Computers & Security最新文献

{"title":"DMSCTS: Dynamic measurement scheme for the containers-hybrid-deployment based on trusted subsystem","authors":"Yufei Han ,&nbsp;Chao Li ,&nbsp;Jianbiao Zhang ,&nbsp;Yifan Wang ,&nbsp;Lehao Yu ,&nbsp;Yihao Cao ,&nbsp;Hong Shen ,&nbsp;Weixing Hou ,&nbsp;Hailin Luo","doi":"10.1016/j.cose.2024.104158","DOIUrl":"10.1016/j.cose.2024.104158","url":null,"abstract":"<div><div>Hybrid deployment of containers with different kernel types offers a novel solution for cloud service providers. While extensive research has been conducted on shared kernel containers, the security risks associated with diverse kernel types in hybrid deployment scenarios present more complex challenges. Establishing trusted relationships from hardware to containers for hybrid deployment has become a primary concern. Additional challenges include the lack of measurement and communication methods for independent kernel containers and insufficient dynamic measurement capabilities for containers. To address these issues, we propose a novel approach of achieving secure hybrid deployment of containers through the provision of trusted assurance in three layers: container infrastructure, container application environment, and container runtime. We propose the corresponding measurement schemes for each trust layer. Through functional verification and performance evaluation, we demonstrate that our architecture exhibits improved feasibility and effectiveness.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":null,"pages":null},"PeriodicalIF":4.8,"publicationDate":"2024-10-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142532345","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"MIDAS: Multi-layered attack detection architecture with decision optimisation","authors":"Kieran Rendall ,&nbsp;Alexios Mylonas ,&nbsp;Stilianos Vidalis ,&nbsp;Dimitris Gritzalis","doi":"10.1016/j.cose.2024.104154","DOIUrl":"10.1016/j.cose.2024.104154","url":null,"abstract":"<div><div>The proliferation of cyber attacks has led to the use of data-driven detection countermeasures, in an effort to mitigate this threat. Machine learning techniques, such as the use of neural networks, have become mainstream and proven effective in attack detection. However, these data-driven solutions are limited by: <em>a)</em> high computational overhead associated with data pre-processing and inference cost, <em>b)</em> inability to scale beyond a centralised deployment to cope with environmental variances, and c) requirement to use multiple bespoke detection models for effective attack detection coverage across the cyber kill chain. In this context, this paper introduces MIDAS, a cost-effective framework for attack detection, which introduces a dynamic decision boundary that is used in a multi-layered detection architecture. This is achieved by modelling the decision confidence of the participating detection models and judging its benefits using a novel reward policy. Specifically, a reward is assigned to a set of available actions, corresponding to a decision boundary, based on its cost-to-performance, where an <em>overall</em> cost-saving is prioritised. We evaluate our approach on two widely used datasets representing two of the most common threats today, <em>i.e.,</em> phishing and malware. MIDAS shows that it effectively reduces the expenditure on detection inference and processing costs by controlling the frequency of expensive detection operations. This is achieved without significant sacrifice of attack detection performance.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":null,"pages":null},"PeriodicalIF":4.8,"publicationDate":"2024-10-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142532339","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"SecureQwen: Leveraging LLMs for vulnerability detection in python codebases","authors":"Abdechakour Mechri ,&nbsp;Mohamed Amine Ferrag ,&nbsp;Merouane Debbah","doi":"10.1016/j.cose.2024.104151","DOIUrl":"10.1016/j.cose.2024.104151","url":null,"abstract":"<div><div>Identifying vulnerabilities in software code is crucial for ensuring the security of modern systems. However, manual detection requires expert knowledge and is time-consuming, underscoring the need for automated techniques. In this paper, we present SecureQwen, a novel vulnerability detection tool leveraging large language models (LLMs) with a context length of 64K tokens to identify potential security threats in large-scale Python codebases. Utilizing a decoder-only transformer architecture, SecureQwen captures complex relationships between code tokens, enabling accurate classification of vulnerable code sequences across 14 common weakness enumerations (CWEs), including OS Command Injection, SQL Injection, Improper Check or Handling of Exceptional Conditions, Path Traversal, Broken or Risky Cryptographic Algorithm, Deserialization of Untrusted Data, and Cleartext Transmission of Sensitive Information. Therefore, we evaluate SecureQwen on a large Python dataset with over 1.875 million function-level code snippets from different sources, including GitHub repositories, Codeparrot’s dataset, and synthetic data generated by GPT4-o. The experimental evaluation demonstrates high accuracy, with F1 scores ranging from 84% to 99%. The results indicate that SecureQwen effectively detects vulnerabilities in human-written and AI-generated code.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":null,"pages":null},"PeriodicalIF":4.8,"publicationDate":"2024-10-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142533336","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"TrojanProbe: Fingerprinting Trojan tunnel implementations by actively probing crafted HTTP requests","authors":"Liuying Lv,&nbsp;Peng Zhou","doi":"10.1016/j.cose.2024.104147","DOIUrl":"10.1016/j.cose.2024.104147","url":null,"abstract":"<div><div>Trojan is a well-known hidden tunnel protocol widely used to bypass Internet censorship and thus presents a big challenge to transparent network management and forensics. As claimed by the protocol designer, Trojan maintains its anti-identifiability by proxying real HTTPS/TLS traffic to react to unauthenticated requests, eliminating any subtle differences between the Trojan traffic and the legitimate HTTPS. Despite such a protocol seeming unidentifiable by design, the diverse Trojan implementations adopting very different programming languages will likely have varied coding logic and networking API calls, opening a new door to be identified and fingerprinted from the implementation level. In this paper, we propose <em>TrojanProbe</em>, a new class of active probing methods that can be used to fingerprint Trojan implementations by triggering their identifiable responses. Our basic idea is to audit the source code of the Trojan programs and discover the subtle logic discrepancy compared with the legitimate HTTPS counterparts, to craft specific HTTP requests as probes to trigger these differences for fingerprinting. By this idea, we choose the five most popular open-source Trojan programs off-the-shelf as our targets to audit, covering the majority of Trojan market share and the mainstream programming languages from traditional C++ to the cutting-edge Go and Rust, and design a suite of novel HTTP probes to differentiate them from their web server masquerades. Our probes exploit either the different responding/buffering logic to the malformed HTTP requests and the different HTTP versions, or the varied timeouts set in the different networking APIs by default. To this end, we have conducted extensive experiments to evaluate the TrojanProbe against a comprehensive set of configuration and networking conditions. The experimental results show that our TrojanProbe can effectively fingerprint our selected Trojan targets in most conditions, but leave a single Rust implementation with a minority market occupied that can only be identified in some constraint cases. Despite such an exception, our research sheds light on a new kind of possibility to fingerprint Trojans at their implementation level, even if such a hidden tunnel is widely known as unidentifiable at the protocol level.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":null,"pages":null},"PeriodicalIF":4.8,"publicationDate":"2024-10-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142552117","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Adaptive sensor attack detection and defense framework for autonomous vehicles based on density","authors":"Zujia Miao ,&nbsp;Cuiping Shao ,&nbsp;Huiyun Li ,&nbsp;Yunduan Cui ,&nbsp;Zhimin Tang","doi":"10.1016/j.cose.2024.104149","DOIUrl":"10.1016/j.cose.2024.104149","url":null,"abstract":"<div><div>The security of autonomous vehicles heavily depends on localization systems that integrate multiple sensors, which are vulnerable to sensor attacks and increase the risk of accidents. Given the diversity of sensor attacks and the dynamic changing of driving scenarios of autonomous vehicles, an adaptive and effective attack detection and defense framework faces a considerable challenge. This paper proposes a novel real-time adaptive attack detection and defense framework based on density, which can detect and identify attacked sensors and effectively recover data. We first develop a reinforcement learning multi-armed Bandit-based Density-Based Spatial Clustering of Applications with Noise (BDBSCAN) algorithm that selects hyperparameters adaptively. The Adaptive Extended Kalman Filter (AEKF) combines with the vehicle dynamic model on the localization system and extracts data features used for the BDBSCAN algorithm to monitor potential sensor attacks. If attack detection indicates possible system compromise, AEKF is further employed on localization sensors with anomalies identified through the BDBSCAN algorithm of the attacked sensors. To ensure precision and reliability, the data recovery incorporates a redundancy mechanism to apply a decision tree to select the optimal state estimation between AEKF and Extended Kalman Filter (EKF) to replace corrupted sensor data. To evaluate the effectiveness and adaptability of the proposed framework, we conducted 15,000 experiments using the real-world KITTI and V2V4Real datasets across various driving and sensor attack scenarios. The results demonstrate that our proposed framework achieves 100% accuracy and 0% false alarm rate in various driving scenarios for attack detection within 0.15 s, with a recovery time of 0.08 s.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":null,"pages":null},"PeriodicalIF":4.8,"publicationDate":"2024-10-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142446410","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"From Dis-empowerment to empowerment: Crafting a healthcare cybersecurity self-assessment","authors":"Wendy Burke ,&nbsp;Andrew Stranieri ,&nbsp;Taiwo Oseni","doi":"10.1016/j.cose.2024.104148","DOIUrl":"10.1016/j.cose.2024.104148","url":null,"abstract":"<div><div>Due to the valuable and sensitive nature of its data, the Australian healthcare sector is increasingly targeted by cyberattacks. Existing cybersecurity evaluation methods often lack the specificity required to address the unique vulnerabilities within this sector, especially in terms of engaging stakeholders and fostering a proactive security culture. These evaluations often overlook psychological empowerment, which enhances individuals’ confidence in managing cybersecurity.</div><div>This study aims to develop a tailored cybersecurity self-assessment index for the Australian healthcare system. It will focus on enhancing psychological empowerment alongside technical assessments to improve overall sector resilience against cyber threats.</div><div>Using a design science research approach, the index was developed using expert reviews, online surveys, and in-depth interviews with key stakeholders, including healthcare providers, consumers, and government entities. This iterative process involved identifying gaps in existing cybersecurity measures and designing an index to address technical and human factors.</div><div>The index’s evaluation through a pilot study revealed that it effectively raised awareness and empowered individuals within the healthcare sector to take ownership of cybersecurity practices. Participants reported increased confidence in managing cybersecurity risks and found the index’s actionable recommendations helpful in improving their security posture. However, challenges related to its applicability across diverse healthcare environments and regulatory constraints were identified.</div><div>The Australian Healthcare Cybersecurity Self-Assessment Index shows promise as a tool for strengthening cybersecurity in the healthcare sector by integrating psychological empowerment with technical assessments. Further research is needed to refine the tool, incorporate quantitative data, and explore its scalability across different healthcare settings and global applications.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":null,"pages":null},"PeriodicalIF":4.8,"publicationDate":"2024-10-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142532338","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Advancing IoMT security: A two-factor authentication model employing PUF and Fuzzy logic techniques","authors":"Sidra Kalam,&nbsp;Ajit Kumar Keshri","doi":"10.1016/j.cose.2024.104138","DOIUrl":"10.1016/j.cose.2024.104138","url":null,"abstract":"<div><div>The rapid integration of Internet of Things technologies in healthcare has catalyzed the development of the Internet of Medical Things, markedly enhanced patient care while posing significant security risks. This paper introduces a comprehensive computational framework to safeguard Internet of Medical Things devices and healthcare providers through a sophisticated registration and authentication process. Our model incorporates cryptographic technologies such as Physical Unclonable Functions, fuzzy extractors, and hash functions to bolster the security during the registration and authentication processes for Internet of Medical Things devices and healthcare providers. The Physical Unclonable Function module enhances device security by producing unique, non-replicable responses for device authentication, significantly reinforcing the system's defense against physical and cloning attacks. Furthermore, the model leverages fuzzy logic for the real-time classification of patient health states, enhancing the decision-making accuracy. A comparative analysis confirms that our model exceeds existing models in communication cost, computational efficiency and security. The proposed scheme has been rigorously tested against various attacks using the Scyther tool. By employing a unique identifier generation method through Physical Unclonable Function and utilizing fuzzy logic for secure data transmission and patient classification, our framework addresses vulnerabilities such as man-in-the-middle, denial of service, impersonation, identity guessing, password guessing and replay attacks, which are prevalent in current Internet of Medical Things frameworks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":null,"pages":null},"PeriodicalIF":4.8,"publicationDate":"2024-10-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142442822","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"A trust model for VANETs using malicious-aware multiple routing","authors":"Xiaorui Dang ,&nbsp;Guiqi Zhang ,&nbsp;Ke Sun ,&nbsp;Yufeng Li","doi":"10.1016/j.cose.2024.104145","DOIUrl":"10.1016/j.cose.2024.104145","url":null,"abstract":"<div><div>Vehicular ad hoc networks (VANETs) enable multi-hop communication among vehicles, promoting information sharing and smarter collaborative driving. However, VANETs are facing several challenges due to the open wireless communication environment. Attackers may maliciously drop or alter packets so that the receiver cannot obtain correct information. In addition, the high mobility of vehicles may lead to link failures, consequently resulting in packet loss. In this paper, we propose a multipath-based trust model (MPTM), in which the reliability of packet transmission is guaranteed by data redundancy and the detection of potential attackers is achieved by trust evaluation. Specifically, we present a route discovery mechanism to find multiple routes that avoid potential attackers, which reduces the risk of attacks on redundant packets. The receivers identify correct information based on two factors including content consistency and route information. An attacker detection module is presented to evaluate the trustworthiness of vehicles involved in packet transmission and vehicles with trust value below a threshold are detected as attackers. We conducted extensive experiments using OMNeT++ simulation platform, considering various attack scenarios. Experiment results show that MPTM can reach 90% packet delivery ratio and effectively detect attackers in terms of 90% detection precision.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":null,"pages":null},"PeriodicalIF":4.8,"publicationDate":"2024-10-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142532336","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"Detection of cyberattack in Industrial Control Networks using multiple adaptive local kernel learning","authors":"Fei Lv ,&nbsp;Hangyu Wang ,&nbsp;Rongkang Sun ,&nbsp;Zhiwen Pan ,&nbsp;Shuaizong Si ,&nbsp;Meng Zhang ,&nbsp;Weidong Zhang ,&nbsp;Shichao Lv ,&nbsp;Limin Sun","doi":"10.1016/j.cose.2024.104152","DOIUrl":"10.1016/j.cose.2024.104152","url":null,"abstract":"<div><div>The data of Industrial Control Networks presents high-dimensional and nonlinear characteristics, making cyberattack detection a challenging problem. Multiple kernel learning (MKL) provided an attractive performance in dealing with the problem through the <em>kernel trick</em>. However, each kernel in traditional MKL usually adopts global features for high-dimensional space mapping. The local-related feature whereas, is ignored, resulting in the missing of the local implicit information. To tackle this problem, this article proposes an MKL-based cyberattack detection method combining both global and local kernels. First, information theory-based feature selection is used for local feature grouping. After that, different kinds of deep neural networks are used to generate local kernels for each group. Moreover, an adaptive method is designed for ensembling the local kernels into the global kernel during the learning process. Extensive experiments are conducted on diverse datasets and the performances are comprehensively evaluated. The results indicate that our proposed method is outstanding in the cyberattack detection of Industrial Control Networks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":null,"pages":null},"PeriodicalIF":4.8,"publicationDate":"2024-10-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142532341","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

{"title":"A Proactive Decoy Selection Scheme for Cyber Deception using MITRE ATT&CK","authors":"Marco Zambianco ,&nbsp;Claudio Facchinetti ,&nbsp;Domenico Siracusa","doi":"10.1016/j.cose.2024.104144","DOIUrl":"10.1016/j.cose.2024.104144","url":null,"abstract":"<div><div>Cyber deception allows compensating the late response of defenders countermeasures to the ever evolving tactics, techniques, and procedures (TTPs) of attackers. This proactive defense strategy employs decoys resembling legitimate system components to lure stealthy attackers within the defender environment, slowing and/or denying the accomplishment of their goals. In this regard, the selection of decoys that can expose the techniques used by malicious users plays a central role to incentivize their engagement. However, this is a difficult task to achieve in practice, since it requires an accurate and realistic modeling of the attacker capabilities and his possible targets. In this work, we tackle this challenge and we design a decoy selection scheme that is supported by an adversarial modeling based on empirical observation of real-world attackers. We take advantage of a domain-specific threat modeling language using MITRE ATT&amp;CK© framework as source of attacker TTPs targeting enterprise systems. In detail, we extract the information about the execution preconditions of each technique as well as its possible effects on the environment to generate attack graphs modeling the adversary capabilities. Based on this, we formulate a graph partition problem that minimizes the number of decoys detecting a corresponding number of techniques employed in various attack paths directed to specific targets. We compare our optimization-based decoy selection approach against several benchmark schemes that ignore the preconditions between the various attack steps. Results reveal that the proposed scheme provides the highest interception rate of attack paths using the lowest amount of decoys.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":null,"pages":null},"PeriodicalIF":4.8,"publicationDate":"2024-10-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142533348","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}