Manar Alanazi, Abdun Mahmood, Mohammad Jabed Morshed Chowdhury
{"title":"ICS-LTU2022: A dataset for ICS vulnerabilities","authors":"Manar Alanazi, Abdun Mahmood, Mohammad Jabed Morshed Chowdhury","doi":"10.1016/j.cose.2024.104143","DOIUrl":"10.1016/j.cose.2024.104143","url":null,"abstract":"<div><div>Industrial control systems (ICS) are a collection of control systems and associated instrumentation for controlling and monitoring industrial processes. Critical infrastructure relies on supervisory control and data acquisition (SCADA), a subset of ICS specifically designed for monitoring and controlling industrial processes over large geographic areas. Cyberattacks like the Colonial Pipeline ransomware case have demonstrated how an adversary may compromise critical infrastructure. The Colonial Pipeline ransomware attack led to a week’s pipeline shutdown, causing a gas shortage in the United States. As existing vulnerability assessment tools cannot be used in the context of ICS systems, vulnerability datasets specified for ICSs are needed to evaluate the security weaknesses. Our secondary metadata, ICS-LTU2022, consists of multiple features that can be used for vulnerability assessment and risk evaluation in industrial control systems. A description of the dataset, its characteristics, and data analysis are also presented in this paper. Vulnerability analysis was conducted based on the top 10 vulnerabilities in terms of severity, frequency by year, impact, components of the ICS, and common weaknesses. The ICS-LTU2022 vulnerabilities dataset is updated biannually. 
Our proposed dataset provides security researchers with the most recent ICS critical vulnerabilities.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104143"},"PeriodicalIF":4.8,"publicationDate":"2024-10-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142419454","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Dealing with uncertainty in cybersecurity decision support","authors":"Yunxiao Zhang , Pasquale Malacaria","doi":"10.1016/j.cose.2024.104153","DOIUrl":"10.1016/j.cose.2024.104153","url":null,"abstract":"<div><div>The mathematical modeling of cybersecurity decision-making heavily relies on cybersecurity metrics. However, achieving precision in these metrics is notoriously challenging, and their inaccuracies can significantly influence model outcomes. This paper explores resilience to uncertainties in the effectiveness of security controls. We employ probabilistic attack graphs to model threats and introduce two resilient models: minmax regret and min-product of risks, comparing their performance.</div><div>Building on previous Stackelberg game models for cybersecurity, our approach leverages totally unimodular matrices and linear programming (LP) duality to provide efficient solutions. While minmax regret is a well-known approach in robust optimization, our extensive simulations indicate that, in this context, the lesser-known min-product of risks offers superior resilience.</div><div>To demonstrate the practical utility and robustness of our framework, we include a multi-dimensional decision support case study focused on home IoT cybersecurity investments, highlighting specific insights and outcomes. 
This study illustrates the framework’s effectiveness in real-world settings.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104153"},"PeriodicalIF":4.8,"publicationDate":"2024-10-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142533349","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"PenGym: Realistic training environment for reinforcement learning pentesting agents","authors":"Huynh Phuong Thanh Nguyen , Kento Hasegawa , Kazuhide Fukushima , Razvan Beuran","doi":"10.1016/j.cose.2024.104140","DOIUrl":"10.1016/j.cose.2024.104140","url":null,"abstract":"<div><div>Penetration testing, or pentesting, refers to assessing network system security by trying to identify and exploit any existing vulnerabilities. Reinforcement Learning (RL) has recently become an effective method for creating autonomous pentesting agents. However, RL agents are typically trained in a simulated network environment. This can be challenging when deploying them in a real network infrastructure due to the lack of realism of the simulation-trained agents.</div><div>In this paper, we present PenGym, a framework for training pentesting RL agents in realistic network environments. The most significant features of PenGym are its support for real pentesting actions, full automation of the network environment creation, and good execution performance. The results of our experiments demonstrated the advantages and effectiveness of using PenGym as a realistic training environment in comparison with a simulation approach (NASim). For the largest scenario, agents trained in the original NASim environment behaved poorly when tested in a real environment, having a high failure rate. In contrast, agents trained in PenGym successfully reached the pentesting goal in all our trials. Even after fixing logical modeling issues in simulation to create the revised version NASim(rev.), experiment results with the largest scenario indicated that agents trained in PenGym slightly outperformed, and were more stable, than those trained in NASim(rev.). Thus, the average number of steps required to reach the pentesting goal was 1.4 to 8 steps better for PenGym. 
Consequently, PenGym provides a reliable and realistic training environment for pentesting RL agents, eliminating the need to model agent actions via simulation.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104140"},"PeriodicalIF":4.8,"publicationDate":"2024-10-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142419452","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Chunyan Ma, Zhengwei Jiang, Kai Zhang, Zhiting Ling, Jun Jiang, Yizhe You, Peian Yang, Huamin Feng
{"title":"TIMFuser: A multi-granular fusion framework for cyber threat intelligence","authors":"Chunyan Ma , Zhengwei Jiang , Kai Zhang , Zhiting Ling , Jun Jiang , Yizhe You , Peian Yang , Huamin Feng","doi":"10.1016/j.cose.2024.104141","DOIUrl":"10.1016/j.cose.2024.104141","url":null,"abstract":"<div><div>Cyber attack campaigns with multiple technical variants are becoming increasingly sophisticated and diverse, posing great threats to institutions and every individual. Cyber Threat Intelligence (CTI) offers a novel technical solution to transition from passive to active defense against cyber attacks. To counter these attacks, security practitioners need to condense CTIs from extensive CTI sources, primarily in the form of unstructured CTI reports. Unstructured CTI reports provide detailed threat information and describe multi-step attack behaviors, which are essential for uncovering complete attack scenarios. Nevertheless, automatic analysis of unstructured CTI reports is challenging. Furthermore, manual analysis is often limited to a few CTI sources. In this paper, we propose a multi-granular fusion framework for CTIs from massive CTI sources, comprising a comprehensive pipeline with six subtasks. Many current CTI extraction systems are limited by mining intelligence from a single source, thereby leading to challenges such as producing a fragmented view of attack campaigns and lower value density. We fuse the attack behaviors and attack techniques of the attack campaigns using innovative and improved multi-granular fusion methods and offer a comprehensive view of the attack. TIMFuser fills a critical gap in the automated analysis and fusion of multi-source CTIs, especially in the multi-granularity aspect. 
In our evaluation of 739 real-world CTI reports from 542 sources, experimental results demonstrate that TIMFuser can enable security analysts to obtain a complete view of real-world attack campaigns, in terms of fused attack behaviors and attack techniques.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104141"},"PeriodicalIF":4.8,"publicationDate":"2024-10-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142572052","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Haitao He, Sheng Wang, Yanmin Wang, Ke Liu, Lu Yu
{"title":"VulTR: Software vulnerability detection model based on multi-layer key feature enhancement","authors":"Haitao He , Sheng Wang , Yanmin Wang , Ke Liu , Lu Yu","doi":"10.1016/j.cose.2024.104139","DOIUrl":"10.1016/j.cose.2024.104139","url":null,"abstract":"<div><div>Software vulnerabilities pose a huge threat to current network security, which continues to lead to data leaks and system damage. In order to effectively identify and patch these vulnerabilities, researchers have proposed automated detection methods based on deep learning. However, most of the existing methods only rely on single-dimensional data representation and fail to fully explore the composite characteristics of the code. Among them, the sequence embedding method fails to effectively capture the structural characteristics of the code, while the graph embedding method focuses more on the global characteristics of the overall graph structure and is still insufficient in optimizing the representation of nodes. In view of this, this paper constructs the VulTR model, which incorporates an importance assessment mechanism to strengthen the key syntax levels of the source code (from lexical elements to nodes and graph-level structures), significantly improving the importance of key vulnerability features in classification decisions. At the same time, a relationship connection diagram is constructed to describe the spatial characteristics of the correlations between functions. 
Experimentally verified, VulTR's F1 scores on both synthetic and real data sets exceed those of the compared models (VulDeePecker, SySeVR, Devign, VulCNN, IVDetect, and mVulPreter).</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104139"},"PeriodicalIF":4.8,"publicationDate":"2024-09-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142419451","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Fenhua Bai, Zikang Wang, Kai Zeng, Chi Zhang, Tao Shen, Xiaohui Zhang, Bei Gong
{"title":"ZKSA: Secure mutual Attestation against TOCTOU Zero-knowledge Proof based for IoT Devices","authors":"Fenhua Bai , Zikang Wang , Kai Zeng , Chi Zhang , Tao Shen , Xiaohui Zhang , Bei Gong","doi":"10.1016/j.cose.2024.104136","DOIUrl":"10.1016/j.cose.2024.104136","url":null,"abstract":"<div><div>With the widespread adoption of Internet of Things (IoT) devices, remote attestation is crucial for ensuring their security. However, current schemes that require a central verifier or interactive approaches are expensive and inefficient for collaborative autonomous systems. Furthermore, the security of the software state cannot be guaranteed before or between successive attestations, leaving devices vulnerable to Time-Of-Check-Time-Of-Use (TOCTOU) attacks, as well as confidentiality issues arising from pre-sharing software information with the verifier. Therefore, we propose the Secure mutual Attestation against TOCTOU Zero-Knowledge proof based for IoT devices (ZKSA), which allows devices to mutually attest without a central verifier, and the attestation result is transparent while preserving confidentiality. We implement a ZKSA prototype on a Raspberry Pi 3B, demonstrating its feasibility and security. Even if malware is removed before the next attestation, it will be detected and the detection time is typically constant. Simulations show that compared to other schemes for mutual attestation, such as DIAT and CFRV, ZKSA exhibits scalability. 
When the prover attests to numerous verifier devices, ZKSA reduces the verification time from linear to constant.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104136"},"PeriodicalIF":4.8,"publicationDate":"2024-09-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142419450","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Reducing the risk of social engineering attacks using SOAR measures in a real world environment: A case study","authors":"Sandro Waelchli , Yoshija Walter","doi":"10.1016/j.cose.2024.104137","DOIUrl":"10.1016/j.cose.2024.104137","url":null,"abstract":"<div><div>The global cost of successful cyberattacks is increasing annually, with there being a shift towards social engineering threats in recent years. Cybercriminals are increasingly targeting humans rather than technical systems, recognizing data as a critical resource, especially in the finance industry where breaches can lead to substantial losses and reputational damage. The present case study proposes measures to reduce human susceptibility to social engineering attacks, leveraging SOAR (Security Automation, Orchestration, and Response) technology for incident response automation. The study covers various issues in cybersecurity, SOAR, and social engineering, through analyzing interviews with expert practitioners in the field, addressing cybersecurity skills shortages and current cyber threats. Four social engineering vignettes were developed, representing real threats, along with specific SOAR measures implemented using Microsoft Sentinel. These measures were simulated to demonstrate their effectiveness by reducing the employee's vulnerability to social engineering attacks. The risk of social engineering attacks was successfully reduced by implementing a responsive approach through the developed SOAR measures. Some of the measures reduced the risk by locking user accounts or forcing password changes after a detected cyber incident while another measure was developed for awareness enhancements. Given the current shortage of cybersecurity professionals, technologies like SOAR are becoming increasingly relevant for security teams. 
However, SOAR alone cannot address all challenges posed by social engineering and should be viewed as a complementary measure rather than a standalone solution.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104137"},"PeriodicalIF":4.8,"publicationDate":"2024-09-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142419453","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Mónica P. Arenas, Georgios Fotiadis, Gabriele Lenzini, Mohammadamin Rakeei
{"title":"Remote secure object authentication: Secure sketches, fuzzy extractors, and security protocols","authors":"Mónica P. Arenas, Georgios Fotiadis, Gabriele Lenzini, Mohammadamin Rakeei","doi":"10.1016/j.cose.2024.104131","DOIUrl":"10.1016/j.cose.2024.104131","url":null,"abstract":"<div><div>Coating objects with microscopic droplets of liquid crystals makes it possible to identify and authenticate objects as if they had biometric-like features: this is extremely valuable as an anti-counterfeiting measure. How to extract features from images has been studied elsewhere, but exchanging data about features is not enough if we wish to build secure cryptographic authentication protocols. What we need are authentication tokens (i.e., bitstrings), strategies to cope with noise, always present when processing images, and solutions to protect the original features so that it is impossible to reproduce them from the tokens. Secure sketches and fuzzy extractors are the cryptographic toolkits that offer these functionalities, but they must be instantiated to work with the peculiar specific features extracted from images of liquid crystals. We show how this can work and how we can obtain uniform, error-tolerant, and random strings, and how they are used to authenticate liquid crystal coated objects. Our protocol reminds an existing biometric-based protocol, but only apparently. Using the original protocol as-it-is would make the process vulnerable to an attack that exploits certain physical peculiarities of our liquid crystal coatings. Instead, our protocol is robust against the attack. We prove all our security claims formally, by modeling and verifying in Proverif, our protocol and its cryptographic schemes. 
We implement and benchmark our solution, measuring both the performance and the quality of authentication.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104131"},"PeriodicalIF":4.8,"publicationDate":"2024-09-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142356817","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Zulu Okonkwo, Ernest Foo, Zhe Hou, Qinyi Li, Zahra Jadidi
{"title":"A graph representation framework for encrypted network traffic classification","authors":"Zulu Okonkwo, Ernest Foo, Zhe Hou, Qinyi Li, Zahra Jadidi","doi":"10.1016/j.cose.2024.104134","DOIUrl":"10.1016/j.cose.2024.104134","url":null,"abstract":"<div><div>Network Traffic Classification (NTC) is crucial for ensuring internet security, but encryption presents significant challenges to this task. While Machine Learning (ML) and Deep Learning (DL) methods have shown promise, issues such as limited representativeness leading to sub-optimal generalizations and performance remain prevalent. These problems become more pronounced with advanced obfuscation, network security, and privacy technologies, indicating a need for improved model robustness. To address these issues, we focus on <em>feature extraction</em> and <em>representation</em> in NTC by leveraging the expressive power of graphs to represent network traffic at various granularity levels. By modeling network traffic as interconnected graphs, we can analyze both flow-level and packet-level data. Our graph representation method for encrypted NTC effectively preserves crucial information despite encryption and obfuscation. We enhance the robustness of our approach by using cosine similarity to exploit correlations between encrypted network flows and packets, defining relationships between abstract entities. This graph structure enables the creation of structural embeddings that accurately define network traffic across different encryption levels. Our end-to-end process demonstrates significant improvements where traditional NTC methods struggle, such as in Tor classification, which employs anonymization to further obfuscate traffic. 
Our packet-level classification approach consistently outperforms existing methods, achieving accuracies exceeding 96%.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104134"},"PeriodicalIF":4.8,"publicationDate":"2024-09-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142326768","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Beyond the west: Revealing and bridging the gap between Western and Chinese phishing website detection","authors":"Ying Yuan , Giovanni Apruzzese , Mauro Conti","doi":"10.1016/j.cose.2024.104115","DOIUrl":"10.1016/j.cose.2024.104115","url":null,"abstract":"<div><div>Phishing attacks are on the rise, and phishing <em>websites</em> are everywhere, denoting the brittleness of security mechanisms reliant on blocklists. To cope with this threat, many works proposed to enhance Phishing Website Detectors (PWD) with data-driven techniques powered by Machine Learning (ML). Despite achieving promising results both in research and practice, existing solutions mostly focus “on the West”, e.g., they consider websites in English, German, or Italian. In contrast, phishing websites targeting “Eastern” countries, such as China, have been mostly neglected—despite phishing being rampant also in this side of the world.</div><div>In this paper, we scrutinize whether current PWD can simultaneously work against Western and Chinese phishing websites. First, after highlighting the difficulties of practically testing PWD on Chinese phishing websites, we create CghPghrg—a dataset which enables assessment of PWD on Chinese websites. Then, we evaluate 72 PWD developed by industry practitioners and 10 ML-based PWD proposed in recent research on Western and Chinese websites: our results highlight that existing solutions, despite achieving low false positive rates, exhibit unacceptably low detection rates (sometimes inferior to 1%) on phishing websites of different <em>regions</em>. Next, to bridge the gap we brought to light, we elucidate the differences between Western and Chinese websites, and devise an enhanced feature set that accounts for the unique characteristics of Chinese websites. 
We empirically demonstrate the effectiveness of our proposed feature set by replicating (and testing) state-of-the-art ML-PWD: our results show a small but statistically significant improvement over the baselines. Finally, we review all our previous contributions and combine them to develop practical PWD that simultaneously work on Chinese and Western websites, achieving over 0.98 detection rate while maintaining only 0.01 false positive rate in a cross-regional setting. We openly release all our tools, disclose all our benchmark results, and also perform proof-of-concept experiments revealing that the problem tackled by our paper extends to other “Eastern” countries that have been overlooked by prior research on PWD.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104115"},"PeriodicalIF":4.8,"publicationDate":"2024-09-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142661692","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}