Chen Yan,Hocheol Shin,Connor Bolton,Wenyuan Xu,Yongdae Kim,Kevin Fu

DOI: https://doi.org/10.1109/sp40000.2020.00026

2020-01-01

Abstract:Over the last six years, several papers demonstrated how intentional analog interference based on acoustics, RF, lasers, and other physical modalities could induce faults, influence, or even control the output of sensors. Damage to the availability and integrity of sensor output carries significant risks to safety-critical systems that make automated decisions based on trusted sensor measurement. Established signal processing models use transfer functions to express reliability and dependability characteristics of sensors, but existing models do not provide a deliberate way to express and capture security properties meaningfully. Our work begins to fill this gap by systematizing knowledge of analog attacks against sensor circuitry and defenses. Our primary contribution is a simple sensor security model such that sensor engineers can better express analog security properties of sensor circuitry without needing to learn significantly new notation. Our model introduces transfer functions and a vector of adversarial noise to represent adversarial capabilities at each stage of a sensor's signal conditioning chain. The primary goals of the systematization are (1) to enable more meaningful quantification of risk for the design and evaluation of past and future sensors, (2) to better predict new attack vectors, and (3) to establish defensive design patterns that make sensors more resistant to analog attacks.

Yanmiao Zhang,Xiaoyu Ji,Yushi Cheng,Wenyuan Xu

DOI: https://doi.org/10.23919/ChiCC.2019.8866144

2019-01-01

Abstract:As a modern power transmission network, smart grid connects abundant terminal devices and plays an important role in our daily life. However, along with its growth are the security threats. Different from the separated environment previously, an adversary nowadays can destroy the power system by attacking its terminal devices. As a result, it's critical to ensure the security and safety of terminal devices. To achieve it, detecting the pre-existing vulnerabilities in the terminal program and enhancing its security, are of great importance and necessity. In this paper. we introduce Cker, a novel vulnerability detection tool for smart grid devices, which generates an program model based on device sources and sets rules to perform model checking. We utilize the static analysis to extract necessary information and build corresponding program models. By further checking the model with pre-defined vulnerability patterns, we achieve security detection and error reporting. The evaluation results demonstrate that our method can effectively detect vulnerabilities in smart devices with an acceptable accuracy and false positive rate. In addition, as Cker is realized by pure python. it can be easily scaled to other platforms.

Shane S. Clark,Benjamin Ransford,Amir Rahmati,Shane Guineau,Jacob Sorber,Wenyuan Xu,Kevin Fu

2013-01-01

Abstract:Medical devices based on embedded systems are ubiquitous in clinical settings. Increasingly, they connect to networks and run off-the-shelf operating systems vulnerable to malware. But strict validation requirements make it prohibitively difficult or costly to use anti-virus software or automated operating system updates on these systems. Our add-on monitoring system, WattsUpDoc, uses a traditionally undesirable side channel of power consumption to enable run-time malware detection. In our experiments, WattsUpDoc detected previously known malware with at least 94% accuracy and previously unknown malware with at least 85% accuracy on several embedded devices--detection rates similar to those of conventional malware-detection systems on PCs. WattsUpDoc detects malware without requiring hardware or software modifications or network communication.

Liliana Pasquale,Kushal Ramkumar,Wanling Cai,John McCarthy,Gavin Doherty,Bashar Nuseibeh

DOI: https://doi.org/10.48550/arXiv.2306.04481

2023-06-05

Cryptography and Security

Abstract:With software systems permeating our lives, we are entitled to expect that such systems are secure by design, and that such security endures throughout the use of these systems and their subsequent evolution. Although adaptive security systems have been proposed to continuously protect assets from harm, they can only mitigate threats arising from changes foreseen at design time. In this paper, we propose the notion of Sustainable Adaptive Security (SAS) which reflects such enduring protection by augmenting adaptive security systems with the capability of mitigating newly discovered threats. To achieve this objective, a SAS system should be designed by combining automation (e.g., to discover and mitigate security threats) and human intervention (e.g., to resolve uncertainties during threat discovery and mitigation). In this paper, we use a smart home example to showcase how we can engineer the activities of the MAPE (Monitor, Analysis, Planning, and Execution) loop of systems satisfying sustainable adaptive security. We suggest that using anomaly detection together with abductive reasoning can help discover new threats and guide the evolution of security requirements and controls. We also exemplify situations when humans can be involved in the execution of the activities of the MAPE loop and discuss the requirements to engineer human interventions.

S. Shukla,Anand Handa,Nitesh Kumar

DOI: https://doi.org/10.1145/3488932.3527289

2022-05-30

Abstract:There are several security tools available to tackle cyber threats, but the sophistication of attacks leads to the failure of defense mechanisms. Among such tools, endpoint security agents are much prominent to safeguard organizations from potential threats. To monitor and investigate systems for unpredictable modifications and proof of tactics, techniques, and procedures (TTP) used by malware writers. In this work, we develop a real-time system behavior monitoring solution. We use three modules - monitoring, analysis, and mapping to counter the threats based on attack patterns. All three modules have their unique mechanism and are interconnected. The monitoring agent is developed for the Windows platform using the C++ programming language, which captures Windows kernel-level system events in a multi-threaded form. It captures critical information such as - network activity, registry, file, accessed paths, processes, etc. The monitoring agent ships the collected events to the analysis module. In the analysis module, we perform analysis in three phases: rule-based, machine learning (ML)-based, and risk-assessment. Rule-based mechanism finds the Indicator of Compromises (IoCs) from the system events related to exploits, web shell, malicious documents, etc. The ML-based analysis gives an overall understanding of normal vs. suspicious behavior. The risk-assessment analysis uses rule-based and ML-based analysis outputs, to provide the risk-score based on the number of IoCs detected and the suspicious behavior predicted. In the mapping phase, we offer an interactive dashboard to the end-user for visualizing all the activities and the analysis outcomes like running processes, suspicious processes, network activities, port accessed, suspicious paths accessed by a single process, etc., using Kibana. The designed tool monitors the system events in near real-time and reports any suspicious activity that helps in mitigating the threats posed to the user. Hence, it acts as a comprehensive security solution with multi-dimensional capabilities.

Computer Science

Gregory A. Pluta,Larry Brumbaugh,William Yurcik

DOI: https://doi.org/10.48550/arXiv.cs/0603114

2006-03-29

Abstract:We focus on examining and working with an important category of computer software called Services, which are provided as a part of newer Microsoft Windows operating systems. A typical Windows user transparently utilizes many of these services but is frequently unaware of their existence. Since some services have the potential to create significant problems when they are executing, it is important for a system administrator to identify which services are running on the network, the types of processing done by each service, and any interrelationships among the various services. This information can then be used to improve the overall integrity of both the individual computer where a questionable service is running and in aggregate an entire network of computers. NCSA has developed an application called SMART (Services Monitoring And Reporting Tool) that can be used to identify and display all services currently running in the network. A commercial program called Hyena remotely monitors the services on all computers attached to the network and exports this information to SMART. SMART produces various outputs that the system administrator can analyze and then determine appropriate actions to take. In particular, SMART provides a color coordinated user interface to quickly identify and classify both potentially hazardous services and also unknown services.

Networking and Internet Architecture,Cryptography and Security

Zag ElSayed,Nelly Elsayed,Chengcheng Li,Magdy Bayoumi

DOI: https://doi.org/10.48550/arXiv.2106.00834

2021-06-01

Networking and Internet Architecture

Abstract:Network security morning (NSM) is essential for any cybersecurity system, where the average cost of a cyber attack is 1.1 million. No matter how secure a system, it will eventually fail without proper and continuous monitoring. No wonder that the cybersecurity market is expected to grow up to $170.4 billion in 2022. However, the majority of legacy industries do not invest in NSM implementation until it is too late due to the initial and operation costs and static unutilized resources. Thus, this paper proposes a novel dynamic Internet of things (IoT) architecture for an industrial NSM that features a low installation and operation cost, low power consumption, intelligent organization behavior, and environmentally friendly operation. As a case study, the system is implemented in a mid-range oil a gas manufacturing facility in the southern states with more than 300 machines and servers over three remote locations and a production plant that features a challenging atmosphere condition. The proposed system successfully shows a significant saving (>65%) in power consumption, acquires one-tenth of the installation cost, develops an intelligent operation expert system tool as well as saves the environment from more than 500mg of CO2 pollution per hour, promoting green IoT systems.

M. Fuentes-García,J. Camacho,G. Maciá-Fernández

DOI: https://doi.org/10.1109/ACCESS.2021.3067106

IF: 3.9

IEEE Access

Abstract:Network Security Monitoring (NSM) is a popular term to refer to the detection of security incidents by monitoring the network events. An NSM system is central for the security of current networks, given the escalation in sophistication of cyberwarfare. In this paper, we review the state-of-the-art in NSM, and derive a new taxonomy of the functionalities and modules in an NSM system. This taxonomy is useful to assess current NSM deployments and tools for both researchers and practitioners. We organize a list of popular tools according to this new taxonomy, and identify challenges in the application of NSM in modern network deployments, like Software Defined Network (SDN) and Internet of Things (IoT).

Engineering,Computer Science

Laurent Segers,Borna Talebi,Bruno da Silva,Abdellah Touhafi,An Braeken

DOI: https://doi.org/10.3390/s24144720

IF: 3.9

2024-07-20

Sensors

Abstract:Environmental monitoring is essential for safeguarding the health of our planet and protecting human health and well-being. Without trust, the effectiveness of environmental monitoring and the ability to address environmental challenges are significantly compromised. In this paper, we present a sensor platform capable of performing authenticated and trustworthy measurements, together with a lightweight security protocol for sending the data from the sensor to a central server anonymously. Besides presenting a new and very efficient symmetric-key-based protocol, we also demonstrate on real hardware how existing embedded security modules can be utilized for this purpose. We provide an in-depth evaluation of the performance and a detailed security analysis.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Roberto Magán-Carrión,José Camacho,Gabriel Maciá-Fernández,Ángel Ruíz-Zafra

DOI: https://doi.org/10.1177/1550147720921309

2021-12-06

Abstract:Technology evolves quickly. Low-cost and ready-to-connect devices are designed to provide new services and applications. Smart grids or smart healthcare systems are some examples of these applications, all of which are in the context of smart cities. In this total-connectivity scenario, some security issues arise since the larger the number of connected devices is, the greater the surface attack dimension. In this way, new solutions for monitoring and detecting security events are needed to address new challenges brought about by this scenario, among others, the large number of devices to monitor, the large amount of data to manage and the real-time requirement to provide quick security event detection and, consequently, quick response to attacks. In this work, a practical and ready-to-use tool for monitoring and detecting security events in these environments is developed and introduced. The tool is based on the Multivariate Statistical Network Monitoring (MSNM) methodology for monitoring and anomaly detection and we call it MSNM-Sensor. Although it is in its early development stages, experimental results based on the detection of well-known attacks in hierarchical network systems prove the suitability of this tool for more complex scenarios, such as those found in smart cities or IoT ecosystems.

Cryptography and Security,Machine Learning,Networking and Internet Architecture,Other Statistics

Josephine Lamp,Carlos E. Rubio-Medrano,Ziming Zhao,Gail-Joon Ahn

DOI: https://doi.org/10.1109/MSCPES.2017.8064532

2017-01-01

Abstract:Recently, energy delivery systems (EDS) have undergone an intensive modernization process that includes the introduction of dedicated cyber-infrastructures for the purposes of monitoring, control, and optimization of resources. While extremely convenient, the introduction of software-based control over computer networks has also opened the door for the exploitation of non-trivial security vulnerabilities by malicious third-parties. As demonstrated by recent incidents, EDS systems worldwide are vulnerable to sophisticated attacks that include a well-thought out combination of strategies at various levels of abstraction. In such a context, a comprehensive solution supporting automated monitoring and assessment, that can assist security officials in effectively preventing and mitigating such attacks, is highly desired. With this in mind, this paper presents an ongoing effort that takes security requirements obtained from existing documents on guidelines and best practices on EDS, and implements a proof-of-concept framework based on adaptive and customizable software modules that collect and process security-relevant data for assuring the security of EDS.

Atul Vaibhav

DOI: https://doi.org/10.48550/arXiv.1411.5213

2014-11-19

Distributed, Parallel, and Cluster Computing

Abstract:With our growing reliability on distributed networks, the security aspect of such networks becomes of prime importance. In large scale distributed networks it becomes cardinal to have an efficient and effective monitoring scheme. The monitoring schemes supervise the node behaviour in the network and look out for any discrepancy. Monitoring schemes comprise of monitoring components that work together to help schemes in meeting various security requirement parameters for the networks. These security parameters are breached via various attacks by manipulation of monitoring components of particular monitoring schemes to produce faulty results and thereby reducing efficiency of networks, reliability and security. In this paper we have discussed these components of monitoring, multiple monitoring schemes, their security parameters and various types of attacks possible on these monitoring components by manipulating assumptions of monitoring schemes.

Vasileios Mavroeidis,Audun Jøsang

DOI: https://doi.org/10.1145/3199478.3199490

2021-03-29

Abstract:Threat actors can be persistent, motivated and agile, and leverage a diversified and extensive set of tactics and techniques to attain their goals. In response to that, defenders establish threat intelligence programs to stay threat-informed and lower risk. Actionable threat intelligence is integrated into security information and event management systems (SIEM) or is accessed via more dedicated tools like threat intelligence platforms. A threat intelligence platform gives access to contextual threat information by aggregating, processing, correlating, and analyzing real-time data and information from multiple sources, and in many cases, it provides centralized analysis and reporting of an organization's security events. Sysmon logs is a data source that has received considerable attention for endpoint visibility. Approaches for threat detection using Sysmon have been proposed, mainly focusing on search engine technologies like NoSQL database systems. This paper demonstrates one of the many use cases of Sysmon and cyber threat intelligence. In particular, we present a threat assessment system that relies on a cyber threat intelligence ontology to automatically classify executed software into different threat levels by analyzing Sysmon log streams. The presented system and approach augments cyber defensive capabilities through situational awareness, prediction, and automated courses of action.

Cryptography and Security

Dimitrios Myridakis,Georgios Spathoulas,Athanasios Kakarountas,Dimitrios Schinianakis

DOI: https://doi.org/10.3390/fi12030048

2020-03-10

Future Internet

Abstract:The continuous growth of the number of Internet of Things (IoT) devices and their inclusion to public and private infrastructures has introduced new applciations to the market and our day-to-day life. At the same time, these devices create a potential threat to personal and public security. This may be easily understood either due to the sensitivity of the collected data, or by our dependability to the devices’ operation. Considering that most IoT devices are of low cost and are used for various tasks, such as monitoring people or controlling indoor environmental conditions, the security factor should be enhanced. This paper presents the exploitation of side-channel attack technique for protecting low-cost smart devices in an intuitive way. The work aims to extend the dataset provided to an Intrusion Detection Systems (IDS) in order to achieve a higher accuracy in anomaly detection. Thus, along with typical data provided to an IDS, such as network traffic, transmitted packets, CPU usage, etc., it is proposed to include information regarding the device’s physical state and behaviour such as its power consumption, the supply current, the emitted heat, etc. Awareness of the typical operation of a smart device in terms of operation and functionality may prove valuable, since any deviation may warn of an operational or functional anomaly. In this paper, the deviation (either increase or decrease) of the supply current is exploited for this reason. This work aimed to affect the intrusion detection process of IoT and proposes for consideration new inputs of interest with a collateral interest of study. In parallel, malfunction of the device is also detected, extending this work’s application to issues of reliability and maintainability. The results present 100% attack detection and this is the first time that a low-cost security solution suitable for every type of target devices is presented.

João Pedro Seara,Carlos Serrão

DOI: https://doi.org/10.3390/electronics13050873

IF: 2.9

2024-02-24

Electronics

Abstract:Cybersecurity failures have become increasingly detrimental to organizations worldwide, impacting their finances, operations, and reputation. This issue is worsened by the scarcity of cybersecurity professionals. Moreover, the specialization required for cybersecurity expertise is both costly and time-consuming. In light of these challenges, this study has concentrated on automating cybersecurity processes, particularly those pertaining to continuous vulnerability detection. A cybersecurity vulnerability scanner was developed, which is freely available to the community and does not necessitate any prior expertise from the operator. The effectiveness of this tool was evaluated by IT companies and systems engineers, some of whom had no background in cybersecurity. The findings indicate that the scanner proved to be efficient, precise, and easy to use. It assisted the operators in safeguarding their systems in an automated fashion, as part of their security audit strategy.

engineering, electrical & electronic,computer science, information systems,physics, applied

Rasmi-Vlad Mahmoud,Marios Anagnostopoulos,Sergio Pastrana,Jens Myrup Pedersen

DOI: https://doi.org/10.1109/access.2024.3400167

IF: 3.9

2024-05-22

IEEE Access

Abstract:In cybersecurity, adversaries employ a myriad of tactics to evade detection and breach defenses. Malware remains a formidable weapon in their arsenal. To counter this threat, researchers unceasingly pursue dynamic analysis, which aims to comprehend and thwart established malware strains. This paper introduces an innovative methodology for dynamic malware analysis while critically evaluating prevailing technologies and their limitations. The proposed approach hinges on harnessing the capabilities of an open-source Security Information and Event Management (SIEM) toolset, namely the Elastic-Stack. This toolset is utilized to capture, structure, and analyze the behavioral patterns of malware without relying on any pre-existing sandbox framework. This augmentation facilitates a profound understanding of the activities exhibited by malware samples. With the help of the proposed ecosystem, we compile the AAU_MalData dataset that encompasses distinctly the benign and malicious behavior. Specifically, we analyzed the behavior of the 2,800 malware within a realistic network topology and systematically collected Windows event logs, which serve as a comprehensive record of the malware's actions. These event logs are precious as they are organized in a timestamped format, providing a chronological list of system activities, such as event descriptions, process and file details, and registry modifications. These are pivotal in comprehending the malware's functionality and repercussions on the compromised system. Furthermore, by incorporating the MITRE ATT&CK framework, we leveraged the event logs to correlate the malware's mode of operation, delve into its Command and Control operations, and investigate its persistence mechanisms, enabling a structured and practical approach to malware analysis. The AAU_MalData dataset, organized in a JSON format data structure, is offered to the research community first as a proof of concept to demonstrate the toolset's feasibility for dynamic malware analysis and second as a potential training ground for anti-malware mechanisms based on host and network Indicators of Compromise (IoCs).

computer science, information systems,telecommunications,engineering, electrical & electronic

Sung-Hwa Han,Daesung Lee

DOI: https://doi.org/10.3390/electronics11121871

IF: 2.9

2022-06-15

Electronics

Abstract:Obfuscation and cryptography technologies are applied to malware to make the detection of malware through intrusion prevention systems (IPSs), intrusion detection systems (IDSs), and antiviruses difficult. To address this problem, the security requirements for post-detection and proper response are presented, with emphasis on the real-time file access monitoring function. However, current operating systems provide only file access control techniques, such as SELinux (version 2.6, Red Hat, Raleigh, NC, USA) and AppArmor (version 2.5, Immunix, Portland, OR, USA), to protect system files and do not provide real-time file access monitoring. Thus, the service manager or data owner cannot determine real-time unauthorized modification and leakage of important files by malware. In this paper, a structure to monitor user access to important files in real time is proposed. The proposed structure has five components, with a kernel module interrelated to the application process. With this structural feature, real-time monitoring is possible for all file accesses, and malicious attackers cannot bypass this file access monitoring function. By verifying the positive and negative functions of the proposed structure, it was validated that the structure accurately provides real-time file access monitoring function, the monitoring function resource is sufficiently low, and the file access monitoring performance is high, further confirming the effectiveness of the proposed structure.

engineering, electrical & electronic,computer science, information systems,physics, applied

Matthew R. Yaswinski,Minhaz Chowdhury,Mike Jochen,Md Minhaz Chowdhury

DOI: https://doi.org/10.1109/eit.2019.8834112

2019-05-01

Abstract:Linux is used in a large variety of situations, from private homes on personal machines to businesses storing personal data on servers. This operating system is often seen as more secure than Windows or Mac OS X, but this does not mean that there are no security concerns to be had when running it. Attackers can crack simple passwords over a network, vulnerabilities can be exploited if firewalls do not close enough ports, and malware can be downloaded and run on a Linux system. In addition, sensitive information can be accessed through physical or network access if proper permissions are not set on the files or directories containing it. However, most of these attacks can be prevented by keeping a system up to date, maintaining a secure firewall, using an antivirus, making complex passwords, and setting strong file permissions. This paper presents a list of methods for securing a Linux system from both external and internal threats.

Tao Zhang,Yang Yu,Yi Li

DOI: https://doi.org/10.3969/j.issn.1000-386x.2014.05.005

2014-01-01

Abstract:With the penetration of Linux technology,lots of Linux servers have been deployed in distributed systems.It becomes a big problem to carry out effective security auditing for those server resources at present.We design and implement a security auditing system applicable to complex distributed environments according to the characteristics of Linux servers.Our solution adopts component-based, modular architecture to support multi-layer deployment.Based on the audits at kernel level and application level,our system achieves the comprehensive audit on Linux servers including system resources,terminal accesses,file,database and network resources,etc.Meanwhile, our system uses data mining techniques to thoroughly analyse the audit message,and realises the intelligent auditing on Linux servers.Our system has been deployed in a real system,and shows very good effect.