Computers & Security最新文献

Biometric authentication is a very convenient and user-friendly method. The popularity of this method requires strong privacy-preserving technology to prevent the disclosure of template information. Most of the existing privacy protection technologies rely on classic encryption techniques, such as homomorphic encryption, which incur huge system overhead and cannot be popularized. To address these issues, we propose a novel biometric authentication scheme with privacy protection based on support vector machine and zero knowledge proof (BioAu–SVM+ZKP). BioAu–SVM+ZKP allows users to authenticate themselves to different service providers without disclosing any biometric template information. The evidence is generated through the zero-knowledge proof utilizing polynomial commitments. Our approach for generating a unique and repeatable biometric identifier from the user’s fingerprint image leverages the multi-classification property of SVM. Notably, our scheme not only reduces the communication overhead but also provides the privacy protection features. Besides, the communication overhead of BioAu–SVM+ZKP is constant. We have simulated the authentication scheme on the common dataset NIST, analyzed the performance and proved the security.

The cyber threat intelligence (CTI) knowledge graph is a valuable tool for aiding security practitioners in the identification and analysis of cyberattacks. These graphs are constructed from CTI data, organized into relational triples, where each triple comprises two entities linked by a particular relation. However, as the volume of CTI data is expanding at a faster rate than predicted, existing technologies are unable to extract relational triples quickly and accurately. This work mainly focuses on the extraction of relational triples in CTI data, which is achieved by an enhanced representation and binary tagging framework (ERBTF). Firstly, we introduce embedding representations for relations and concatenate these with word embeddings to obtain the initial hidden representation. Subsequently, we employ a novel dilated convolutional encoder that consists of a dilated convolution neural network, gate mechanism and residual connection to enhance the learned contextual representation. Afterwards, we adopt an attention module that includes multi-head self-attention and position-wise feed-forward neural network to allocate greater attention to words that significantly influence the specific relation. Additionally, we utilize the straightforward yet efficient binary entity tagger to identify subject and object entities under different relations for constructing relational triples. We conduct massive experiments on relational triple extraction from CTI data, the results show that ERBTF is superior to the existing relation extraction models, and achieves state-of-the-art performance.

In Wireless Sensor Networks (WSNs), one of the most significant threats is vampire attacks in sensor nodes. These attacks are marked by malicious behaviors within sensor nodes, often exploiting vulnerabilities inherent in routing protocols. These attacks can disrupt the connectivity of the network and significantly impact the energy resources. However, these intermediate nodes can introduce security vulnerabilities, making network security in WSN is challenging task. To address this issue, a novel deep learning-based vampire attack detection model is proposed. The developed deep learning-based vampire attack detection model is performed by following steps like data collection, attack detection, mitigation, and optimal path selection. Initially, the data attributes for all sensor nodes in the WSN system are collected. Further, the vampire attack detection is carried out by a Weighted Recurrent Neural Network (WRNN), here the weight values are optimized using Enhanced Golf Optimization Algorithm (EGOA). The detected vampire nodes are effectively separated based on different characteristics of nodes like node broadcast count, node energy, and node Packet Received Ratio (PRR). The attack mitigation process is executed by the separation of the vampire nodes from the network, the remaining nodes are considered for the routing process. The optimal paths are chosen by the proposed EGOA. Finally, the result of the suggested vampire attack detection model is compared with the conventional techniques in terms of various evaluation indices.

A cyber security organisation needs to ensure that its workforce possesses the necessary knowledge to fulfil its cyber security business functions. Similarly, where an organisation chooses to delegate their cyber security tasks to a third-party provider, they must ensure that the chosen entity possesses robust knowledge capabilities to effectively carry out the assigned tasks. Building a comprehensive cyber security knowledge profile is a distinct challenge; the field is ever evolving with a range of professional certifications, academic qualifications and on-the-job training. So far, there has been a lack of a well-defined methodology for systematically evaluating an organisation’s cyber security knowledge, specifically derived from its workforce, against a standardised reference point. Prior research on knowledge profiling across various disciplines has predominantly utilised established frameworks such as SWEBOK. However, within the domain of cyber security, the absence of a standardised reference point is notable. In this paper, we advance a framework leveraging Cyber Security Body of Knowledge (CyBOK), to construct an organisation’s knowledge profile. The framework enables a user to identify areas of coverage and where gaps may lie, so that an organisation can consider targeted recruitment or training or, where such expertise may be outsourced, drawing in knowledge capability from third parties. In the latter case, the framework can also be used as a basis for assessing the knowledge capability of such a third party. We present the knowledge profiling framework, discussing three case studies in organisational teams underpinning its initial development, followed by its refinement through workshops with cyber security practitioners.

Open-source threat intelligence is often unstructured and cannot be directly applied to the next detection and defense. By constructing a knowledge graph through open-source threat intelligence, we can better apply this information to intrusion detection. However, the current methods for constructing knowledge graphs face limitations due to the domain-specific attributes of entities and the analysis of lengthy texts, and they require large amounts of labeled data. Furthermore, there is a lack of authoritative open-source annotated threat intelligence datasets, which require significant manual effort. Moreover, it is noteworthy that current research often neglects the textual descriptions of attack behaviors, resulting in the loss of vital information to understand intricate cyber threats. To address these issues, we propose LLM-TIKG that applies the large language model to construct a knowledge graph from unstructured open-source threat intelligence. The few-shot learning capability of GPT is leveraged to achieve data annotation and augmentation, thereby creating the datasets for fine-tuning a smaller language model (7B). Using the fine-tuned model, we perform topic classification on the collected reports, extract entities and relationships, and extract TTPs from the attack description. This process results in the construction of a threat intelligence knowledge graph, enabling automated and universal analysis of textualized threat intelligence. The experimental results demonstrate improved performance in both named entity recognition and TTP classification, achieving the precision of 87.88% and 96.53%, respectively.

Short Message Service (SMS) spamming is a harmful phishing attack on mobile phones. That is, fraudsters are trying to misuse personal user information, using tricky text messages, sometimes included with a fake URL that asks for this personal information, such as passwords, usernames, etc. In the world of Machine Learning, several approaches have tried to attitudinize this problem, but the lack of available data resources was commonly the main drawback towards a good enough solution. Therefore, in this paper, we suggest a dataset extension technique for small datasets, based on an Out Of Distribution (OOD) metric. Hence, different approaches such as Generative Adversarial Networks (GANs) were suggested, yet GANs are hard to train whenever datasets are limited in terms of sample size. In this paper, we present a GAN-like method that imitates the generator concept of GANs for the purpose of limited datasets extension, using the OOD concept. By using a sophisticated text generation method, we show how to apply it over datasets from the domain of fraud and spam detection in SMS messages, and achieve over 25% relative improvement, compared to two other solutions. In addition, due to the class imbalance in typical spam datasets, our approach is being examined over another dataset, in order to verify that the false alarm rate is low enough.

Information security policy (ISP) compliance is recognized as a key measure for dealing with human errors when protecting information. A considerable and growing body of literature has studied the persuasive, deterrent, and coercive antecedents of compliant and noncompliant behaviour. Simultaneously, research indicates that real life situations are too complex and varied to prescribe in terms of a priori rules of acceptable behaviour, and create situations where compliance is in fact harmful for achieving organisational security and business goals. Thus, regarding ISP compliance as inherently “correct” and noncompliance as inherently “incorrect”, may contribute to creating problems that compliance research seeks to alleviate. In this research perspective, we argue that ISP compliance and noncompliance cannot be universally and invariably determined as “correct” or “incorrect” but that they become meaningful only when evaluated against organisational outcomes. We draw on organisational accident theorists to develop our arguments and propose a framework of rule-related information security behaviour (RISB) in order to conceptualize different types of ISP compliant and noncompliant behaviour and their organisational outcomes. Our research argues that compliance and noncompliance are nor inherently correct or incorrect and that making the judgement on the correctness of these actions requires considering the rule, the action, and the outcome.

The development of Network Intrusion Detection Systems (NIDS) requires labeled network traffic, especially to train and evaluate machine learning approaches. Besides the recording of traffic, the generation of traffic via generative models is a promising approach to obtain vast amounts of labeled data. There exist various machine learning approaches for data generation, but the assessment of the data quality is complex and not standardized. The lack of common quality criteria complicates the comparison of synthetic data generation approaches and synthetic data.

Our work addresses this gap in multiple steps. Firstly, we review and categorize existing approaches for evaluating synthetic data in the network traffic domain and other data domains as well. Secondly, based on our review, we compile a setup of metrics that are suitable for the NetFlow domain, which we aggregate into two metrics Data Dissimilarity Score and Domain Dissimilarity Score. Thirdly, we evaluate the proposed metrics on real world data sets, to demonstrate their ability to distinguish between samples from different data sets. As a final step, we conduct a case study to demonstrate the application of the metrics for the evaluation of synthetic data. We calculate the metrics on samples from real NetFlow data sets to define an upper and lower bound for inter- and intra-data set similarity scores. Afterward, we generate synthetic data via Generative Adversarial Network (GAN) and Generative Pre-trained Transformer 2 (GPT-2) and apply the metrics to these synthetic data and incorporate these lower bound baseline results to obtain an objective benchmark. The application of the benchmarking process is demonstrated on three NetFlow benchmark data sets, NF-CSE-CIC-IDS2018, NF-ToN-IoT and NF-UNSW-NB15. Our demonstration indicates that this benchmark framework captures the differences in similarity between real world data and synthetic data of varying quality well, and can therefore be used to assess the quality of generated synthetic data.

Open-source software (OSS) libraries have become popular among developers due to their ability to reduce development time and costs. However, OSS can also be exploited and used as a means of conducting OSS supply chain attacks. In OSS attacks, malicious code is injected into libraries used by the target. Previous studies have proposed various methods for preventing and detecting such attacks, however most of them focused on untargeted attacks. In contrast, this paper focuses on targeted OSS supply chain attacks which are performed by skilled and persistent attackers with strong technical aptitude. Targeted OSS attacks are crafted towards a specific target (i.e., developer). Since these attacks do not target general OSS repositories, they tend to go under the radar for a long period of time, allowing an attacker to gain access to sensitive data or systems. In this paper, we propose ${\left(SC\right)}^{2}V$ — secure crowdsource-based code verification, a novel distributed and scalable framework for verifying OSS libraries. ${\left(SC\right)}^{2}V$ is aimed at preventing targeted supply chain attacks and is integrated in the build phase of software production, serving as an additional code verification step before packaging the application and deploying it. ${\left(SC\right)}^{2}V$ involves both users (developers seeking to verify an OSS library) and verifiers that contribute to the collaborative verification effort. ${\left(SC\right)}^{2}V$ considers a library as verified and safe when a consensus is reached among the verifiers. We evaluated the proposed method using eight different attack scenarios (including cold start and edge cases), on around 900 popular OSS libraries and their dependencies, each of which included an average of 10 files and was verified by at least five participants; a total of 127,000 files were evaluated, and the results indicate that it took our framework an average of just 26 s to issue an alert against the attacks.

With the increasing occurrence of incidents causing significant damage due to attacks on Industrial Control Systems (ICSs), people pay attention to the cyber security of ICSs. This study improves existing active detection mechanisms and proposes an integrated passive-active detection system to detect False Data Injection Attacks (FDIA) for ICS. Since it is challenging to detect FDIA in current operational practices, the method presented in this research not only compares passive received system data with predefined rules to detect attacks but also launches active detection by controlling actuators to find attackers and achieve comprehensive detection of FDIA targeting ICS. This work dynamically adjusts the frequency of launching active detection through risk assessment, aiming to minimize the impact on operational efficiency during low-risk periods and reduce the time required for detecting attacks during high-risk periods. The experimental results show that using the proposed system, when false data differs by 10 % from accurate data, the detection rate can reach 99.9 %, which is 22.5 % higher than active detection by the random launch method when false data differs by 5 % from accurate data, the detection rate can reach 95.4 %, which is 18.2 % higher than active detect by randomly launch method, and even if false data only differs by 3 % from accurate data, the detection rate can reach 92.9 %, which is 16.5 % higher than active detect by randomly launch method.