Paolo Modesti,Lewis Golightly,Louis Holmes,Chidimma Opara,Marco Moscini

DOI: https://doi.org/10.3390/jcp4030021

2024-07-19

Abstract:The majority of Ethical Hacking (EH) tools utilised in penetration testing are developed by practitioners within the industry or underground communities. Similarly, academic researchers have also contributed to developing security tools. However, there appears to be limited awareness among practitioners of academic contributions in this domain, creating a significant gap between industry and academia's contributions to EH tools. This research paper aims to survey the current state of EH academic research, primarily focusing on research-informed security tools. We categorise these tools into process-based frameworks (such as PTES and Mitre ATT\&CK) and knowledge-based frameworks (such as CyBOK and ACM CCS). This classification provides a comprehensive overview of novel, research-informed tools, considering their functionality and application areas. The analysis covers licensing, release dates, source code availability, development activity, and peer review status, providing valuable insights into the current state of research in this field.

Cryptography and Security

Shun Inagaki,Robert Ramirez,Masaki Shimaoka,Kenichi Magata

DOI: https://doi.org/10.48550/arXiv.2011.13925

2020-11-26

Cryptography and Security

Abstract:When dealing with leading edge cyber security research, especially when operating from the perspective of an attacker or a red team, it becomes necessary for one to at times consider how ethics comes into play. There are currently no cyber security-specific ethics standards, which in particular is one reason more adversarial cyber security research lags behind in Japan. In this research, using machine learning and manual methods we extracted best practices for research ethics from past top conference papers. Using this knowledge we constructed an ethics knowledge base for cyber security research. Such a knowledge base can be used to properly distinguish grey-area research so that it is not wrongly forbidden. Using a decision tree-style user interface that we created for our knowledge base, researchers may be able to efficiently identify which aspects of their research require ethical consideration. In this work, as a preliminary step we focused on only a portion of the areas of research covered by cyber security conferences, but our results are applicable to any area of research.

Dhruva Goyal,Sitaraman Subramanian,Aditya Peela

2024-09-15

Abstract:Security researchers are continually challenged by the need to stay current with rapidly evolving cybersecurity research, tools, and techniques. This constant cycle of learning, unlearning, and relearning, combined with the repetitive tasks of sifting through documentation and analyzing data, often hinders productivity and innovation. This has led to a disparity where only organizations with substantial resources can access top-tier security experts, while others rely on firms with less skilled researchers who focus primarily on compliance rather than actual security. We introduce "LLM Augmented Pentesting," demonstrated through a tool named "Pentest Copilot," to address this gap. This approach integrates Large Language Models into penetration testing workflows. Our research includes a "chain of thought" mechanism to streamline token usage and boost performance, as well as unique Retrieval Augmented Generation implementation to minimize hallucinations and keep models aligned with the latest techniques. Additionally, we propose a novel file analysis approach, enabling LLMs to understand files. Furthermore, we highlight a unique infrastructure system that supports if implemented, can support in-browser assisted penetration testing, offering a robust platform for cybersecurity professionals, These advancements mark a significant step toward bridging the gap between automated tools and human expertise, offering a powerful solution to the challenges faced by modern cybersecurity teams.

Cryptography and Security,Artificial Intelligence

Yiming Zhang,Mingxuan Liu,Mingming Zhang,Chaoyi Lu,Haixin Duan

DOI: https://doi.org/10.1109/eurospw55150.2022.00064

2022-01-01

Abstract:Ethics has become a prevalent and important criterion for academic research. However, achieving ethical compliance in practice is a highly complex and specialized task. In the field of computer security research, although top-tier conferences all have set out visions for ethical compliance, researchers may encounter practical dilemmas such as the lack of assistance from legal departments and the absence of specific domain guidelines, leading to various realistic obstacles to ethical treatment. This paper provides a comprehensive investigation of ethical considerations in computer security research. We first summarize the ethical requirements of top-tier security and network conferences. Then, based on a survey of 6,078 academic papers and an online investigation of 248 researchers mainly from a Chinese security community, we reveal the current status and practical issues of ethical considerations in security research. In particular, given the plight of the lack of authoritative ethical guidance, we offer a series of suggestions on how researchers at institutions without authoritative departments could best mitigate ethical risks. We also raise several open questions, and expect to help seek paths towards better ethical compliance for the security community.

Ying He,Efpraxia Zamani,Iryna Yevseyeva,Cunjin Luo

DOI: https://doi.org/10.2196/41748

2023-04-25

Abstract:Background: Health information systems (HISs) are continuously targeted by hackers, who aim to bring down critical health infrastructure. This study was motivated by recent attacks on health care organizations that have resulted in the compromise of sensitive data held in HISs. Existing research on cybersecurity in the health care domain places an imbalanced focus on protecting medical devices and data. There is a lack of a systematic way to investigate how attackers may breach an HIS and access health care records. Objective: This study aimed to provide new insights into HIS cybersecurity protection. We propose a systematic, novel, and optimized (artificial intelligence-based) ethical hacking method tailored specifically for HISs, and we compared it with the traditional unoptimized ethical hacking method. This allows researchers and practitioners to identify the points and attack pathways of possible penetration attacks on the HIS more efficiently. Methods: In this study, we propose a novel methodological approach to ethical hacking in HISs. We implemented ethical hacking using both optimized and unoptimized methods in an experimental setting. Specifically, we set up an HIS simulation environment by implementing the open-source electronic medical record (OpenEMR) system and followed the National Institute of Standards and Technology's ethical hacking framework to launch the attacks. In the experiment, we launched 50 rounds of attacks using both unoptimized and optimized ethical hacking methods. Results: Ethical hacking was successfully conducted using both optimized and unoptimized methods. The results show that the optimized ethical hacking method outperforms the unoptimized method in terms of average time used, the average success rate of exploit, the number of exploits launched, and the number of successful exploits. We were able to identify the successful attack paths and exploits that are related to remote code execution, cross-site request forgery, improper authentication, vulnerability in the Oracle Business Intelligence Publisher, an elevation of privilege vulnerability (in MediaTek), and remote access backdoor (in the web graphical user interface for the Linux Virtual Server). Conclusions: This research demonstrates systematic ethical hacking against an HIS using optimized and unoptimized methods, together with a set of penetration testing tools to identify exploits and combining them to perform ethical hacking. The findings contribute to the HIS literature, ethical hacking methodology, and mainstream artificial intelligence-based ethical hacking methods because they address some key weaknesses of these research fields. These findings also have great significance for the health care sector, as OpenEMR is widely adopted by health care organizations. Our findings offer novel insights for the protection of HISs and allow researchers to conduct further research in the HIS cybersecurity domain.

Erik Hemberg,Jonathan Kelly,Michal Shlapentokh-Rothman,Bryn Reinstadler,Katherine Xu,Nick Rutar,Una-May O'Reilly

DOI: https://doi.org/10.48550/arXiv.2010.00533

2021-02-11

Abstract:Many public sources of cyber threat and vulnerability information exist to help defend cyber systems. This paper links MITRE's ATT&CK MATRIX of Tactics and Techniques, NIST's Common Weakness Enumerations (CWE), Common Vulnerabilities and Exposures (CVE), and Common Attack Pattern Enumeration and Classification list (CAPEC), to gain further insight from alerts, threats and vulnerabilities. We preserve all entries and relations of the sources, while enabling bi-directional, relational path tracing within an aggregate data graph called BRON. In one example, we use BRON to enhance the information derived from a list of the top 10 most frequently exploited CVEs. We identify attack patterns, tactics, and techniques that exploit these CVEs and also uncover a disparity in how much linked information exists for each of these CVEs. This prompts us to further inventory BRON's collection of sources to provide a view of the extent and range of the coverage and blind spots of public data sources.

Cryptography and Security

Daniel Dalalana Bertoglio,Arthur Gil,Juan Acosta,Julia Godoy,Roben Castagna Lunardi,Avelino Francisco Zorzo

2023-11-22

Abstract:With the increasing number of internet-based resources and applications, the amount of attacks faced by companies has increased significantly in the past years. Likewise, the techniques to test security and emulate attacks need to be constantly improved and, as a consequence, help to mitigate attacks. Among these techniques, penetration test (Pentest) provides methods to assess the security posture of assets, using different tools and methodologies applied in specific scenarios. Therefore, this study aims to present current methodologies, tools, and potential challenges applied to Pentest from an updated systematic literature review. As a result, this work provides a new perspective on the scenarios where penetration tests are performed. Also, it presents new challenges such as automation of techniques, management of costs associated with offensive security, and the difficulty in hiring qualified professionals to perform Pentest.

Cryptography and Security

Shanto Roy,Emmanouil Panaousis,Cameron Noakes,Aron Laszka,Sakshyam Panda,George Loukas

DOI: https://doi.org/10.48550/arXiv.2304.07411

2023-04-14

Cryptography and Security

Abstract:The MITRE ATT&CK framework, a comprehensive knowledge base of adversary tactics and techniques, has been widely adopted by the cybersecurity industry as well as by academic researchers. Its broad range of industry applications include threat intelligence, threat detection, and incident response, some of which go beyond what it was originally designed for. Despite its popularity, there is a lack of a systematic review of the applications and the research on ATT&CK. This systematization of work aims to fill this gap. To this end, it introduces the first taxonomic systematization of the research literature on ATT&CK, studies its degree of usefulness in different applications, and identifies important gaps and discrepancies in the literature to identify key directions for future work. The results of this work provide valuable insights for academics and practitioners alike, highlighting the need for more research on the practical implementation and evaluation of ATT&CK.

Jonathan Brokman,Omer Hofman,Oren Rachmil,Inderjeet Singh,Rathina Sabapathy,Aishvariya Priya,Vikas Pahuja,Amit Giloni,Roman Vainshtein,Hisashi Kojima

2024-10-22

Abstract:This report presents a comparative analysis of open-source vulnerability scanners for conversational large language models (LLMs). As LLMs become integral to various applications, they also present potential attack surfaces, exposed to security risks such as information leakage and jailbreak attacks. Our study evaluates prominent scanners - Garak, Giskard, PyRIT, and CyberSecEval - that adapt red-teaming practices to expose these vulnerabilities. We detail the distinctive features and practical use of these scanners, outline unifying principles of their design and perform quantitative evaluations to compare them. These evaluations uncover significant reliability issues in detecting successful attacks, highlighting a fundamental gap for future development. Additionally, we contribute a preliminary labelled dataset, which serves as an initial step to bridge this gap. Based on the above, we provide strategic recommendations to assist organizations choose the most suitable scanner for their red-teaming needs, accounting for customizability, test suite comprehensiveness, and industry-specific use cases.

Cryptography and Security,Machine Learning

Ivan Flechais,George Chalhoub

2023-11-17

Abstract:Research into the ethics of cybersecurity is an established and growing topic of investigation, however the translation of this research into practice is lacking: there exists a small number of professional codes of ethics or codes of practice in cybersecurity, however these are very broad and do not offer much insight into the ethical dilemmas that can be faced while performing specific cybersecurity activities. In order to address this gap, we leverage ongoing work on the Cyber Security Body of Knowledge (CyBOK) to help elicit and document the responsibilities and ethics of the profession. Based on a literature review of the ethics of cybersecurity, we use CyBOK to frame the exploration of ethical challenges in the cybersecurity profession through a series of 15 interviews with cybersecurity experts. Our approach is qualitative and exploratory, aiming to answer the research question "What ethical challenges, insights, and solutions arise in different areas of cybersecurity?". Our findings indicate that there are broad ethical challenges across the whole of cybersecurity, but also that different areas of cybersecurity can face specific ethical considerations for which more detailed guidance can help professionals in those areas. In particular, our findings indicate that security decision-making is expected of all security professionals, but that this requires them to balance a complex mix of technical, objective and subjective points of view, and that resolving conflicts raises challenging ethical dilemmas. We conclude that more work is needed to explore, map, and integrate ethical considerations into cybersecurity practice; the urgent need to conduct further research into the ethics of cybersecurity AI; and highlight the importance of this work for individuals and professional bodies who seek to develop and mature the cybersecurity profession in a responsible manner.

Cryptography and Security,Human-Computer Interaction

Bader Al-Sada,Alireza Sadighian,Gabriele Oligeri

2023-08-27

Abstract:MITRE ATT&CK is a comprehensive framework of adversary tactics, techniques and procedures based on real-world observations. It has been used as a foundation for threat modelling in different sectors, such as government, academia and industry. To the best of our knowledge, no previous work has been devoted to the comprehensive collection, study and investigation of the current state of the art leveraging the MITRE ATT&CK framework. We select and inspect more than fifty major research contributions, while conducting a detailed analysis of their methodology and objectives in relation to the MITRE ATT&CK framework. We provide a categorization of the identified papers according to different criteria such as use cases, application scenarios, adopted methodologies and the use of additional data. Finally, we discuss open issues and future research directions involving not only the MITRE ATT&CK framework but also the fields of risk analysis and cyber-threat intelligence at large.

Cryptography and Security

Robert B. Ramirez,Tomohiko Yano,Masaki Shimaoka,Kenichi Magata

DOI: https://doi.org/10.48550/arXiv.2011.02661

2020-11-05

Abstract:Research ethics in Information and Communications Technology has seen a resurgence in popularity in recent years. Although a number of general ethics standards have been issued, cyber security specifically has yet to see one. Furthermore, such standards are often abstract, lacking in guidance on specific practices. In this paper we compare peer-reviewed ethical analyses of condemned research papers to analyses derived from a knowledge base (KB) of concrete cyber security research ethics best practices. The KB we employ was compiled in prior work from a large random survey of research papers. We demonstrate preliminary evidence that such a KB can be used to yield comparable or more extensive ethical analyses of published cyber security research than expert application of standards like the Menlo Report. We extend the ethical analyses of the reviewed manuscripts, and calculate measures of the efficiency with which the expert versus KB methods yield ethical insights.

Cryptography and Security

Haitham S. Al-Sinani,Chris J. Mitchell

2024-10-07

Abstract:This technical report investigates the integration of generative AI (GenAI), specifically ChatGPT, into the practice of ethical hacking through a comprehensive experimental study and conceptual analysis. Conducted in a controlled virtual environment, the study evaluates GenAI's effectiveness across the key stages of penetration testing on Linux-based target machines operating within a virtual local area network (LAN), including reconnaissance, scanning and enumeration, gaining access, maintaining access, and covering tracks. The findings confirm that GenAI can significantly enhance and streamline the ethical hacking process while underscoring the importance of balanced human-AI collaboration rather than the complete replacement of human input. The report also critically examines potential risks such as misuse, data biases, hallucination, and over-reliance on AI. This research contributes to the ongoing discussion on the ethical use of AI in cybersecurity and highlights the need for continued innovation to strengthen security defences.

Cryptography and Security,Artificial Intelligence

Fatima Asif,Fatima Sohail,Zuhaib Hussain Butt,Faiz Nasir,Nida Asgar

2024-08-28

Abstract:This review paper investigates the diverse functions of ethical hacking within modern cybersecurity. By integrating current research, it analyzes the progression of ethical hacking techniques,their use in identifying vulnerabilities and conducting penetration tests, and their influence on strengthening organizational security. Additionally, the paper discusses the ethical considerations, legal contexts and challenges that arises with ethical hacking. This review ultimately enhances the understanding of how ethical hacking can bolster cybersecurity defenses.

Cryptography and Security

Shengye Wan,Joshua Saxe,Craig Gomes,Sahana Chennabasappa,Avilash Rath,Kun Sun,Xinda Wang

2024-05-04

Abstract:Recent research advances in Artificial Intelligence (AI) have yielded promising results for automated software vulnerability management. AI-based models are reported to greatly outperform traditional static analysis tools, indicating a substantial workload relief for security engineers. However, the industry remains very cautious and selective about integrating AI-based techniques into their security vulnerability management workflow. To understand the reasons, we conducted a discussion-based study, anchored in the authors' extensive industrial experience and keen observations, to uncover the gap between research and practice in this field. We empirically identified three main barriers preventing the industry from adopting academic models, namely, complicated requirements of scalability and prioritization, limited customization flexibility, and unclear financial implications. Meanwhile, research works are significantly impacted by the lack of extensive real-world security data and expertise. We proposed a set of future directions to help better understand industry expectations, improve the practical usability of AI-based security vulnerability research, and drive a synergistic relationship between industry and academia.

Cryptography and Security,Software Engineering

Riya Kedia,Pooja Jha,M. Dehury,Sahil Prasad Bejo,B. Kumar,Pallab Banerjee

DOI: https://doi.org/10.1109/WCONF58270.2023.10235163

2023-07-14

Abstract:Currently, because almost all interactions occur online, internet security is a critical concern. Penetration testing evaluates network and system security while also revealing security weaknesses. Piercing testing is carry out to ensure that there are no security flaws in the system or network that would permit unauthorised access. Penetration testing, often known as Pen Testing, is a collection of processes designed to track down vulnerabilities in a network or system, or online application that an attacker may exploit. It assists to confirm the effectiveness and efficiency of the different security measures put in place. This document concisely describes the foundations of penetration testing as well as illustrates how and where to deploy and utilise several tools and methodologies for penetration testing using Kali Linux for detecting system vulnerabilities: and provide a review of firewalls, networking protocols, as well as basic security problems that must be addressed in the goal of better protection of the system, ending after analysing the results.

Computer Science

Felipe Moreno-Vera,Mateus Nogueira,Cainã Figueiredo,Daniel Sadoc Menasché,Miguel Bicudo,Ashton Woiwood,Enrico Lovat,Anton Kocheturov,Leandro Pfleger de Aguiar

2023-08-04

Abstract:This paper proposes a machine learning-based approach for detecting the exploitation of vulnerabilities in the wild by monitoring underground hacking forums. The increasing volume of posts discussing exploitation in the wild calls for an automatic approach to process threads and posts that will eventually trigger alarms depending on their content. To illustrate the proposed system, we use the CrimeBB dataset, which contains data scraped from multiple underground forums, and develop a supervised machine learning model that can filter threads citing CVEs and label them as Proof-of-Concept, Weaponization, or Exploitation. Leveraging random forests, we indicate that accuracy, precision and recall above 0.99 are attainable for the classification task. Additionally, we provide insights into the difference in nature between weaponization and exploitation, e.g., interpreting the output of a decision tree, and analyze the profits and other aspects related to the hacking communities. Overall, our work sheds insight into the exploitation of vulnerabilities in the wild and can be used to provide additional ground truth to models such as EPSS and Expected Exploitability.

Cryptography and Security,Machine Learning

Sorin Adam Matei,Elisa Bertino

2023-11-08

Abstract:The present study explored managerial and instructor perceptions of their freshly employed cybersecurity workers' or students' preparedness to work effectively in a changing cybersecurity environment that includes AI tools. Specifically, we related perceptions of technical preparedness to ethical, systems thinking, and communication skills. We found that managers and professors perceive preparedness to use AI tools in cybersecurity to be significantly associated with all three non-technical skill sets. Most important, ethics is a clear leader in the network of relationships. Contrary to expectations that ethical concerns are left behind in the rush to adopt the most advanced AI tools in security, both higher education instructors and managers appreciate their role and see them closely associated with technical prowess. Another significant finding is that professors over-estimate students' preparedness for ethical, system thinking, and communication abilities compared to IT managers' perceptions of their newly employed IT workers.

Computers and Society,Artificial Intelligence,Cryptography and Security

Mohamed Zaoui,Belfaik Yousra,Sadqi Yassine,Maleh Yassine,Ouazzane Karim

DOI: https://doi.org/10.1109/access.2024.3403197

IF: 3.9

2024-05-28

IEEE Access

Abstract:Social engineering (SE) attacks are a growing concern for organizations that rely on technology to protect sensitive data. Identifying and preventing these attacks can be challenging, as they frequently rely on manipulating human behavior rather than exploiting technical vulnerabilities. Although various studies have explored SE attacks and their defense mechanisms, there remains a gap in the literature concerning the holistic and layered classification of these threats and countermeasures. To address this, we conducted a comprehensive literature survey to understand existing taxonomies and subsequently identified areas that required a more structured and exhaustive categorization. Based on the survey results, we propose a comprehensive taxonomy of SE attacks, classifying them based on three levels: environment, approaches, and mediums. Additionally, we present a taxonomy of social engineering countermeasures, encompassing both technical and non-technical solutions. The proposed taxonomies serve as a foundation for future research and offer organizations a valuable framework for developing effective strategies to detect, prevent, and respond to social engineering incidents.

computer science, information systems,telecommunications,engineering, electrical & electronic