Vasilis Vouvoutsis , Fran Casino , Constantinos Patsakis
{"title":"Beyond the sandbox: Leveraging symbolic execution for evasive malware classification","authors":"Vasilis Vouvoutsis , Fran Casino , Constantinos Patsakis","doi":"10.1016/j.cose.2024.104193","DOIUrl":"10.1016/j.cose.2024.104193","url":null,"abstract":"<div><div>Threat actors continuously update their code to incorporate counter-analysis techniques designed to evade detection and hinder the blocking of their malware. The first line of defence for malware authors is often to bypass static analysis, a relatively straightforward task using readily available tools such as packers and cryptors. To address this shortcoming, defenders send potential malware samples for execution in a sandbox environment. While sandboxing can provide valuable insights into the behaviour of software on an information system, advanced techniques like anti-virtualisation and hooking evasion allow malware to escape detection. The primary objective of this work is to complement sandbox execution with symbolic execution frameworks to detect new malware strains efficiently. Symbolic execution offers a distinct advantage over sandboxing by achieving greater coverage of all possible execution traces, as it can explore every potential execution path, regardless of the evasion methods employed by the malware authors. By carefully selecting the samples to be analysed, we can significantly reduce the workload while extracting essential dynamic features in a fraction of the time and with far fewer computational resources compared to sandboxing. To this end, we leverage machine learning in an automated pipeline, enabling the accurate detection of sophisticated malware using a real-world dataset. Our approach yields average F1 scores of 0.93 for the benign class and 0.99 for the malware class in a binary classification setup, surpassing the detection rates reported in the literature. Additionally, our method outperforms a commercial malware sandbox when applied to the same dataset, further highlighting the efficacy of the proposed method.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"149 ","pages":"Article 104193"},"PeriodicalIF":4.8,"publicationDate":"2024-11-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142654826","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Shifa Shoukat , Tianhan Gao , Danish Javeed , Muhammad Shahid Saeed , Muhammad Adil
{"title":"Trust my IDS: An explainable AI integrated deep learning-based transparent threat detection system for industrial networks","authors":"Shifa Shoukat , Tianhan Gao , Danish Javeed , Muhammad Shahid Saeed , Muhammad Adil","doi":"10.1016/j.cose.2024.104191","DOIUrl":"10.1016/j.cose.2024.104191","url":null,"abstract":"<div><div>Industrial networks are vulnerable to various cyber threats that can compromise their Confidentiality, Integrity, and Availability (CIA). To counter the increasing frequency of such threats, we designed and developed an Explainable Artificial Intelligence (XAI) integrated Deep Learning (DL)-based threat detection system (XDLTDS). We first employ a Long-Short Term Memory-AutoEncoder (LSTM-AE) to encode IIoT data and mitigate inference attacks. Then, we introduce an Attention-based Gated Recurrent Unit (AGRU) with softmax for multiclass threat classification in IIoT networks. To address the black-box nature of DL-based IDS, we use the Shapley Additive Explanations (SHAP) mechanism to provide transparency and trust for the system’s decisions. This interpretation helps SOC analysts understand why specific events are flagged as malicious by the XDLTDS framework. Our approach reduces the risk of sensitive data and reputation loss. We also present a Software-Defined Networking (SDN)-based deployment architecture for the XDLTDS framework. Extensive experiments with the N-BaIoT, Edge-IIoTset, and CIC-IDS2017 datasets confirm the effectiveness of XDLTDS against existing frameworks in addressing modern cybersecurity challenges and protecting industrial networks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"149 ","pages":"Article 104191"},"PeriodicalIF":4.8,"publicationDate":"2024-11-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142654828","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Jung-San Lee , Yun-Yi Fan , Chia-Hao Cheng , Chit-Jie Chew , Chung-Wei Kuo
{"title":"ML-based intrusion detection system for precise APT cyber-clustering","authors":"Jung-San Lee , Yun-Yi Fan , Chia-Hao Cheng , Chit-Jie Chew , Chung-Wei Kuo","doi":"10.1016/j.cose.2024.104209","DOIUrl":"10.1016/j.cose.2024.104209","url":null,"abstract":"<div><div>As more and more documents are converted from hard copies to digital formats and move to cloud storage, securing data access has become a critical and emergent security concern. Without a doubt, intrusion detection system (IDS) has become the primary defense mechanism for governments and enterprises to identify network attacks. However, the emergence of Advanced Persistent Threat (APT) has brought heightened challenges for an IDS, since malicious hackers can deploy various attacks to penetrate information systems invisibly over extended periods of time. Thus, the authors aim to design a High Discrimination APT Intrusion Detection System (HDAPT-IDS); consisting of Cyber Clustering Module (CCM) and Clustering Analysis Module (CAM). CCM conducts a preliminary classification of traffic packets and utilizes the random forest algorithm to predict the main-class, while CAM selects the applicable Deep Neural Network (DNN) based on the prediction results of CCM to derive the sub-class of traffic packets as the final result. Aside from laying out a high detection rate, HDAPT-IDS can effectively reduce the number of categories during classification to achieve better performance.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"149 ","pages":"Article 104209"},"PeriodicalIF":4.8,"publicationDate":"2024-11-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142704925","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Assessing cybersecurity awareness among bank employees: A multi-stage analytical approach using PLS-SEM, ANN, and fsQCA in a developing country context","authors":"Razib Chandra Chanda , Ali Vafaei-Zadeh , Haniruzila Hanifah , Davoud Nikbin","doi":"10.1016/j.cose.2024.104208","DOIUrl":"10.1016/j.cose.2024.104208","url":null,"abstract":"<div><div>The financial sector is a prime target for cybercriminals which increases the need for banks to enhance employee cybersecurity awareness. This study examines the critical factors that enhance cybersecurity awareness among bank employees in the context of developing countries, focusing on Bangladesh. By collecting 355 valid responses through purposive sampling from bank employees across major districts, the research employs a multi-stage analytical approach that integrates Partial Least Squares Structural Equation Modeling (PLS-SEM), Artificial Neural Networks (ANN), and Fuzzy-set Qualitative Comparative Analysis (fsQCA). Findings reveal a positive correlation between response cost, information security awareness, knowledge of cyber threats, and employees' perceived threat and vulnerability, indicating their significance in shaping cybersecurity awareness. The study's methodological novelty lies in its combined use of linear and non-linear analytical techniques which optimize prediction accuracy and contribute to the robustness of cybersecurity awareness research. Its implications are vital for developing nations where technological dependence for safeguarding IT resources is critical. The outcomes highlight the need for an informed approach to cyber threat management and the promotion of cybersecurity awareness among bank employees as a shield against social engineering and other cyberattacks.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"149 ","pages":"Article 104208"},"PeriodicalIF":4.8,"publicationDate":"2024-11-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142654829","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Dongping Zhang, Mengting Wang, Yuzhen Bu, Jiabin Yu, Li Yang
{"title":"PdGAT-ID: An intrusion detection method for industrial control systems based on periodic extraction and spatiotemporal graph attention","authors":"Dongping Zhang, Mengting Wang, Yuzhen Bu, Jiabin Yu, Li Yang","doi":"10.1016/j.cose.2024.104210","DOIUrl":"10.1016/j.cose.2024.104210","url":null,"abstract":"<div><div>The stable operation of Industrial Control Systems (ICS) is critical to industrial production. However, with the advancement of industrialization and informatization, ICS face increasing security threats, particularly from cyber-attacks. As a core technology for ICS security, intrusion detection has garnered significant attention in recent years. Traditional intrusion detection methods typically rely on models constructed from network event logs, but these methods have notable limitations in capturing the spatiotemporal correlations among multiple variables (sensors/actuators) and the periodicity of data within the system. To address these challenges, this paper proposes an ICS intrusion detection method, PdGAT-ID, which integrates periodicity extraction with spatiotemporal graph attention networks. This method aggregates multi-scale periodic information from time series and utilizes spatiotemporal graph attention networks to capture the system's spatiotemporal features, thereby enhancing the accuracy and reliability of detection. Experimental results on three publicly available datasets, SWaT, WADI, and Gas Pipeline Dataset, demonstrate that PdGAT-ID performs exceptionally well in detecting abnormal behaviors and intrusion events. Specifically, its F1 score outperforms the best existing models by 1.55 % to 5.51 %, significantly improving the effectiveness and reliability of ICS anomaly detection.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"149 ","pages":"Article 104210"},"PeriodicalIF":4.8,"publicationDate":"2024-11-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142654825","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Yefei Zhang , Sadegh Torabi , Jun Yan , Chadi Assi
{"title":"Dynamic trigger-based attacks against next-generation IoT malware family classifiers","authors":"Yefei Zhang , Sadegh Torabi , Jun Yan , Chadi Assi","doi":"10.1016/j.cose.2024.104187","DOIUrl":"10.1016/j.cose.2024.104187","url":null,"abstract":"<div><div>The evolution of IoT malware and the effectiveness of defense strategies, e.g., leveraging malware family classification, have driven the development of advanced classification learning models. These models, particularly those that utilize model-extracted features, significantly enhance classification performance while minimizing the need for extensive expert knowledge from developers. However, a critical challenge lies in the interpretability of these learning models, which can obscure potential security risks. Among these risks are backdoor attacks, a sophisticated and deceptive threat where attackers induce malicious behaviors in the model under specific triggers.</div><div>In response to the growing need for integrity and reliability in these models, this work assesses the vulnerability of state-of-the-art IoT malware classification models to backdoor attacks. Given the complexities of attacking model-based classifiers, we propose a novel trigger generation framework, B-CTG, supported by a specialized training procedure. This framework enables B-CTG to dynamically poison or attack samples to achieve specific objectives. From an attacker’s perspective, the design and training of B-CTG incorporate knowledge from the IoT domain to ensure the attack’s effectiveness. We conduct experiments under two distinct knowledge assumptions: the main evaluation, which assesses the attack method’s performance when the attacker has limited control over the model training pipeline, and the transferred setting, which further explores the significance of knowledge in predicting attacks in real-world scenarios.</div><div>Our in-depth analysis focuses on attack performance in specific scenarios rather than a broad examination across multiple scenarios. Results from the main evaluation demonstrate that the proposed attack strategy can achieve high success rates even with low poisoning ratios, though stability remains a concern. Additionally, the inconsistent trends in model performance suggest that designers may struggle to detect the poisoned state of a model based on its performance alone. The transferred setting highlights the critical importance of model and feature knowledge for successful attack predictions, with feature knowledge proving particularly crucial. This insight prompts further investigation into model-agnostic mitigation methods and their effectiveness against the proposed attack strategy, with findings indicating that stability remains a significant concern for both attackers and defenders.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"149 ","pages":"Article 104187"},"PeriodicalIF":4.8,"publicationDate":"2024-11-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142654827","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Hyper attack graph: Constructing a hypergraph for cyber threat intelligence analysis","authors":"Junbo Jia , Li Yang , Yuchen Wang , Anyuan Sang","doi":"10.1016/j.cose.2024.104194","DOIUrl":"10.1016/j.cose.2024.104194","url":null,"abstract":"<div><div>Cybersecurity experts are actively exploring and implementing automated technologies to extract and present attack information from Cyber Threat Intelligence. However, there are multiple relations among security entities within Cyber Threat Intelligence, a feature that existing technologies often overlook. Additionally, integrating external security knowledge into cyber threat intelligence intuitively during analysis and presentation poses challenges. We propose the Hyper Attack Graph (HAG) framework, the first work to apply hypergraph data structures in the analysis of cyber threat intelligence. Our approach uses a joint extraction model that incorporates a multi-head selection mechanism, effectively addressing the extraction of multiple relations among security entities. We use hypergraph to display tactics and techniques in cyber threat intelligence. Our evaluation of the HAG framework on 685 real-world cyber threat intelligence reports shows an increase in the F1 score for security entity extraction by 11.12% and for relation extraction by 6.71% over existing efforts. Furthermore, HAG’s ability to visually represent external security knowledge on hypergraphs demonstrates its potential as a valuable tool in cybersecurity analysis.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"149 ","pages":"Article 104194"},"PeriodicalIF":4.8,"publicationDate":"2024-11-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142704924","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Uzma Kiran , Naurin Farooq Khan , Hajra Murtaza , Ali Farooq , Henri Pirkkalainen
{"title":"Explanatory and predictive modeling of cybersecurity behaviors using protection motivation theory","authors":"Uzma Kiran , Naurin Farooq Khan , Hajra Murtaza , Ali Farooq , Henri Pirkkalainen","doi":"10.1016/j.cose.2024.104204","DOIUrl":"10.1016/j.cose.2024.104204","url":null,"abstract":"<div><h3>Context</h3><div>Protection motivation theory (PMT) is the most frequently used theory in understanding cyber security behaviors. However, most studies have used a cross-sectional design with symmetrical analysis techniques such as structure equation modeling (SEM) and regression. A data-driven approach, such as predictive modeling, is lacking and can potentially evaluate and validate the predictive power of PMT for cybersecurity behaviors.</div></div><div><h3>Objective</h3><div>The objective of this study is to assess the explanatory and predictive power of PMT for cyber security behaviors related to computers and smartphone.</div></div><div><h3>Method</h3><div>An online survey was employed to collect data from 1027 participants. The relationship of security behaviors with <em>threat appraisal (severity and vulnerability)</em> and <em>coping appraisal (response efficacy, self-efficacy and response cost)</em> components were tested via explanatory and predictive modeling. Explanatory modeling was employed via SEM, whereas three machine learning algorithms, namely Decision Tree (DT), Support Vector Machine (SVM), and K Nearest Neighbor (KNN) were used for predictive modeling. Wrapper feature selection was employed to understand the most important factors of PMT in predictive modeling.</div></div><div><h3>Results</h3><div>The results revealed that the <em>threat severity</em> from the <em>threat appraisal</em> component of PMT significantly influenced computer security and smartphone security behaviors. From the <em>coping appraisal, response efficacy</em> and <em>self-efficacy</em> significantly influenced computer and smartphone security behaviors. The ML analysis showed that the highest predictive power of PMT for computer security was 76 % and for smartphone security 68 % by KNN algorithm. The wrapper feature selection approach revealed that <em>the most important features in predicting security behaviors are self-efficacy, response efficacy and intention to secure device</em>s. Thus, the findings indicate the complementarity of the cross-sectional and data driven methods.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"149 ","pages":"Article 104204"},"PeriodicalIF":4.8,"publicationDate":"2024-11-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142654820","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Samuel Ansong, Windhya Rankothge, Somayeh Sadeghi, Hesamodin Mohammadian, Farrukh Bin Rashid, Ali Ghorbani
{"title":"Role of cybersecurity for a secure global communication eco-system: A comprehensive cyber risk assessment for satellite communications","authors":"Samuel Ansong, Windhya Rankothge, Somayeh Sadeghi, Hesamodin Mohammadian, Farrukh Bin Rashid, Ali Ghorbani","doi":"10.1016/j.cose.2024.104156","DOIUrl":"10.1016/j.cose.2024.104156","url":null,"abstract":"<div><div>In an age where global connectivity has become pivotal to socio-economic development, satellite communication (SATCOM) systems have become the backbone of modern telecommunication infrastructure. However, the increasing reliance on SATCOM also elevates the potential impact of cyber threats. Cyber risk assessment is a critical component of any satellite communications risk management strategy. It plays a pivotal role in identifying and managing risks to satellite communications, which helps stakeholders isolate the most critical threats and select the appropriate cybersecurity measures. To the best of our knowledge, the field of satellite communications lacks an established framework for cyber risk assessment. Moreover, previous research work has focused only on a limited number of security threats and categories. Therefore, in this paper, we propose a comprehensive risk assessment methodology to qualitatively assess the risk associated with satellite communications cyber threats, following the NIST special publication 800-30: Guide for Conducting Risk Assessments. We analyze existing literature and real-world scenarios to identify potential satellite communications cyber threats and employ the STRIDE threat model for threat modeling. We validate the proposed methodology by performing a risk assessment for the cyber threats identified. Finally, we discuss existing challenges and open research problems for satellite communications cyber risk assessment.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"149 ","pages":"Article 104156"},"PeriodicalIF":4.8,"publicationDate":"2024-11-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142654824","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Zhiyuan Li , Lingbin Bu , Yifan Wang , Qiming Ma , Lin Tan , Fanliang Bu
{"title":"Hierarchical Perception for Encrypted Traffic Classification via Class Incremental Learning","authors":"Zhiyuan Li , Lingbin Bu , Yifan Wang , Qiming Ma , Lin Tan , Fanliang Bu","doi":"10.1016/j.cose.2024.104195","DOIUrl":"10.1016/j.cose.2024.104195","url":null,"abstract":"<div><div>The rapid evolution of internet technology has resulted in an ongoing update of the types of encrypted network traffic. Therefore, efficient Encrypted Traffic Classification (ETC) is of significant importance for the security of user data and computer systems. Incremental Learning (IL) strategies for ETC methods allow them to evolve with the network environment, achieving remarkable results in real-world scenarios. However, existing IL frameworks for ETC tasks face issues of low computational efficiency and insufficient incremental capability, making it difficult to achieve satisfactory performance. In this work, we introduce an incremental ETC scheme, HCA-Net, which uses hierarchical perception to evolve with traffic flows. We design a feature-reweighted Depthwise separable convolution that ensures computational efficiency without compromising feature extraction capabilities. Additionally, our IL framework comprises a carefully constructed contrastive loss and a representative exemplar selection strategy, enabling the distillation of knowledge from learning old traffic categories to the parameters of learning new knowledge, mitigating the inevitable catastrophic forgetting problem in IL methods. Comprehensive experimental results on three public datasets show that our scheme outperforms the state-of-the-art methods, demonstrating exceptional performance in ETC tasks. By acquiring specific traffic samples at each training stage, our approach achieves incremental ETC, showcasing robust incremental capability and computational efficiency.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"149 ","pages":"Article 104195"},"PeriodicalIF":4.8,"publicationDate":"2024-11-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142654823","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}