Xiuwen Liu,Jianming Fu,Yanjiao Chen

DOI: https://doi.org/10.1016/j.ins.2020.03.048

IF: 8.1

2020-01-01

Information Sciences

Abstract:The rich source of online reports and discussions on social media can be leveraged to investigate the widespread cyber-attacks. In this paper, we study the problem of cybersecurity event mining based on continuous tweet streams. In contrast to traditional static methods that do not consider event evolution, we explore relevance among historical and online events for cyber-attack event discovery and evolution detection. We propose CyberEM, a novel event evolution model with a special focus on cybersecurity events. A pattern clustering algorithm and an NMF-based (non-negative matrix factorization) event aggregation algorithm are devised for cyber-attack indicator extraction and event evolution detection. We leverage both the patterns that belong to the cybersecurity domain and the patterns of the semantic contexts of cybersecurity to refine evolutionary relevance of events across multiple time intervals. Furthermore, we design a dynamic event inference algorithm to discover cybersecurity events and update event aggregation in an online manner. Through extensive evaluations with a large-scale real-world tweet dataset, we demonstrate the superiority of the proposed CyberEM model over existing methods in identifying cybersecurity events and their evolutionary relevance.

Thea Riebe,Tristan Wirth,Markus Bayer,Philipp Kühn,Marc-André Kaufhold,Volker Knauthe,Stefan Guthe,Christian Reuter

DOI: https://doi.org/10.1007/978-3-030-86890-1_24

2021-01-01

Abstract:Receiving relevant information on possible cyber threats, attacks, and data breaches in a timely manner is crucial for early response. The social media platform Twitter hosts an active cyber security community. Their activities are often monitored manually by security experts, such as Computer Emergency Response Teams (CERTs). We thus propose a Twitter-based alert generation system that issues alerts to a system operator as soon as new relevant cyber security related topics emerge. Thereby, our system allows us to monitor user accounts with significantly less workload. Our system applies a supervised classifier, based on active learning, that detects tweets containing relevant information. The results indicate that uncertainty sampling can reduce the amount of manual relevance classification effort and enhance the classifier performance substantially compared to random sampling. Our approach reduces the number of accounts and tweets that are needed for the classifier training, thus making the tool easily and rapidly adaptable to the specific context while also supporting data minimization for Open Source Intelligence (OSINT). Relevant tweets are clustered by a greedy stream clustering algorithm in order to identify significant events. The proposed system is able to work near real-time within the required 15-min time frameand detects up to 93.8% of relevant events with a false alert rate of 14.81%.

Peng Gao,Xiaoyuan Liu,Edward Choi,Bhavna Soman,Chinmaya Mishra,Kate Farris,Dawn Song

DOI: https://doi.org/10.48550/arXiv.2101.07769

2021-02-27

Abstract:To remain aware of the fast-evolving cyber threat landscape, open-source Cyber Threat Intelligence (OSCTI) has received growing attention from the community. Commonly, knowledge about threats is presented in a vast number of OSCTI reports. Despite the pressing need for high-quality OSCTI, existing OSCTI gathering and management platforms, however, have primarily focused on isolated, low-level Indicators of Compromise. On the other hand, higher-level concepts (e.g., adversary tactics, techniques, and procedures) and their relationships have been overlooked, which contain essential knowledge about threat behaviors that is critical to uncovering the complete threat scenario. To bridge the gap, we propose SecurityKG, a system for automated OSCTI gathering and management. SecurityKG collects OSCTI reports from various sources, uses a combination of AI and NLP techniques to extract high-fidelity knowledge about threat behaviors, and constructs a security knowledge graph. SecurityKG also provides a UI that supports various types of interactivity to facilitate knowledge graph exploration.

Cryptography and Security,Artificial Intelligence,Computation and Language,Databases

Lyudmyla Kirichenko,Tamara Radivilova,Anders Carlsson

DOI: https://doi.org/10.48550/arXiv.1805.06680

2018-05-17

Abstract:This article considers a short survey of basic methods of social networks analysis, which are used for detecting cyber threats. The main types of social network threats are presented. Basic methods of graph theory and data mining, that deals with social networks analysis are described. Typical security tasks of social network analysis, such as community detection in network, detection of leaders in communities, detection experts in networks, clustering text information and others are considered.

Social and Information Networks,Cryptography and Security,Computers and Society

Subil Abraham,Suku Nair

DOI: https://doi.org/10.48550/arXiv.1502.01240

2015-02-04

Cryptography and Security

Abstract:Security metrics serve as a powerful tool for organizations to understand the effectiveness of protecting computer networks. However majority of these measurement techniques don't adequately help corporations to make informed risk management decisions. In this paper we present a stochastic security framework for obtaining quantitative measures of security by taking into account the dynamic attributes associated with vulnerabilities that can change over time. Our model is novel as existing research in attack graph analysis do not consider the temporal aspects associated with the vulnerabilities, such as the availability of exploits and patches which can affect the overall network security based on how the vulnerabilities are interconnected and leveraged to compromise the system. In order to have a more realistic representation of how the security state of the network would vary over time, a nonhomogeneous model is developed which incorporates a time dependent covariate, namely the vulnerability age. The daily transition-probability matrices are estimated using Frei's Vulnerability Lifecycle model. We also leverage the trusted CVSS metric domain to analyze how the total exploitability and impact measures evolve over a time period for a given network.

Jinyan Cheng,Xiaobin Tan,Hao Wang,Jian Wang,Xiaofeng Jiang,Zhaoyan Jin

DOI: https://doi.org/10.1109/bigcom61073.2023.00015

2023-01-01

Abstract:Vulnerability assessment is a critical aspect of cybersecurity, and its importance has grown significantly. However, traditional methods based on attack graph are expensive and lack interpretability. And emerging methods based on knowledge graph, there is currently no widely accepted scheme in the industry. To address this issue, we propose a new scheme named KG-Rank, which leverages the correlations between vulnerabilities and assets through a knowledge graph and improves PageRank to assess and rank vulnerabilities. The KG-Rank scheme involves constructing Vulnerability Knowledge Graph (VKG) and Weakness Knowledge Graph (WKG), and obtaining new relations between weaknesses through relational reasoning on WKG by using a relational reasoning model called Doc2TransR to complete VKG. We then transform the nodes and edges in VKG and assess nodes on the transformed graph using a designed random walk strategy. Our experimental results demonstrate the effectiveness and reliability of KG-Rank, which considers not only the severity of vulnerabilities but also the importance of assets and the exposure scope of vulnerabilities and assets.

Elijah Pelofske,Lorie M. Liebrock,Vincent Urias

2024-10-08

Abstract:Open source intelligence is a powerful tool for cybersecurity analysts to gather information both for analysis of discovered vulnerabilities and for detecting novel cybersecurity threats and exploits. However the scale of information that is relevant for information security on the internet is always increasing, and is intractable for analysts to parse comprehensively. Therefore methods of condensing the available open source intelligence, and automatically developing connections between disparate sources of information, is incredibly valuable. In this research, we present a system which constructs a Neo4j graph database formed by shared connections between open source intelligence text including blogs, cybersecurity bulletins, news sites, antivirus scans, social media posts (e.g., Reddit and Twitter), and threat reports. These connections are comprised of possible indicators of compromise (e.g., IP addresses, domains, hashes, email addresses, phone numbers), information on known exploits and techniques (e.g., CVEs and MITRE ATT&CK Technique ID's), and potential sources of information on cybersecurity exploits such as twitter usernames. The construction of the database of potential IoCs is detailed, including the addition of machine learning and metadata which can be used for filtering of the data for a specific domain (for example a specific natural language) when needed. Examples of utilizing the graph database for querying connections between known malicious IoCs and open source intelligence documents, including threat reports, are shown. We show three specific examples of interesting connections found in the graph database; the connections to a known exploited CVE, a known malicious IP address, and a malware hash signature.

Cryptography and Security

C. Pallavi,R. Girija,S.L. Jayalakshmi

DOI: https://doi.org/10.2139/ssrn.3833455

2021-01-01

SSRN Electronic Journal

Abstract:In this modern era, different cyber-attacks are in active mode, due to the progressions in technology. Day-by-day, the hackers are growing exponentially. In last year, the costs in cybercrime reached up to $2.1 trillion. In such a scenario, security plays a vital role and it must be considered as an important aspect in today’s era. Hence, network security tools and techniques are highly needed to defend availability, confidentiality and integrity of the data. Network security discourses a widespread range of threats and attacks. In this paper, we investigate the effort of security in network and indication of several tools which are mandatory to identify the various threats.

Corren McCoy,Ross Gore,Michael L. Nelson,Michele C. Weigle

2024-06-10

Abstract:The relentless process of tracking and remediating vulnerabilities is a top concern for cybersecurity professionals. The key challenge is trying to identify a remediation scheme specific to in-house, organizational objectives. Without a strategy, the result is a patchwork of fixes applied to a tide of vulnerabilities, any one of which could be the point of failure in an otherwise formidable defense. Given that few vulnerabilities are a focus of real-world attacks, a practical remediation strategy is to identify vulnerabilities likely to be exploited and focus efforts towards remediating those vulnerabilities first. The goal of this research is to demonstrate that aggregating and synthesizing readily accessible, public data sources to provide personalized, automated recommendations for organizations to prioritize their vulnerability management strategy will offer significant improvements over using the Common Vulnerability Scoring System (CVSS). We provide a framework for vulnerability management specifically focused on mitigating threats using adversary criteria derived from MITRE ATT&CK. We test our approach by identifying vulnerabilities in software associated with six universities and four government facilities. Ranking policy performance is measured using the Normalized Discounted Cumulative Gain (nDCG). Our results show an average 71.5% - 91.3% improvement towards the identification of vulnerabilities likely to be targeted and exploited by cyber threat actors. The return on investment (ROI) of patching using our policies results in a savings of 23.3% - 25.5% in annualized costs. Our results demonstrate the efficacy of creating knowledge graphs to link large data sets to facilitate semantic queries and create data-driven, flexible ranking policies.

Cryptography and Security

Fares Alharbi,Gautam Siddharth Kashyap,Kashyap, Gautam Siddharth

DOI: https://doi.org/10.1007/s44227-024-00032-1

2024-06-12

International Journal of Networked and Distributed Computing

Abstract:In the never-ending battle against rising malware threats, cybersecurity professionals were constantly challenged by malware researchers. Businesses and institutions that have fallen prey to these threats that have suffered significant financial losses and enormous disruption to countless lives. As a result, security approaches have evolved to include preemptive measures such as the widespread use of HoneyPots. However, data-driven decision-making was required to improve the effectiveness of such approaches. Therefore, this paper describes a quantitative analysis that assesses various malware samples using system metrics and network log data. The goal is to properly visualise this information and analyse if it can aid in decision-making processes, ultimately leading to the construction of more robust and secure networks. To help with this research, a dashboard application was created that allows the installation of virtual machines, the configuration of virtual networks, and the collection of system metric data from outside sources. The findings of this paper can help greatly improve network security and stay ahead of threats in the cat-and-mouse game.

Steve Kim,Anubhav Nagpal.,R. Ian,Anthony Glover,Marilyn H. Silva

Abstract:The usage of Social Network Sites has increased rapidly in recent years. The area of Social Networking currently has many security issues. Since the success of a Social Network Site depends on the number of users it attracts, there is pressure on providers of Social Network sites to design systems that encourage behavior which increases both the number of users and their connections. However, like any fast-growing technology, security has not been a high priority in the development of Social Network Sites. As a result, along with the benefits of Social Network Sites, significant security risks have resulted. Providing Social Network Site users with tools which will help protect them is ideal. Making tools available to users which can provide the ability to retrieve other online user information via chat, website, along other tools which can be installed on the user’s computer will be ideal in helping to tackle such issues. These will be the tools addressed in the paper.

Computer Science,Engineering

V. Balatska,M. Shabatura

DOI: https://doi.org/10.32447/20784643.20.2019.01

2020-01-22

Bulletin of Lviv State University of Life Safety

Abstract:For today, computer networks are an integral part of our daily lives. As the analysis shows, the network is ex-tremely vulnerable, it can serve as a place of information leakage, changes of configuration of settings and modification of data by the attackers. There are many more threats, and the security of the network requires a great deal of attention to ensure the security of the network in order to maintain the confidentiality and integrity of the data. Organizations must regularly assess the vulnerability of the entire network to test the security level and strengthen the network. We use vulnerability scanners to find weaknesses, which are useful for detecting security vulnerabilities on a case-by-case basis and across the network as a whole. The purpose of the work is to explore the computer network for vulnerabilities using the Nessus Professional scanner. Research Methods – network scanning by Nessus Professional vulnerability scanner. The Nessus Professional vulnerability scanner from Tenable Network Security, which is freely available, was used for the research. The Nessus Professional scanner has been found to have better functionality and performance than other available scanners. The only downside to the scanner is its cost per year, as well as scanning a large number of hosts on the network at a time (over 100 hosts). After the scanner was successfully installed, carried out it was in-spected from the moment it was launched to the generation of host test reports. For the work, the Lviv State University of Life Safety network was tested. In the post-scan report, which is displayed in HTML format, you can see scan details for each host; the number and nature of vulnerabilities; the error correction dashboard. According to the results of testing, vulnerabilities of low, medium and high levels of hazards were identified, totaling 376. Vulnerabilities were ana-lyzed based on the obtained results, namely: a brief description and a way to solve the problem.

Bo Yan,Cheng Yang,Chuan Shi,Yong Fang,Qi Li,Yanfang Ye,Junping Du

DOI: https://doi.org/10.1145/3610228

IF: 4.157

2023-07-19

ACM Transactions on Knowledge Discovery from Data

Abstract:The explosive growth of cyber attacks nowadays, such as malware, spam, and intrusions, caused severe consequences on society. Securing cyberspace has become an utmost concern for organizations and governments. Traditional Machine Learning (ML) based methods are extensively used in detecting cyber threats, but they hardly model the correlations between real-world cyber entities. In recent years, with the proliferation of graph mining techniques, many researchers investigated these techniques for capturing correlations between cyber entities and achieving high performance. It is imperative to summarize existing graph-based cybersecurity solutions to provide a guide for future studies. Therefore, as a key contribution of this paper, we provide a comprehensive review of graph mining for cybersecurity, including an overview of cybersecurity tasks, the typical graph mining techniques, and the general process of applying them to cybersecurity, as well as various solutions for different cybersecurity tasks. For each task, we probe into relevant methods and highlight the graph types, graph approaches, and task levels in their modeling. Furthermore, we collect open datasets and toolkits for graph-based cybersecurity. Finally, we outlook the potential directions of this field for future research.

computer science, information systems, software engineering

Nan Sun,Jun Zhang,Shang Gao,Leo Yu Zhang,Seyit Camtepe,Yang Xiang

DOI: https://doi.org/10.24251/HICSS.2021.749

2021-01-01

Abstract:Large volumes of Cybersecurity-related data is generated every day from various sources at high speed to adapt to the fast-evolving landscape of cybersecurity. It drives the emergence of challenges such as the efficient gathering of in-demand information from unstructured and heterogeneous data sources. After collecting sufficient data, it is hard for users to understand the message hidden behind without adequate security domain knowledge. To help address this problem, in this paper, we present My Security, an innovative search engine for gathering, managing, and understanding cybersecurity-related data. My Security is based on a novel indexing approach that stores both the information of data sources (e.g., publication date, authorship) and the pragmatics messages, including security category (e.g., ransomware, data breach) and corresponding security components (e.g., time of the event, impacted systems). With the established index, users can retrieve cybersecurity information through comprehensive approaches. Fetched results are provided with interpretations leveraged from pragmatics indexing. Additional data mining and visualization techniques enhance the interactivity of My Security by presenting the retrieved results in a clear and comprehensible manner with cybersecurity expertise. It is demonstrated that My Security is efficient at satisfying users' requirements for searching security data and helping people gain better insights into cybersecurity.

Leonardo Ferreira,Daniel Castro Silva,Mikel Uriarte Itzazelaia

DOI: https://doi.org/10.1007/s10115-023-01906-6

IF: 2.7

2023-06-07

Knowledge and Information Systems

Abstract:With the growth of CyberTerrorism, enterprises worldwide have been struggling to stop intruders from obtaining private data. Despite the efforts made by Cybersecurity experts, the shortage of skillful security teams and the usage of intelligent attacks have slowed down the enhancement of defense mechanisms. Furthermore, the pandemic in 2020 forced organizations to work in remote environments with poor security, leading to increased cyberattacks. One possible solution for these problems is the implementation of Recommender Systems to assist Cybersecurity human operators. Our goal is to survey the application of Recommender Systems in Cybersecurity architectures. These decision-support tools deal with information overload through filtering and prioritization methods, allowing businesses to increase revenue, achieve better user satisfaction, and make faster and more efficient decisions in various domains (e-commerce, healthcare, finance, and other fields). Several reports demonstrate the potential of using these recommendation structures to enhance the detection and prevention of cyberattacks and aid Cybersecurity experts in treating client incidents. This survey discusses several studies where Recommender Systems are implemented in Cybersecurity with encouraging results. One promising direction explored by the community is using Recommender Systems as attack predictors and navigation assistance tools. As contributions, we show the recent efforts in this area and summarize them in a table. Furthermore, we provide an in-depth analysis of potential research lines. For example, the inclusion of Recommender Systems in security information event management systems and security orchestration, automation, and response applications could decrease their complexity and information overload.

computer science, information systems, artificial intelligence

Zhengbing Hu,Roman Odarchenko,Sergiy Gnatyuk,Maksym Zaliskyi,Anastasia Chaplits,Sergiy Bondar,Vadim Borovik,

DOI: https://doi.org/10.5815/ijcnis.2020.06.01

2021-12-08

International Journal of Computer Network and Information Security

Abstract:Represented paper is currently topical, because of year on year increasing quantity and diversity of attacks on computer networks that causes significant losses for companies. This work provides abilities of such problems solving as: existing methods of location of anomalies and current hazards at networks, statistical methods consideration, as effective methods of anomaly detection and experimental discovery of choosed method effectiveness. The method of network traffic capture and analysis during the network segment passive monitoring is considered in this work. Also, the processing way of numerous network traffic indexes for further network information safety level evaluation is proposed. Represented methods and concepts usage allows increasing of network segment reliability at the expense of operative network anomalies capturing, that could testify about possible hazards and such information is very useful for the network administrator. To get a proof of the method effectiveness, several network attacks, whose data is storing in specialised DARPA dataset, were chosen. Relevant parameters for every attack type were calculated. In such a way, start and termination time of the attack could be obtained by this method with insignificant error for some methods.

Erik Hemberg,Jonathan Kelly,Michal Shlapentokh-Rothman,Bryn Reinstadler,Katherine Xu,Nick Rutar,Una-May O'Reilly

DOI: https://doi.org/10.48550/arXiv.2010.00533

2021-02-11

Abstract:Many public sources of cyber threat and vulnerability information exist to help defend cyber systems. This paper links MITRE's ATT&CK MATRIX of Tactics and Techniques, NIST's Common Weakness Enumerations (CWE), Common Vulnerabilities and Exposures (CVE), and Common Attack Pattern Enumeration and Classification list (CAPEC), to gain further insight from alerts, threats and vulnerabilities. We preserve all entries and relations of the sources, while enabling bi-directional, relational path tracing within an aggregate data graph called BRON. In one example, we use BRON to enhance the information derived from a list of the top 10 most frequently exploited CVEs. We identify attack patterns, tactics, and techniques that exploit these CVEs and also uncover a disparity in how much linked information exists for each of these CVEs. This prompts us to further inventory BRON's collection of sources to provide a view of the extent and range of the coverage and blind spots of public data sources.

Cryptography and Security

Xu Wu,Dezhi Wei,Bharati P. Vasgi,Ahmed Kareem Oleiwi,Sunil L. Bangare,Evans Asenso

DOI: https://doi.org/10.1155/2022/3639174

IF: 1.968

2022-07-22

Security and Communication Networks

Abstract:Network security situation awareness is a critical basis for security solutions because it displays the target system's security state by assessing actual or possible cyber-attacks in the target system. Aiming at the security and stability of global information flow, this paper studies the perception and measurement of the overall situation of network security. Through the Scrappy web crawler framework, data were collected from several Zhiming network security event websites, and based on the vulnerability database of China Computer Network Intrusion Prevention Center, the network security event database was designed and established, which enriched the data of situational awareness research. This study investigates the analysis and processing of network security events, a crucial parameter in the stage of security insight and perception, and builds and implements a text-based network security event analysis tool. By designing a network security event analysis tool based on text processing, the data cleaning of network security time text information is completed, and a set of network security event processing solutions with high applicability and comprehensiveness are formed. Statistical experimental results show that the network security event database built based on the crawler algorithm contains 43,848 pieces of data, which increases the capacity by 12.79% and 29.33% compared with the traditional algorithm, and reduces the reading time by 63.5% and 87.2%.

computer science, information systems,telecommunications

Xin Jin,Charalampos Katsis,Fan Sang,Jiahao Sun,Elisa Bertino,Ramana Rao Kompella,Ashish Kundu

2024-05-01

Abstract:The rampant occurrence of cybersecurity breaches imposes substantial limitations on the progress of network infrastructures, leading to compromised data, financial losses, potential harm to individuals, and disruptions in essential services. The current security landscape demands the urgent development of a holistic security assessment solution that encompasses vulnerability analysis and investigates the potential exploitation of these vulnerabilities as attack paths. In this paper, we propose Graphene, an advanced system designed to provide a detailed analysis of the security posture of computing infrastructures. Using user-provided information, such as device details and software versions, Graphene performs a comprehensive security assessment. This assessment includes identifying associated vulnerabilities and constructing potential attack graphs that adversaries can exploit. Furthermore, Graphene evaluates the exploitability of these attack paths and quantifies the overall security posture through a scoring mechanism. The system takes a holistic approach by analyzing security layers encompassing hardware, system, network, and cryptography. Furthermore, Graphene delves into the interconnections between these layers, exploring how vulnerabilities in one layer can be leveraged to exploit vulnerabilities in others. In this paper, we present the end-to-end pipeline implemented in Graphene, showcasing the systematic approach adopted for conducting this thorough security analysis.

Cryptography and Security,Computation and Language,Machine Learning