Computers & Security: Latest Articles
A Proactive Decoy Selection Scheme for Cyber Deception using MITRE ATT&CK
IF 4.8, Zone 2 (Computer Science)
Computers & Security, vol. 148, Article 104144. Pub Date: 2024-10-10. DOI: 10.1016/j.cose.2024.104144
Marco Zambianco, Claudio Facchinetti, Domenico Siracusa

Abstract: Cyber deception compensates for the late response of defenders' countermeasures to the ever-evolving tactics, techniques, and procedures (TTPs) of attackers. This proactive defense strategy employs decoys resembling legitimate system components to lure stealthy attackers within the defender's environment, slowing and/or denying the accomplishment of their goals. In this regard, the selection of decoys that can expose the techniques used by malicious users plays a central role in incentivizing their engagement. However, this is a difficult task to achieve in practice, since it requires accurate and realistic modeling of the attacker's capabilities and possible targets. In this work, we tackle this challenge and design a decoy selection scheme supported by adversarial modeling based on empirical observation of real-world attackers. We take advantage of a domain-specific threat modeling language using the MITRE ATT&CK framework as the source of attacker TTPs targeting enterprise systems. In detail, we extract information about the execution preconditions of each technique as well as its possible effects on the environment to generate attack graphs modeling the adversary's capabilities. Based on this, we formulate a graph partition problem that minimizes the number of decoys detecting a corresponding number of techniques employed in various attack paths directed at specific targets. We compare our optimization-based decoy selection approach against several benchmark schemes that ignore the preconditions between the various attack steps. Results reveal that the proposed scheme provides the highest interception rate of attack paths using the lowest number of decoys.
Citations: 0
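The abstract describes decoy selection as choosing the fewest decoys that intercept every precondition-aware attack path to a target. The following is an added illustration of that idea, not the paper's model, data or code: techniques are given constructed precondition and effect sets (the ATT&CK IDs are labels only), attack paths are enumerated from the attacker's initial capabilities, and the decoy set is computed as a minimum hitting set over those paths. The technique model, the targets and the "a decoy intercepts every path that uses its technique" assumption are all assumptions of this example.

```python
"""Decoy selection as a hitting set over precondition-aware attack paths.

Added illustration, not the paper's model or code. Assumptions: each technique
has a set of preconditions (capabilities the attacker must already hold) and a
set of effects (capabilities it grants); an attack path is a technique sequence
from the attacker's initial capabilities to a target capability; a decoy
emulating the resource a technique touches "intercepts" every path using that
technique. ATT&CK technique IDs are used as labels only; the precondition and
effect sets below are constructed for the example.
"""
from itertools import combinations

# Constructed toy model: technique -> (preconditions, effects).
TECHNIQUES = {
    "T1566": (set(), {"foothold"}),        # Phishing
    "T1190": (set(), {"foothold"}),        # Exploit Public-Facing Application
    "T1068": ({"foothold"}, {"admin"}),    # Exploitation for Privilege Escalation
    "T1552": ({"foothold"}, {"creds"}),    # Unsecured Credentials
    "T1003": ({"admin"}, {"creds"}),       # OS Credential Dumping
    "T1021": ({"creds"}, {"server"}),      # Remote Services (lateral movement)
    "T1005": ({"server"}, {"data"}),       # Data from Local System
    "T1486": ({"admin"}, {"impact"}),      # Data Encrypted for Impact
}
TARGETS = {"data", "impact"}


def attack_paths(techniques, initial, targets):
    """Enumerate technique sequences from `initial` capabilities to any target.

    A step is allowed only if its preconditions are satisfied and it grants at
    least one new capability; a path ends as soon as a target is reached.
    """
    paths = []

    def dfs(caps, path):
        for name, (pre, eff) in techniques.items():
            if name in path or not pre <= caps or eff <= caps:
                continue
            new_caps, new_path = caps | eff, path + (name,)
            if new_caps & targets:
                paths.append(new_path)
            else:
                dfs(new_caps, new_path)

    dfs(frozenset(initial), ())
    return paths


def interception_rate(paths, decoys):
    """Fraction of attack paths that touch at least one decoyed technique."""
    return sum(any(t in decoys for t in p) for p in paths) / len(paths)


def min_decoy_set(paths, candidates):
    """Exact smallest hitting set (brute force; fine at this toy scale)."""
    for k in range(1, len(candidates) + 1):
        for combo in combinations(sorted(candidates), k):
            if interception_rate(paths, set(combo)) == 1.0:
                return set(combo)
    return set()


def greedy_decoy_set(paths, candidates):
    """Greedy set cover: repeatedly decoy the technique on most uncovered paths."""
    uncovered, chosen = list(paths), set()
    while uncovered:
        best = max(sorted(candidates), key=lambda t: sum(t in p for p in uncovered))
        chosen.add(best)
        uncovered = [p for p in uncovered if best not in p]
    return chosen


if __name__ == "__main__":
    paths = attack_paths(TECHNIQUES, set(), TARGETS)
    print(f"{len(paths)} attack paths, e.g. {' -> '.join(paths[0])}")
    exact = min_decoy_set(paths, set(TECHNIQUES))
    print("exact minimum decoy set:", sorted(exact), interception_rate(paths, exact))
    print("greedy decoy set:       ", sorted(greedy_decoy_set(paths, set(TECHNIQUES))))
```

In this toy graph no single technique lies on every path, so two decoys are needed; a scheme that ignored preconditions and simply decoyed the most common technique (say T1068) would leave the credential-reuse route via T1552 uncovered, which is the interception gap the abstract's comparison is about.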
A hybrid CNN-LSTM approach for intelligent cyber intrusion detection system
IF 4.8, Zone 2 (Computer Science)
Computers & Security, vol. 148, Article 104146. Pub Date: 2024-10-09. DOI: 10.1016/j.cose.2024.104146
Sukhvinder Singh Bamber, Aditya Vardhan Reddy Katkuri, Shubham Sharma, Mohit Angurala

Abstract: As technology advances in an era of increasing digitalization, safeguarding networks from cyber threats is crucial. As cyber-attacks on critical infrastructure become more sophisticated, enhancing cyber intrusion detection systems (IDS) is imperative. This paper proposes and evaluates a deep learning-based IDS using the NSL-KDD dataset, a benchmark for intrusion detection. The system pre-processes data with Recursive Feature Elimination (RFE) and a Decision Tree classifier to identify the most significant features, optimizing model performance. Various deep learning models, including ANN, LSTM, BiLSTM, CNN-LSTM, GRU, and BiGRU, were evaluated. The CNN-LSTM model outperformed the others, with 95% accuracy, 0.89 recall, and 0.94 F1-score. These results demonstrate the effectiveness of the proposed IDS in distinguishing between malicious and benign network traffic. Future research can explore ensemble techniques such as boosting or bagging to further enhance IDS performance.
Citations: 0
Testing the limits of SPDM: Authentication of intermittently connected devices
IF 4.8, Zone 2 (Computer Science)
Computers & Security, vol. 148, Article 104142. Pub Date: 2024-10-09. DOI: 10.1016/j.cose.2024.104142
Renan C.A. Alves, Otávio F. Freitas, Bruno C. Albertini, Marcos A. Simplicio Jr.

Abstract: The Security Protocol and Data Model (SPDM) is an open standard for authentication, attestation, and key exchange among hardware units, such as CPUs and peripheral components. In principle, SPDM was designed to operate over a reasonably stable communication channel, meaning that connection losses usually require re-execution of the entire protocol. This calls into question SPDM's suitability for battery-powered devices, which may maintain only intermittent communications to save energy. To address this question, we evaluate different authentication approaches that build upon and extend SPDM's native key bootstrapping capabilities to handle intermittent authentication. In particular, we show that the combination of SPDM and a Time-based One-Time Password (TOTP) protocol is a promising solution for this scenario. We analyze the performance of the proposed authentication schemes using a proof-of-concept virtual device. The TOTP-based scheme was shown to be the fastest, the reconnection step being at least twice and up to 900× faster than straightforward applications of SPDM. Our scheme also requires less memory to operate. Finally, we discuss the possibility of integrating intermittent authentication capabilities into the SPDM standard itself.
Citations: 0
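The abstract's core idea is that a device which has already completed one full SPDM exchange can re-authenticate after a link drop with a TOTP instead of re-running the whole protocol. The following is an added example of that reconnection step, written here and not taken from the paper or from any SPDM implementation: the SPDM session secret is a constructed byte string, the key-derivation label is an assumption, and the verifier tolerates one time step of clock drift while refusing replayed or older codes, which is the property a practitioner must check before relying on TOTP over an unreliable link.

```python
"""TOTP-style reconnection on top of an SPDM-established secret.

Added illustration, not the paper's protocol or code. Assumptions: a full SPDM
handshake has already produced a session secret (here a constructed byte
string), both sides derive a dedicated reconnect key from it, and a device that
drops the link re-authenticates by sending a time-based one-time password
(RFC 6238, HMAC-SHA1) instead of re-running the whole SPDM exchange. The
derivation label is an assumption of this example; the verifier tolerates
+/-1 time step of clock drift and refuses replayed or older codes.
"""
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(key, counter)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP: HOTP over the current time-step counter."""
    return hotp(key, int(unix_time) // step, digits)


def derive_reconnect_key(session_secret: bytes) -> bytes:
    """Assumed derivation: bind the TOTP key to the SPDM session secret."""
    return hmac.new(session_secret, b"spdm-intermittent-reconnect", hashlib.sha256).digest()


class ReconnectVerifier:
    """Requester side: accepts one fresh TOTP per time step within the drift window."""

    def __init__(self, session_secret: bytes, step: int = 30, skew: int = 1):
        self.key, self.step, self.skew = derive_reconnect_key(session_secret), step, skew
        self.last_counter = -1  # highest counter already accepted (replay guard)

    def verify(self, code: str, now: int) -> bool:
        counter = int(now) // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self.last_counter:
                continue  # already used or older: reject replays and rollbacks
            if hmac.compare_digest(hotp(self.key, c), code):
                self.last_counter = c
                return True
        return False


class ReconnectingDevice:
    """Responder side: emits the current TOTP for its SPDM-derived key."""

    def __init__(self, session_secret: bytes, step: int = 30):
        self.key, self.step = derive_reconnect_key(session_secret), step

    def reconnect_token(self, now: int) -> str:
        return totp(self.key, now, self.step)


if __name__ == "__main__":
    secret = b"constructed-spdm-session-secret"  # stands in for SPDM's negotiated secret
    dev, ver = ReconnectingDevice(secret), ReconnectVerifier(secret)
    tok = dev.reconnect_token(1_700_000_000)
    print("fresh token accepted:", ver.verify(tok, 1_700_000_000))
    print("replay rejected:     ", not ver.verify(tok, 1_700_000_005))
```

The `hotp`/`totp` functions follow RFC 4226/6238 exactly and reproduce the RFC 6238 SHA-1 test vectors; the reconnect key is derived once per SPDM session, so a TOTP never authenticates a device beyond the lifetime of the session that produced it.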
ICS-LTU2022: A dataset for ICS vulnerabilities
IF 4.8, Zone 2 (Computer Science)
Computers & Security, vol. 148, Article 104143. Pub Date: 2024-10-09. DOI: 10.1016/j.cose.2024.104143
Manar Alanazi, Abdun Mahmood, Mohammad Jabed Morshed Chowdhury

Abstract: Industrial control systems (ICS) are a collection of control systems and associated instrumentation for controlling and monitoring industrial processes. Critical infrastructure relies on supervisory control and data acquisition (SCADA), a subset of ICS specifically designed for monitoring and controlling industrial processes over large geographic areas. Cyberattacks such as the Colonial Pipeline ransomware case have demonstrated how an adversary may compromise critical infrastructure: that attack led to a week-long pipeline shutdown, causing a fuel shortage in the United States. As existing vulnerability assessment tools cannot be used directly in the context of ICS, vulnerability datasets specific to ICS are needed to evaluate their security weaknesses. Our secondary dataset, ICS-LTU2022, consists of multiple features that can be used for vulnerability assessment and risk evaluation in industrial control systems. A description of the dataset, its characteristics, and data analysis are also presented. Vulnerability analysis was conducted on the top 10 vulnerabilities in terms of severity, frequency by year, impact, affected ICS components, and common weaknesses. The ICS-LTU2022 dataset is updated biannually and provides security researchers with the most recent critical ICS vulnerabilities.
Citations: 0
Dealing with uncertainty in cybersecurity decision support
IF 4.8, Zone 2 (Computer Science)
Computers & Security, vol. 148, Article 104153. Pub Date: 2024-10-09. DOI: 10.1016/j.cose.2024.104153
Yunxiao Zhang, Pasquale Malacaria

Abstract: The mathematical modeling of cybersecurity decision-making relies heavily on cybersecurity metrics. However, achieving precision in these metrics is notoriously challenging, and their inaccuracies can significantly influence model outcomes. This paper explores resilience to uncertainty in the effectiveness of security controls. We employ probabilistic attack graphs to model threats and introduce two resilient models, minmax regret and min-product of risks, comparing their performance.

Building on previous Stackelberg game models for cybersecurity, our approach leverages totally unimodular matrices and linear programming (LP) duality to provide efficient solutions. While minmax regret is a well-known approach in robust optimization, our extensive simulations indicate that, in this context, the lesser-known min-product of risks offers superior resilience.

To demonstrate the practical utility and robustness of our framework, we include a multi-dimensional decision support case study focused on home IoT cybersecurity investments, highlighting specific insights and outcomes. This study illustrates the framework's effectiveness in real-world settings.
Citations: 0
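The two decision criteria named above, minmax regret and min-product of risks, are easiest to see on a small instance. The following is an added worked example, not the paper's LP/Stackelberg formulation, its case study or its data: a constructed two-path probabilistic attack graph, a handful of controls with a budget, and three effectiveness scenarios standing in for the uncertainty in control effectiveness. Portfolios are enumerated by brute force so that both criteria can be evaluated exactly; the step probabilities, costs and scenario values are all assumptions of this example.

```python
"""Minmax regret vs. min-product of risks under uncertain control effectiveness.

Added illustration, not the paper's formulation or data. Assumptions: a tiny
probabilistic attack graph given as attack paths with per-step success
probabilities; each control lowers one step's probability by an effectiveness
factor that is uncertain, so a few scenarios are considered; the defender picks
a portfolio within a budget. Risk of a portfolio in a scenario is the
probability that at least one path succeeds. Minmax regret minimises the
worst-case gap to the scenario-optimal risk; min-product minimises the product
of risks across scenarios. All figures are constructed.
"""
from itertools import combinations
from math import prod

# Constructed attack paths and base step success probabilities.
PATHS = [("phish", "priv_esc", "exfil"), ("vpn_bug", "lateral", "exfil")]
BASE_P = {"phish": 0.6, "priv_esc": 0.5, "exfil": 0.7, "vpn_bug": 0.3, "lateral": 0.5}

# Constructed controls: name -> (cost, step it mitigates).
CONTROLS = {
    "mfa": (2, "phish"), "edr": (3, "priv_esc"), "dlp": (3, "exfil"),
    "patching": (1, "vpn_bug"), "segmentation": (2, "lateral"),
}
BUDGET = 5

# Constructed effectiveness scenarios: control -> fraction of step probability removed.
SCENARIOS = {
    "optimistic":  {"mfa": 0.9, "edr": 0.8, "dlp": 0.7, "patching": 0.95, "segmentation": 0.8},
    "nominal":     {"mfa": 0.7, "edr": 0.5, "dlp": 0.4, "patching": 0.8, "segmentation": 0.6},
    "pessimistic": {"mfa": 0.3, "edr": 0.2, "dlp": 0.1, "patching": 0.5, "segmentation": 0.3},
}


def scenario_risk(portfolio, eff):
    """P(at least one path succeeds) when each control cuts its step by eff[control]."""
    path_ps = []
    for path in PATHS:
        p = 1.0
        for step in path:
            q = BASE_P[step]
            for c in portfolio:
                if CONTROLS[c][1] == step:
                    q *= 1 - eff[c]
            p *= q
        path_ps.append(p)
    return 1 - prod(1 - p for p in path_ps)


def feasible_portfolios(budget=BUDGET):
    """All control subsets whose total cost fits the budget."""
    names = sorted(CONTROLS)
    return [frozenset(c) for k in range(len(names) + 1)
            for c in combinations(names, k)
            if sum(CONTROLS[n][0] for n in c) <= budget]


def max_regret(portfolio, portfolios):
    """Worst-case gap between this portfolio and the scenario-optimal one."""
    return max(scenario_risk(portfolio, e) - min(scenario_risk(x, e) for x in portfolios)
               for e in SCENARIOS.values())


def product_of_risks(portfolio):
    """Product of the portfolio's risk over all scenarios."""
    return prod(scenario_risk(portfolio, e) for e in SCENARIOS.values())


def choose(criterion):
    """Best feasible portfolio under 'minmax_regret' or 'min_product'."""
    ports = feasible_portfolios()
    if criterion == "minmax_regret":
        return min(ports, key=lambda x: max_regret(x, ports))
    if criterion == "min_product":
        return min(ports, key=product_of_risks)
    raise ValueError(criterion)


if __name__ == "__main__":
    ports = feasible_portfolios()
    for crit in ("minmax_regret", "min_product"):
        x = choose(crit)
        risks = {s: round(scenario_risk(x, e), 3) for s, e in SCENARIOS.items()}
        print(f"{crit:14s} -> {sorted(x)}  risks per scenario: {risks}")
```

Whether the two criteria pick the same portfolio depends on the numbers; the point of the paper's simulations is that on realistic graphs the min-product choice degrades less when the effectiveness estimates turn out to be wrong, which is exactly what the per-scenario risk printout lets you inspect.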
PenGym: Realistic training environment for reinforcement learning pentesting agents
IF 4.8, Zone 2 (Computer Science)
Computers & Security, vol. 148, Article 104140. Pub Date: 2024-10-05. DOI: 10.1016/j.cose.2024.104140
Huynh Phuong Thanh Nguyen, Kento Hasegawa, Kazuhide Fukushima, Razvan Beuran

Abstract: Penetration testing, or pentesting, refers to assessing network system security by trying to identify and exploit any existing vulnerabilities. Reinforcement Learning (RL) has recently become an effective method for creating autonomous pentesting agents. However, RL agents are typically trained in a simulated network environment, which makes deploying them in a real network infrastructure challenging because of the lack of realism of simulation-trained agents.

In this paper, we present PenGym, a framework for training pentesting RL agents in realistic network environments. The most significant features of PenGym are its support for real pentesting actions, full automation of network environment creation, and good execution performance. The results of our experiments demonstrate the advantages and effectiveness of using PenGym as a realistic training environment in comparison with a simulation approach (NASim). For the largest scenario, agents trained in the original NASim environment behaved poorly when tested in a real environment, with a high failure rate. In contrast, agents trained in PenGym successfully reached the pentesting goal in all our trials. Even after fixing logical modeling issues in the simulation to create the revised version NASim(rev.), experiment results for the largest scenario indicated that agents trained in PenGym slightly outperformed, and were more stable than, those trained in NASim(rev.): the average number of steps required to reach the pentesting goal was 1.4 to 8 steps lower for PenGym. Consequently, PenGym provides a reliable and realistic training environment for pentesting RL agents, eliminating the need to model agent actions via simulation.
Citations: 0
TIMFuser: A multi-granular fusion framework for cyber threat intelligence
IF 4.8, Zone 2 (Computer Science)
Computers & Security, vol. 148, Article 104141. Pub Date: 2024-10-04. DOI: 10.1016/j.cose.2024.104141
Chunyan Ma, Zhengwei Jiang, Kai Zhang, Zhiting Ling, Jun Jiang, Yizhe You, Peian Yang, Huamin Feng

Abstract: Cyber attack campaigns with multiple technical variants are becoming increasingly sophisticated and diverse, posing great threats to institutions and individuals alike. Cyber Threat Intelligence (CTI) offers a technical path for moving from passive to active defense against cyber attacks. To counter these attacks, security practitioners need to condense CTI from extensive sources, primarily in the form of unstructured CTI reports. Unstructured CTI reports provide detailed threat information and describe multi-step attack behaviors, which are essential for uncovering complete attack scenarios. Nevertheless, automatic analysis of unstructured CTI reports is challenging, and manual analysis is often limited to a few CTI sources. In this paper, we propose a multi-granular fusion framework for CTI from massive numbers of sources, comprising a comprehensive pipeline with six subtasks. Many current CTI extraction systems are limited to mining intelligence from a single source, which leads to a fragmented view of attack campaigns and lower value density. We fuse the attack behaviors and attack techniques of attack campaigns using improved multi-granular fusion methods and offer a comprehensive view of the attack. TIMFuser fills a critical gap in the automated analysis and fusion of multi-source CTI, especially in the multi-granularity aspect. In our evaluation on 739 real-world CTI reports from 542 sources, experimental results demonstrate that TIMFuser enables security analysts to obtain a complete view of real-world attack campaigns in terms of fused attack behaviors and attack techniques.
Citations: 0
VulTR: Software vulnerability detection model based on multi-layer key feature enhancement
IF 4.8, Zone 2 (Computer Science)
Computers & Security, vol. 148, Article 104139. Pub Date: 2024-09-29. DOI: 10.1016/j.cose.2024.104139
Haitao He, Sheng Wang, Yanmin Wang, Ke Liu, Lu Yu

Abstract: Software vulnerabilities pose a huge threat to network security and continue to lead to data leaks and system damage. To identify and patch these vulnerabilities effectively, researchers have proposed automated detection methods based on deep learning. However, most existing methods rely only on a single-dimensional data representation and fail to fully exploit the composite characteristics of code: sequence embedding methods fail to capture the structural characteristics of the code, while graph embedding methods focus more on the global characteristics of the overall graph structure and remain insufficient in optimizing the representation of individual nodes. In view of this, this paper constructs the VulTR model, which incorporates an importance assessment mechanism to strengthen the key syntactic levels of the source code (from lexical elements to nodes and graph-level structures), significantly increasing the weight of key vulnerability features in classification decisions. At the same time, a relationship connection diagram is constructed to describe the spatial characteristics of the correlations between functions. Experiments show that VulTR's F1 scores on both synthetic and real datasets exceed those of the compared models (VulDeePecker, SySeVR, Devign, VulCNN, IVDetect, and mVulPreter).
Citations: 0
ZKSA: Secure mutual Attestation against TOCTOU Zero-knowledge Proof based for IoT Devices
IF 4.8, Zone 2 (Computer Science)
Computers & Security, vol. 148, Article 104136. Pub Date: 2024-09-28. DOI: 10.1016/j.cose.2024.104136
Fenhua Bai, Zikang Wang, Kai Zeng, Chi Zhang, Tao Shen, Xiaohui Zhang, Bei Gong

Abstract: With the widespread adoption of Internet of Things (IoT) devices, remote attestation is crucial for ensuring their security. However, current schemes that require a central verifier or interactive approaches are expensive and inefficient for collaborative autonomous systems. Furthermore, the security of the software state cannot be guaranteed before or between successive attestations, leaving devices vulnerable to Time-Of-Check-Time-Of-Use (TOCTOU) attacks, as well as to confidentiality issues arising from pre-sharing software information with the verifier. Therefore, we propose Secure mutual Attestation against TOCTOU, Zero-Knowledge proof based, for IoT devices (ZKSA), which allows devices to attest each other without a central verifier, with a transparent attestation result that still preserves confidentiality. We implement a ZKSA prototype on a Raspberry Pi 3B, demonstrating its feasibility and security. Even if malware is removed before the next attestation, it is still detected, and the detection time is typically constant. Simulations show that, compared to other mutual attestation schemes such as DIAT and CFRV, ZKSA scales: when the prover attests to numerous verifier devices, ZKSA reduces the verification time from linear to constant.
Citations: 0
Reducing the risk of social engineering attacks using SOAR measures in a real world environment: A case study
IF 4.8, Zone 2 (Computer Science)
Computers & Security, vol. 148, Article 104137. Pub Date: 2024-09-28. DOI: 10.1016/j.cose.2024.104137
Sandro Waelchli, Yoshija Walter

Abstract: The global cost of successful cyberattacks is increasing annually, with a shift towards social engineering threats in recent years. Cybercriminals are increasingly targeting humans rather than technical systems, recognizing data as a critical resource, especially in the finance industry, where breaches can lead to substantial losses and reputational damage. The present case study proposes measures to reduce human susceptibility to social engineering attacks, leveraging SOAR (Security Orchestration, Automation, and Response) technology for incident response automation. The study covers various issues in cybersecurity, SOAR, and social engineering by analyzing interviews with expert practitioners in the field, addressing cybersecurity skills shortages and current cyber threats. Four social engineering vignettes were developed, representing real threats, along with specific SOAR measures implemented using Microsoft Sentinel. These measures were simulated to demonstrate their effectiveness in reducing employees' vulnerability to social engineering attacks. The risk of social engineering attacks was successfully reduced by implementing a responsive approach through the developed SOAR measures: some measures reduced the risk by locking user accounts or forcing password changes after a detected cyber incident, while another was developed for awareness enhancement. Given the current shortage of cybersecurity professionals, technologies like SOAR are becoming increasingly relevant for security teams. However, SOAR alone cannot address all challenges posed by social engineering and should be viewed as a complementary measure rather than a standalone solution.
Citations: 0
Listing via Book学术 (booksci.cn), Copyright © 2023 布克学术.