D. Paul Joseph,P. Viswanathan

DOI: https://doi.org/10.1109/access.2023.3234434

IF: 3.9

2023-01-13

IEEE Access

Abstract:Most traditional digital forensic techniques identify irrelevant files in a corpus using keyword search, frequent hashes, frequent paths, and frequent size methods. These methods are based on Message Digest and Secure Hash Algorithm-1, which result in a hash collision. The threshold criteria of files based on frequent sizes will lead to imprecise threshold values that result in an increased evaluation of irrelevant files. The blacklisted keywords used in forensic search are based on literal and non-lexical, thus resulting in increased false-positive search results and failure to disambiguate unstructured text. Due to this, many extraneous files are also being considered for further investigations, exacerbating the time lag. Moreover, the non-availability of standardized forensic labeled data results in time complexity during the file classification process. This research proposes a three-tier Keyword Metadata Pattern framework to overcome these significant concerns. Initially, Secure Hash algorithm-256 hash for the entire corpus is constructed along with custom regex and stop-words module to overcome hash collision, imprecise threshold values, and eliminate recurrent files. Then blacklisted keywords are constructed by identifying vectorized words that have proximity to overcome traditional keyword search's drawbacks and to overcome false positive results. Dynamic forensic relevant patterns based on massive password datasets are designed to search for unique, relevant patterns to identify the significant files and overcome the time lag. Based on tier-2 results, files are preliminarily classified automatically in O(log n) complexity, and the system is trained with a machine learning model. Finally, when experimentally evaluated, the overall proposed system was found to be very effective, outperforming the existing two-tier model in terms of finding relevant files - y automated labeling and classification in O(nlog n) complexity. Our proposed model could eliminate 223K irrelevant files and reduce the corpus by 4.1% in tier-1, identify 16.06% of sensitive files in tier-2, and classify files with 91% precision, 95% sensitivity, 91% accuracy, and 0.11% Hamming loss compared to the two-tier system.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xiaoyu Du,Mark Scanlon

DOI: https://doi.org/10.1145/3339252.3340517

2019-07-02

Abstract:The ever increasing volume of data in digital forensic investigation is one of the most discussed challenges in the field. Usually, most of the file artefacts on seized devices are not pertinent to the investigation. Manually retrieving suspicious files relevant to the investigation is akin to finding a needle in a haystack. In this paper, a methodology for the automatic prioritisation of suspicious file artefacts (i.e., file artefacts that are pertinent to the investigation) is proposed to reduce the manual analysis effort required. This methodology is designed to work in a human-in-the-loop fashion. In other words, it predicts/recommends that an artefact is likely to be suspicious rather than giving the final analysis result. A supervised machine learning approach is employed, which leverages the recorded results of previously processed cases. The process of features extraction, dataset generation, training and evaluation are presented in this paper. In addition, a toolkit for data extraction from disk images is outlined, which enables this method to be integrated with the conventional investigation process and work in an automated fashion.

Cryptography and Security,Machine Learning

Yoan Chabot,Aurélie Bertaux,Christophe Nicollea,Tahar Kechadi

DOI: https://doi.org/10.1016/j.diin.2014.05.009

2019-02-21

Abstract:Having a clear view of events that occurred over time is a difficult objective to achieve in digital investigations (DI). Event reconstruction, which allows investigators to understand the timeline of a crime, is one of the most important step of a DI process. This complex task requires exploration of a large amount of events due to the pervasiveness of new technologies nowadays. Any evidence produced at the end of the investigative process must also meet the requirements of the courts, such as reproducibility, verifiability, validation, etc. For this purpose, we propose a new methodology, supported by theoretical concepts, that can assist investigators through the whole process including the construction and the interpretation of the events describing the case. The proposed approach is based on a model which integrates knowledge of experts from the fields of digital forensics and software development to allow a semantically rich representation of events related to the incident. The main purpose of this model is to allow the analysis of these events in an automatic and efficient way. This paper describes the approach and then focuses on the main conceptual and formal aspects: a formal incident modelization and operators for timeline reconstruction and analysis.

Computers and Society,Cryptography and Security,Machine Learning

Joshua I. James,Alejandra Lopez-Fernandez,Pavel Gladyshev

DOI: https://doi.org/10.48550/arXiv.1502.05186

2015-02-18

Computers and Society

Abstract:This work presents a method for the measurement of the accuracy of evidential artifact extraction and categorization tasks in digital forensic investigations. Instead of focusing on the measurement of accuracy and errors in the functions of digital forensic tools, this work proposes the application of information retrieval measurement techniques that allow the incorporation of errors introduced by tools and analysis processes. This method uses a `gold standard' that is the collection of evidential objects determined by a digital investigator from suspect data with an unknown ground truth. This work proposes that the accuracy of tools and investigation processes can be evaluated compared to the derived gold standard using common precision and recall values. Two example case studies are presented showing the measurement of the accuracy of automated analysis tools as compared to an in-depth analysis by an expert. It is shown that such measurement can allow investigators to determine changes in accuracy of their processes over time, and determine if such a change is caused by their tools or knowledge.

Yiheng Duan,Xiao Fu,Bin Luo,Ziqi Wang,Jin Shi,Xiaojiang (James) Du

DOI: https://doi.org/10.1109/icc.2015.7249229

2015-01-01

Abstract:Current memory forensic methods mainly focus on evidence collection and data recovery. A little work is about how to automatically identify malwares from many unknown processes and analyze their behaviors in high semantic level so as to collect related evidences. In fact, in real cases, investigators are often faced with large number of processes that they have no knowledge of. Although current malware detection tools could provide some help, they usually can't illustrate the purposes, abilities and behavior details of malwares and are thus often not fit for the forensic requirements. In this paper, we present a framework named Detective to cope with these issues. Given a set of unknown processes, Detective can classify benign and malware processes automatically. This is implemented by HNB classifying algorithm and a Dynamic-Link Libraries-based model. Detective could then explain malware behaviors in high semantic level through clustering and frequent item sets mining techniques. Besides, Detective sheds light on evidence collection by the information obtained from previous steps. Detective is applicable for both online and offline forensic scenarios. Experiments on real-world malware set have proved that the accuracy of Detective is above 90% and the time cost is only several seconds.

Raymond Y. K. Lau,Yunqing Xia

DOI: https://doi.org/10.7763/ijfcc.2013.v2.187

2013-01-01

International Journal of Future Computer and Communication

Abstract:Recent research reveals that the number of cyber-attacks has been doubled in the past three years. This is a devastating growth of the number of cyber-attacks, and it reveals a serious business problem around the world. Existing intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and anti-malware systems mainly rely on low-level network traffic features or program code signatures to detect cyber-attacks. However, since hackers can constantly change their attack tactics by, it is extremely difficult for existing security solutions to detect cyber-attacks. There are increasing more evidences showing that cybercriminals tend to exchange cybercrime knowledge and transact via online social media. Accordingly, it presents unprecedented opportunities for security intelligence experts to tap into online social media to extract the vital security intelligence for cyber-attack forensics. The main contributions of this paper are the design, development, and evaluation of a Latent Dirichlet Allocation (LDA)-based latent text mining model for cyber-attack forensics. Our preliminary evaluation of the proposed latent text mining model based on a real-world data set crawled from Twitter and Blog sites shows that it significantly outperforms the probabilistic latent semantic indexing (pLSI) method in terms of extracting more relevant and richer concepts describing real-world cyber-attack incidents.

Sara Abdellaoui,Emil Dumitrescu,Cédric Escudero,Eric Zamaï

2024-05-02

Abstract:Monitored data collected from railway turnouts are vulnerable to cyberattacks: attackers may either conceal failures or trigger unnecessary maintenance actions. To address this issue, a cyberattack investigation method is proposed based on predictions made from the temporal evolution of the turnout behavior. These predictions are then compared to the field acquired data to detect any discrepancy. This method is illustrated on a collection of real-life data.

Cryptography and Security,Machine Learning,Systems and Control

ZengRi Zeng,Peng Xun,Wei Peng,BaoKang Zhao

DOI: https://doi.org/10.1016/j.jisa.2023.103644

IF: 4.96

2023-12-07

Journal of Information Security and Applications

Abstract:The main methods for protecting user privacy and addressing cybersecurity problems caused by encrypted traffic are non-decryption detection approaches. However, these methods face problems such as the small number of trainable features and imbalanced training datasets, which seriously affect the robustness of existing malicious encrypted traffic detection systems (TDSs). To address these issues, we identify malicious encrypted traffic with a causality explainable detection system (METCXDS). Our detection tasks increase the number of noncryptographic features and eliminate noise features to improve interpretability . First, we extract and recombine temporal and statistical features to increase the number of trainable features. Then, the influence of causal features on the results is enhanced by weighting causal reasoning features, and noise features with low weights are removed to improve the causal interpretability of the detection results. Furthermore, samples are generated through a Wasserstein generative adversarial network (WGAN) that learns the causal feature distribution to balance the training samples. Finally, the METCXDS performance is evaluated through the detection balance index and causal feature index. On the CICIDS2017 and DoHBrw2020 datasets, compared with previous TDSs, our system improves the overall F1 score by up to >10 %. And the causality of the detection results is verified by the causal effects, which identify the causes of anomalies in encrypted traffic and clarify the decision-making process of the detection system.

computer science, information systems

Nikita Rana,Gunjan Sansanwal,Kiran Khatter,Sukhdev Singh

DOI: https://doi.org/10.48550/arXiv.1709.06529

2017-08-17

Abstract:In today's world of computers, any kind of information can be made available within few clicks for different endeavors. The information may be tampered by changing the statistical properties and can be further used for criminal activities. These days, Cyber crimes are happening at a very large scale, and possess big threats to the security of an individual, firm, industry and even to developed countries. To combat such crimes, law enforcement agencies and investment institutions are incorporating supportive examination policies, procedures and protocols to address the complete investigation process. The paper entails a detailed review of several cyber crimes followed by various digital forensics processes involved in the cyber crime investigation. Further various digital forensics tools with detail explanation are discussed with their advantages, disadvantages, challenges, and drawbacks. A comparison among all the selected tools is also presented. Finally the paper recommends the need of training programs for the first res ponder and judgement of signature based image authentication.

Computers and Society,Cryptography and Security

Chengyu Song,Linru Ma,Jianming Zheng,Jinzhi Liao,Hongyu Kuang,Lin Yang

2024-08-12

Abstract:Log-based insider threat detection (ITD) detects malicious user activities by auditing log entries. Recently, large language models (LLMs) with strong common sense knowledge have emerged in the domain of ITD. Nevertheless, diverse activity types and overlong log files pose a significant challenge for LLMs in directly discerning malicious ones within myriads of normal activities. Furthermore, the faithfulness hallucination issue from LLMs aggravates its application difficulty in ITD, as the generated conclusion may not align with user commands and activity context. In response to these challenges, we introduce Audit-LLM, a multi-agent log-based insider threat detection framework comprising three collaborative agents: (i) the Decomposer agent, breaking down the complex ITD task into manageable sub-tasks using Chain-of-Thought (COT) reasoning;(ii) the Tool Builder agent, creating reusable tools for sub-tasks to overcome context length limitations in LLMs; and (iii) the Executor agent, generating the final detection conclusion by invoking constructed tools. To enhance conclusion accuracy, we propose a pair-wise Evidence-based Multi-agent Debate (EMAD) mechanism, where two independent Executors iteratively refine their conclusions through reasoning exchange to reach a consensus. Comprehensive experiments conducted on three publicly available ITD datasets-CERT r4.2, CERT r5.2, and PicoDomain-demonstrate the superiority of our method over existing baselines and show that the proposed EMAD significantly improves the faithfulness of explanations generated by LLMs.

Cryptography and Security,Artificial Intelligence

Miguel Ferreira,Muhammad Bilal Zafar,Krishna P. Gummadi

DOI: https://doi.org/10.48550/arXiv.1610.10064

2016-11-01

Abstract:Bringing transparency to black-box decision making systems (DMS) has been a topic of increasing research interest in recent years. Traditional active and passive approaches to make these systems transparent are often limited by scalability and/or feasibility issues. In this paper, we propose a new notion of black-box DMS transparency, named, temporal transparency, whose goal is to detect if/when the DMS policy changes over time, and is mostly invariant to the drawbacks of traditional approaches. We map our notion of temporal transparency to time series changepoint detection methods, and develop a framework to detect policy changes in real-world DMS's. Experiments on New York Stop-question-and-frisk dataset reveal a number of publicly announced and unannounced policy changes, highlighting the utility of our framework.

Machine Learning,Computers and Society

Xiao Fu,Xiaojiang Du,Bin Luo,Jin Shi,Zhitao Guan,Yuhua Wang

DOI: https://doi.org/10.1109/infcomw.2015.7179370

2015-01-01

Abstract:Nowadays in order to process and store many kinds of multimedia data, the storage capability of memory has grown greatly. Moreover the widespread use of mobile devices and cloud computing has made criminal investigators often face a lot of memory dumps. They have to deal with a large quantity of memory data and complex OS data structures which they have little knowledge of. How to analyze memory evidence automatically in order to find hidden criminal behavior and reconstruct the criminal scenario in an understandable way has become an important problem. Current memory analysis methods usually aim at recovering certain data structures. The illegal behavior identification and the event reconstruction are still completed manually by investigators. This paper presents a novel method to correlate processes for automatic memory evidence analysis. Through analyzing key OS data structures and utilizing a clustering algorithm, it can discover the relationships among processes. And by describing these relationships as correlation graphs, our method can display evidence in a high semantic level. Some experiments have proved that these correlation graphs can help investigators find hidden criminal behavior and reconstruct the criminal scenarios.

Shahar Somin,Keeley Erhardt,Alex 'Sandy' Pentland

2024-07-05

Abstract:Technological advancements have significantly transformed communication patterns, introducing a diverse array of online platforms, thereby prompting individuals to use multiple profiles for different domains and objectives. Enhancing the understanding of cross domain identity matching capabilities is essential, not only for practical applications such as commercial strategies and cybersecurity measures, but also for theoretical insights into the privacy implications of data disclosure. In this study, we demonstrate that individual temporal data, in the form of inter-event times distribution, constitutes an individual temporal fingerprint, allowing for matching profiles across different domains back to their associated real-world entity. We evaluate our methodology on encrypted digital trading platforms within the Ethereum Blockchain and present impressing results in matching identities across these privacy-preserving domains, while outperforming previously suggested models. Our findings indicate that simply knowing when an individual is active, even if information about who they talk to and what they discuss is lacking, poses risks to users' privacy, highlighting the inherent challenges in preserving privacy in today's digital landscape.

Cryptography and Security

Ángel Luis Perales Gómez,Enrique Tomás Martínez Beltrán,Pedro Miguel Sánchez Sánchez,Alberto Huertas Celdrán

2023-08-07

Abstract:Industry 4.0 has brought numerous advantages, such as increasing productivity through automation. However, it also presents major cybersecurity issues such as cyberattacks affecting industrial processes. Federated Learning (FL) combined with time-series analysis is a promising cyberattack detection mechanism proposed in the literature. However, the fact of having a single point of failure and network bottleneck are critical challenges that need to be tackled. Thus, this article explores the benefits of the Decentralized Federated Learning (DFL) in terms of cyberattack detection and resource consumption. The work presents TemporalFED, a software module for detecting anomalies in industrial environments using FL paradigms and time series. TemporalFED incorporates three components: Time Series Conversion, Feature Engineering, and Time Series Stationary Conversion. To evaluate TemporalFED, it was deployed on Fedstellar, a DFL framework. Then, a pool of experiments measured the detection performance and resource consumption in a chemical gas industrial environment with different time-series configurations, FL paradigms, and topologies. The results showcase the superiority of the configuration utilizing DFL and Semi-Decentralized Federated Learning (SDFL) paradigms, along with a fully connected topology, which achieved the best performance in anomaly detection. Regarding resource consumption, the configuration without feature engineering employed less bandwidth, CPU, and RAM than other configurations.

Cryptography and Security

Nickson M Karie,Victor R Kebande,H S Venter

DOI: https://doi.org/10.1016/j.fsisyn.2019.03.006

2019-04-04

Abstract:More than ever before, the world is nowadays experiencing increased cyber-attacks in all areas of our daily lives. This situation has made combating cybercrimes a daily struggle for both individuals and organisations. Furthermore, this struggle has been aggravated by the fact that today's cybercriminals have gone a step ahead and are able to employ complicated cyber-attack techniques. Some of those techniques are minuscule and inconspicuous in nature and often camouflage in the facade of authentic requests and commands. In order to combat this menace, especially after a security incident has happened, cyber security professionals as well as digital forensic investigators are always forced to sift through large and complex pools of data also known as Big Data in an effort to unveil Potential Digital Evidence (PDE) that can be used to support litigations. Gathered PDE can then be used to help investigators arrive at particular conclusions and/or decisions. In the case of cyber forensics, what makes the process even tough for investigators is the fact that Big Data often comes from multiple sources and has different file formats. Forensic investigators often have less time and budget to handle the increased demands when it comes to the analysis of these large amounts of complex data for forensic purposes. It is for this reason that the authors in this paper have realised that Deep Learning (DL), which is a subset of Artificial Intelligence (AI), has very distinct use-cases in the domain of cyber forensics, and even if many people might argue that it's not an unrivalled solution, it can help enhance the fight against cybercrime. This paper therefore proposes a generic framework for diverging DL cognitive computing techniques into Cyber Forensics (CF) hereafter referred to as the DLCF Framework. DL uses some machine learning techniques to solve problems through the use of neural networks that simulate human decision-making. Based on these grounds, DL holds the potential to dramatically change the domain of CF in a variety of ways as well as provide solutions to forensic investigators. Such solutions can range from, reducing bias in forensic investigations to challenging what evidence is considered admissible in a court of law or any civil hearing and many more.

Chao Shen,Zhongmin Cai,Roy A. Maxion,Xiaohong Guan

DOI: https://doi.org/10.1007/978-3-662-43886-2_16

2014-01-01

Abstract:Demographic information has a rich context from which to make decisions about how to filter or individualize computer users in forensic analysis. Although current explorations into technologies such as face and fingerprint analysis have seen varying rates of success, two main problems limit their applicability in the context of computer crimes: they can be intrusive, and they can require costly equipment. Our solution is to determine users' demographic traits by analyzing the interactions between users and computers. We conducted a field study that gathered users' keystroke and mouse data during interaction with a computer. From user interaction data, we extracted keystroke timing and mouse movement features, and developed weighted random forest classifiers for five demographic traits: gender, age, ethnicity, handedness, and language. Experiments showed that these demographics can be accurately inferred from user interaction behavior, with recognition rates expressed by the area under the ROC curve (AUC) ranging from 82.11 % to 87.32 %.

Xiu Ma,Fangtao Zhang,Weiqing Huang

DOI: https://doi.org/10.1109/IJCNN55064.2022.9892163

2022-07-18

Abstract:Insider threat problems have occurred frequently and caused significant damage to organizations. Many existing techniques represent the user activities recorded in audit data as sequential data to capture the differences between benign and malicious users' behavior. However, multi-granular temporal information of user activity has not been explored adequately, especially for these rare malicious samples. This paper focuses on user behavior Sequences and proposes an Augmentation framework to boost the performance on Insider Threat Detection (SeqA-ITD). SeqA-ITD first embeds temporal information into user behavior sequences and then captures malicious user behavior's temporal and sequential patterns to generate discrete temporal sequences. A multi-granular enhanced Long Short-Term Memory (LSTM) model learns the original and generated temporal sequences with distinct temporal granularities to detect abnormal ones. To verify the effectiveness of our proposed method, we conduct comparison experiments on the Cert 4.2 dataset. Our proposed model achieves an F1-score of 0.9585 in day-level insider threat detection and outperforms baselines.

Computer Science

Gaia Saveri,Luca Bortolussi

2024-05-23

Abstract:The integration of cyber-physical systems (CPS) into everyday life raises the critical necessity of ensuring their safety and reliability. An important step in this direction is requirement mining, i.e. inferring formally specified system properties from observed behaviors, in order to discover knowledge about the system. Signal Temporal Logic (STL) offers a concise yet expressive language for specifying requirements, particularly suited for CPS, where behaviors are typically represented as time series data. This work addresses the task of learning STL requirements from observed behaviors in a data-driven manner, focusing on binary classification, i.e. on inferring properties of the system which are able to discriminate between regular and anomalous behaviour, and that can be used both as classifiers and as monitors of the compliance of the CPS to desirable specifications. We present a novel framework that combines Bayesian Optimization (BO) and Information Retrieval (IR) techniques to simultaneously learn both the structure and the parameters of STL formulae, without restrictions on the STL grammar. Specifically, we propose a framework that leverages a dense vector database containing semantic-preserving continuous representations of millions of formulae, queried for facilitating the mining of requirements inside a BO loop. We demonstrate the effectiveness of our approach in several signal classification applications, showing its ability to extract interpretable insights from system executions and advance the state-of-the-art in requirement mining for CPS.

Machine Learning

Francesco Zola,Lander Segurola,Jan Lukas Bruse,Mikel Galar Idoate

DOI: https://doi.org/10.18239/jornadas_2021.34.12

2021-05-11

Abstract:Graph-based analyses have gained a lot of relevance in the past years due to their high potential in describing complex systems by detailing the actors involved, their relations and their behaviours. Nevertheless, in scenarios where these aspects are evolving over time, it is not easy to extract valuable information or to characterize correctly all the actors. In this study, a two phased approach for exploiting the potential of graph structures in the cybersecurity domain is presented. The main idea is to convert a network classification problem into a graph-based behavioural one. We extract these graph structures that can represent the evolution of both normal and attack entities and apply a temporal dissection approach in order to highlight their micro-dynamics. Further, three clustering techniques are applied to the normal entities in order to aggregate similar behaviours, mitigate the imbalance problem and reduce noisy data. Our approach suggests the implementation of two promising deep learning paradigms for entity classification based on Graph Convolutional Networks.

Machine Learning,Information Theory

Zeliang Kan,Shae McFadden,Daniel Arp,Feargus Pendlebury,Roberto Jordaney,Johannes Kinder,Fabio Pierazzi,Lorenzo Cavallaro

2024-02-02

Abstract:Machine learning (ML) plays a pivotal role in detecting malicious software. Despite the high F1-scores reported in numerous studies reaching upwards of 0.99, the issue is not completely solved. Malware detectors often experience performance decay due to constantly evolving operating systems and attack methods, which can render previously learned knowledge insufficient for accurate decision-making on new inputs. This paper argues that commonly reported results are inflated due to two pervasive sources of experimental bias in the detection task: spatial bias caused by data distributions that are not representative of a real-world deployment; and temporal bias caused by incorrect time splits of data, leading to unrealistic configurations. To address these biases, we introduce a set of constraints for fair experiment design, and propose a new metric, AUT, for classifier robustness in real-world settings. We additionally propose an algorithm designed to tune training data to enhance classifier performance. Finally, we present TESSERACT, an open-source framework for realistic classifier comparison. Our evaluation encompasses both traditional ML and deep learning methods, examining published works on an extensive Android dataset with 259,230 samples over a five-year span. Additionally, we conduct case studies in the Windows PE and PDF domains. Our findings identify the existence of biases in previous studies and reveal that significant performance enhancements are possible through appropriate, periodic tuning. We explore how mitigation strategies may support in achieving a more stable and better performance over time by employing multiple strategies to delay performance decay.

Machine Learning,Cryptography and Security,Performance