{"title":"Enhanced neural network-based attack investigation framework for network forensics: Identification, detection, and analysis of the attack","authors":"Sonam Bhardwaj, Mayank Dave","doi":"10.1016/j.cose.2023.103521","DOIUrl":"https://doi.org/10.1016/j.cose.2023.103521","url":null,"abstract":"<div><p>Network forensics<span> aids in the identification of distinct network-based attacks through packet-level analysis of collected network traffic. It also unveils the attacker's intentions and operations. After identification, it is inevitable to design an efficient network attack detection model. Therefore, this work modifies the generic network forensic framework for attack investigation with two primary objectives, i.e., analysis and detection of attacks. In the proposed framework, a three-level analysis is performed. First, packet-level analysis is performed to study the attack behavior. Second, a graphical analysis is completed to determine both the attack flow and whether a node is an attacker or a victim. Moreover, it also assigns a score to the node indicating the severity of the attack. Finally, forensics exploratory data analysis (FEDA) is performed to distinguish the distribution of different features during attack and normal scenarios. For attack detection, the framework uses a convolution neural network (CNN-1D). CSE-CIC-IDS2018 (CIC2018), UNSW-NB15 and CIC-Darknet2020 datasets are used to test the performance of the proposed framework, wherein it classifies distinct classes of attacks with an accuracy of 99.4%, 99.0%, and 90% on each dataset respectively. 
The results show that the proposed framework is more effective than previous works in attack detection and network traffic classification.</span></p></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"135 ","pages":"Article 103521"},"PeriodicalIF":5.6,"publicationDate":"2023-10-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"49713579","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"SGBA: A stealthy scapegoat backdoor attack against deep neural networks","authors":"Ying He, Zhili Shen, Chang Xia, Jingyu Hua, Wei Tong, Sheng Zhong","doi":"10.1016/j.cose.2023.103523","DOIUrl":"https://doi.org/10.1016/j.cose.2023.103523","url":null,"abstract":"<div><p>Outsourced deep neural networks have been demonstrated to suffer from patch-based trojan attacks, in which an adversary poisons the training sets to inject a backdoor in the obtained model so that regular inputs can be still labeled correctly while those carrying a specific trigger are falsely given a target label. Due to the severity of such attacks, many backdoor detection and containment systems have recently been proposed for deep neural networks. One major category among them are various model inspection schemes, which hope to detect backdoors before deploying models from non-trusted third-parties. In this paper, we show that such state-of-the-art schemes can be defeated by a so-called Scapegoat Backdoor Attack, which introduces a benign scapegoat trigger in data poisoning to prevent the defender from reversing the real abnormal trigger. In addition, it confines the values of network parameters within the same variances of those from a clean model during training, which further significantly enhances the difficulty of the defender to learn the differences between legal and illegal models through machine-learning approaches. Our experiments on 3 popular datasets show that it can escape detection by all five state-of-the-art model inspection schemes. 
Moreover, this attack brings almost no side-effects on the attack effectiveness and guarantees the universal feature of the trigger compared with original patch-based trojan attacks.</p></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"136 ","pages":"Article 103523"},"PeriodicalIF":5.6,"publicationDate":"2023-10-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"49711708","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"VMIFresh: Efficient and fresh caches for virtual machine introspection","authors":"Thomas Dangl , Stewart Sentanoe , Hans P. Reiser","doi":"10.1016/j.cose.2023.103527","DOIUrl":"https://doi.org/10.1016/j.cose.2023.103527","url":null,"abstract":"<div><p>Virtual machine introspection (VMI) is the process of extracting knowledge about the inner state of a virtual machine from the outside. Traditional <em>passive</em> introspection mechanisms have proved themselves ineffective in many application domains due to their low performance. As a remedy for this issue, caching at the level of the introspection application was introduced. However, this sacrificed the freshness of VMI and led to an inconsistent outside view.</p><p><span>In this work, we propose a multi-purpose hybrid caching scheme with freshness and consistency guarantees that is interleaved with the guest's MMU. This scheme can easily be integrated into existing applications and frameworks such as </span><em>libvmi</em> and <em>Volatility 3</em>. We demonstrate its feasibility by developing a prototype for such applications. Furthermore, the experimental evaluation of our approach suggests that it even significantly exceeds the performance of previous inconsistent caches.</p></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"135 ","pages":"Article 103527"},"PeriodicalIF":5.6,"publicationDate":"2023-10-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"49713582","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"You are your friends: Detecting malware via guilt-by-association and exempt-by-reputation","authors":"Pejman Najafi, Wenzel Puenter, Feng Cheng, Christoph Meinel","doi":"10.1016/j.cose.2023.103519","DOIUrl":"https://doi.org/10.1016/j.cose.2023.103519","url":null,"abstract":"<div><p>With the increase in the prevalence of Security Information and Event Management Systems (SIEMs) in today's organizations, there is a growing interest in data-driven threat detection.</p><p><span>In this research, we formulate malware detection as a large-scale graph mining and inference problem using host-level system events/logs. Our approach is built on two basic principles: </span><em>guilt-by-association</em> and <em>exempt-by-reputation</em>, with the intuition, that an adversary's resources are limited; hence, reusing infrastructures and techniques is inevitable. We present MalLink, a system that models all host-level process activities as a Heterogeneous Information Network (HIN). The HIN emphasizes shared characteristics of processes/files across the enterprise, e.g., parent/sub-processes, written/read files, loaded libraries, registry entries, and network connections. MalLink then propagates maliciousness from a set of previously known malicious entities to obtain a set of previously unknowns.</p><p>MalLink was deployed in a real-world setting, next to the SIEM system of a large international enterprise, and evaluated using 8 days (20 TB) of EDR logs collected from all endpoints within the organization. The results demonstrate high detection performance (F1-score of 0.83), particularly when manually investigating the 50 highest scored files with no prior, 37 are found malicious. 
This demonstrates MalLink's capability to detect previously unknown malicious files.</p></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"136 ","pages":"Article 103519"},"PeriodicalIF":5.6,"publicationDate":"2023-10-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"49725437","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Multi head self-attention gated graph convolutional network based multi‑attack intrusion detection in MANET","authors":"R Reka , R Karthick , R Saravana Ram , Gurkirpal Singh","doi":"10.1016/j.cose.2023.103526","DOIUrl":"https://doi.org/10.1016/j.cose.2023.103526","url":null,"abstract":"<div><p><span><span>Designing of intrusion detection system<span> (IDS), and mobile ad hoc networks (MANET) prevention technique with examined detection rate, memory consumption with minimum overhead are vital concerns. Node mobility and node energy are the two </span></span>optimization problems in MANETs wherein nodes travel uncertainly in any direction, evolving in a continuous change of topology. With the proposed approach, a Centrality Coati </span>Optimization Algorithm<span><span> based Cluster Gradient for multi attack intrusion identification is devised. This study focuses on the problems of node mobility and energy to develop a clustering algorithm<span> for cluster head selection in MANET that is incited by Dual Network Centrality. </span></span>Compact cluster<span><span> formation is carried out by Coati Optimization Algorithm (COA). The Multi-head Self-Attention based Gated Graph Convolutional Network (MSA-GCNN) with a hybrid type of IDS recognizes several attacks, including </span>DoS<span> and Zero-Day attacks. The proposed technique is implemented in NS-2 network simulator<span><span>. The performance of proposed approach is examined under some parameters, like attack detection rate, memory consumption, computational time for detecting the intruder. The outcomes display that the proposed technique decreases the IDS traffic and entire consumption of memory and sustains a higher attack identification rate with less computational time. 
The proposed technique attains 4.299 %, 10.375 % and 6.935 % Accuracy, 5.262 %, 8.375 % and 7.945 % Precision, 7.282 %, 10.365 % and 5.935 % Recall, 9.272 %, 5.355 % and 8.965 % ROC is higher compared with the existing methods such as, Epsilon Swarm Optimized Cluster Gradient along deep belief classifier for multiple attack intrusion detection<span> (ESOC-MA-ID-MANET), Intrusion Detection secure solution for intrusion detection in cloud computing utilizing hybrid </span></span>deep learning approach called EOS-IDS and improved heap optimization (IHO-MA-ID-MANET) for induction detection technique respectively.</span></span></span></span></p></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"136 ","pages":"Article 103526"},"PeriodicalIF":5.6,"publicationDate":"2023-10-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"49711503","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Evaluating the applicability of hardware trust anchors for automotive applications","authors":"Christian Plappert , Dominik Lorych , Michael Eckel , Lukas Jäger , Andreas Fuchs , Ronald Heddergott","doi":"10.1016/j.cose.2023.103514","DOIUrl":"https://doi.org/10.1016/j.cose.2023.103514","url":null,"abstract":"<div><p>The automotive trend towards autonomous driving and advanced connected services increases both complexity of the vehicle internal network and the connections to its environment. This introduced complexity further broadens the vehicle cyberattack surface.</p><p>As mitigation strategy, state-of-the-art security mechanisms utilize so-called hardware trust anchors (HTAs) to protect security-sensitive data and processes in shielded locations that are isolated utilizing hardware security mechanisms. However, there is a variety of different HTAs with different functionality and security guarantees and there is currently no work done that compares and evaluates them against current and emerging automotive requirements.</p><p>In this work, we evaluate the applicability of various HTAs to secure modern as well as upcoming future automotive applications. For this, we analyze and evaluate HTAs that are already established in the automotive field as well as promising HTAs from other domains. We extend our preliminary work (<span>Plappert et al., 2022b</span>) by increasing the range of the analyzed HTAs with solutions that are feasible for the most resource constrained automotive controllers and technologies that become feasible to be utilized by the introduction of high-performance controllers in future automotive architectures. 
We assess the different HTAs based on the evaluation criteria and in accordance to automotive requirements.</p></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"135 ","pages":"Article 103514"},"PeriodicalIF":5.6,"publicationDate":"2023-10-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"49713953","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Dynamic multi-scale topological representation for enhancing network intrusion detection","authors":"Meihui Zhong, Mingwei Lin, Zhu He","doi":"10.1016/j.cose.2023.103516","DOIUrl":"https://doi.org/10.1016/j.cose.2023.103516","url":null,"abstract":"<div><p>Network intrusion detection systems<span> (NIDS) play a crucial role in maintaining network security<span><span>. However, current NIDS techniques tend to neglect the topological structures<span> of network traffic to varying degrees. This fundamental oversight leads to challenges in handling class-imbalanced and highly dynamic network traffic. In this paper, we propose a novel dynamic multi-scale topological representation (DMTR) method for improving network intrusion detection performance. Our DMTR method achieves the perception of multi-scale topology and exhibits strong robustness. It provides accurate and stable representations even in the presence of data distribution shifts and </span></span>class imbalance problems. The multi-scale topology is obtained through multiple topology lenses, which reveal topological structures from different dimensional aspects. Furthermore, to address the limitations of existing detection models based on static network traffic, the DMTR method also achieves dynamic topological representation through our proposed group shuffle operation (GSO) strategy. When new traffic data arrives, the topological representation is updated by preserving a portion of the original information without reprocessing all data. 
Experiments on four publicly available network traffic datasets demonstrate the feasibility and effectiveness of the proposed DMTR method in handling class imbalanced and highly dynamic network traffic.</span></span></p></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"135 ","pages":"Article 103516"},"PeriodicalIF":5.6,"publicationDate":"2023-10-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"49713945","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"A framework for analyzing authentication risks in account networks","authors":"Daniela Pöhn , Nils Gruschka , Leonhard Ziegler , Andre Büttner","doi":"10.1016/j.cose.2023.103515","DOIUrl":"https://doi.org/10.1016/j.cose.2023.103515","url":null,"abstract":"<div><p><span>Our everyday life depends more and more on online services and, therefore, access to related user accounts. The security of user accounts, again, is tied to the security of the corresponding primary and fallback authentication methods. Accounts can be linked to each other – by fallback authentication, through SSO, or by using the same </span>authentication devices<span> – creating an account network. These account networks enhance login comfort and are needed in case of account recovery, but they also increase each account's attack surface. In addition, misconfigurations might result in account inaccessibility. However, these problems can only be detected by analyzing single accounts first and then the resulting account networks. Despite the importance to understand account security and accessibility, almost no analysis methods exist.</span></p><p><span>To address this need, this article presents the Authentication Analysis Framework (AAF). AAF evaluates account types and primary and fallback authentication methods for each account, before analyzing the overall account network. By detecting transitive risks, weak links can be discovered and subsequently strengthened. We further propose maturity models to rank the primary and fallback authentication methods based on risks and a description language to exchange the required information. 
AAF is implemented as a plugin for the </span>password manager KeePass to assist end users and as a standalone tool for researchers.</p></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"135 ","pages":"Article 103515"},"PeriodicalIF":5.6,"publicationDate":"2023-10-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"49714009","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Thwarting code-reuse and side-channel attacks in embedded systems","authors":"Rodothea Myrsini Tsoupidi, Elena Troubitsyna, Panagiotis Papadimitratos","doi":"10.1016/j.cose.2023.103405","DOIUrl":"https://doi.org/10.1016/j.cose.2023.103405","url":null,"abstract":"<div><p>Embedded devices are increasingly present in our everyday life. They often process critical information, and hence, rely on cryptographic protocols to achieve security. However, embedded devices remain particularly vulnerable to attackers seeking to hijack their operation and extract sensitive information by exploiting side channels and code reuse. Code-Reuse Attack (CRAs) can steer the execution of a program to malicious outcomes, altering existing on-board code without direct access to the device memory. Moreover, Side-Channel Attacks (SCAs) may reveal secret information to the attacker based on mere observation of the device. Thwarting CRAs and SCAs against embedded devices is especially challenging because embedded devices are usually resource constrained. Fine-grained code diversification can hinder CRAs by introducing uncertainty to the binary code; while software mechanisms can thwart timing or power SCAs. The resilience to either attack may come at the price of the overall efficiency. Moreover, a unified approach that preserves these mitigations against both CRAs and SCAs is not available. In this paper, we propose a novel SecDivCon approach that tackles this challenge. SecDivCon is a combinatorial compiler-based approach that combines software diversification against CRAs with software mitigations against SCAs. SecDivCon restricts the performance overhead introduced by the generated code that thwarts the attacks and hence, offers a secure-by-design approach enabling control over the performance-security trade-off. 
Our experiments, using 16 benchmark programs, show that SCA-aware diversification is effective against CRAs, while preserving SCA mitigation properties at a low, controllable overhead. Given the combinatorial nature of our approach, SecDivCon is suitable for small, performance-critical functions that are sensitive to SCAs. SecDivCon may be used as a building block to whole-program code diversification or in a re-randomization scheme of cryptographic code.</p></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"133 ","pages":"Article 103405"},"PeriodicalIF":5.6,"publicationDate":"2023-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"49711476","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"MUD-PQFed: Towards Malicious User Detection on model corruption in Privacy-preserving Quantized Federated learning","authors":"Hua Ma , Qun Li , Yifeng Zheng , Zhi Zhang , Xiaoning Liu , Yansong Gao , Said F. Al-Sarawi , Derek Abbott","doi":"10.1016/j.cose.2023.103406","DOIUrl":"https://doi.org/10.1016/j.cose.2023.103406","url":null,"abstract":"<div><p><span>The use of cryptographic privacy-preserving techniques in Federated Learning (FL) inadvertently induces a security dilemma because tampered local model parameters are encrypted and thus prevented from auditing. This work firstly demonstrates the triviality of performing model corruption attacks against privacy-preserving FL. We consider the scenario where the model updates are </span><em>quantized</em><span> to reduce the communication overhead<span>, whilst the adversary can simply provide local parameters out of a legitimate range to corrupt the model. We then propose MUD-PQFed, a protocol that can precisely detect malicious attacks<span> and enforce fair penalties on malicious clients. By deleting the contributions from the detected malicious clients, the global model utility is preserved as compared to the baseline global model in the absence of the corruption attack. 
Extensive experiments on MNIST, CIFAR-10, and CelebA benchmark datasets validate the efficacy in terms of retaining the baseline accuracy and effectiveness in terms of detecting malicious clients in a fine-grained manner.</span></span></span></p></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"133 ","pages":"Article 103406"},"PeriodicalIF":5.6,"publicationDate":"2023-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"49711499","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}