Journal articles
349 articles found
1. A Review of Hybrid Cyber Threats Modelling and Detection Using Artificial Intelligence in IIoT (cited by: 1)
Authors: Yifan Liu, Shancang Li, Xinheng Wang, Li Xu. Computer Modeling in Engineering & Sciences (SCIE, EI), 2024, Issue 8, pp. 1233-1261 (29 pages)
The Industrial Internet of Things (IIoT) has brought numerous benefits, such as improved efficiency, smart analytics, and increased automation. However, it also exposes connected devices, users, applications, and data generated to cyber security threats that need to be addressed. This work investigates hybrid cyber threats (HCTs), which are now working on an entirely new level with the increasingly adopted IIoT. This work focuses on emerging methods to model, detect, and defend against hybrid cyber attacks using machine learning (ML) techniques. Specifically, a novel ML-based HCT modelling and analysis framework was proposed, in which L1 regularisation and Random Forest were used to cluster features and analyse the importance and impact of each feature in both individual threats and HCTs. A grey relation analysis-based model was employed to construct the correlation between IIoT components and different threats.
Keywords: cyber security; Industrial Internet of Things; artificial intelligence; machine learning algorithms; hybrid cyber threats
2. Beyond Defense: Proactive Approaches to Disaster Recovery and Threat Intelligence in Modern Enterprises
Authors: Meysam Tahmasebi. Journal of Information Security, 2024, Issue 2, pp. 106-133 (28 pages)
As cyber threats keep changing and business environments adapt, a comprehensive approach to disaster recovery involves more than just defensive measures. This research delves deep into the strategies required to respond to threats and anticipate and mitigate them proactively. Beginning with understanding the critical need for a layered defense and the intricacies of the attacker's journey, the research offers insights into specialized defense techniques, emphasizing the importance of timely and strategic responses during incidents. Risk management is brought to the forefront, underscoring businesses' need to adopt mature risk assessment practices and understand the potential risk impact areas. Additionally, the value of threat intelligence is explored, shedding light on the importance of active engagement within sharing communities and the vigilant observation of adversary motivations. "Beyond Defense: Proactive Approaches to Disaster Recovery and Threat Intelligence in Modern Enterprises" is a comprehensive guide for organizations aiming to fortify their cybersecurity posture, marrying best practices in proactive and reactive measures in the ever-challenging digital realm.
Keywords: Advanced Persistent Threats (APT); attack phases; attack surface; defense-in-depth; Disaster Recovery (DR); Incident Response Plan (IRP); Intrusion Detection Systems (IDS); Intrusion Prevention System (IPS); Key Risk Indicator (KRI); layered defense; Lockheed Martin Kill Chain; proactive defense; redundancy; risk management; threat intelligence
3. Analysis and Simulations of Open-Source Intelligence Process System Dynamics from User's Perspective (cited by: 1)
Authors: Huan Liu, Zhenyu Tang, Ning Zhao, Wei Qian. Computer Modeling in Engineering & Sciences (SCIE, EI), 2023, Issue 1, pp. 541-558 (18 pages)
In today's society with advanced Internet, the amount of information increases dramatically with each passing day, which leads to increasingly complex processes of open-source intelligence. Therefore, it is more important to rationalize the operation mode and improve the operation efficiency of open-source intelligence under the premise of satisfying users' needs. This paper focuses on the simulation study of the process system of open-source intelligence from the user's perspective. First, the basic concept and development status of open-source intelligence are introduced in detail. Second, six existing intelligence operation process models are summarized and their advantages and disadvantages are compared in focus. Based on users' preference, the open-source intelligence system simulation theory model is constructed from four aspects: intelligence collection, intelligence processing, intelligence analysis, and intelligence delivery. Meanwhile, the dynamics model of the open-source intelligence process system is constructed based on the open-source intelligence system simulation theoretical model, which specifically includes five parts: determination of system boundary, construction of causal loop diagram, construction of stock flow diagram, writing of mathematical equations, and system sensitivity test. Finally, the system simulation results were analyzed. It was found that improving the system of intelligence agencies, opening up government affairs, improving the professional level of intelligence personnel, strengthening the communication and cooperation among personnel of various intelligence departments, and expressing intelligence products through diverse forms can effectively improve the operational efficiency of the open-source intelligence process system.
Keywords: open-source intelligence; system dynamics; feedback; user demand deviation
4. Network Security Situation Awareness Framework based on Threat Intelligence (cited by: 3)
Authors: Hongbin Zhang, Yuzi Yi, Junshe Wang, Ning Cao, Qiang Duan. Computers, Materials & Continua (SCIE, EI), 2018, Issue 9, pp. 381-399 (19 pages)
Network security situation awareness is an important foundation for network security management, which presents the target system security status by analyzing existing or potential cyber threats in the target system. In network offense and defense, the network security state of the target system will be affected by both offensive and defensive strategies. According to this feature, this paper proposes a network security situation awareness method using a stochastic game in a cloud computing environment, and uses the utility of both sides of the game to quantify the network security situation value. This method analyzes the nodes based on the network security state of the target virtual machine and uses the virtual machine introspection mechanism to obtain the impact of network attacks on the target virtual machine, then dynamically evaluates the network security situation of the cloud environment based on the game process of both attack and defense. In attack prediction, cyber threat intelligence is used as an important basis for potential threat analysis. Cyber threat intelligence that is applicable to the current security state is screened through the system hierarchy fuzzy optimization method, and the potential threat of the target system is analyzed using the cyber threat intelligence obtained through screening. If there is no applicable cyber threat intelligence, the Nash equilibrium is used to make predictions for the attack behavior. The experimental results show that the network security situation awareness method proposed in this paper can accurately reflect the changes in the network security situation and make predictions on the attack behavior.
Keywords: situation awareness; stochastic game; cloud computing; virtual machine introspection; cyber threat intelligence; Nash equilibrium
5. Research on University's Cyber Threat Intelligence Sharing Platform Based on New Types of STIX and TAXII Standards (cited by: 1)
Authors: Gang Wang, Yuanzhi Huo, Zhao Ma Ma. Journal of Information Security, 2019, Issue 4, pp. 263-277 (15 pages)
With the systematization of cyber threats, the variety of intrusion tools and intrusion methods has greatly reduced the cost of attackers' threats to network security. Due to the large number of colleges and universities, teachers and students are highly educated and the Internet access rate is nearly 100%. This social status makes the university network a main target of threats. The traditional defense method cannot cope with the current complex network attacks. In order to solve this problem, a threat intelligence sharing platform based on various threat intelligence sharing standards is established, of which STIX and TAXII are widely used sharing standards in various sharing platforms. This paper analyzes the existing standards of STIX and TAXII, improves the STIX and TAXII standards based on the analysis results, and, based on the improved results, proposes a new type of STIX and TAXII standard design scheme for a threat intelligence sharing platform suited to the features of the college network environment. The experimental results show that the threat intelligence sharing platform designed in this paper can be effectively applied to the network environment of colleges and universities.
Keywords: STIX; TAXII; threat intelligence
6. Chinese Cyber Threat Intelligence Named Entity Recognition via RoBERTa-wwm-RDCNN-CRF (cited by: 1)
Authors: Zhen Zhen, Jian Gao. Computers, Materials & Continua (SCIE, EI), 2023, Issue 10, pp. 299-323 (25 pages)
In recent years, cyber attacks have been intensifying and causing great harm to individuals, companies, and countries. The mining of cyber threat intelligence (CTI) can facilitate intelligence integration and serve well in combating cyber attacks. Named Entity Recognition (NER), as a crucial component of text mining, can structure complex CTI text and aid cybersecurity professionals in effectively countering threats. However, current CTI NER research has mainly focused on studying English CTI. In the limited studies conducted on Chinese text, existing models have shown poor performance. To fully utilize the power of Chinese pre-trained language models (PLMs) and conquer the problem of lengthy infrequent English words mixing in the Chinese CTIs, we propose a residual dilated convolutional neural network (RDCNN) with a conditional random field (CRF) based on a robustly optimized bidirectional encoder representation from transformers pre-training approach with whole word masking (RoBERTa-wwm), abbreviated as RoBERTa-wwm-RDCNN-CRF. We are the first to experiment on the relevant open source dataset and achieve an F1-score of 82.35%, which exceeds the common baseline model bidirectional encoder representation from transformers (BERT)-bidirectional long short-term memory (BiLSTM)-CRF in this field by about 19.52% and exceeds the current state-of-the-art model, BERT-RDCNN-CRF, by about 3.53%. In addition, we conducted an ablation study on the encoder part of the model to verify the effectiveness of the proposed model and an in-depth investigation of the PLMs and encoder part of the model to verify the effectiveness of the proposed model. The RoBERTa-wwm-RDCNN-CRF model, the shared pre-processing, and augmentation methods can serve the subsequent fundamental tasks such as cybersecurity information extraction and knowledge graph construction, contributing to important applications in downstream tasks such as intrusion detection and advanced persistent threat (APT) attack detection.
Keywords: cybersecurity; cyber threat intelligence; named entity recognition
7. Attack Behavior Extraction Based on Heterogeneous Cyberthreat Intelligence and Graph Convolutional Networks (cited by: 1)
Authors: Binhui Tang, Junfeng Wang, Huanran Qiu, Jian Yu, Zhongkun Yu, Shijia Liu. Computers, Materials & Continua (SCIE, EI), 2023, Issue 1, pp. 235-252 (18 pages)
The continuous improvement of the cyber threat intelligence sharing mechanism provides new ideas to deal with Advanced Persistent Threats (APT). Extracting attack behaviors, i.e., Tactics, Techniques, Procedures (TTP) from Cyber Threat Intelligence (CTI) can facilitate APT actors' profiling for an immediate response. However, it is difficult for traditional manual methods to analyze attack behaviors from cyber threat intelligence due to its heterogeneous nature. Based on the Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) of threat behavior description, this paper proposes a threat behavioral knowledge extraction framework that integrates Heterogeneous Text Network (HTN) and Graph Convolutional Network (GCN) to solve this issue. It leverages the hierarchical correlation relationships of attack techniques and tactics in the ATT&CK to construct a text network of heterogeneous cyber threat intelligence. With the help of the Bidirectional Encoder Representation from Transformers (BERT) pretraining model to analyze the contextual semantics of cyber threat intelligence, the task of threat behavior identification is transformed into a text classification task, which automatically extracts attack behavior in CTI, then identifies the malware and advanced threat actors. The experimental results show that F1 reaches 94.86% and 92.15% for the multi-label classification tasks of tactics and techniques. The experiment is extended to verify the method's effectiveness in identifying the malware and threat actors in APT attacks. The F1 for the malware and advanced threat actor identification tasks reached 98.45% and 99.48%, which are better than the benchmark model in the experiment and achieve state of the art. The model can effectively model threat intelligence text data and acquire knowledge and experience migration by correlating implied features with a priori knowledge to compensate for insufficient sample data and improve the classification performance and recognition ability of threat behavior in text.
Keywords: attack behavior extraction; cyber threat intelligence (CTI); graph convolutional network (GCN); heterogeneous textual network (HTN)
8. Artificial Intelligence Based Threat Detection in Industrial Internet of Things Environment
Authors: Fahad F. Alruwaili. Computers, Materials & Continua (SCIE, EI), 2022, Issue 12, pp. 5809-5824 (16 pages)
Internet of Things (IoT) is one of the hottest research topics in recent years, thanks to its dynamic working mechanism that integrates the physical and digital world into a single system. IoT technology, applied in industries, is termed Industrial IoT (IIoT). IIoT has been found to be highly susceptible to attacks from adversaries, based on the difficulties observed in IIoT and its increased dependency upon the internet and communication network. Intentional or accidental attacks on these approaches result in catastrophic effects like power outage, denial of vital health services, disruption to civil service, etc. Thus, there exists a need to develop a vibrant and powerful approach for the identification and mitigation of security vulnerabilities in IIoT. In this view, the current study develops an AI-based Threat Detection and Classification model for IIoT, abbreviated as the AITDC-IIoT model. The presented AITDC-IIoT model initially pre-processes the input data to transform it into a compatible format. In addition, Whale Optimization Algorithm based Feature Selection (WOA-FS) is used to elect the subset of features. Moreover, Cockroach Swarm Optimization (CSO) is employed with the Random Vector Functional Link network (RVFL) technique for threat classification. Finally, the CSO algorithm is applied to appropriately adjust the parameters related to the RVFL model. The performance of the proposed AITDC-IIoT model was validated under benchmark datasets. The experimental results established the supremacy of the proposed AITDC-IIoT model over recent approaches.
Keywords: security; industrial internet of things; threat detection; artificial intelligence; feature selection
9. A Research and Analysis Method of Open Source Threat Intelligence Data
Authors: Ruyue Liu, Ziping Zhao, Chengjun Sun, Xiaoyu Yang, Xiaoli Gong, Jin Zhang. 《国际计算机前沿大会会议论文集》, 2017, Issue 1, pp. 88-90 (3 pages)
As the form of cyber threats becomes more complex, there is widespread concern about how to promote a network security active defense system by using the exploding cyber threat intelligence. Based on the content analysis method, this paper introduces the precision, recall rate and timely rate on the basis of the change of the time dimension, and analyzes the threat intelligence provider from three aspects. The validity of this method is verified by the test of a massive source of threat data, which improves the efficiency of CIF analysis and makes it easy to analyze and extract the threat intelligence information quickly.
Keywords: threat intelligence; cyber security; CIF
10. The Economics of Sharing Unclassified Cyber Threat Intelligence by Government Agencies and Departments
Authors: Josiah Dykstra, Lawrence A. Gordon, Martin P. Loeb, Lei Zhou. Journal of Information Security, 2022, Issue 3, pp. 85-100 (16 pages)
This paper extends the literature on the economics of sharing cybersecurity information by and among profit-seeking firms by modeling the case where a government agency or department publicly shares unclassified cyber threat information with all organizations. In prior cybersecurity information sharing models a common element was reciprocity, i.e., firms receiving shared information are also asked to share their private cybersecurity information with all other firms (via an information sharing arrangement). In contrast, sharing of unclassified cyber threat intelligence (CTI) by a government agency or department is not based on reciprocal sharing by the recipient organizations. After considering the government's cost of preparing and disseminating CTI, as well as the benefits to the recipients of the CTI, we provide sufficient conditions for sharing of CTI to result in an increase in social welfare. Under a broad set of general conditions, sharing of CTI will increase social welfare gross of the costs to the government agency or department sharing the information. Thus, if the entity can keep the sharing costs low, sharing cybersecurity information will result in an increase in net social welfare.
Keywords: cyber threat intelligence; economics of information sharing
11. Cyber Resilience through Real-Time Threat Analysis in Information Security
Authors: Aparna Gadhi, Ragha Madhavi Gondu, Hitendra Chaudhary, Olatunde Abiona. International Journal of Communications, Network and System Sciences, 2024, Issue 4, pp. 51-67 (17 pages)
This paper examines how cybersecurity is developing and how it relates to more conventional information security. Although information security and cyber security are sometimes used synonymously, this study contends that they are not the same. The concept of cyber security is explored, which goes beyond protecting information resources to include a wider variety of assets, including people [1]. Protecting information assets is the main goal of traditional information security, with consideration to the human element and how people fit into the security process. On the other hand, cyber security adds a new level of complexity, as people might unintentionally contribute to or become targets of cyberattacks. This aspect presents moral questions since it is becoming more widely accepted that society has a duty to protect weaker members of society, including children [1]. The study emphasizes how important cyber security is on a larger scale, with many countries creating plans and laws to counteract cyberattacks. Nevertheless, a lot of these sources frequently neglect to define the differences or the relationship between information security and cyber security [1]. The paper focuses on differentiating between cybersecurity and information security on a larger scale. The study also highlights other areas of cybersecurity, which include defending people, social norms, and vital infrastructure from threats that arise online, in addition to information and technology protection. It contends that ethical issues and the human factor are becoming more and more important in protecting assets in the digital age, and that cyber security is a paradigm shift in this regard [1].
Keywords: cybersecurity; information security; network security; cyber resilience; real-time threat analysis; cyber threats; cyberattacks; threat intelligence; machine learning; artificial intelligence; threat detection; threat mitigation; risk assessment; vulnerability management; incident response; security orchestration; automation; threat landscape; cyber-physical systems; critical infrastructure; data protection; privacy; compliance; regulations; policy; ethics; cybercrime; threat actors; threat modeling; security architecture
12. Research on Generative Techniques for Identifying and Extracting Cyber Threat Tactics, Techniques and Procedures Intelligence
Authors: Yu Fengrui, Du Yanhui. 《计算机科学与探索》 (Journal of Frontiers of Computer Science and Technology), PKU Core, 2025, Issue 1, pp. 118-131 (14 pages)
MITRE ATT&CK defines 14 tactics and 625 techniques covering the full course of a cyber attack and has gradually become the de facto standard for cyber threat tactics, techniques and procedures (TTP) intelligence. Building on this classification, existing research recasts TTP identification and extraction as a sentence-level multi-class classification task over tactic and technique categories, studied with deep learning and with prompt-engineered large language models. However, limited by the large proportion of few-shot categories in the datasets and the performance bottleneck of multi-class models, category coverage and precision remain low. This paper proposes a method that combines ChatGPT-based data augmentation with instruction-supervised fine-tuning of a large language model, which solves the sentence-level technique multi-class classification problem well. The ChatGPT data augmentation method enriches sample diversity while preserving the semantics of the original samples, providing high-quality training data for high-performance few-shot learning; the experimental results also demonstrate the superiority of this augmentation method. Instruction-supervised fine-tuning of the large language model breaks through the performance bottleneck of deep-learning multi-class models and achieves full coverage of all 625 technique categories, with Precision, Recall and F1 reaching 86.2%, 89.9% and 88.0% respectively, outperforming existing studies.
Keywords: cyber threat intelligence (CTI); cyber threat tactics, techniques and procedures intelligence (TTP); ATT&CK; data augmentation; large language model; supervised fine-tuning (SFT)
13. Unstructured Big Data Threat Intelligence Parallel Mining Algorithm
Authors: Zhihua Li, Xinye Yu, Tao Wei, Junhao Qian. Big Data Mining and Analytics (EI, CSCD), 2024, Issue 2, pp. 531-546 (16 pages)
To efficiently mine threat intelligence from the vast array of open-source cybersecurity analysis reports on the web, we have developed the Parallel Deep Forest-based Multi-Label Classification (PDFMLC) algorithm. Initially, open-source cybersecurity analysis reports are collected and converted into a standardized text format. Subsequently, five tactics category labels are annotated, creating a multi-label dataset for tactics classification. Addressing the limitations of low execution efficiency and scalability in the sequential deep forest algorithm, our PDFMLC algorithm employs broadcast variables and the Lempel-Ziv-Welch (LZW) algorithm, significantly enhancing its acceleration ratio. Furthermore, our proposed PDFMLC algorithm incorporates label mutual information from the established dataset as input features. This captures latent label associations, significantly improving classification accuracy. Finally, we present the PDFMLC-based Threat Intelligence Mining (PDFMLC-TIM) method. Experimental results demonstrate that the PDFMLC algorithm exhibits exceptional node scalability and execution efficiency. Simultaneously, the PDFMLC-TIM method proficiently conducts text classification on cybersecurity analysis reports, extracting tactics entities to construct comprehensive threat intelligence. As a result, successfully formatted STIX 2.1 threat intelligence is established.
Keywords: unstructured big data mining; parallel deep forest; multi-label classification algorithm; threat intelligence
14. An Effective Threat Detection Framework for Advanced Persistent Cyberattacks (cited by: 1)
Authors: So-Eun Jeon, Sun-Jin Lee, Eun-Young Lee, Yeon-Ji Lee, Jung-Hwa Ryu, Jung-Hyun Moon, Sun-Min Yi, Il-Gu Lee. Computers, Materials & Continua (SCIE, EI), 2023, Issue 5, pp. 4231-4253 (23 pages)
Recently, with the normalization of non-face-to-face online environments in response to the COVID-19 pandemic, the possibility of cyberattacks through endpoints has increased. Numerous endpoint devices are managed meticulously to prevent cyberattacks and ensure timely responses to potential security threats. In particular, because telecommuting, telemedicine, and tele-education are implemented in uncontrolled environments, attackers typically target vulnerable endpoints to acquire administrator rights or steal authentication information, and reports of endpoint attacks have been increasing considerably. Advanced persistent threats (APTs) using various novel variant malicious codes are a form of sophisticated attack. However, conventional commercial antivirus and anti-malware systems that use signature-based attack detection methods cannot satisfactorily respond to such attacks. In this paper, we propose a method that expands the detection coverage in APT attack environments. In this model, an open-source threat detector and log collector are used synergistically to improve threat detection performance. Extending the scope of attack log collection through interworking between highly accessible open-source tools can efficiently increase the detection coverage of tactics and techniques used to deal with APT attacks, as defined by MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). We implemented an attack environment using an APT attack scenario emulator called Carbanak and analyzed the detection coverage of Google Rapid Response (GRR), an open-source threat detection tool, and Graylog, an open-source log collector. The proposed method expanded the detection coverage against MITRE ATT&CK by approximately 11% compared with that of conventional methods.
Keywords: advanced persistent threat; cybersecurity; endpoint security; MITRE ATT&CK; open-source threat detector; threat log collector
15. Generic Attribute Scoring for Information Decay in Threat Information Sharing Platform
Authors: Mohammed Alshehri. Computers, Materials & Continua (SCIE, EI), 2021, Issue 4, pp. 917-931 (15 pages)
Cyber Threat Intelligence (CTI) has gained massive attention to collect hidden knowledge for a better understanding of the various cyber-attacks and eventually paving the way for predicting the future of such attacks. The information exchange and collaborative sharing through different platforms have a significant contribution towards a global solution. While CTI and the information exchange can help a lot in focusing and prioritizing the use of the large volume of complex information among different organizations, there exists a great challenge in effective processing of the large count of different Indicators of Threat (IoT) which appear regularly, and that can be solved only through a collaborative approach. Collaborative approach and intelligence sharing have become the mandatory element in the entire world of processing the threats. In order to cover the complete needs of having a definite standard of information exchange, various initiatives have been taken in the form of threat information sharing platforms like MISP and formats such as STIX. This paper proposes a scoring model to address information decay, which is shared within a TISP. The scoring model is implemented, taking the use case of detecting the Threat Indicators in a phishing data network. The proposed method calculates the rate of decay of an attribute through which the early entries are removed.
Keywords: information interchange; cyber threat intelligence; indicators of threats; threat intelligence sharing platform
16. Threat Modeling and Application Research Based on Multi-Source Attack and Defense Knowledge
Authors: Shuqin Zhang, Xinyu Su, Peiyu Shi, Tianhui Du, Yunfei Han. Computers, Materials & Continua (SCIE, EI), 2023, Issue 10, pp. 349-377 (29 pages)
Cyber Threat Intelligence (CTI) is a valuable resource for cybersecurity defense, but it also poses challenges due to its multi-source and heterogeneous nature. Security personnel may be unable to use CTI effectively to understand the condition and trend of a cyberattack and respond promptly. To address these challenges, we propose a novel approach that consists of three steps. First, we construct the attack and defense analysis of the cybersecurity ontology (ADACO) model by integrating multiple cybersecurity databases. Second, we develop the threat evolution prediction algorithm (TEPA), which can automatically detect threats at device nodes, correlate and map multi-source threat information, and dynamically infer the threat evolution process. TEPA leverages knowledge graphs to represent comprehensive threat scenarios and achieves better performance in simulated experiments by combining structural and textual features of entities. Third, we design the intelligent defense decision algorithm (IDDA), which can provide intelligent recommendations for security personnel regarding the most suitable defense techniques. IDDA outperforms the baseline methods in the comparative experiment.
Keywords: multi-source data fusion; threat modeling; threat propagation path; knowledge graph; intelligent defense decision-making
17. Multiclass Classification for Cyber Threats Detection on Twitter
Authors: Adnan Hussein, Abdulwahab Ali Almazroi. Computers, Materials & Continua (SCIE, EI), 2023, Issue 12, pp. 3853-3866 (14 pages)
The advances in technology increase the number of internet systems in use. As a result, cybersecurity issues have become more common. Cyber threats are one of the main problems in the area of cybersecurity. However, detecting cybersecurity threats is not a trivial task and thus is the center of focus for many researchers due to its importance. This study aims to analyze Twitter data to detect cyber threats using a multiclass classification approach. The data is passed through different tasks to prepare it for the analysis. Term Frequency and Inverse Document Frequency (TF-IDF) features are extracted to vectorize the cleaned data and several machine learning algorithms are used to classify the Twitter posts into multiple classes of cyber threats. The results are evaluated using different metrics including precision, recall, F-score, and accuracy. This work contributes to the cyber security research area. The experiments revealed the promising results of the analysis using the Random Forest (RF) algorithm with F-score = 81%. This result outperformed the existing studies in the field of cyber threat detection and showed the importance of detecting cyber threats in social media posts. There is a need for more investigation in the field of multiclass classification to achieve more accurate results. In the future, this study suggests applying different data representations for the feature extraction other than TF-IDF, such as Word2Vec, and adding a new phase for feature selection to select the optimum feature subset to achieve higher accuracy of the detection process.
Keywords: cybersecurity; cyber threat detection; artificial intelligence; machine learning; Twitter
Poisoning attacks and countermeasures in intelligent networks: Status quo and prospects
18
Authors: Chen Wang, Jian Chen, Yang Yang, Xiaoqiang Ma, Jiangchuan Liu. Digital Communications and Networks (SCIE, CSCD), 2022, No. 2, pp. 225-234 (10 pages)
Over the past years, the emergence of intelligent networks empowered by machine learning techniques has brought great convenience to different aspects of human life. However, using machine learning in intelligent networks also presents potential security and privacy threats. A common practice is the so-called poisoning attack, where malicious users inject fake training data with the aim of corrupting the learned model. In this survey, we comprehensively review existing poisoning attacks as well as the countermeasures in intelligent networks for the first time. We emphasize and compare the principles of the formal poisoning attacks employed in different categories of learning algorithms, and analyze the strengths and limitations of the corresponding defense methods in a compact form. We also highlight some remaining challenges and future directions in the attack-defense confrontation to promote further research in this emerging yet promising area.
Keywords: Machine learning; poisoning attack; intelligent networks; security threat
Machine Learning Based Cybersecurity Threat Detection for Secure IoT Assisted Cloud Environment
19
Authors: Z. Faizal Khan, Saeed M. Alshahrani, Abdulrahman Alghamdi, Someah Alangari, Nouf Ibrahim Altamami, Khalid A. Alissa, Sana Alazwari, Mesfer Al Duhayyim, Fahd N. Al-Wesabi. Computer Systems Science & Engineering (SCIE, EI), 2023, No. 10, pp. 855-871 (17 pages)
The Internet of Things (IoT) creates enormous economic opportunities for industries and stimulates innovation across domains, from childcare to eldercare, from health services to energy, and from development to transport. Cybersecurity is a difficult problem on IoT platforms, where the presence of cyber-attacks must be addressed. The development of automatic cyber-attack classification and detection tools using Artificial Intelligence (AI) and Machine Learning (ML) is crucial to achieving security on IoT platforms, and is needed to minimise the security issues of IoT devices efficiently. Thus, this research establishes a novel Mayfly Optimisation with Regularised Extreme Learning Machine technique, called the MFO-RELM model, for cybersecurity threat classification and detection in cloud and IoT environments. The proposed MFO-RELM model provides effective detection of cybersecurity threats that occur in cloud and IoT platforms. To accomplish this, the MFO-RELM technique pre-processes the raw cloud and IoT data into a meaningful format. The proposed model then receives the pre-processed data and carries out classification. To boost the efficiency of the proposed model, the MFO technique is applied to it. The experimental outcome of the proposed technique was tested using the standard CICIDS 2017 dataset, and the results are examined under distinct aspects.
Keywords: Mayfly optimization; machine learning; artificial intelligence; cybersecurity; threat detection
A Network Attack Attribution Method Integrating Threat Intelligence and Knowledge Graphs (Cited by: 1)
20
Authors: 张玉臣, 孙澄, 姜迎畅, 马军强, 胡浩. 情报杂志 (Journal of Intelligence) (CSSCI, Peking University Core), 2024, No. 8, pp. 72-83, 91 (13 pages)
[Research purpose] Attack attribution is an important component of cyberspace security assurance. Faced with the massive, heterogeneous, multi-source and loosely structured nature of cyberspace data, big-data analysis and artificial intelligence urgently need to be combined to effectively identify adversary attack threats, trace the attack chain and the attacking organisation behind it, and implement targeted defences. [Research methods] To address the difficulty of identifying attack threat features, a knowledge-graph-driven network attack attribution method is proposed. An attack event framework is built with vulnerability exploitation actions at its core, alerts are correlated in units of events, and attack scenarios are reconstructed. On this basis, a threat fingerprint knowledge graph is used to integrate publicly available threat intelligence; threat features extracted from the attack scenario serve as fingerprints, the similarity between the two is analysed, and the attacker is attributed. [Research conclusions] Experimental results show that the method can use the attack event framework to enrich the contextual information of attack behaviour and effectively attribute attackers based on the knowledge graph, thereby leveraging existing threat intelligence on the attacker to improve the comprehensiveness of threat feature identification for advanced persistent threats.
Keywords: Threat intelligence; threat fingerprint; knowledge graph; attack attribution; threat identification; scenario reconstruction