Yinan Wang,Wei Li,Gangfeng Yan,Sumian Song

DOI: https://doi.org/10.1109/icit.2017.7915433

2017-01-01

Abstract:This paper proposes an unified framework for electrical cyber physical systems (ECPSs) and studies the mechanism of cyber attacks and cyber security. Communication networks are designed by characteristics of power grids. This model is universal to both transmission and distribution grids. The fragility of ECPSs under cyber attacks (DoS attacks and false data injection attacks) is analyzed in three scenarios based on different types and attackers' acknowledgments of the ECPSs. It has been proved that attacks happen at information uploading routers or control strategy downloading routers will influence the system differently. The effectiveness of relay protection policies and cyber security policies are verified by experimental results.

Gordon Werner,Shanchieh Yang,Katie McConky

DOI: https://doi.org/10.1145/3064814.3064831

2017-04-04

Abstract:Cyber attacks occur on a near daily basis and are becoming exponentially more common. While some research aims to detect the characteristics of an attack, little focus has been given to patterns of attacks in general. This paper aims to exploit temporal correlations between the number of attacks per day in order to predict future intensity of cyber incidents. Through analysis of attack data collected from Hackmageddon, correlation was found among reported attack volume in consecutive days. This paper presents a forecasting system that aims to predict the number of cyber attacks on a given day based only on a set of historical attack count data. Our system conducts ARIMA time series forecasting on all previously collected incidents to predict the expected number of attacks on a future date. Our tool is able to use only a subset of data relevant to a specific attack method. Prediction models are dynamically updated over time as new data is collected to improve accuracy. Our system outperforms naive forecasting methods by 14.1% when predicting attacks of any type, and up to 21.2% when forecasting attacks of a specific type. Our system also produces a model which more accurately predicts future cyber attack intensity behavior.

Haicheng Tu,Hui-Liang Shen,Yongxiang Xia

DOI: https://doi.org/10.1109/iscas45731.2020.9180816

2020-01-01

Abstract:Under the variety of information and communication technologies, the control center can securely and reliably operate power grid during the system disturbances and natural events. Specifically, when the initial failures are detected by cyber monitoring, the system will timely take emergency protecting operations to restrain the spreading of failures. Although cyber network makes the system more robust, they also increase the risk from the cyber network. In this paper, we firstly consider a control strategy into the cascading failures model. Then, we study how the cyber attack - False negatives attack confuses the control center, and makes the control center can not take emergency operation timely, causing the failure continue spreading. We propose an optimization problem to model the above assumptions and, by solving the optimization problem, study the impact of different attack scenarios on power system.

Zhengbing Hu,Roman Odarchenko,Sergiy Gnatyuk,Maksym Zaliskyi,Anastasia Chaplits,Sergiy Bondar,Vadim Borovik,

DOI: https://doi.org/10.5815/ijcnis.2020.06.01

2021-12-08

International Journal of Computer Network and Information Security

Abstract:Represented paper is currently topical, because of year on year increasing quantity and diversity of attacks on computer networks that causes significant losses for companies. This work provides abilities of such problems solving as: existing methods of location of anomalies and current hazards at networks, statistical methods consideration, as effective methods of anomaly detection and experimental discovery of choosed method effectiveness. The method of network traffic capture and analysis during the network segment passive monitoring is considered in this work. Also, the processing way of numerous network traffic indexes for further network information safety level evaluation is proposed. Represented methods and concepts usage allows increasing of network segment reliability at the expense of operative network anomalies capturing, that could testify about possible hazards and such information is very useful for the network administrator. To get a proof of the method effectiveness, several network attacks, whose data is storing in specialised DARPA dataset, were chosen. Relevant parameters for every attack type were calculated. In such a way, start and termination time of the attack could be obtained by this method with insignificant error for some methods.

Yu-Zhong Chen,Zi-Gang Huang,Shouhuai Xu,Ying-Cheng Lai

DOI: https://doi.org/10.1371/journal.pone.0124472

2016-03-24

Abstract:A relatively unexplored issue in cybersecurity science and engineering is whether there exist intrinsic patterns of cyberattacks. Conventional wisdom favors absence of such patterns due to the overwhelming complexity of the modern cyberspace. Surprisingly, through a detailed analysis of an extensive data set that records the time-dependent frequencies of attacks over a relatively wide range of consecutive IP addresses, we successfully uncover intrinsic spatiotemporal patterns underlying cyberattacks, where the term "spatio" refers to the IP address space. In particular, we focus on analyzing {\em macroscopic} properties of the attack traffic flows and identify two main patterns with distinct spatiotemporal characteristics: deterministic and stochastic. Strikingly, there are very few sets of major attackers committing almost all the attacks, since their attack "fingerprints" and target selection scheme can be unequivocally identified according to the very limited number of unique spatiotemporal characteristics, each of which only exists on a consecutive IP region and differs significantly from the others. We utilize a number of quantitative measures, including the flux-fluctuation law, the Markov state transition probability matrix, and predictability measures, to characterize the attack patterns in a comprehensive manner. A general finding is that the attack patterns possess high degrees of predictability, potentially paving the way to anticipating and, consequently, mitigating or even preventing large-scale cyberattacks using macroscopic approaches.

Cryptography and Security,Data Analysis, Statistics and Probability,Physics and Society,Applications

N. Goodman,A. Black

European Journal of Anaesthesiology

Abstract:

Y M Ivanyo,Y M Krakovsky,A N Luzgin

DOI: https://doi.org/10.1088/1757-899x/327/2/022044

2018-03-01

IOP Conference Series: Materials Science and Engineering

Abstract:At present, cyber-security issues of industrial control systems occupy one of the key niches in a state system of planning and management Functional disruption of these systems via cyber-attacks may lead to emergencies related to loss of life, environmental disasters, major financial and economic damage, or disrupted activities of cities and settlements. There is then an urgent need to develop protection methods against cyber-attacks. This paper studied the results of cyber-attack interval forecasting with a pre-set intensity level of cyber-attacks. Interval forecasting is the forecasting of one interval from two predetermined ones in which a future value of the indicator will be obtained. For this, probability estimates of these events were used. For interval forecasting, a probabilistic neural network with a dynamic updating value of the smoothing parameter was used. A dividing bound of these intervals was determined by a calculation method based on statistical characteristics of the indicator. The number of cyber-attacks per hour that were received through a honeypot from March to September 2013 for the group 'zeppo-norcal' was selected as the indicator.

Jiangxing Wu

DOI: https://doi.org/10.1007/978-3-030-29844-9_2

2020-01-01

Abstract:With the ever-evolving cyber attacks as well as defense technologies, the attack behaviors are characterized by uncertainty, complexity, and diversity, and the attack operations are becoming large-scale, synergistic, and multilevel. To study any cyber attacks, it is necessary to establish an objective and scientific and descriptive methodology for accurate feature analysis so as to come up with some general laws based on which the overall defense strategies will be put forward. So far, there is not a universal scientific theoretical model for us to depict the cyber attack behaviors, and the existing theoretical models are proposed for specific scenarios or certain attack categories. The scientific description of cyber attack behaviors is the premise and basis for analyzing the theory of cyber attacks and establishing a general theory of cyber defense. This chapter is an overview or an attempted summary of the existing formal description methods of mainstream network attacks and proposes some preliminary suggestions for the formal analysis of cyber attacks against the complicated dynamic heterogeneous redundant (DHR) network environments. The content herein, though not directly applied in the following chapters, is of guiding significance and reference value for the research on the theory of cyber attacks based on vulnerabilities or backdoors, the formulation of cyberspace defense strategies, and the design of cyber attack defense mechanisms.

Ekzhin Ear,Jose L. C. Remy,Antonia Feffer,Shouhuai Xu

DOI: https://doi.org/10.48550/arXiv.2309.04878

2023-09-10

Abstract:Cybersecurity of space systems is an emerging topic, but there is no single dataset that documents cyber attacks against space systems that have occurred in the past. These incidents are often scattered in media reports while missing many details, which we dub the missing-data problem. Nevertheless, even "low-quality" datasets containing such reports would be extremely valuable because of the dearth of space cybersecurity data and the sensitivity of space systems which are often restricted from disclosure by governments. This prompts a research question: How can we characterize real-world cyber attacks against space systems? In this paper, we address the problem by proposing a framework, including metrics, while also addressing the missing-data problem, by "extrapolating" the missing data in a principled fashion. To show the usefulness of the framework, we extract data for 72 cyber attacks against space systems and show how to extrapolate this "low-quality" dataset to derive 4,076 attack technique kill chains. Our findings include: cyber attacks against space systems are getting increasingly sophisticated; and, successful protection against on-path and social engineering attacks could have prevented 80% of the attacks.

Cryptography and Security

Minzhao Lyu,Hassan Habibi Gharakheili,Vijay Sivaraman

DOI: https://doi.org/10.48550/arXiv.2306.16675

2023-06-29

Cryptography and Security

Abstract:Enterprise networks that host valuable assets and services are popular and frequent targets of distributed network attacks. In order to cope with the ever-increasing threats, industrial and research communities develop systems and methods to monitor the behaviors of their assets and protect them from critical attacks. In this paper, we systematically survey related research articles and industrial systems to highlight the current status of this arms race in enterprise network security. First, we discuss the taxonomy of distributed network attacks on enterprise assets, including distributed denial-of-service (DDoS) and reconnaissance attacks. Second, we review existing methods in monitoring and classifying network behavior of enterprise hosts to verify their benign activities and isolate potential anomalies. Third, state-of-the-art detection methods for distributed network attacks sourced from external attackers are elaborated, highlighting their merits and bottlenecks. Fourth, as programmable networks and machine learning (ML) techniques are increasingly becoming adopted by the community, their current applications in network security are discussed. Finally, we highlight several research gaps on enterprise network security to inspire future research.

hasan cam,pierre mouallem,yilin mo,bruno sinopoli,benjamin nkrumah

DOI: https://doi.org/10.1109/CogSIMA.2014.6816560

2014-01-01

Abstract:A distributed cyber control system comprises various types of assets, including sensors, intrusion detection systems, scanners, controllers, and actuators. The modeling and analysis of these components usually require multi-disciplinary approaches. This paper presents a modeling and dynamic analysis of a distributed cyber control system for situational awareness by taking advantage of control theory and time Petri net. Linear time-invariant systems are used to model the target system, attacks, assets influences, and an anomaly-based intrusion detection system. Time Petri nets are used to model the impact and timing relationships of attacks, vulnerability, and recovery at every node. To characterize those distributed control systems that are perfectly attackable, algebraic and topological attackability conditions are derived. Numerical evaluation is performed to determine the impact of attacks on distributed control system.

Aidong Xu,Xingpu Cai,Mengya Li,Yang Cao,Huajun Chen,Wei Ding,Chao Hong,Zhibing Wu,Qi Wang

DOI: https://doi.org/10.1109/cyber46603.2019.9066579

2019-01-01

Abstract:With the development of information and communication technology, power system has integrated deeply with communication system, which is a typical cyber physical system. While the development of smart grid makes the power side control more accurate and efficient, it also poses potential cyber attack risks. Attackers can cause grid faults and further power outages by disguising the attack behaviors as natural faults. When the grid is on operation, a large amount of data is generated on both the power side and the information side. Therefore, identifying the cause of the grid faults correctly through data mining can be helpful to take correct countermeasures in time to prevent the fault from expanding. In this paper, an identification method is proposed based on the collaborative characteristic sequence of a certain event and is verified on a four-machine two-zone system. The results show that method is effective and reliable.

Mir Mehedi Ahsan Pritom,Kristin M. Schweitzer,Raymond M. Bateman,Min Xu,Shouhuai Xu

DOI: https://doi.org/10.1109/ISI49825.2020.9280539

2021-02-26

Abstract:COVID-19 (Coronavirus) hit the global society and economy with a big surprise. In particular, work-from-home has become a new norm for employees. Despite the fact that COVID-19 can equally attack innocent people and cybercriminals, it is ironic to see surges in cyberattacks leveraging COVID-19 as a theme, dubbed COVID-19 themed cyberattacks or COVID-19 attacks for short, which represent a new phenomenon that has yet to be systematically understood. In this paper, we make the first step towards fully characterizing the landscape of these attacks, including their sophistication via the Cyber Kill Chain model. We also explore the solution space of defenses against these attacks.

Cryptography and Security

Ashok Deb,Kristina Lerman,Emilio Ferrara

DOI: https://doi.org/10.3390/info9110280

2018-04-15

Abstract:Recent high-profile cyber attacks exemplify why organizations need better cyber defenses. Cyber threats are hard to accurately predict because attackers usually try to mask their traces. However, they often discuss exploits and techniques on hacking forums. The community behavior of the hackers may provide insights into groups' collective malicious activity. We propose a novel approach to predict cyber events using sentiment analysis. We test our approach using cyber attack data from 2 major business organizations. We consider 3 types of events: malicious software installation, malicious destination visits, and malicious emails that surpassed the target organizations' defenses. We construct predictive signals by applying sentiment analysis on hacker forum posts to better understand hacker behavior. We analyze over 400K posts generated between January 2016 and January 2018 on over 100 hacking forums both on surface and Dark Web. We find that some forums have significantly more predictive power than others. Sentiment-based models that leverage specific forums can outperform state-of-the-art deep learning and time-series models on forecasting cyber attacks weeks ahead of the events.

Computation and Language

Pin-Yu Chen,Sutanay Choudhury,Luke Rodriguez,Alfred Hero,Indrajit Ray

DOI: https://doi.org/10.48550/arXiv.1905.01002

2019-05-03

Cryptography and Security

Abstract:Lateral movement attacks are a serious threat to enterprise security. In these attacks, an attacker compromises a trusted user account to get a foothold into the enterprise network and uses it to attack other trusted users, increasingly gaining higher and higher privileges. Such lateral attacks are very hard to model because of the unwitting role that users play in the attack and even harder to detect and prevent because of their low and slow nature. In this paper, a theoretical framework is presented for modeling lateral movement attacks and for proposing a methodology for designing resilient cyber systems against such attacks. The enterprise is modeled as a tripartite graph capturing the interaction between users, machines, and applications, and a set of procedures is proposed to harden the network by increasing the cost of lateral movement. Strong theoretical guarantees on system resilience are established and experimentally validated for large enterprise networks.

Malik Qasaimeh,Rand Abu Hammour,Muneer Bani Yassein,Raad S. Al‐Qassas,Juan Alfonso Lara Torralbo,David Lizcano

DOI: https://doi.org/10.1002/smr.2489

2022-08-16

Abstract:As the number of cyber‐attacks on financial institutions has increased over the past few years, an advanced system that is capable of predicting the target of an attack is essential. Such a system needs to be integrated into the existing detection systems of financial institutions as it provides them with proactive controls with which to halt an attack by predicting patterns. Advanced prediction systems also enhance the software design and security testing of new advanced cyber‐security measures by providing new testing scenarios supported by attack forecasting. This present study developed a model that forecasts future network‐based cyber‐attacks on financial institutions using a deep neural network. The dataset that was used to train and test the model consisted of some of the biggest cyber‐attacks on banking institutions over the past three years. This provided insight into new patterns that may end with a cyber‐crime. These new attacks were also evaluated to determine behavioral similarities with the nearest known attack or a combination of several existing attacks. The performance of the forecasting model was then evaluated in a real banking environment and provided a forecasting accuracy of 90.36%. As such, financial institutions can use the proposed forecasting model to improve their security testing measures.

computer science, software engineering

Jin-Wook Chang,Kartik Jayachandran,Carlos A. Ramírez,Ali Tintera

DOI: https://doi.org/10.1016/j.econlet.2024.111676

IF: 1.469

2024-04-10

Economics Letters

Abstract:Using detailed information on cyberattacks and establishments in the United States, we study whether and how an establishment's characteristics can alter the likelihood of cyberattacks. We find that larger establishments and establishments of publicly traded companies are more likely targets.

economics

Enes Altinisik,Husrev Taha Sencar,Mohamed Nabeel,Issa Khalil,Ting Yu

DOI: https://doi.org/10.48550/arXiv.2206.05679

2022-06-12

Abstract:Enterprise networks are one of the major targets for cyber attacks due to the vast amount of sensitive and valuable data they contain. A common approach to detecting attacks in the enterprise environment relies on modeling the behavior of users and systems to identify unexpected deviations. The feasibility of this approach crucially depends on how well attack-related events can be isolated from benign and mundane system activities. Despite the significant focus on end-user systems, the background behavior of servers running critical services for the enterprise is less studied. To guide the design of detection methods tailored for servers, in this work, we examine system event records from 46 servers in a large enterprise obtained over a duration of ten weeks. We analyze the rareness characteristics and the similarity of the provenance relations in the event log data. Our findings show that server activity, in general, is highly variant over time and dissimilar across different types of servers. However, careful consideration of profiling window of historical events and service level grouping of servers improve rareness measurements by 24.5%. Further, utilizing better contextual representations, the similarity in provenance relationships could be improved. An important implication of our findings is that detection techniques developed considering experimental setups with non-representative characteristics may perform poorly in practice.

Cryptography and Security

D. Glomaud,J. Chodkiewicz,L. Mérienne,J. C. Salamagne

1976-09-01

Abstract:

Ariel Futoransky,Luciano Notarfrancesco,Gerardo Richarte,Carlos Sarraute

DOI: https://doi.org/10.48550/arXiv.1006.1916

2010-06-10

Abstract:In this work we start walking the path to a new perspective for viewing cyberwarfare scenarios, by introducing conceptual tools (a formal model) to evaluate the costs of an attack, to describe the theater of operations, targets, missions, actions, plans and assets involved in cyberwarfare attacks. We also describe two applications of this model: autonomous planning leading to automated penetration tests, and attack simulations, allowing a system administrator to evaluate the vulnerabilities of his network.

Cryptography and Security,Artificial Intelligence