Particularly, resource limitations and security vulnerabilities remain significant concerns. 6LoWPAN-based M2M protocols that rely on authentication and key establishment schemes (AKE) often fall short due to inadequate security issues and excessive resource requirements. This paper addresses these challenges by introducing a secure and resource-efficient framework—Lightweight AKE for 6LoWPAN Nodes (LAKE-6LN). LAKE-6LN capitalizes on the clustering architecture's merits and contrasts conventional router-centric approaches. To ensure lightweight and efficient operation, it uses hash functions, XOR functions, and symmetric encryption techniques. Pseudo-identity, sequence tracking numbers, and secure parameters ensure privacy and protection against attacks, including traceability, perfect forward secrecy, ephemeral secret leakage, and secure the session key. An informal analysis of LAKE-6LN's security confirms that compliance with all essential security properties has been achieved. In addition, the framework's logical robustness and security analysis are rigorously verified using BAN logic, AVISPA, and Scyther tools. LAKE-6LN has demonstrated superior performance over related schemes, demonstrating a reduction in storage costs (by 33.33 % to 85.71 %), computational overhead (by 14.28 % to 95.97 %), communication overhead (by 16.12 % to 51.85 %), and energy consumption (by 22.04 % to 99.40 %). In our comparative analysis, LAKE-6LN demonstrates its resilience against various security threats, demonstrating its potential to secure 6LoWPAN networks in M2M.
Title: Secured lightweight authentication for 6LoWPANs in machine-to-machine communications. Journal: Computers & Security (impact factor 4.8). DOI: 10.1016/j.cose.2024.104002. Publication date: 2024-07-14.
Pub Date : 2024-07-14 DOI: 10.1016/j.cose.2024.103992
The rapid development of artificial intelligence (AI) has led to the introduction of numerous software vulnerability detection methods based on deep learning algorithms. However, a significant challenge is their dependency on large volumes of code samples for effective training. This requirement poses a considerable hurdle, particularly when adapting to diverse software application scenarios and various vulnerability types, where gathering sufficient and relevant training data for different classification tasks is often arduous. To address the challenge, this paper introduces Few-VulD, a novel framework for software vulnerability detection based on few-shot learning. This framework is designed to be efficiently trained with a minimal number of samples from a variety of existing classification tasks. Its key advantage lies in its ability to rapidly adapt to new vulnerability detection tasks, such as identifying new types of vulnerabilities, with only a small set of learning samples. This capability is particularly beneficial in scenarios where available vulnerability samples are limited. We compare Few-VulD with five state-of-the-art methods on the SySeVR and Big-Vul datasets. On the SySeVR dataset, Few-VulD outperforms all other methods, achieving a recall rate of 87.9% and showing an improvement of 11.7% to 57.8%. On the Big-Vul dataset, Few-VulD outperforms three of the methods, including one that utilizes a pretrained large language model (LLM), with recall improvements ranging from 8.5% to 40.1%. The other two methods employ pretrained LLMs from Microsoft CodeXGLUE (Lu et al., 2021). Few-VulD reaches 78.7% and 95.5% of their recall rates without the need for extensive data pretraining. The performance proves the effectiveness of Few-VulD in vulnerability detection tasks with limited samples.
Title: Few-VulD: A Few-shot learning framework for software vulnerability detection. Journal: Computers & Security (impact factor 4.8). DOI: 10.1016/j.cose.2024.103992. Publication date: 2024-07-14.