{"title":"CD-Net: Robust mobile traffic classification against apps updating","authors":"Yanan Chen , Botao Hou , Bin Wu , Hao Hu","doi":"10.1016/j.cose.2024.104214","DOIUrl":"10.1016/j.cose.2024.104214","url":null,"abstract":"<div><div>Mobile traffic classification (MTC) is an increasingly important domain in traffic filtering and malware detection. Existing methods have achieved good results in distribution-invariant MTC. However, as apps update rapidly and users’ update time varies, the traffic of a certain app often consists of multiple versions mixed together in the real-world network. This dynamic proportion of new-version app traffic significantly affects the performance of models, even if they have been retrained with new-version app traffic. In this paper, we propose CD-Net, a robust encrypted MTC method designed to classify the mixed traffic of multi-version apps. CD-Net is based on the few-shot framework and primarily comprises two components: the CNN part for feature extraction and the DNN part for classification. When an app is updated, the DNN part is retrained to classify the new-version app, while the CNN part remains unchanged to ensure the ability to classify the original-version app. We collected a real-world dataset to validate the effectiveness of our proposed CD-Net. Before retraining with the new-version app traffic, the accuracy of all models declined during the process of an app update. However, after retraining the DNN part with a few samples of the new-version app traffic, the F1-Score of our model remained above 93.68% throughout the app update process, while the F1-Score of the retrained state-of-the-art method dropped to 88.28%.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104214"},"PeriodicalIF":4.8,"publicationDate":"2024-11-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142723571","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"FuzzAGG: A fuzzing-driven attack graph generation framework for industrial robot systems","authors":"Xiaosheng Liu, Wenqi Jiang, Zhongwei Li, Xianji Jin, Zihan Ma, Qingyang Li","doi":"10.1016/j.cose.2024.104223","DOIUrl":"10.1016/j.cose.2024.104223","url":null,"abstract":"<div><div>As industrial robot systems (IRS) are increasingly utilized in smart factories, their information security issues have become particularly critical. Attack graphs, an essential system-level risk modeling technique, traditionally rely on predefined risk attributes and exploitation rules for their generation. However, this approach fails to meet the needs for attack graph generation and analysis in environments with missing risk data. To address this issue, this paper proposes a fuzzing-driven attack graph generation framework, FuzzAGG. This framework aims to provide an efficient and accurate method for generating attack graphs under conditions of incomplete risk data, thereby supporting information security analysis and risk assessment of IRS. In this paper, a risk data model (RDM) is constructed using the Meta Attack Language to achieve a structured description of the risk data of IRS. A fuzzing test case generation algorithm based on the MU-SeqGAN model is proposed, which can generate test cases suitable for the state machines of IRS and map them to specific Risk Data Model Objects (RDMOs). Additionally, a conversion unit is designed to integrate all RDMOs into a risk description file, which is then used by the generation unit to construct a graphical attack graph. In performance tests, FuzzAGG is able to achieve automated construction of IRS attack graphs containing 1000 state nodes in 42 min and maintain 88 % risk coverage. Taking the IRS of a PCB automated production line the effectiveness of the FuzzAGG framework is validated. The results demonstrate that FuzzAGG can automatically generate and validate an attack graph containing 184 attribute nodes and atomic attack nodes in 8 min with high operational efficiency, proving the practicality and reliability of this method in automated attack graph generation.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104223"},"PeriodicalIF":4.8,"publicationDate":"2024-11-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142747379","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Conditional entropy-based hybrid DDoS detection model for IoT networks","authors":"Nimisha Pandey, Pramod Kumar Mishra","doi":"10.1016/j.cose.2024.104199","DOIUrl":"10.1016/j.cose.2024.104199","url":null,"abstract":"<div><div>In a distributed denial-of-service (DDoS) attack, an attacker channelizes the resources of a botnet to launch denial of service attack on the victim. The increased use of IoT devices and dependence of users on e-services like online shopping and online payments have elevated the liability risks. The entropy provides a significant measure of randomness. The variation in entropy of traffic features determines the presence of abrupt traffic. This paper uses entropy and conditional entropy to achieve insights on data and feeds it to the proposed 2-stage detection approach for multi-class classification. The proposed model employs four classifiers for first hand classification. Further, stacking generalization-based second stage achieves the final detection process. The recently launched CIC IoT 2023 dataset is used to illustrate the findings of the study. The proposed approach produces an accuracy of 99.86%. Further, this paper utilizes relative entropy for the determination of deflection of traffic behavior between the attack and legitimate samples. Comparisons have been made among symmetric versions of information divergence, <span><math><mi>ϕ</mi></math></span>-divergence and Kullback–Leibler divergence along with, Hellinger distance and total variation distance. It is found that the information distance gives a better differentiation between the entropy of legitimate traffic and attack traffic. <strong>Significance Statement</strong> Entropy has been manipulated to define the nature of incoming traffic for any rule-based detection. This work explores the significance of conditional entropy for the ML-based detection of DDoS attacks in a recently launched IoT-based dataset. Additionally, the effectiveness of KL-divergence, information divergence, <span><math><mi>ϕ</mi></math></span>-divergence, Hellinger distance and total variation distance is compared for differentiating between legitimate traffic and attack traffic.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104199"},"PeriodicalIF":4.8,"publicationDate":"2024-11-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142707220","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A hybrid model for detecting intrusions using stacked autoencoders and extreme gradient boosting","authors":"Hari Vinayak M.V. , Jarin T.","doi":"10.1016/j.cose.2024.104212","DOIUrl":"10.1016/j.cose.2024.104212","url":null,"abstract":"<div><div>In the contemporary digital landscape dominated by the internet, a wide array of attacks occurs daily, driven by a large and diverse user base. The field of identifying these cyberattacks is rapidly growing and is mainly accomplished through the utilization of intrusion detection systems (IDS). The IDS is designed to continuously observe data flow and identify any potentially harmful or suspicious acts that could signal a cyberattack. Traditional machine learning (ML) techniques encounter challenges in effectively detecting unknown attacks and dealing with imbalanced data distributions, resulting in reduced detection performance. This paper presents a hybrid IDS model that integrates an ML classifier like XGBoost with a stacked sparse autoencoder (SSAE). The low-dimensional features obtained from the SSAE are utilized for training the classifier. The experimental outcomes indicate that the model surpasses the formerly recommended approaches regarding intrusion detection and decreases the ML classifier’s training and testing times. We have also evaluated our model’s performance by comparing it with other advanced techniques documented in the existing literature.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104212"},"PeriodicalIF":4.8,"publicationDate":"2024-11-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142707221","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Generate universal adversarial perturbations by shortest-distance soft maximum direction attack","authors":"Dengbo Liu, Zhi Li, Daoyun Xu","doi":"10.1016/j.cose.2024.104168","DOIUrl":"10.1016/j.cose.2024.104168","url":null,"abstract":"<div><div>Deep neural networks (DNNs) are vulnerable to adversarial attacks. Compared to the instance-specific adversarial examples, Universal Adversarial Perturbation (UAP) can fool the target model of different inputs with only one perturbation. However, previous UAP generation algorithms do not consider the shortest distance to the decision boundary of the Last Linear Operator (LLO), which hampers the UAP’s attackability under a limited perturbation size. In this paper, the LLO is analyzed to obtain several properties based on which the decision space of the LLO is modeled. Then, the UAP generation algorithm for the shortest-distance attack based on LLO is proposed. Moreover, we propose the maximum direction attack and combine it with the shortest-distance attack to obtain the shortest-distance soft maximum attack, which improves the transferability of UAP. To validate the performance of the algorithm proposed in this paper, we conduct UAP white-box and black-box attack experiments using the ImageNet dataset, and the results show that the attack success rate exceeds the latest research results.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104168"},"PeriodicalIF":4.8,"publicationDate":"2024-11-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142706751","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"RanSMAP: Open dataset of Ransomware Storage and Memory Access Patterns for creating deep learning based ransomware detectors","authors":"Manabu Hirano , Ryotaro Kobayashi","doi":"10.1016/j.cose.2024.104202","DOIUrl":"10.1016/j.cose.2024.104202","url":null,"abstract":"<div><div>Ransomware attacks have become significant cyber threats to enterprises and public sectors. Our previous RanSAP dataset, which contained only low-level storage access patterns collected using a thin hypervisor, was used to create behavioral-based ransomware detectors; it provides an additional protection layer when the OS-level ransomware detection systems are compromised. The previous ransomware detector, which used only low-level storage access patterns, could not detect ransomware when Office applications and web browsers were executed simultaneously. This paper presents a new open dataset named RanSMAP, which stands for Ransomware Storage and Memory Access Patterns. It contains low-level storage and memory access patterns collected using a thin hypervisor. We provide an overview of the open RanSMAP dataset, including directory structure and file formats, to guide researchers in using the dataset. We then present our data preprocessing method and deep-learning-based ransomware detector. The RanSMAP datasets consist of storage and memory access patterns of six ransomware samples and six benign applications, seven Conti ransomware variants, and simultaneous execution of ransomware with benign applications collected on the machines with various CPUs, RAM generations, RAM frequencies, and RAM capacities. The experimental results show that low-level memory access patterns improved ransomware detection performance by 2.3% compared to detectors using only storage access patterns. We confirmed that ransomware detectors trained using the RanSMAP dataset can detect ransomware when Office and web browser programs are executed simultaneously. We presented the survey on state-of-the-art ransomware detection research and the availability of open behavioral-feature datasets to discuss the advantages and limitations of our RanSMAP dataset.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104202"},"PeriodicalIF":4.8,"publicationDate":"2024-11-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142706801","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Ali Allami , Tyler Nicewarner , Ken Goss , Ashish Kundu , Wei Jiang , Dan Lin
{"title":"Oblivious and distributed firewall policies for securing firewalls from malicious attacks","authors":"Ali Allami , Tyler Nicewarner , Ken Goss , Ashish Kundu , Wei Jiang , Dan Lin","doi":"10.1016/j.cose.2024.104201","DOIUrl":"10.1016/j.cose.2024.104201","url":null,"abstract":"<div><div>Firewalls are effective in preventing attacks initiated from outside of an organization’s network, but they are vulnerable to external threats, e.g. ransomware attacks may expose sensitive firewall data to malicious entities or disable network protection from the firewall. In this paper, we present Obliv-FW: a novel distributed architecture and a suite of protocols to obliviously manage and evaluate firewall rules and policies to prevent external attacks oriented to the firewall data. Obliv-FW alleviates this issue by obfuscating the blacklist or whitelist and distributing the function of evaluating these lists across multiple servers residing in different access control zones of the organization’s internal network. Thus, both accessing and altering the rules are considerably more difficult thereby providing better protection to the local network as well as greater security for the firewall itself. Obliv-FW is developed by leveraging the existing secure multi-party computation techniques. Our empirical results show that the overhead of Obliv-FW is small, and it can be a very valuable tool to mitigate the ever-increasing threats to a private network from external attacks including ransomware attacks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104201"},"PeriodicalIF":4.8,"publicationDate":"2024-11-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142706800","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Fuzzing trusted execution environments with Rust","authors":"Grzegorz Blinowski , Michał Szaknis","doi":"10.1016/j.cose.2024.104196","DOIUrl":"10.1016/j.cose.2024.104196","url":null,"abstract":"<div><div>Fuzzing, a software testing technique, aims to uncover bugs by subjecting the target program to random inputs, thus discerning abnormal program behaviors such as crashes. In this paper, we present the design and implementation of a fuzzing framework designed to test TEEs (Trusted Execution Environment). Our framework leverages established software tools in a novel way: (1) We employ the Rust programming language in a two-way code generator: to translate fuzzer output to a sequence of system calls and in a “reverse translation” process, where sample code snippets are used to seed the fuzzer – a single API specification suffices for both endeavors; (2) Our fuzzer exhibits the ability to iteratively traverse the API's specification, scrutinize object dependencies, and judiciously reuse objects. These features significantly amplify its bug-finding prowess. (3) A versatile Rust <em>proc macro</em> mechanism is used to process the API specification. The fuzzer's code is built with the Rust compiler sans the necessity for additional specialized tools. (4) To enable the efficient stateful execution of TEEs, we have tailored the QEMU system emulator accordingly. To verify the usability and performance of our fuzzer, and to test various configuration options we conducted a series of tests with a popular open-source OP-TEE trusted operating system.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104196"},"PeriodicalIF":4.8,"publicationDate":"2024-11-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142746968","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Covert timing channel detection based on isolated binary trees","authors":"Yuwei Lin , Yonghong Chen , Hui Tian , Xiaolong Zhuang","doi":"10.1016/j.cose.2024.104200","DOIUrl":"10.1016/j.cose.2024.104200","url":null,"abstract":"<div><div>As a communication method for concealing information, the covert network channel is often exploited for malicious purposes due to its inherently difficult-to-detect nature, posing potential risks to network security. In this paper, we propose a detection method based on isolated binary trees, aiming to address the problem of the novel covert channel imitating legitimate traffic patterns and injecting additional anomalies to evade detection. This method is based on the Isolation Forest algorithm, which can be classified into different categories by analyzing the stepwise function features of network traffic and using isolation binary trees generated with random split thresholds. At the same time, we validate the proposed detection model using a publicly available dataset. The experimental results demonstrate that eliminating outliers significantly enhances the stepwise function features while preserving the original form of legitimate traffic. Compared to the model without outlier handling, the average AUC scores for TRCTC and Jitterbug improved by 7.37% and 2.23%, respectively. Furthermore, we achieved superior performance on a new channel named <span><math><mi>ϵ</mi></math></span>-<span><math><mi>κ</mi></math></span>libur and <span><math><mi>ϵ</mi></math></span>-<span><math><mi>κ</mi></math></span>libur-O compared to using deep learning-based detection methods.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104200"},"PeriodicalIF":4.8,"publicationDate":"2024-11-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142746969","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Navigating challenging terrain surrounding DoD response to homeland attacks on critical infrastructure: Case studies of prior incidents utilizing an extended taxonomy of cyber harms","authors":"Louis Nolan , Denise L. Tennant , Deanna House","doi":"10.1016/j.cose.2024.104198","DOIUrl":"10.1016/j.cose.2024.104198","url":null,"abstract":"<div><div>The complexity of DoD response to cyberattacks on critical infrastructure entities is a relatively understudied area, particularly when considering attacks that fall within the nebulous area of response, the cyber grey zone. Reliance on critical infrastructure by private, public, and defense sectors establishes the need for proactive research in this context, particularly learning from prior incidents to inform and plan for future events and responses. This research utilizes an extended taxonomy to categorize harms and thresholds related to cyberattacks on critical infrastructure to understand integrated (rather than divisive) approaches that utilize Department of Defense capabilities. The researchers extend a taxonomy of cyber harms to provide a system of categorization that can assist with determining when a threshold, or cyber red line, is surpassed and provide a starting point to establish future considerations under which an engagement by the Department of Defense is appropriate.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"150 ","pages":"Article 104198"},"PeriodicalIF":4.8,"publicationDate":"2024-11-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142706752","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}