Under false flag:using technical artifacts for cyber attack attribution

The attribution of cyber attacks is often neglected.The consensus still is that little can be done to prosecute the perpetrators–and unfortunately,this might be right in many cases.What is however only of limited interest for the private industry is in the center of interest for nation states.Investigating if an attack was carried out in the name of a nation state is a crucial task for secret services.Many methods,tools and processes exist for network-and computer forensics that allow the collection of traces and evidences.They are the basis to associate adversarial actions to threat actors.However,a serious problem which has not got the appropriate attention from research yet,are false flag campaigns,cyber attacks which apply covert tactics to deceive or misguide attribution attempts–either to hide traces or to blame others.In this paper we provide an overview of prominent attack techniques along the cyber kill chain.We investigate traces left by attack techniques and which questions in course of the attribution process are answered by investigating these traces.Eventually,we assess how easily traces can be spoofed and rate their relevancy with respect to identifying false flag campaigns.

Review and insight on the behavioral aspects of cybersecurity

Stories of cyber attacks are becoming a routine in which cyber attackers show new levels of intention by sophisticated attacks on networks.Unfortunately,cybercriminals have figured out profitable business models and they take advantage of the online anonymity.A serious situation that needs to improve for networks’defenders.Therefore,a paradigm shift is essential to the effectiveness of current techniques and practices.Since the majority of cyber incidents are human enabled,this shift requires expanding research to underexplored areas such as behavioral aspects of cybersecurity.It is more vital to focus on social and behavioral issues to improve the current situation.This paper is an effort to provide a review of relevant theories and principles,and gives insights including an interdisciplinary framework that combines behavioral cybersecurity,human factors,and modeling and simulation.

One-way information reconciliation schemes of quantum key distribution

With the rapid improvement of quantum computing technology,quantum key distribution(QKD)is a hot technology.Information reconciliation is a key step of QKD which is useful for correcting key error.Classical message interaction is necessary in a practical information reconciliation scheme,which makes the efficiency of these protocols decreased.Therefore,some one-way information reconciliation schemes based on low-density parity-check(LDPC)codes and polar codes are proposed.Here we propose a concatenated method of IR schemes which can achieve any given error rate level without the need of interactions.Compared with the one-way IR schems based on LDPC codes and polar codes,the IR schemes based on the proposed concatenated method can get lower bit error rates after error correction,which can also reduce the communication delay and system complexity of QKD,improve the final key generation rate and enhance the practicability of QKD system.

A lightweight cryptographic algorithm for the transmission of images from road environments in self-driving

With the large-scale application of 5G in industrial production,the Internet of Things has become an important technology for various industries to achieve efficiency improvement and digital transformation with the help of the mobile edge computing.In the modern industry,the user often stores data collected by IoT devices in the cloud,but the data at the edge of the network involves a large of the sensitive information,which increases the risk of privacy leakage.In order to address these two challenges,we propose a security strategy in the edge computing.Our security strategy combines the Feistel architecture and short comparable encryption based on sliding window(SCESW).Compared to existing security strategies,our proposed security strategy guarantees its security while significantly reducing the computational overhead.And our GRC algorithm can be successfully deployed on a hardware platform.

PathMarker:protecting web contents against inside crawlers

Web crawlers have been misused for several malicious purposes such as downloading server data without permission from the website administrator.Moreover,armoured crawlers are evolving against new anti-crawler mechanisms in the arm races between crawler developers and crawler defenders.In this paper,based on one observation that normal users and malicious crawlers have different short-term and long-term download behaviours,we develop a new anti-crawler mechanism called PathMarker to detect and constrain persistent distributed crawlers.By adding a marker to each Uniform Resource Locator(URL),we can trace the page that leads to the access of this URL and the user identity who accesses this URL.With this supporting information,we can not only perform more accurate heuristic detection using the path related features,but also develop a Support Vector Machine based machine learning detection model to distinguish malicious crawlers from normal users via inspecting their different patterns of URL visiting paths and URL visiting timings.In addition to effectively detecting crawlers at the earliest stage,PathMarker can dramatically suppress the scraping efficiency of crawlers before they are detected.We deploy our approach on an online forum website,and the evaluation results show that PathMarker can quickly capture all 6 open-source and in-house crawlers,plus two external crawlers(i.e.,Googlebots and Yahoo Slurp).

Optimal monitoring and attack detection of networks modeled by Bayesian attack graphs

Early attack detection is essential to ensure the security of complex networks,especially those in critical infrastructures.This is particularly crucial in networks with multi-stage attacks,where multiple nodes are connected to external sources,through which attacks could enter and quickly spread to other network elements.Bayesian attack graphs(BAGs)are powerful models for security risk assessment and mitigation in complex networks,which provide the probabilistic model of attackers’behavior and attack progression in the network.Most attack detection techniques developed for BAGs rely on the assumption that network compromises will be detected through routine monitoring,which is unrealistic given the ever-growing complexity of threats.This paper derives the optimal minimum mean square error(MMSE)attack detection and monitoring policy for the most general form of BAGs.By exploiting the structure of BAGs and their partial and imperfect monitoring capacity,the proposed detection policy achieves the MMSE optimality possible only for linear-Gaussian state space models using Kalman filtering.An adaptive resource monitoring policy is also introduced for monitoring nodes if the expected predictive error exceeds a user-defined value.Exact and efficient matrix-form computations of the proposed policies are provided,and their high performance is demonstrated in terms of the accuracy of attack detection and the most efficient use of available resources using synthetic Bayesian attack graphs with different topologies.

On the combination of data augmentation method and gated convolution model for building effective and robust intrusion detection

Deep learning(DL)has exhibited its exceptional performance in fields like intrusion detection.Various augmentation methods have been proposed to improve data quality and eventually to enhance the performance of DL models.However,the classic augmentation methods cannot be applied to those DL models which exploit the system-call sequences to detect intrusion.Previously,the seq2seq model has been explored to augment system-call sequences.Following this work,we propose a gated convolutional neural network(GCNN)model to thoroughly extract the potential information of augmented sequences.Also,in order to enhance themodel’s robustness,we adopt adversarial training to reduce the impact of adversarial examples on the model.Adversarial examples used in adversarial training are generated by the proposed adversarial sequence generation algorithm.The experimental results on different verified models show that GCNN model can better obtain the potential information of the augmented data and achieve the best performance.Furthermore,GCNN with adversarial training can enhance robustness significantly.

Generic,efficient and isochronous Gaussian sampling over the integers

Gaussian sampling over the integers is one of the fundamental building blocks of lattice-based cryptography.Among the extensively used trapdoor sampling algorithms,it is ineluctable until now.Under the influence of numerous side-channel attacks,it is still challenging to construct a Gaussian sampler that is generic,efficient,and resistant to timing attacks.In this paper,our contribution is three-fold.First,we propose a secure,efficient exponential Bernoulli sampling algorithm.It can be applied to Gaussian samplers based on rejection samplings.We apply it to FALCON,a candidate of round 3 of the NIST post-quantum cryptography standardization project,and reduce its signature generation time by 13–14%.Second,we develop an isochronous Gaussian sampler based on rejection sampling.Our Algorithm can securely sample from Gaussian distributions with different standard deviations and arbitrary centers.We apply it to PALISADE(S&P 2018),an open-source lattice-based cryptography library.During the online phase of trapdoor sampling,the running time of the G-lattice sampling algorithm is reduced by 44.12%while resisting timing attacks.Third,we improve the efficiency of the COSAC sampler(PQC 2020).The new COSAC sampler is 1.46x-1.63x faster than the original and has the lowest expected number of trials among all Gaussian samplers based on rejection samplings.But it needs a more efficient algorithm sampling from the normal distribution to improve its performance.

A DGA domain names detection modeling method based on integrating an attention mechanism and deep neural network

Command and control(C2)servers are used by attackers to operate communications.To perform attacks,attackers usually employee the Domain Generation Algorithm(DGA),with which to confirm rendezvous points to their C2 servers by generating various network locations.The detection of DGA domain names is one of the important technologies for command and control communication detection.Considering the randomness of the DGA domain names,recent research in DGA detection applyed machine learning methods based on features extracting and deep learning architectures to classify domain names.However,these methods are insufficient to handle wordlist-based DGA threats,which generate domain names by randomly concatenating dictionary words according to a special set of rules.In this paper,we proposed a a deep learning framework ATT-CNN-BiLSTMfor identifying and detecting DGA domains to alleviate the threat.Firstly,the Convolutional Neural Network(CNN)and bidirectional Long Short-Term Memory(BiLSTM)neural network layer was used to extract the features of the domain sequences information;secondly,the attention layer was used to allocate the corresponding weight of the extracted deep information from the domain names.Finally,the different weights of features in domain names were put into the output layer to complete the tasks of detection and classification.Our extensive experimental results demonstrate the effectiveness of the proposed model,both on regular DGA domains and DGA that hard to detect such as wordlist-based and part-wordlist-based ones.To be precise,we got a F1 score of 98.79%for the detection and macro average precision and recall of 83%for the classification task of DGA domain names.

Group topic-author model for efficient discovery of latent social astroturfing groups in tourism domain

Astroturfing is a phenomenon in which sponsors of fake messages or reviews are masked because their intentions are not genuine.Astroturfing reviews are intentionally made to influence people to take decisions in favour of or against a target service or product or organization.The tourism sector being one of the sectors that is flourishing and witnessing unprecedented growth is affected by the activities of astroturfers.Astroturfing reviews can cause many problems to tourists who make decisions based on available online reviews.However,authentic and genuine reviews help people make informed decisions.In this paper a Latent Dirichlet Allocation(LDA)based Group Topic-Author model is proposed for efficient discovery of social astroturfing groups within the tourism domain.An algorithm named Astroturfing Group Topic Detection(AGTD)is defined for the implementation of the proposed model.The experimental results of this study revealed the utility of the proposed system for the discovery of social astroturfing groups within the tourism domain.

A convolutional neural network to detect possible hidden data in spatial domain images

Hiding secret data in digital multimedia has been essential to protect the data.Nevertheless,attackers with a steganalysis technique may break them.Existing steganalysis methods have good results with conventional Machine Learning(ML)techniques;however,the introduction of Convolutional Neural Network(CNN),a deep learning paradigm,achieved better performance over the previously proposed ML-based techniques.Though the existing CNN-based approaches yield good results,they present performance issues in classification accuracy and stability in the network training phase.This research proposes a new method with a CNN architecture to improve the hidden data detection accuracy and the training phase stability in spatial domain images.The proposed method comprises three phases:pre-processing,feature extraction,and classification.Firstly,in the pre-processing phase,we use spatial rich model filters to enhance the noise within images altered by data hiding;secondly,in the feature extraction phase,we use two-dimensional depthwise separable convolutions to improve the signal-to-noise and regular convolutions to model local features;and finally,in the classification,we use multi-scale average pooling for local features aggregation and representability enhancement regardless of the input size variation,followed by three fully connected layers to form the final feature maps that we transform into class probabilities using the softmax function.The results identify an improvement in the accuracy of the considered recent scheme ranging between 4.6 and 10.2%with reduced training time up to 30.81%.

Data and knowledge-driven named entity recognition for cyber security

Named Entity Recognition(NER)for cyber security aims to identify and classify cyber security terms from a large number of heterogeneous multisource cyber security texts.In the field of machine learning,deep neural networks automatically learn text features from a large number of datasets,but this data-driven method usually lacks the ability to deal with rare entities.Gasmi et al.proposed a deep learning method for named entity recognition in the field of cyber security,and achieved good results,reaching an F1 value of 82.8%.But it is difficult to accurately identify rare entities and complex words in the text.To cope with this challenge,this paper proposes a new model that combines data-driven deep learning methods with knowledge-driven dictionary methods to build dictionary features to assist in rare entity recognition.In addition,based on the data-driven deep learning model,an attentionmechanism is adopted to enrich the local features of the text,better models the context,and improves the recognition effect of complex entities.Experimental results show that our method is better than the baseline model.Our model is more effective in identifying cyber security entities.The Precision,Recall and F1 value reached 90.19%,86.60%and 88.36%respectively.

Sifu-a cybersecurity awareness platform with challenge assessment and intelligent coach

Software vulnerabilities,when actively exploited by malicious parties,can lead to catastrophic consequences.Proper handling of software vulnerabilities is essential in the industrial context,particularly when the software is deployed in critical infrastructures.Therefore,several industrial standards mandate secure coding guidelines and industrial software developers’training,as software quality is a significant contributor to secure software.CyberSecurity Challenges(CSC)form a method that combines serious game techniques with cybersecurity and secure coding guidelines to raise secure coding awareness of software developers in the industry.These cybersecurity awareness events have been used with success in industrial environments.However,until now,these coached events took place on-site.In the present work,we briefly introduce cybersecurity challenges and propose a novel platform that allows these events to take place online.The introduced cybersecurity awareness platform,which the authors call Sifu,performs automatic assessment of challenges in compliance to secure coding guidelines,and uses an artificial intelligence method to provide players with solution-guiding hints.Furthermore,due to its characteristics,the Sifu platform allows for remote(online)learning,in times of social distancing.The CyberSecurity Challenges events based on the Sifu platform were evaluated during four online real-life CSC events.We report on three surveys showing that the Sifu platform’s CSC events are adequate to raise industry software developers awareness on secure coding.

Generic attacks on small-state stream cipher constructions in the multi-user setting

Small-state stream ciphers(SSCs),which violate the principle that the state size should exceed the key size by a factor of two,still demonstrate robust security properties while maintaining a lightweight design.These ciphers can be clas-sifed into several constructions and their basic security requirement is to resist generic attacks,ie.,the time-mem-ory-data tradeoff(TMDTO)attack.In this paper,we investigate the security of small-state constructions in the multi-user setting.Based on it,the TMDTO distinguishing attack and the TMDTO key recovery attack are developed for such a setting.It is shown that SSCs which continuously use the key can not resist the TMDTO distinguishing attack.Moreover,SSCs based on the continuous-IV-key-use construction cannot withstand the TMDTO key recovery attack when the key length is shorter than the IV length,no matter whether the keystream length is limited or not.Finally,We apply these two generic attacks to TinyJAMBU and DRACO in the multi-user setting.The TMDTO distinguish-ing attack on TinyJAMBU with a 128-bit key can be mounted with time,memory,and data complexities of 264,248,and 232,respectively.This attack is comparable with a recent work on ToSC 2022,where partial key bits of TinyJAMBU are recovered with more than 250 users(or keys).As DRACO's IV length is smaller than its key length,itis vulnerable to the TMDTO key recovery attack.The resulting attack has a time and memory complexity of both 2112,which means DRACO does not provide 128-bit security in the multi-user setting.

A buffer overflow detection and defense method based on RiSC-V instruction set extension

Buffer overflow poses a serious threat to the memory security of modern operating systems.It overwrites the con-tents of other memory areas by breaking through the buffer capacity limit,destroys the system execution environ-ment,and provides implementation space for various system attacks such as program control flow hijacking.That makes it a wide range of harms.A variety of security technologies have been proposed to deal with system security problems including buffer overflow.For example,No eXecute(NX for short)is a memory management technology commonly used in Harvard architecture.It can refuse the execution of code which residing in a specific memory,and can effectively suppress the abnormal impact of buffer overflow on control flow.Therefore,in recent years,it has also been used in the field of system security,deriving a series of solutions based on NX technology,such as ExecShield,DEP,StackGuard,etc.However,these security solutions often rely too much on the processor archi-tecture so that the protection coverage is insufficient and the accuracy is limited.Especially in the emerging system architecture field represented by RiSC-V,there is still a lack of effective solutions for buffer overflow vulnerabilities.With the continuous rapid development of the system architecture,it is urgent to develop defense methods that are applicable to different system application environments and oriented to all executable memory spaces to meet the needs of system security development.Therefore,we propose BOP,A new system memory security design method based on RISC-V extended instructions,to build a RISC-V buffer overflow detection and defense system and deal with the buffer overflow threat in RIsC-V.According to this method,NX technology can be combined with program control flow analysis,and Nx bit mechanism can be used to manage the executability of memory space,so as to achieve a more granular detection and defense of buffer overflow attacks that may occur in RISC-V system environment.In addition,The memory management and control function of BOP is not only very suitable for solving the security problems in the existing single architecture system,but also widely applicable to the combina-tion of multiple heterogeneous systems.

Graph-based visual analytics for cyber threat intelligence

The ever-increasing amount of major security incidents has led to an emerging interest in cooperative approaches to encounter cyber threats.To enable cooperation in detecting and preventing attacks it is an inevitable necessity to have structured and standardized formats to describe an incident.Corresponding formats are complex and of an extensive nature as they are often designed for automated processing and exchange.These characteristics hamper the readability and,therefore,prevent humans from understanding the documented incident.This is a major problem since the success and effectiveness of any security measure rely heavily on the contribution of security experts.To meet these shortcomings we propose a visual analytics concept enabling security experts to analyze and enrich semi-structured cyber threat intelligence information.Our approach combines an innovative way of persisting this data with an interactive visualization component to analyze and edit the threat information.We demonstrate the feasibility of our concept using the Structured Threat Information eXpression,the state-ofthe-art format for reporting cyber security issues.

RBFK cipher:a randomized butterfly architecture‑based lightweight block cipher for IoT devices in the edge computing environment

Internet security has become a major concern with the growing use of the Internet of Things(IoT)and edge computing technologies.Even though data processing is handled by the edge server,sensitive data is generated and stored by the IoT devices,which are subject to attack.Since most IoT devices have limited resources,standard security algorithms such as AES,DES,and RSA hamper their ability to run properly.In this paper,a lightweight symmetric key cipher termed randomized butterfly architecture of fast Fourier transform for key(RBFK)cipher is proposed for resource-constrained IoT devices in the edge computing environment.The butterfly architecture is used in the key scheduling system to produce strong round keys for five rounds of the encryption method.The RBFK cipher has two key sizes:64 and 128 bits,with a block size of 64 bits.The RBFK ciphers have a larger avalanche effect due to the butterfly architecture ensuring strong security.The proposed cipher satisfies the Shannon characteristics of confusion and diffusion.The memory usage and execution cycle of the RBFK cipher are assessed using the fair evaluation of the lightweight cryptographic systems(FELICS)tool.The proposed ciphers were also implemented using MATLAB 2021a to test key sensitivity by analyzing the histogram,correlation graph,and entropy of encrypted and decrypted images.Since the RBFK ciphers with minimal computational complexity provide better security than recently proposed competing ciphers,these are suitable for IoT devices in an edge computing environment.

Confidential computing and related technologies:a critical review

This research critically reviews the definition of confidential computing(CC)and the security comparison of CC with other related technologies by the Confidential Computing Consortium(CCC).We demonstrate that the definitions by CCC are ambiguous,incomplete and even conflicting.We also demonstrate that the security comparison of CC with other technologies is neither scientific nor fair.We highlight the issues in the definitions and comparisons and provide initial recommendations for fixing the issues.These recommendations are the first step towards more precise definitions and reliable comparisons in the future.

On the combination of data augmentation method and gated convolution model for building effective and robust intrusion detection

Deep learning(DL)has exhibited its exceptional performance in fields like intrusion detection.Various augmentation methods have been proposed to improve data quality and eventually to enhance the performance of DL models.However,the classic augmentation methods cannot be applied to those DL models which exploit the system-call sequences to detect intrusion.Previously,the seq2seq model has been explored to augment system-call sequences.Following this work,we propose a gated convolutional neural network(GCNN)model to thoroughly extract the potential information of augmented sequences.Also,in order to enhance themodel’s robustness,we adopt adversarial training to reduce the impact of adversarial examples on the model.Adversarial examples used in adversarial training are generated by the proposed adversarial sequence generation algorithm.The experimental results on different verified models show that GCNN model can better obtain the potential information of the augmented data and achieve the best performance.Furthermore,GCNN with adversarial training can enhance robustness significantly.