{"title":"A hybrid CNN-LSTM approach for intelligent cyber intrusion detection system","authors":"Sukhvinder Singh Bamber , Aditya Vardhan Reddy Katkuri , Shubham Sharma , Mohit Angurala","doi":"10.1016/j.cose.2024.104146","DOIUrl":"10.1016/j.cose.2024.104146","url":null,"abstract":"<div><div>As the technology is advancing more and more in the era of increasing digitalization, safeguarding networks from cyber threats is crucial. As cyber-attacks on critical infrastructure are becoming more and more sophisticated, enhancing cyber intrusion detection systems (IDS) is imperative. This paper proposes and evaluates a deep learning-based IDS using the NSL-KDD dataset, a benchmark for intrusion detection. The system pre-processes data with Recursive Feature Elimination (RFE) and a Decision Tree classifier to identify the most significant features, optimizing model performance. Various deep learning models, including ANN, LSTM, BiLSTM, CNN-LSTM, GRU, and BiGRU, have been evaluated. The CNN-LSTM model outperformed the others, with 95 % accuracy, 0.89 recall, and 0.94 f1-score. These results prove the effectiveness of the proposed IDS in accurately distinguishing between malicious and benign network traffic. Future research can explore ensemble techniques like boosting or bagging to further enhance IDS performance.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104146"},"PeriodicalIF":4.8,"publicationDate":"2024-10-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142442823","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Renan C.A. Alves, Otávio F. Freitas, Bruno C. Albertini, Marcos A. Simplicio Jr.
{"title":"Testing the limits of SPDM: Authentication of intermittently connected devices","authors":"Renan C.A. Alves, Otávio F. Freitas, Bruno C. Albertini, Marcos A. Simplicio Jr.","doi":"10.1016/j.cose.2024.104142","DOIUrl":"10.1016/j.cose.2024.104142","url":null,"abstract":"<div><div>The Security Protocol and Data Model (SPDM) is an open standard for authentication, attestation, and key exchange among hardware units, such as CPUs and peripheral components. In principle, SPDM was designed to operate over a somewhat stable communication channel, meaning that connection losses usually require the re-execution of the entire protocol. This puts into question SPDM’s suitability for battery-powered devices, which may keep only intermittent communications aiming to save energy. To address this question, we evaluate different authentication approaches that build upon and extend SPDM’s native key bootstrapping capabilities to handle intermittent authentication. In particular, we show that the combination of SPDM and a Time-based One-Time Password (TOTP) protocol is a promising solution for this scenario. We analyze the performance of the proposed authentication schemes using a proof-of-concept virtual device. The TOTP-based scheme was shown to be the fastest, the reconnection step being at least twice and up to <span><math><mrow><mn>900</mn><mo>×</mo></mrow></math></span> faster than possible straightforward applications of SPDM. Also, our scheme requires less memory to operate. Finally, we discuss the possibility of integrating intermittent authentication capabilities into the SPDM standard itself.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104142"},"PeriodicalIF":4.8,"publicationDate":"2024-10-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142438345","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Manar Alanazi, Abdun Mahmood, Mohammad Jabed Morshed Chowdhury
{"title":"ICS-LTU2022: A dataset for ICS vulnerabilities","authors":"Manar Alanazi, Abdun Mahmood, Mohammad Jabed Morshed Chowdhury","doi":"10.1016/j.cose.2024.104143","DOIUrl":"10.1016/j.cose.2024.104143","url":null,"abstract":"<div><div>Industrial control systems (ICS) are a collection of control systems and associated instrumentation for controlling and monitoring industrial processes. Critical infrastructure relies on supervisory control and data acquisition (SCADA), a subset of ICS specifically designed for monitoring and controlling industrial processes over large geographic areas. Cyberattacks like the Colonial Pipeline ransomware case have demonstrated how an adversary may compromise critical infrastructure. The Colonial Pipeline ransomware attack led to a week’s pipeline shutdown, causing a gas shortage in the United States. As existing vulnerability assessment tools cannot be used in the context of ICS systems, vulnerability datasets specified for ICSs are needed to evaluate the security weaknesses. Our secondary metadata, ICS-LTU2022, consists of multiple features that can be used for vulnerability assessment and risk evaluation in industrial control systems. A description of the dataset, its characteristics, and data analysis are also presented in this paper. Vulnerability analysis was conducted based on the top 10 vulnerabilities in terms of severity, frequency by year, impact, components of the ICS, and common weaknesses. The ICS-LTU2022 vulnerabilities dataset is updated biannually. Our proposed dataset provides security researchers with the most recent ICS critical vulnerabilities.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104143"},"PeriodicalIF":4.8,"publicationDate":"2024-10-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142419454","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Dealing with uncertainty in cybersecurity decision support","authors":"Yunxiao Zhang , Pasquale Malacaria","doi":"10.1016/j.cose.2024.104153","DOIUrl":"10.1016/j.cose.2024.104153","url":null,"abstract":"<div><div>The mathematical modeling of cybersecurity decision-making heavily relies on cybersecurity metrics. However, achieving precision in these metrics is notoriously challenging, and their inaccuracies can significantly influence model outcomes. This paper explores resilience to uncertainties in the effectiveness of security controls. We employ probabilistic attack graphs to model threats and introduce two resilient models: minmax regret and min-product of risks, comparing their performance.</div><div>Building on previous Stackelberg game models for cybersecurity, our approach leverages totally unimodular matrices and linear programming (LP) duality to provide efficient solutions. While minmax regret is a well-known approach in robust optimization, our extensive simulations indicate that, in this context, the lesser-known min-product of risks offers superior resilience.</div><div>To demonstrate the practical utility and robustness of our framework, we include a multi-dimensional decision support case study focused on home IoT cybersecurity investments, highlighting specific insights and outcomes. This study illustrates the framework’s effectiveness in real-world settings.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104153"},"PeriodicalIF":4.8,"publicationDate":"2024-10-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142533349","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"PenGym: Realistic training environment for reinforcement learning pentesting agents","authors":"Huynh Phuong Thanh Nguyen , Kento Hasegawa , Kazuhide Fukushima , Razvan Beuran","doi":"10.1016/j.cose.2024.104140","DOIUrl":"10.1016/j.cose.2024.104140","url":null,"abstract":"<div><div>Penetration testing, or pentesting, refers to assessing network system security by trying to identify and exploit any existing vulnerabilities. Reinforcement Learning (RL) has recently become an effective method for creating autonomous pentesting agents. However, RL agents are typically trained in a simulated network environment. This can be challenging when deploying them in a real network infrastructure due to the lack of realism of the simulation-trained agents.</div><div>In this paper, we present PenGym, a framework for training pentesting RL agents in realistic network environments. The most significant features of PenGym are its support for real pentesting actions, full automation of the network environment creation, and good execution performance. The results of our experiments demonstrated the advantages and effectiveness of using PenGym as a realistic training environment in comparison with a simulation approach (NASim). For the largest scenario, agents trained in the original NASim environment behaved poorly when tested in a real environment, having a high failure rate. In contrast, agents trained in PenGym successfully reached the pentesting goal in all our trials. Even after fixing logical modeling issues in simulation to create the revised version NASim(rev.), experiment results with the largest scenario indicated that agents trained in PenGym slightly outperformed, and were more stable, than those trained in NASim(rev.). Thus, the average number of steps required to reach the pentesting goal was 1.4 to 8 steps better for PenGym. Consequently, PenGym provides a reliable and realistic training environment for pentesting RL agents, eliminating the need to model agent actions via simulation.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104140"},"PeriodicalIF":4.8,"publicationDate":"2024-10-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142419452","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Chunyan Ma , Zhengwei Jiang , Kai Zhang , Zhiting Ling , Jun Jiang , Yizhe You , Peian Yang , Huamin Feng
{"title":"TIMFuser: A multi-granular fusion framework for cyber threat intelligence","authors":"Chunyan Ma , Zhengwei Jiang , Kai Zhang , Zhiting Ling , Jun Jiang , Yizhe You , Peian Yang , Huamin Feng","doi":"10.1016/j.cose.2024.104141","DOIUrl":"10.1016/j.cose.2024.104141","url":null,"abstract":"<div><div>Cyber attack campaigns with multiple technical variants are becoming increasingly sophisticated and diverse, posing great threats to institutions and every individual. Cyber Threat Intelligence (CTI) offers a novel technical solution to transition from passive to active defense against cyber attacks. To counter these attacks, security practitioners need to condense CTIs from extensive CTI sources, primarily in the form of unstructured CTI reports. Unstructured CTI reports provide detailed threat information and describe multi-step attack behaviors, which are essential for uncovering complete attack scenarios. Nevertheless, automatic analysis of unstructured CTI reports is challenging. Furthermore, manual analysis is often limited to a few CTI sources. In this paper, we propose a multi-granular fusion framework for CTIs from massive CTI sources, comprising a comprehensive pipeline with six subtasks. Many current CTI extraction systems are limited by mining intelligence from a single source, thereby leading to challenges such as producing a fragmented view of attack campaigns and lower value density. We fuse the attack behaviors and attack techniques of the attack campaigns using innovative and improved multi-granular fusion methods and offer a comprehensive view of the attack. TIMFuser fills a critical gap in the automated analysis and fusion of multi-source CTIs, especially in the multi-granularity aspect. In our evaluation of 739 real-world CTI reports from 542 sources, experimental results demonstrate that TIMFuser can enable security analysts to obtain a complete view of real-world attack campaigns, in terms of fused attack behaviors and attack techniques.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104141"},"PeriodicalIF":4.8,"publicationDate":"2024-10-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142572052","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Haitao He , Sheng Wang , Yanmin Wang , Ke Liu , Lu Yu
{"title":"VulTR: Software vulnerability detection model based on multi-layer key feature enhancement","authors":"Haitao He , Sheng Wang , Yanmin Wang , Ke Liu , Lu Yu","doi":"10.1016/j.cose.2024.104139","DOIUrl":"10.1016/j.cose.2024.104139","url":null,"abstract":"<div><div>Software vulnerabilities pose a huge threat to current network security, which continues to lead to data leaks and system damage. In order to effectively identify and patch these vulnerabilities, researchers have proposed automated detection methods based on deep learning. However, most of the existing methods only rely on single-dimensional data representation and fail to fully explore the composite characteristics of the code. Among them, the sequence embedding method fails to effectively capture the structural characteristics of the code, while the graph embedding method focuses more on the global characteristics of the overall graph structure and is still insufficient in optimizing the representation of nodes. In view of this, this paper constructs the VulTR model, which incorporates an importance assessment mechanism to strengthen the key syntax levels of the source code (from lexical elements to nodes and graph-level structures), significantly improving the importance of key vulnerability features in classification decisions. At the same time, a relationship connection diagram is constructed to describe the spatial characteristics of the correlations between functions. Experimentally verified, VulTR's F1 scores on both synthetic and real data sets exceed those of the compared models (VulDeePecker, SySeVR, Devign, VulCNN, IVDetect, and mVulPreter).</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104139"},"PeriodicalIF":4.8,"publicationDate":"2024-09-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142419451","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Fenhua Bai , Zikang Wang , Kai Zeng , Chi Zhang , Tao Shen , Xiaohui Zhang , Bei Gong
{"title":"ZKSA: Secure mutual Attestation against TOCTOU Zero-knowledge Proof based for IoT Devices","authors":"Fenhua Bai , Zikang Wang , Kai Zeng , Chi Zhang , Tao Shen , Xiaohui Zhang , Bei Gong","doi":"10.1016/j.cose.2024.104136","DOIUrl":"10.1016/j.cose.2024.104136","url":null,"abstract":"<div><div>With the widespread adoption of Internet of Things (IoT) devices, remote attestation is crucial for ensuring their security. However, current schemes that require a central verifier or interactive approaches are expensive and inefficient for collaborative autonomous systems. Furthermore, the security of the software state cannot be guaranteed before or between successive attestations, leaving devices vulnerable to Time-Of-Check-Time-Of-Use (TOCTOU) attacks, as well as confidentiality issues arising from pre-sharing software information with the verifier. Therefore, we propose the Secure mutual Attestation against TOCTOU Zero-Knowledge proof based for IoT devices (ZKSA), which allows devices to mutually attest without a central verifier, and the attestation result is transparent while preserving confidentiality. We implement a ZKSA prototype on a Raspberry Pi 3B, demonstrating its feasibility and security. Even if malware is removed before the next attestation, it will be detected and the detection time is typically constant. Simulations show that compared to other schemes for mutual attestation, such as DIAT and CFRV, ZKSA exhibits scalability. When the prover attests to numerous verifier devices, ZKSA reduces the verification time from linear to constant.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104136"},"PeriodicalIF":4.8,"publicationDate":"2024-09-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142419450","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Reducing the risk of social engineering attacks using SOAR measures in a real world environment: A case study","authors":"Sandro Waelchli , Yoshija Walter","doi":"10.1016/j.cose.2024.104137","DOIUrl":"10.1016/j.cose.2024.104137","url":null,"abstract":"<div><div>The global cost of successful cyberattacks is increasing annually, with there being a shift towards social engineering threats in recent years. Cybercriminals are increasingly targeting humans rather than technical systems, recognizing data as a critical resource, especially in the finance industry where breaches can lead to substantial losses and reputational damage. The present case study proposes measures to reduce human susceptibility to social engineering attacks, leveraging SOAR (Security Automation, Orchestration, and Response) technology for incident response automation. The study covers various issues in cybersecurity, SOAR, and social engineering, through analyzing interviews with expert practitioners in the field, addressing cybersecurity skills shortages and current cyber threats. Four social engineering vignettes were developed, representing real threats, along with specific SOAR measures implemented using Microsoft Sentinel. These measures were simulated to demonstrate their effectiveness by reducing the employee's vulnerability to social engineering attacks. The risk of social engineering attacks was successfully reduced by implementing a responsive approach through the developed SOAR measures. Some of the measures reduced the risk by locking user accounts or forcing password changes after a detected cyber incident while another measure was developed for awareness enhancements. Given the current shortage of cybersecurity professionals, technologies like SOAR are becoming increasingly relevant for security teams. However, SOAR alone cannot address all challenges posed by social engineering and should be viewed as a complementary measure rather than a standalone solution.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104137"},"PeriodicalIF":4.8,"publicationDate":"2024-09-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142419453","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Mónica P. Arenas, Georgios Fotiadis, Gabriele Lenzini, Mohammadamin Rakeei
{"title":"Remote secure object authentication: Secure sketches, fuzzy extractors, and security protocols","authors":"Mónica P. Arenas, Georgios Fotiadis, Gabriele Lenzini, Mohammadamin Rakeei","doi":"10.1016/j.cose.2024.104131","DOIUrl":"10.1016/j.cose.2024.104131","url":null,"abstract":"<div><div>Coating objects with microscopic droplets of liquid crystals makes it possible to identify and authenticate objects as if they had biometric-like features: this is extremely valuable as an anti-counterfeiting measure. How to extract features from images has been studied elsewhere, but exchanging data about features is not enough if we wish to build secure cryptographic authentication protocols. What we need are authentication tokens (i.e., bitstrings), strategies to cope with noise, always present when processing images, and solutions to protect the original features so that it is impossible to reproduce them from the tokens. Secure sketches and fuzzy extractors are the cryptographic toolkits that offer these functionalities, but they must be instantiated to work with the peculiar specific features extracted from images of liquid crystals. We show how this can work and how we can obtain uniform, error-tolerant, and random strings, and how they are used to authenticate liquid crystal coated objects. Our protocol reminds an existing biometric-based protocol, but only apparently. Using the original protocol as-it-is would make the process vulnerable to an attack that exploits certain physical peculiarities of our liquid crystal coatings. Instead, our protocol is robust against the attack. We prove all our security claims formally, by modeling and verifying in Proverif, our protocol and its cryptographic schemes. We implement and benchmark our solution, measuring both the performance and the quality of authentication.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104131"},"PeriodicalIF":4.8,"publicationDate":"2024-09-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"142356817","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}