Pub Date : 2024-09-14DOI: 10.1016/j.cose.2024.104113
Xiaoqing Wang , Yuanjing Tian , Keman Huang , Bin Liang
Incorporating LLM into cybersecurity operations, a typical real-world high-stakes task, is critical but non-trivial in practice. Using cybersecurity as the study context, we conduct a three-step mix-method study to incorporate LLM into the vulnerability remediation process effectively. Specifically, we deconstruct the deficiencies in user satisfaction within the existing process (Study 1). This inspires us to design, implement, and empirically validate an LLM-supported collaborative vulnerability remediation process through a field study (Study 2). Given LLM’s diverse contributions, we further investigate LLM’s double-edge roles through the analysis of remediation reports and follow-up interviews (Study 3). In essence, our contribution lies in promoting an efficient LLM-supported collaborative vulnerability remediation process. These first-hand, real-world pieces of evidence suggest that when incorporating LLMs into practical processes, facilitating the collaborations among all associated stakeholders, reshaping LLMs’ roles according to task complexity, as well as approaching the short-term side effects of improved user engagement facilitated by LLMs with a rational mindset.
{"title":"Practically implementing an LLM-supported collaborative vulnerability remediation process: A team-based approach","authors":"Xiaoqing Wang , Yuanjing Tian , Keman Huang , Bin Liang","doi":"10.1016/j.cose.2024.104113","DOIUrl":"10.1016/j.cose.2024.104113","url":null,"abstract":"<div><p>Incorporating LLM into cybersecurity operations, a typical real-world high-stakes task, is critical but non-trivial in practice. Using cybersecurity as the study context, we conduct a three-step mix-method study to incorporate LLM into the vulnerability remediation process effectively. Specifically, we deconstruct the deficiencies in user satisfaction within the existing process (Study 1). This inspires us to design, implement, and empirically validate an LLM-supported collaborative vulnerability remediation process through a field study (Study 2). Given LLM’s diverse contributions, we further investigate LLM’s double-edge roles through the analysis of remediation reports and follow-up interviews (Study 3). In essence, our contribution lies in promoting an efficient LLM-supported collaborative vulnerability remediation process. These first-hand, real-world pieces of evidence suggest that when incorporating LLMs into practical processes, facilitating the collaborations among all associated stakeholders, reshaping LLMs’ roles according to task complexity, as well as approaching the short-term side effects of improved user engagement facilitated by LLMs with a rational mindset.</p></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104113"},"PeriodicalIF":4.8,"publicationDate":"2024-09-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142240714","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-09-13DOI: 10.1016/j.cose.2024.104109
Prabhat Kumar , Alireza Jolfaei , A.K.M Najmul Islam
The Software-Defined Networking (SDN) powered Internet of Things (IoT) offers a global perspective of the network and facilitates control and access of IoT devices using a centralized high-level network approach called Software Defined-IoT (SD-IoT). However, this integration and high flow of data generated by IoT devices raises serious security issues in the centralized control intelligence of SD-IoT. Motivated by the aforementioned challenges, we present a new Deep-Learning empowered Threat Hunting Framework named DLTHF to protect SD-IoT data and detect (binary and multi-vector) attack vectors. First, an automated unsupervised feature extraction module is designed that combines data perturbation-driven encoding and normalization-driven scaling with the proposed Long Short-Term Memory Contractive Sparse AutoEncoder (LSTMCSAE) method to filter and transform dataset values into the protected format. Second, using the encoded data, a novel Threat Detection System (TDS) using Multi-head Self-attention-based Bidirectional Recurrent Neural Networks (MhSaBiGRNN) is designed to detect cyber threats and their types. In particular, a unique TDS strategy is developed in which each time instances is analyzed and allocated a self-learned weight based on the degree of relevance. Further, we also design a deployment architecture for DLTHF in the SD-IoT network. The framework is rigorously evaluated on two new SD-IoT data sources to show its effectiveness.
{"title":"An enhanced Deep-Learning empowered Threat-Hunting Framework for software-defined Internet of Things","authors":"Prabhat Kumar , Alireza Jolfaei , A.K.M Najmul Islam","doi":"10.1016/j.cose.2024.104109","DOIUrl":"10.1016/j.cose.2024.104109","url":null,"abstract":"<div><p>The Software-Defined Networking (SDN) powered Internet of Things (IoT) offers a global perspective of the network and facilitates control and access of IoT devices using a centralized high-level network approach called Software Defined-IoT (SD-IoT). However, this integration and high flow of data generated by IoT devices raises serious security issues in the centralized control intelligence of SD-IoT. Motivated by the aforementioned challenges, we present a new Deep-Learning empowered Threat Hunting Framework named DLTHF to protect SD-IoT data and detect (binary and multi-vector) attack vectors. First, an automated unsupervised feature extraction module is designed that combines data perturbation-driven encoding and normalization-driven scaling with the proposed Long Short-Term Memory Contractive Sparse AutoEncoder (LSTMCSAE) method to filter and transform dataset values into the protected format. Second, using the encoded data, a novel Threat Detection System (TDS) using Multi-head Self-attention-based Bidirectional Recurrent Neural Networks (MhSaBiGRNN) is designed to detect cyber threats and their types. In particular, a unique TDS strategy is developed in which each time instances is analyzed and allocated a self-learned weight based on the degree of relevance. Further, we also design a deployment architecture for DLTHF in the SD-IoT network. The framework is rigorously evaluated on two new SD-IoT data sources to show its effectiveness.</p></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104109"},"PeriodicalIF":4.8,"publicationDate":"2024-09-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S0167404824004140/pdfft?md5=de59ccc5221434c221b31d43e2a10a0f&pid=1-s2.0-S0167404824004140-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142240713","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-09-12DOI: 10.1016/j.cose.2024.104108
Heqing Li , Xinde Li , Fir Dunkin , Zhentong Zhang , Xiaoyan Lu
The big data provided by unmanned aerial vehicle (UAV) visual sensors offers essential information resources for activities across various industries. However, various adversarial threats are inevitable throughout the lifecycle of data generation, transmission, and utilization, leading to serious security risks. Trust assessment of visual sensors is a prerequisite for securing UAVs, but the multidimensionality of the trust elements and the uncertainty of the evidence limit its practical application. To advance this research, we innovatively propose a trust management scheme based on multi-granularity evidence fusion within the framework of belief functions (BFs) theory to adaptively respond to both known and unknown threats. We first propose a direct trust assessment model for known threats, which constructs multidimensional coarse-grained trust elements (MCTEs) and integrates multiple lightweight sub-models for basic belief assignment (BBA) to meet the need for fast response. Then, to address the unknown threats, we introduce pre-trained models to build multidimensional fine-grained trust elements (MFTEs) to construct trust recommendation models for indirect trust assessment for visual sensors. In addition, to accurately characterize the trustworthiness of visual sensors, we also introduce a BBA-weighted fusion method to achieve more reasonable trust aggregation by weakening highly conflicting evidence sources. Finally, to validate the effectiveness of the proposed method, we conducted a comprehensive trust assessment and security experiment on UAV aerial images. The results indicate that the proposed method demonstrates excellent performance and is beneficial for enhancing UAV security in adversarial attack scenarios.
{"title":"Adaptive multi-granularity trust management scheme for UAV visual sensor security under adversarial attacks","authors":"Heqing Li , Xinde Li , Fir Dunkin , Zhentong Zhang , Xiaoyan Lu","doi":"10.1016/j.cose.2024.104108","DOIUrl":"10.1016/j.cose.2024.104108","url":null,"abstract":"<div><p>The big data provided by unmanned aerial vehicle (UAV) visual sensors offers essential information resources for activities across various industries. However, various adversarial threats are inevitable throughout the lifecycle of data generation, transmission, and utilization, leading to serious security risks. Trust assessment of visual sensors is a prerequisite for securing UAVs, but the multidimensionality of the trust elements and the uncertainty of the evidence limit its practical application. To advance this research, we innovatively propose a trust management scheme based on multi-granularity evidence fusion within the framework of belief functions (BFs) theory to adaptively respond to both known and unknown threats. We first propose a direct trust assessment model for known threats, which constructs multidimensional coarse-grained trust elements (MCTEs) and integrates multiple lightweight sub-models for basic belief assignment (BBA) to meet the need for fast response. Then, to address the unknown threats, we introduce pre-trained models to build multidimensional fine-grained trust elements (MFTEs) to construct trust recommendation models for indirect trust assessment for visual sensors. In addition, to accurately characterize the trustworthiness of visual sensors, we also introduce a BBA-weighted fusion method to achieve more reasonable trust aggregation by weakening highly conflicting evidence sources. Finally, to validate the effectiveness of the proposed method, we conducted a comprehensive trust assessment and security experiment on UAV aerial images. The results indicate that the proposed method demonstrates excellent performance and is beneficial for enhancing UAV security in adversarial attack scenarios.</p></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104108"},"PeriodicalIF":4.8,"publicationDate":"2024-09-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142240712","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-09-12DOI: 10.1016/j.cose.2024.104117
Yu Cheng , Xiaofang Qi , Yanhui Li , Yumeng Wang
Recently, red packets have appeared widely in various mobile apps. Related security issues like fraud are gradually coming into the public eye. As a new means of fraud, red packet fraud has not yet been explored or addressed. In this paper, based on our empirical study on red packets, we propose a novel approach ReckDroid for red packet fraud detection. Our approach adopts a heuristic algorithm to identify red packets and then detects red packet fraud by analyzing the network traffic dynamically generated during the automated exploration of mobile apps. Our experiments are performed on hundreds of labeled real-world apps. Experimental results show that ReckDroid identifies red packets with a precision of 98.0% and a recall of 93.3%, and detects red packet fraud with a precision of 88.6% and a recall of 92.5%. By applying ReckDroid to over 1000 Android apps in the wild, we find that apps with red packets account for 17.6% of apps from seven app markets (including Google Play) while red packet fraud mainly occurs in Chinese app markets.
{"title":"ReckDroid: Detecting red packet fraud in Android apps","authors":"Yu Cheng , Xiaofang Qi , Yanhui Li , Yumeng Wang","doi":"10.1016/j.cose.2024.104117","DOIUrl":"10.1016/j.cose.2024.104117","url":null,"abstract":"<div><p>Recently, red packets have appeared widely in various mobile apps. Related security issues like fraud are gradually coming into the public eye. As a new means of fraud, red packet fraud has not yet been explored or addressed. In this paper, based on our empirical study on red packets, we propose a novel approach ReckDroid for red packet fraud detection. Our approach adopts a heuristic algorithm to identify red packets and then detects red packet fraud by analyzing the network traffic dynamically generated during the automated exploration of mobile apps. Our experiments are performed on hundreds of labeled real-world apps. Experimental results show that ReckDroid identifies red packets with a precision of 98.0% and a recall of 93.3%, and detects red packet fraud with a precision of 88.6% and a recall of 92.5%. By applying ReckDroid to over 1000 Android apps in the wild, we find that apps with red packets account for 17.6% of apps from seven app markets (including Google Play) while red packet fraud mainly occurs in Chinese app markets.</p></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104117"},"PeriodicalIF":4.8,"publicationDate":"2024-09-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142229285","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Deep neural networks have advanced significantly in the last several years and are now widely employed in numerous significant real-world applications. However, recent research has shown that deep neural networks are vulnerable to backdoor attacks. Under such attacks, attackers release backdoor models that achieve satisfactory performance on benign samples while behaving abnormally on inputs with predefined triggers. Successful backdoor attacks can have serious consequences, such as attackers using backdoor generation methods to bypass critical face recognition authentication systems. In this paper, we propose PBADT, a precise backdoor attack with dynamic trigger. Unlike existing work that uses static or random trigger masks, we design an interpretable trigger mask generation framework that places triggers at positions that have the most significant impact on the prediction results. Meanwhile, backdoor attacks are made more efficient by using forgettable events to improve the efficiency of backdoor attacks. The proposed backdoor method is extensively evaluated on three face recognition datasets, LFW, CelebA, and VGGFace, while further evaluated on two general image datasets, CIFAR-10 and GTSRB. Our approach achieves almost perfect attack performance on backdoor data.
{"title":"Precision strike: Precise backdoor attack with dynamic trigger","authors":"Qingyun Li, Wei Chen, Xiaotang Xu, Yiting Zhang, Lifa Wu","doi":"10.1016/j.cose.2024.104101","DOIUrl":"10.1016/j.cose.2024.104101","url":null,"abstract":"<div><p>Deep neural networks have advanced significantly in the last several years and are now widely employed in numerous significant real-world applications. However, recent research has shown that deep neural networks are vulnerable to backdoor attacks. Under such attacks, attackers release backdoor models that achieve satisfactory performance on benign samples while behaving abnormally on inputs with predefined triggers. Successful backdoor attacks can have serious consequences, such as attackers using backdoor generation methods to bypass critical face recognition authentication systems. In this paper, we propose PBADT, a precise backdoor attack with dynamic trigger. Unlike existing work that uses static or random trigger masks, we design an interpretable trigger mask generation framework that places triggers at positions that have the most significant impact on the prediction results. Meanwhile, backdoor attacks are made more efficient by using forgettable events to improve the efficiency of backdoor attacks. The proposed backdoor method is extensively evaluated on three face recognition datasets, LFW, CelebA, and VGGFace, while further evaluated on two general image datasets, CIFAR-10 and GTSRB. Our approach achieves almost perfect attack performance on backdoor data.</p></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104101"},"PeriodicalIF":4.8,"publicationDate":"2024-09-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142240956","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-09-10DOI: 10.1016/j.cose.2024.104110
Anna Sutton, Lisa Tompson
A strong organisational cybersecurity culture (CSC) is critical to the success of any cybersecurity effort, and understanding and measuring CSC is essential if it is to succeed. To facilitate the framing and measurement of CSC we conducted a rapid evidence assessment (REA) to synthesise relevant studies on CSC. The systematic search identified 1,768 records. 59 studies were eligible for the final synthesis.
Thematic analysis of the CSC definitions in the included studies highlighted that CSC should not be viewed solely as a technical problem but as a management issue too; CSC requires top management involvement and role modelling, with full organisational support for the desired employee behaviours. We identify both theoretically and empirically derived models of CSC in the REA, along with a range of methods to develop and test these models. Integrative analysis of these models provides detailed information about CSC dimensions, including employee attitudes towards CS; compliance with policies; the role of security education, training and awareness; monitoring of behaviour and top management commitment. The evidence indicates that CSC should be understood both in the context of the wider organisational culture as well as in the shared employee understanding of CS that leads to behaviour.
Based on the findings of this review, we propose a novel integrated framework of CSC consisting of cultural values, the culture-to-behaviour link, and behaviour itself. We also make measurement recommendations based on this CSC framework, ranging from simple, broad-brush tools through to suggestions for multi-dimensional measures, which can be applied in a variety of sectors and organisations.
{"title":"Towards a cybersecurity culture-behaviour framework: A rapid evidence review","authors":"Anna Sutton, Lisa Tompson","doi":"10.1016/j.cose.2024.104110","DOIUrl":"10.1016/j.cose.2024.104110","url":null,"abstract":"<div><p>A strong organisational cybersecurity culture (CSC) is critical to the success of any cybersecurity effort, and understanding and measuring CSC is essential if it is to succeed. To facilitate the framing and measurement of CSC we conducted a rapid evidence assessment (REA) to synthesise relevant studies on CSC. The systematic search identified 1,768 records. 59 studies were eligible for the final synthesis.</p><p>Thematic analysis of the CSC definitions in the included studies highlighted that CSC should not be viewed solely as a technical problem but as a management issue too; CSC requires top management involvement and role modelling, with full organisational support for the desired employee behaviours. We identify both theoretically and empirically derived models of CSC in the REA, along with a range of methods to develop and test these models. Integrative analysis of these models provides detailed information about CSC dimensions, including employee attitudes towards CS; compliance with policies; the role of security education, training and awareness; monitoring of behaviour and top management commitment. The evidence indicates that CSC should be understood both in the context of the wider organisational culture as well as in the shared employee understanding of CS that leads to behaviour.</p><p>Based on the findings of this review, we propose a novel integrated framework of CSC consisting of cultural values, the culture-to-behaviour link, and behaviour itself. We also make measurement recommendations based on this CSC framework, ranging from simple, broad-brush tools through to suggestions for multi-dimensional measures, which can be applied in a variety of sectors and organisations.</p></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104110"},"PeriodicalIF":4.8,"publicationDate":"2024-09-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S0167404824004152/pdfft?md5=e920da67cc55971b81e8e1ee8a0dd0d0&pid=1-s2.0-S0167404824004152-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142172880","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-09-07DOI: 10.1016/j.cose.2024.104099
Chiheng Wang, Jianshan Peng, Junhu Zhu, Qingxian Wang
Fuzzing is one of the most successful approaches for verifying software functionalities and discovering security vulnerabilities. However, the software with persistent runtime characteristics (e.g., web service programs) cannot be effectively tested by current coverage-based greybox (CG) fuzzers, which strictly rely on the termination state of the target software to feed test cases synchronously and obtain code coverage. The present approach requires delicate analysis and modification of the target to eliminate its persistence, but leads to excessive non-essential restarts during testing, resulting in low throughput.
To improve the convenience and efficiency of CG fuzzing for persistent software, we propose augmenting persistence (AugPersist) as a complementary method. AugPersist introduces the concept of persistent basic block (PBB) to leverage the inherent code features of persistent software. PBB can be found automatically and quickly before fuzzing based on the execution flow graph (EFG). On this basis, we develop a low- delay synchronous communication so that after regular test cases are fed into the target, the fuzzer can derive code coverage without rebooting the target, thus significantly minimizing extraneous restarts. Additionally, by utilizing the self-adaptive forkserver, we can dynamically adjust the re-execution point of the target to the PBB position, which further minimizes losses when test cases trigger exceptions and cause necessary restarts.
To show the potential of augmenting persistence, we create two implementations, AFL-AugPersist and AFLNet-AugPersist, using AFL and AFLNet as baselines. We evaluate both with their respective baselines on different benchmarks. AFL-AugPersist makes stateless persistent software easier to be fuzzed than AFL and provides 4.9 × to 71.1 × throughput improvement compared to AFL. The throughput of AFLNet-AugPersist improves by a maximum of 210.0 × and a minimum of 3.3 × compared to AFLNet. These results show that AugPersist significantly contributes to the convenience and efficiency of CG fuzzing on persistent software.
{"title":"AugPersist: Automatically augmenting the persistence of coverage-based greybox fuzzing for persistent software","authors":"Chiheng Wang, Jianshan Peng, Junhu Zhu, Qingxian Wang","doi":"10.1016/j.cose.2024.104099","DOIUrl":"10.1016/j.cose.2024.104099","url":null,"abstract":"<div><p>Fuzzing is one of the most successful approaches for verifying software functionalities and discovering security vulnerabilities. However, the software with persistent runtime characteristics (e.g., web service programs) cannot be effectively tested by current coverage-based greybox (CG) fuzzers, which strictly rely on the termination state of the target software to feed test cases synchronously and obtain code coverage. The present approach requires delicate analysis and modification of the target to eliminate its persistence, but leads to excessive non-essential restarts during testing, resulting in low throughput.</p><p>To improve the convenience and efficiency of CG fuzzing for persistent software, we propose augmenting persistence (AugPersist) as a complementary method. AugPersist introduces the concept of persistent basic block (PBB) to leverage the inherent code features of persistent software. PBB can be found automatically and quickly before fuzzing based on the execution flow graph (EFG). On this basis, we develop a low- delay synchronous communication so that after regular test cases are fed into the target, the fuzzer can derive code coverage without rebooting the target, thus significantly minimizing extraneous restarts. Additionally, by utilizing the self-adaptive forkserver, we can dynamically adjust the re-execution point of the target to the PBB position, which further minimizes losses when test cases trigger exceptions and cause necessary restarts.</p><p>To show the potential of augmenting persistence, we create two implementations, AFL-AugPersist and AFLNet-AugPersist, using AFL and AFLNet as baselines. We evaluate both with their respective baselines on different benchmarks. AFL-AugPersist makes stateless persistent software easier to be fuzzed than AFL and provides 4.9 × to 71.1 × throughput improvement compared to AFL. The throughput of AFLNet-AugPersist improves by a maximum of 210.0 × and a minimum of 3.3 × compared to AFLNet. These results show that AugPersist significantly contributes to the convenience and efficiency of CG fuzzing on persistent software.</p></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104099"},"PeriodicalIF":4.8,"publicationDate":"2024-09-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142229286","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-09-06DOI: 10.1016/j.cose.2024.104082
Anthony J. Rose, Christine M. Schubert Kabban, Scott R. Graham, Wayne C. Henry, Christopher M. Rondeau
The ongoing evolution of malware presents a formidable challenge to cybersecurity: identifying unknown threats. Traditional detection methods, such as signatures and various forms of static analysis, inherently lag behind these evolving threats. This research introduces a novel approach to malware detection by leveraging the robust statistical capabilities of L-moments and the structural insights provided by Abstract Syntax Trees (ASTs) and applying them to PowerShell. L-moments, recognized for their resilience to outliers and adaptability to diverse distributional shapes, are extracted from network analysis measures like degree centrality, betweenness centrality, and closeness centrality of ASTs. These measures provide a detailed structural representation of code, enabling a deeper understanding of its inherent behaviors and patterns. This approach aims to detect not only known malware but also uncover new, previously unidentified threats. A comprehensive comparison with traditional static analysis methods shows that this approach excels in key performance metrics such as accuracy, precision, recall, and score. These results demonstrate the significant potential of combining L-moments derived from network analysis with ASTs in enhancing malware detection. While static analysis remains an essential tool in cybersecurity, the integration of L-moments and advanced network analysis offers a more effective and efficient response to the dynamic landscape of cyber threats. This study paves the way for future research, particularly in extending the use of L-moments and network analysis into additional areas.
{"title":"Malware classification through Abstract Syntax Trees and L-moments","authors":"Anthony J. Rose, Christine M. Schubert Kabban, Scott R. Graham, Wayne C. Henry, Christopher M. Rondeau","doi":"10.1016/j.cose.2024.104082","DOIUrl":"10.1016/j.cose.2024.104082","url":null,"abstract":"<div><p>The ongoing evolution of malware presents a formidable challenge to cybersecurity: identifying unknown threats. Traditional detection methods, such as signatures and various forms of static analysis, inherently lag behind these evolving threats. This research introduces a novel approach to malware detection by leveraging the robust statistical capabilities of L-moments and the structural insights provided by Abstract Syntax Trees (ASTs) and applying them to PowerShell. L-moments, recognized for their resilience to outliers and adaptability to diverse distributional shapes, are extracted from network analysis measures like degree centrality, betweenness centrality, and closeness centrality of ASTs. These measures provide a detailed structural representation of code, enabling a deeper understanding of its inherent behaviors and patterns. This approach aims to detect not only known malware but also uncover new, previously unidentified threats. A comprehensive comparison with traditional static analysis methods shows that this approach excels in key performance metrics such as accuracy, precision, recall, and <span><math><msub><mrow><mi>F</mi></mrow><mrow><mn>1</mn></mrow></msub></math></span> score. These results demonstrate the significant potential of combining L-moments derived from network analysis with ASTs in enhancing malware detection. While static analysis remains an essential tool in cybersecurity, the integration of L-moments and advanced network analysis offers a more effective and efficient response to the dynamic landscape of cyber threats. This study paves the way for future research, particularly in extending the use of L-moments and network analysis into additional areas.</p></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104082"},"PeriodicalIF":4.8,"publicationDate":"2024-09-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S0167404824003870/pdfft?md5=255011e2faf3909f24dc4575c4f50f4f&pid=1-s2.0-S0167404824003870-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142169168","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-09-04DOI: 10.1016/j.cose.2024.104100
Shunliang Zhang, Weiqing Huang, Yinlong Liu
The 6G system is envisioned to support various new applications with diverse requirements in terms of quality and security. To fulfill diverse and stringent requirements, reconfigurable intelligent surfaces (RIS) have been extensively studied as a 6G enabling technology. RIS can be used to secure communications and boost the system performance, but it leads to new security threats as well. Due to the open nature of the wireless channel, smart radio environment, dynamic network topology, and adversarial machine learning (ML), 6G will face various unprecedented security threats. Given stringent requirements on quality of service (QoS), security, and massive low-cost Internet of Thing (IoT) devices, physical layer security (PLS) by exploiting the random nature of the wireless channel and/or intrinsic hardware imperfection emerges as a complementary approach to secure wireless communications. Meanwhile, the rapid development of artificial intelligence (AI) promotes the development of intelligent PLS solutions and smart attacks. In this paper, we make a comprehensive overview of PLS for RIS-based 6G systems from both defensive and offensive perspectives. We first introduce the vision of the RIS-enabled 6G smart radio environment. Then, typical security risks and requirements on RIS-based 6G are analyzed. After that, the state-of-the-art techniques on PLS are presented. Subsequently, major academic works on the physical layer security solution oriented to RIS are systematically reviewed. Moreover, the latest studies on attacks based on adversarial RIS are discussed in depth. Finally, we identify multiple open issues and research opportunities to inspire further studies for more intelligent PLS to secure the RIS-enabled 6G system.
{"title":"A systematic survey on physical layer security oriented to reconfigurable intelligent surface empowered 6G","authors":"Shunliang Zhang, Weiqing Huang, Yinlong Liu","doi":"10.1016/j.cose.2024.104100","DOIUrl":"10.1016/j.cose.2024.104100","url":null,"abstract":"<div><p>The 6G system is envisioned to support various new applications with diverse requirements in terms of quality and security. To fulfill diverse and stringent requirements, reconfigurable intelligent surfaces (RIS) have been extensively studied as a 6G enabling technology. RIS can be used to secure communications and boost the system performance, but it leads to new security threats as well. Due to the open nature of the wireless channel, smart radio environment, dynamic network topology, and adversarial machine learning (ML), 6G will face various unprecedented security threats. Given stringent requirements on quality of service (QoS), security, and massive low-cost Internet of Thing (IoT) devices, physical layer security (PLS) by exploiting the random nature of the wireless channel and/or intrinsic hardware imperfection emerges as a complementary approach to secure wireless communications. Meanwhile, the rapid development of artificial intelligence (AI) promotes the development of intelligent PLS solutions and smart attacks. In this paper, we make a comprehensive overview of PLS for RIS-based 6G systems from both defensive and offensive perspectives. We first introduce the vision of the RIS-enabled 6G smart radio environment. Then, typical security risks and requirements on RIS-based 6G are analyzed. After that, the state-of-the-art techniques on PLS are presented. Subsequently, major academic works on the physical layer security solution oriented to RIS are systematically reviewed. Moreover, the latest studies on attacks based on adversarial RIS are discussed in depth. Finally, we identify multiple open issues and research opportunities to inspire further studies for more intelligent PLS to secure the RIS-enabled 6G system.</p></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104100"},"PeriodicalIF":4.8,"publicationDate":"2024-09-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142148685","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2024-09-03DOI: 10.1016/j.cose.2024.104096
Hao Zhou , Wenting Shen , Jinlu Liu
With the advent of cloud computing, users are increasingly choosing to store their data on cloud. As a result, data integrity and availability have emerged as key concerns for data owners. Users expect to store multiple copies of their data to cloud and ensure the integrity of these data copies. Currently, numerous multi-copy cloud storage auditing schemes have been proposed. However, most of them depend on public key infrastructure, identity-based cryptography, or certificateless cryptography. These schemes encounter challenges such as complicated certificate management, key escrow, or the necessity for a secure channel for distributing keys, respectively. Furthermore, most of them are not resilient to copy-summation attack. To address the above problems, we propose a certificate-based multi-copy cloud storage auditing scheme supporting data dynamics. We design a novel dynamic structure named Leaves Merkle hash tree (LMHT) to achieve multi-copy dynamic updates. Different from traditional Merkle hash trees, LMHT has significant advantages in data deletion. In addition, the proposed scheme can resist copy-summation attack, in which cloud cannot pass the verification if it only stores summation of all copies without storing data blocks’ all copies. Security analysis and performance evaluation demonstrate that the proposed scheme is secure and efficient.
{"title":"Certificate-based multi-copy cloud storage auditing supporting data dynamics","authors":"Hao Zhou , Wenting Shen , Jinlu Liu","doi":"10.1016/j.cose.2024.104096","DOIUrl":"10.1016/j.cose.2024.104096","url":null,"abstract":"<div><div>With the advent of cloud computing, users are increasingly choosing to store their data on cloud. As a result, data integrity and availability have emerged as key concerns for data owners. Users expect to store multiple copies of their data to cloud and ensure the integrity of these data copies. Currently, numerous multi-copy cloud storage auditing schemes have been proposed. However, most of them depend on public key infrastructure, identity-based cryptography, or certificateless cryptography. These schemes encounter challenges such as complicated certificate management, key escrow, or the necessity for a secure channel for distributing keys, respectively. Furthermore, most of them are not resilient to copy-summation attack. To address the above problems, we propose a certificate-based multi-copy cloud storage auditing scheme supporting data dynamics. We design a novel dynamic structure named Leaves Merkle hash tree (LMHT) to achieve multi-copy dynamic updates. Different from traditional Merkle hash trees, LMHT has significant advantages in data deletion. In addition, the proposed scheme can resist copy-summation attack, in which cloud cannot pass the verification if it only stores summation of all copies without storing data blocks’ all copies. Security analysis and performance evaluation demonstrate that the proposed scheme is secure and efficient.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104096"},"PeriodicalIF":4.8,"publicationDate":"2024-09-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142311602","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
扫码关注我们
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号