{"title":"An Interpretable Generalization Mechanism for Accurately Detecting Anomaly and Identifying Networking Intrusion Techniques","authors":"Hao-Ting Pai;Yu-Hsuan Kang;Wen-Cheng Chung","doi":"10.1109/TIFS.2024.3488967","DOIUrl":"10.1109/TIFS.2024.3488967","url":null,"abstract":"The increasing complexity of modern network environments presents formidable challenges to Intrusion Detection Systems (IDS) in effectively mitigating cyber-attacks. Recent advancements in IDS research, integrating Explainable AI (XAI) methodologies, have led to notable improvements in system performance via precise feature selection. However, a thorough understanding of cyber-attacks requires inherently explainable decision-making processes within IDS. In this paper, we present the Interpretable Generalization Mechanism (IG), poised to revolutionize IDS capabilities. IG discerns coherent patterns, making it interpretable in distinguishing between normal and anomalous network traffic. Further, the synthesis of coherent patterns sheds light on intricate intrusion pathways, providing essential insights for cybersecurity forensics. By experiments with real-world datasets NSL-KDD, UNSW-NB15, and UKM-IDS20, IG is accurate even at a low ratio of training-to-test. With 10%-to-90%, IG achieves Precision (PRE) =0.93, Recall (REC) =0.94, and Area Under Curve (AUC) =0.94 in NSL-KDD; PRE =0.98, REC =0.99, and AUC =0.99 in UNSW-NB15; and PRE =0.98, REC =0.98, and AUC =0.99 in UKM-IDS20. Notably, in UNSW-NB15, IG achieves REC =1.0 and at least PRE =0.98 since 40%-to-60%; in UKM-IDS20, IG achieves REC =1.0 and at least PRE =0.88 since 20%-to-80%. Importantly, in UKM-IDS20, IG successfully identifies all three anomalous instances without prior exposure, demonstrating its generalization capabilities. These results and inferences are reproducible. 
In sum, IG showcases superior generalization by consistently performing well across diverse datasets and training-to-test ratios (from 10%-to-90% to 90%-to-10%), and excels in identifying novel anomalies without prior exposure. Its interpretability is enhanced by coherent evidence that accurately distinguishes both normal and anomalous activities, significantly improving detection accuracy and reducing false alarms, thereby strengthening IDS reliability and trustworthiness.","PeriodicalId":13492,"journal":{"name":"IEEE Transactions on Information Forensics and Security","volume":"19 ","pages":"10302-10313"},"PeriodicalIF":6.3,"publicationDate":"2024-10-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=10740319","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142561911","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"LAN: Learning Adaptive Neighbors for Real-Time Insider Threat Detection","authors":"Xiangrui Cai;Yang Wang;Sihan Xu;Hao Li;Ying Zhang;Zheli Liu;Xiaojie Yuan","doi":"10.1109/TIFS.2024.3488527","DOIUrl":"10.1109/TIFS.2024.3488527","url":null,"abstract":"Enterprises and organizations are faced with potential threats from insider employees that may lead to serious consequences. Previous studies on insider threat detection (ITD) mainly focus on detecting abnormal users or abnormal time periods (e.g., a week or a day). However, a user may have hundreds of thousands of activities in the log, and even within a day there may exist thousands of activities for a user, requiring a high investigation budget to verify abnormal users or activities given the detection results. On the other hand, existing works are mainly post-hoc methods rather than real-time detection, which can not report insider threats in time before they cause loss. In this paper, we conduct the first study towards real-time ITD at activity level, and present a fine-grained and efficient framework LAN. Specifically, LAN simultaneously learns the temporal dependencies within an activity sequence and the relationships between activities across sequences with graph structure learning. Moreover, to mitigate the data imbalance problem in ITD, we propose a novel hybrid prediction loss, which integrates self-supervision signals from normal activities and supervision signals from abnormal activities into a unified loss for anomaly detection. We evaluate the performance of LAN on two widely used datasets, i.e., CERT r4.2 and CERT r5.2. Extensive and comparative experiments demonstrate the superiority of LAN, outperforming 9 state-of-the-art baselines by at least 8.43% and 6.35% in AUC for real-time ITD on CERT r4.2 and r5.2, respectively. Moreover, LAN can be also applied to post-hoc ITD, surpassing 8 competitive baselines by at least 7.70% and 4.03% in AUC on two datasets. 
Finally, the ablation study, parameter analysis, and compatibility analysis evaluate the impact of each module and hyper-parameter in LAN. The source code can be obtained from https://github.com/Li1Neo/LAN.","PeriodicalId":13492,"journal":{"name":"IEEE Transactions on Information Forensics and Security","volume":"19 ","pages":"10157-10172"},"PeriodicalIF":6.3,"publicationDate":"2024-10-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142561910","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Ruyi: A Configurable and Efficient Secure Multi-Party Learning Framework With Privileged Parties","authors":"Lushan Song;Zhexuan Wang;Guopeng Lin;Weili Han","doi":"10.1109/TIFS.2024.3488507","DOIUrl":"10.1109/TIFS.2024.3488507","url":null,"abstract":"Secure multi-party learning (MPL) enables multiple parties to train machine learning models with privacy preservation. MPL frameworks typically follow the peer-to-peer architecture, where each party has the same chance to handle the results. However, the cooperative parties in business scenarios usually have unequal statuses. Thus, Song et al. (CCS’22) presented pMPL, a hierarchical MPL framework with a privileged party. Nonetheless, pMPL has two limitations: (i) it has limited configurability requiring manually finding a public matrix that satisfies four constraints, which is difficult when the number of parties increases, and (ii) it is inefficient due to the huge online communication overhead. In this paper, we are motivated to propose Ruyi, a configurable and efficient MPL framework with privileged parties. Firstly, we reduce the public matrix constraints from four to two while ensuring the same privileged guarantees by extending the standard resharing paradigm to vector space secret sharing in order to implement the share conversion protocol and performing all the computations over a prime field rather than a ring. This enhances the configurability so that the Vandermonde matrix can always satisfy the public matrix constraints when given the number of parties, including privileged parties, assistant parties, and assistant parties allowed to drop out. Secondly, we reduce the online communication overhead by adapting the masked evaluation paradigm to vector space secret sharing. 
Experimental results demonstrate that Ruyi is configurable with multiple parties and outperforms pMPL by up to 53.87×, 13.91×, and 2.76× for linear regression, logistic regression, and neural networks, respectively.","PeriodicalId":13492,"journal":{"name":"IEEE Transactions on Information Forensics and Security","volume":"19 ","pages":"10355-10370"},"PeriodicalIF":6.3,"publicationDate":"2024-10-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142556172","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Rebuttal to “On the Unforgeability of ‘Privacy-Preserving Aggregation-Authentication Scheme for Safety Warning System in Fog-Cloud Based VANET”’","authors":"Yafang Yang;Lei Zhang;Yunlei Zhao;Kim-Kwang Raymond Choo;Yan Zhang","doi":"10.1109/TIFS.2024.3488520","DOIUrl":"10.1109/TIFS.2024.3488520","url":null,"abstract":"Lin recently claimed that the privacy-preserving aggregation authentication scheme (PPAAS) based on a certificateless aggregation signcryption scheme (CASS) proposed in our paper (IEEE Transactions on Information Forensics and Security, vol.17, pp.317-331, Jan.2022) suffers from a forgery attack from type II adversary. In this paper, we show that this attack is not valid since the adversary outputs a trivial forged ciphertext. Specifically, the adversary has the master secret key and randomly selects the secret values of all users.","PeriodicalId":13492,"journal":{"name":"IEEE Transactions on Information Forensics and Security","volume":"19 ","pages":"10373-10374"},"PeriodicalIF":6.3,"publicationDate":"2024-10-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142556169","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Eyes on Federated Recommendation: Targeted Poisoning With Competition and Its Mitigation","authors":"Yurong Hao;Xihui Chen;Wei Wang;Jiqiang Liu;Tao Li;Junyong Wang;Witold Pedrycz","doi":"10.1109/TIFS.2024.3488500","DOIUrl":"10.1109/TIFS.2024.3488500","url":null,"abstract":"Federated recommendation (FR) addresses privacy concerns in recommender systems by training a global model without requiring raw user data to leave individual devices. A server, known as the aggregator, integrates users’ local gradients and updates the global model parameters. However, FR is vulnerable to attacks where malicious users manipulate these updates, known as model poisoning attacks. In this work, we propose a new targeted attack called StairClimbing to promote specific items through model poisoning, and a new defence mechanism CrossEU. StairClimbing adopts a new strategy resembling stair climbing to enable target items to beat competitive items and increase their popularity level by level. Compared to prior attacks, StairClimbing guarantees balanced effectiveness, efficiency and stealthiness simultaneously. Our defence mechanism CrossEU leverages two patterns regarding the lists of items updated by benign users between iterative epochs. Extensive experiments on six real-world datasets demonstrate StairClimbing’s superiority across all three desirable attack properties, even with a small proportion of malicious users (1%). 
In addition, CrossEU effectively delays the impact of all tested attacks and even eliminates their damage entirely.","PeriodicalId":13492,"journal":{"name":"IEEE Transactions on Information Forensics and Security","volume":"19 ","pages":"10173-10188"},"PeriodicalIF":6.3,"publicationDate":"2024-10-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142556170","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Resource Allocation for STAR-RIS-Assisted MIMO Physical-Layer Key Generation","authors":"Zheng Wan;Kexin Liu;Yajun Chen;Kaizhi Huang;Hui-Ming Wang;Zheng Chu;Ming Yi;Liang Jin","doi":"10.1109/TIFS.2024.3488509","DOIUrl":"10.1109/TIFS.2024.3488509","url":null,"abstract":"Due to the limited coverage of reflecting-only reconfigurable intelligent surfaces (RIS), the existing RIS-assisted physical-layer key generation (PKG) scheme limits its overall performance in the full space. This paper proposes a novel simultaneously transmitting and reflecting (STAR)-RIS-assisted PKG protocol for multiple-input multiple-output (MIMO) systems, where the closed-form sum secret key rate is derived in the presence of full-space eavesdroppers. Two optimization problems are formulated to maximize the sum secret key rate by designing the transmit beamforming (TBF) and transmitting and reflecting coefficients (TRCs) for energy splitting (ES) with coupled phase-shift and mode switching (MS) mode. For ES mode with coupled phase-shift, a penalty-based alternating optimization (AO) algorithm is proposed to address its non-convexity. For MS mode, the semidefinite relaxation-successive convex approximation-based AO algorithm is utilized to achieve continuous solutions and then quantize to binary value for the MS mode. Simulation results demonstrate that the coupled phase-shift STAR-RIS incurs a slight KGR loss in comparison to the independent phase-shift STAR-RIS. Additionally, the ES mode outperforms the MS mode in terms of KGR performance. 
Finally, STAR-RIS can achieve a higher sum secret key rate than traditional reflecting-only RIS.","PeriodicalId":13492,"journal":{"name":"IEEE Transactions on Information Forensics and Security","volume":"19 ","pages":"10328-10338"},"PeriodicalIF":6.3,"publicationDate":"2024-10-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142556173","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Robust Tracking-Based PHY-Authentication in mmWave MIMO Systems","authors":"Liza Afeef;Haji M. Furqan;Hüseyin Arslan","doi":"10.1109/TIFS.2024.3488362","DOIUrl":"10.1109/TIFS.2024.3488362","url":null,"abstract":"Physical Layer Authentication (PLA) is a topic of considerable interest in ensuring strong security for upcoming wireless networks. However, existing PLA methods face challenges in maintaining performance in dynamic environments. To overcome this, we propose a novel tracking-based PLA approach, utilizing properties of the beamspace multiple-input multiple-output (MIMO) channel in narrowband millimeter-wave (mmWave) networks. Specifically, the proposed technique involves extracting a distance signature vector from the positions of the principal components within the beamspace MIMO channel representation. These components are then sorted in descending order based on their indices. To address mobility concerns in dynamic settings, a tracking filter is introduced. This filter allows the authentication system to continuously track and update the stored signature, enhancing overall authentication performance. Additionally, the proposed technique is extended to ultra-wideband signaling. In this extension, the richness of the derived signature is further improved by exploiting the beam squint effect, contributing to a more robust authentication process. 
Simulation results demonstrate that our approach overcomes the limitations of previous methods, resulting in improved authentication performance measured by detection and false alarm rates.","PeriodicalId":13492,"journal":{"name":"IEEE Transactions on Information Forensics and Security","volume":"19 ","pages":"10375-10386"},"PeriodicalIF":6.3,"publicationDate":"2024-10-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142556171","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"TriAssetRank: Ranking Vulnerabilities, Exploits, and Privileges for Countermeasures Prioritization","authors":"Aymar Le Père Tchimwa Bouom;Jean-Pierre Lienou;Wilson Ejuh Geh;Frederica Free Nelson;Sachin Shetty;Charles Kamhoua","doi":"10.1109/TIFS.2024.3488533","DOIUrl":"10.1109/TIFS.2024.3488533","url":null,"abstract":"Network defence practices have no standardized mechanism for determining the priority of threat events. Prioritization of cyber vulnerabilities intends to make network administrators focus on the most critical points within the system to mitigate potential damages produced by attackers. More likely, in managing vulnerabilities, current approaches always focus on the common vulnerability exposures (CVE), which are not the only existing vulnerabilities in a network. Also, while the Common Vulnerability Scoring System (CVSS) effectively scores individual vulnerabilities, it fails to consider the relationships between them but considers each vulnerability in isolation. Existing research, such as the ‘AssetRank’ algorithm, has made progress in exploring these relationships. Building on this foundation, in this paper we propose TriAssetRank, a tripartite ranking algorithm that evaluates three key elements within a logical attack graph: vulnerabilities, privileges, and potential attack exploits. Since each node type has its unique characteristics and potential impact on the system’s security, we rank them in concert, taking into account the dependencies between nodes in the attack graph. The proposed ranking scheme computes a numerical value for each node based on its type, which is a clear indication of how valuable it is to a potential attacker. 
Several tests on various model networks have empirically validated the effectiveness of the algorithm, which enables organizations to prioritize countermeasures by identifying the most critical vulnerabilities, exploits, and privilege escalation risks, allowing efficient allocation of resources to mitigate high-impact threats and reduce overall risk exposure effectively.","PeriodicalId":13492,"journal":{"name":"IEEE Transactions on Information Forensics and Security","volume":"19 ","pages":"10189-10205"},"PeriodicalIF":6.3,"publicationDate":"2024-10-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142556167","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A New Shift-Add Secret Sharing Scheme for Partial Data Protection With Parallel Zigzag Decoding","authors":"Jiajun Chen;Yichen Shen;Chi Wan Sung","doi":"10.1109/TIFS.2024.3488498","DOIUrl":"10.1109/TIFS.2024.3488498","url":null,"abstract":"This paper studies distributed storage for protecting the confidentiality of partial data in the presence of storage node failures. It is required that not only the original data can be reconstructed from the remaining surviving nodes, but also the data lost by a failed node can be repaired from as few nodes as possible. The minimum number of surviving nodes required to repair a failed node is called the repair degree. Inspired by the zigzag-decodable secret sharing scheme, we propose a new shift-add secret sharing scheme based on the XOR and bitwise-shift operations, in which confidential data is protected by using random keys generated from non-confidential data. The reliability and repairability of the proposed scheme are measured by the message loss probability and the maximum repair degree among all nodes, respectively, and then compared with three benchmark schemes. In contrast to conventional zigzag-decodable codes, the special structure of our proposed scheme allows the design of fast parallel algorithms for modern devices with multi-core processors, which have a linear speedup in decoding time compared with various versions of serial zigzag decoding. 
Experiments are implemented on a multi-core computer, and the empirical results on decoding time are consistent with our theoretical observations.","PeriodicalId":13492,"journal":{"name":"IEEE Transactions on Information Forensics and Security","volume":"19 ","pages":"10221-10232"},"PeriodicalIF":6.3,"publicationDate":"2024-10-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142556168","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Distributed Robust Artificial-Noise-Aided Secure Precoding for Wiretap MIMO Interference Channels","authors":"Zhengmin Kong;Jing Song;Shaoshi Yang;Li Gan;Weizhi Meng;Tao Huang;Sheng Chen","doi":"10.1109/TIFS.2024.3486548","DOIUrl":"10.1109/TIFS.2024.3486548","url":null,"abstract":"We propose a distributed artificial noise-assisted precoding scheme for secure communications over wiretap multi-input multi-output (MIMO) interference channels, where K legitimate transmitter-receiver pairs communicate in the presence of a sophisticated eavesdropper having more receive-antennas than the legitimate user. Realistic constraints are considered by imposing statistical error bounds for the channel state information of both the eavesdropping and interference channels. Based on the asynchronous distributed pricing model, the proposed scheme maximizes the total utility of all the users, where each user’s utility function is defined as the secrecy rate minus the interference cost imposed on other users. Using the weighted minimum mean square error, Schur complement and sign-definiteness techniques, the original non-concave optimization problem is approximated with high accuracy as a quasi-concave problem, which can be solved by the alternating convex search method. 
Simulation results consolidate our theoretical analysis and show that the proposed scheme outperforms the artificial noise-assisted interference alignment and minimum total mean-square error-based schemes.","PeriodicalId":13492,"journal":{"name":"IEEE Transactions on Information Forensics and Security","volume":"19 ","pages":"10130-10140"},"PeriodicalIF":6.3,"publicationDate":"2024-10-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142490316","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}