CyberRAG: An agentic RAG cyber attack classification and reporting tool

Similar Papers
  • Research Article
  • 10.26577/japj2024.112.i4.a12
PRINCIPLES OF CLASSIFICATION OF CYBER ATTACKS LEGAL REGULATION IN THE REPUBLIC OF KAZAKHSTAN
  • Jan 1, 2024
  • JOURNAL OF ACTUAL PROBLEMS OF JURISPRUDENCE
  • N.B Kubanova + 1 more

The development of digital technologies leads to an increase in cyber threats, which requires a systematic approach to the classification of cyber attacks and appropriate legal regulation. As a result of the widespread use of the digital environment, traditional crimes have also moved into the digital space. Cyberattacks are a growing threat worldwide. The threat of cyber attacks and data leaks is a major concern for governments, businesses and individuals. The purpose of the article is to study the principles of classification of cyber attacks and the assessment of legal regulation in the Republic of Kazakhstan. The main focus is on identifying the main types of cyber attacks, their characteristics and classification methods, as well as analyzing current legislation in the field of cybersecurity in order to develop proposals for improving legal regulation in this area. The relevance of this topic is due to the growing threats in cyberspace and the need to effectively counter cyber attacks. With the increase in the number of Internet users and the development of information technology, the likelihood of committing cybercrimes increases. Legal regulation in this area plays a key role in ensuring cybersecurity and protecting the rights of citizens and organizations. Assessment of the principles of classification of cyber attacks and analysis of legal regulation in the Republic of Kazakhstan are of great practical importance for the development of effective measures to prevent and suppress cyber attacks. The analysis was carried out on the basis of an integrated approach, including a review of the literature and the study of methods of counteraction. Methods of formal classification of attacks were also used, taking into account various methods and levels of danger.

  • Conference Article
  • Cite count: 18
  • 10.1145/3230833.3234689
A New Classification of Attacks against the Cyber-Physical Security of Smart Grids
  • Aug 27, 2018
  • Ghada Elbez + 2 more

Modern critical infrastructures such as Smart Grids (SGs) rely heavily on Information and Communication Technology (ICT) systems to monitor and control operations and states within large-scale facilities. The potential offered by SGs includes an effective integration of renewables, a demand-response action and a dynamic pricing system. The increasing use of ICT for the communication infrastructure of modern power systems offers advantages but can give rise to cyber attacks that compromise the security of the SG. To deal efficiently with the security concerns of SGs, a survey of the different attacks that consider the physical as well as the cyber characteristics of modern power grids is required. In the present paper, first the specific differences between SGs with respect to both Information Technology (IT) systems and conventional energy grids are discussed. Thereafter, the specific security requirements of SGs are presented in order to raise awareness of the new security challenges. Finally, a new classification of cyber attacks, based on the architecture of the SG, is proposed and details for each category are provided. The new classification is distinguished by its focus on the cyber-physical security of the SG in particular, which gives a comprehensive overview of the different threats. Thus, this new classification forms the necessary knowledge-basis for the design of respective countermeasures.

  • Conference Article
  • Cite count: 16
  • 10.1109/snpd.2013.30
An Ensemble Approach for Cyber Attack Detection System: A Generic Framework
  • Jul 1, 2013
  • Shailendra Singh + 1 more

Cyber attack detection is based on the assumption that intrusive activities are noticeably different from normal system activities and thus detectable. A cyber attack would cause loss of integrity, confidentiality, or denial of resources. The fact is that no single classifier is able to give maximum accuracy for all the five classes (Normal, Probe, DOS, U2R and R2L). We have proposed a Cyber Attack Detection System (CADS) and its generic framework, which performs well for all the classes. This is based on the Generalized Discriminant Analysis (GDA) algorithm for feature reduction of the cyber attack dataset and an ensemble approach of classifiers for classification of cyber attacks. The ensemble approach of classifiers classifies cyber attacks based on the union of the subsets of features. Thus it can detect a wider range of attacks. The C4.5 and improved Support Vector Machine (iSVM) classifiers are combined as a hierarchical hybrid classifier (C4.5-iSVM), and an ensemble approach combining the individual base classifiers and the hybrid classifier is used for the best classification of cyber attacks. The experimental results illustrate that the proposed Cyber Attack Detection System has improved detection accuracy for all the classes of attacks.

  • Research Article
  • Cite count: 2
  • 10.2991/ijndc.2014.2.2.2
An Ensemble Approach for Cyber Attack Detection System: A Generic Framework
  • Jan 1, 2014
  • International Journal of Networked and Distributed Computing
  • Shailendra Singh + 1 more

Cyber attack detection is based on the assumption that intrusive activities are noticeably different from normal system activities and thus detectable. A cyber attack would cause loss of integrity, confidentiality, or denial of resources. The fact is that no single classifier is able to give maximum accuracy for all the five classes (Normal, Probe, DOS, U2R and R2L). We have proposed a Cyber Attack Detection System (CADS) and its generic framework, which performs well for all the classes. This is based on the Generalized Discriminant Analysis (GDA) algorithm for feature reduction of the cyber attack dataset and an ensemble approach of classifiers for classification of cyber attacks. The ensemble approach of classifiers classifies cyber attacks based on the union of the subsets of features. Thus, it can detect a wider range of attacks. The C4.5 and improved Support Vector Machine (iSVM) classifiers are combined as a hierarchical hybrid classifier (C4.5-iSVM), and an ensemble approach combining the individual base classifiers and the hybrid classifier is used for the best classification of cyber attacks. The experimental results illustrate that the proposed Cyber Attack Detection System has higher detection accuracy for all classes of attacks, with minimized training and testing times and false positive alarms.

  • Research Article
  • 10.3233/idt-240362
An intelligent hybrid model for cyber attack classification with selected feature set
  • Sep 16, 2024
  • Intelligent Decision Technologies
  • G Geetha + 2 more

Cyber security is evolving as a severe problem in almost all sectors of cyberspace, due to the continual increase in the number of security breaches. Numerous zero-day attacks occur continuously, due to the increase in multiple protocols. Almost all of these attacks are small variants of previously known cyber attacks. Moreover, even advanced approaches like Machine Learning (ML) face difficulty in identifying those attacks' small mutants over time. Recently, Deep Learning (DL) has been utilized for multiple applications related to cybersecurity fields. Making use of DL to identify cyber attacks might be a resilient mechanism for novel attacks or tiny mutations. Thereby, a novel cyber attack classification model named DCNN-Bi-LSTM-ICS is proposed in this work. This proposed DCNN-Bi-LSTM-ICS has five working stages. Firstly, in the data acquisition stage, the input data (considering the datasets) for attack classification are collected. These raw data are pre-processed in the second stage, where an improved class imbalance balancing process is conducted which makes use of the Improved Synthetic Minority Oversampling Technique (ISMOTE). In the third stage, along with the conventional mutual information and statistical features, improved holo-entropy-based features are extracted. To choose the appropriate features from those retrieved, an Improved Chi-Square (ICS) process is developed in the fourth stage. In the final classification stage, a hybrid classification model that combines both the Deep Convolutional Neural Network (DCNN) and Bi-directional Long Short Term Memory (Bi-LSTM) is developed. The outcomes show that the proposed DCNN-Bi-LSTM-ICS can offer outstanding performance in the cyber attack classification task.

  • Research Article
  • Cite count: 11
  • 10.3390/su151813887
Blockchain-Assisted Machine Learning with Hybrid Metaheuristics-Empowered Cyber Attack Detection and Classification Model
  • Sep 19, 2023
  • Sustainability
  • Ashwag Albakri + 2 more

Cyber attack detection is the process of detecting and responding to malicious or unauthorized activities in networks, computer systems, and digital environments. The objective is to identify these attacks early, safeguard sensitive data, and minimize the potential damage. An intrusion detection system (IDS) is a cybersecurity tool mainly designed to monitor system activities or network traffic to detect and respond to malicious or suspicious behaviors that may indicate a cyber attack. IDSs that use machine learning (ML) and deep learning (DL) have played a pivotal role in helping organizations identify and respond to security risks in a prompt manner. ML and DL techniques can analyze large amounts of information and detect patterns that may indicate the presence of malicious or cyber attack activities. Therefore, this study focuses on the design of a blockchain-assisted hybrid metaheuristics with machine learning-based cyber attack detection and classification (BHMML-CADC) algorithm. The BHMML-CADC method focuses on the accurate recognition and classification of cyber attacks. Moreover, the BHMML-CADC technique applies Ethereum BC for attack detection. In addition, a hybrid enhanced glowworm swarm optimization (HEGSO) system is utilized for feature selection (FS). Moreover, cyber attacks can be identified with the design of a quasi-recurrent neural network (QRNN) model. Finally, the hunter–prey optimization (HPO) algorithm is used for the optimal selection of the QRNN parameters. The experimental outcomes of the BHMML-CADC system were validated on the benchmark BoT-IoT dataset. The wide-ranging simulation analysis illustrates the superior performance of the BHMML-CADC method over other algorithms, with a maximum accuracy of 99.74%.

  • Research Article
  • Cite count: 14
  • 10.14445/22312803/ijctt-v7p106
  • Jan 25, 2014
  • International Journal of Computer Trends and Technology
  • Bhavna Dharamkar + 1 more

Cyber attack detection and classification is a major challenge for web and network security. The increasing data traffic in networks and the web invites multiple cyber attacks. The dynamic nature and large number of attributes of cyber data pose a problem for detection and prevention. In the current research trend, various methods and frameworks have been proposed by different authors. These frameworks and proposed methods are based on data mining and neural network approaches. Data mining offers various techniques such as clustering, classification, rule generation and temporal event mining; these techniques are very efficient for the cyber attack detection process. Neural networks are applied in cyber attack classification as a feature reduction technique. Feature reduction is a very important task in cyber attack classification, because cyber attack data consist of a huge number of features. This paper presents various cyber attack detection and classification methods based on data mining and neural network approaches, along with IDS evaluation criteria; the datasets used for validating IDSs are also discussed.

  • Conference Article
  • Cite count: 7
  • 10.1109/istafrica.2016.7530663
Classification of cyber attacks in South Africa
  • May 1, 2016
  • Renier Van Heerden + 2 more

This paper introduces a classification scheme for the visual classification of cyber attacks. Through the use of the scheme, the impact of various cyber attacks throughout the history of South Africa is investigated and classified. The goal of this paper is to introduce a classification scheme that arranges attacks into different classes and sub-classes, which is presented visually. To enhance the visual description, each class has a maximum of three sub-classes, which can overlap. This classification scheme helps to show the diverse impacts of cyber attacks in South Africa. This method of classification can be used for the assessment of any cyber attack and to find similarities between attacks.

  • Conference Article
  • Cite count: 19
  • 10.1109/pesgm.2012.6345468
Metrics for assessment of smart grid data integrity attacks
  • Jul 1, 2012
  • A Giani + 4 more

There is an emerging consensus that the nation's electricity grid is vulnerable to cyber attacks. This vulnerability arises from the increasing reliance on using remote measurements, transmitting them over legacy data networks to system operators who make critical decisions based on available data. Data integrity attacks are a class of cyber attacks that involve a compromise of information that is processed by the grid operator. This information can include meter readings of injected power at remote generators, power flows on transmission lines, and relay states. These data integrity attacks have consequences only when the system operator responds to compromised data by re-dispatching generation under normal or contingency protocols. These consequences include (a) financial losses from sub-optimal economic dispatch to service loads, (b) robustness/resiliency losses from placing the grid at operating points that are at greater risk from contingencies, and (c) systemic losses resulting from cascading failures induced by poor operational choices. This paper is focussed on understanding the connections between grid operational procedures and cyber attacks. We first offer an example to illustrate how data integrity attacks can cause economic and physical damage by misleading operators into taking inappropriate decisions. We then focus on unobservable data integrity attacks involving power meter data. These are coordinated attacks where the compromised data is consistent with the physics of power flow, and is therefore passed by any bad data detection algorithm. We develop metrics to assess the economic impact of these attacks under operator re-dispatch decisions using optimal power flow methods. These metrics can be used to prioritize the adoption of appropriate countermeasures including PMU placement, encryption, hardware upgrades, and advanced detection algorithms.

  • Conference Article
  • Cite count: 3
  • 10.1109/naps52732.2021.9654459
Characterization and Classification of Cyber Attacks in Smart Grids using Local Smoothness of Graph Signals
  • Nov 14, 2021
  • Md Abul Hasnat + 1 more

Characterization and classification of cyber attacks in smart grids are crucial for situational awareness and mitigation of their effects. The graph signal processing (GSP) framework for the analysis of energy data provides new perspectives and opportunities for such characterization by capturing topology, interconnections, and interactions among the components of smart grids. In this work, several forms of cyber stresses on power system measurements and state estimation have been analyzed using the local smoothness of their graph signals. Using the local smoothness, characteristics of different cyber stresses are described analytically and evaluated by simulations. Moreover, the local smoothness features are used in machine learning models to classify multiple random and clustered cyber stresses and to determine the attack center and radius in the case of clustered attacks.

  • Research Article
  • 10.69996/jsihs.2025004
Cyber Attacks Classification Using Supervised Machine Learning Techniques
  • Mar 31, 2025
  • Journal of Sensors, IoT & Health Sciences
  • Hajira Be A.B + 1 more

Cyberattack classification through the utilization of supervised machine learning methods. The system is designed to categorize diverse cyber-attacks by employing a meticulously curated dataset encompassing a wide array of attack types, including but not limited to malware, phishing, and distributed denial-of-service (DDoS) attacks. Feature extraction techniques are applied to both network traffic data and behavioural attributes, facilitating the training of a robust classification model. Various supervised learning algorithms, such as decision trees, support vector machines, and neural networks, are evaluated for their efficacy in accurately predicting attack categories. The training process involves labelling historical attack instances, enabling the model to discern intricate patterns and subtle differentiators among attack types. Regular model updates and retraining with new attack data ensure its relevance in dynamically evolving threat landscapes. The system's predictive accuracy empowers cyber security teams to swiftly identify and respond to cyber threats, thereby bolstering overall defence strategies. Through this research, we contribute to the proactive identification and mitigation of cyber-attacks, ultimately fortifying digital security frameworks.

  • Research Article
  • 10.35882/ijeeemi.v7i4.119
Classification Of Cyber Attack And Anomaly In Web Server Using Transformer and Transfer Learning
  • Nov 7, 2025
  • Indonesian Journal of Electronics, Electromedical Engineering, and Medical Informatics
  • Edi Dwi Prasetyo + 2 more

Cybersecurity is a crucial aspect in maintaining the integrity and availability of information systems, especially on web servers which are vulnerable to various types of attacks and anomalies. This research aims to investigate the application of transfer learning in the classification of cyber attacks and anomalies on web servers. Transfer learning, a powerful deep learning approach, enables pre-trained models to adapt to new tasks with limited data, offering an efficient solution for detecting malicious activities and unusual patterns in web server logs. The goal is to improve detection accuracy while reducing the time and resources required to train models from scratch. This study uses a bi-layer classification approach with pre-trained Transformer models, RoBERTa and BERT, through transfer learning to detect cyber attacks and anomalies in web server log data. The process includes preprocessing the log data, extracting relevant features, and fine-tuning BERT to classify known attacks in the first layer, followed by RoBERTa in the second layer to detect unusual or unknown behaviors. Model performance is evaluated using accuracy, precision, recall, and F1-score, and results are compared with traditional deep learning methods like RoBERTa and BERT to highlight the advantages of this bi-layer transfer learning approach. The result of this proposed bi-layer classification method is improved performance in detecting cyber attacks and anomalies compared to using RoBERTa and BERT individually. By combining both models, the system is anticipated to achieve higher accuracy, better precision in identifying true threats, improved recall for detecting a wider range of attacks, and a more balanced F1-score. This layered approach leverages the strengths of both RoBERTa and BERT, enabling more robust and reliable threat detection, with reduced false positives and false negatives compared to single-model implementations.

  • Book Chapter
  • Cite count: 1
  • 10.4018/979-8-3693-2675-6.ch003
A Contemporary Survey on the Effectiveness of Machine Learning for Detection and Classification of Cyber Attacks in IoT Systems
  • Oct 8, 2024
  • P Suresh + 6 more

The interconnection of less secure devices in a network is known as the internet of things (IoT). Data and systems may be better protected with the aid of cyber security in the IoT. Cyber security violations occur most frequently when an attacker uses many systems connected to multiple networks or systems to conduct an offence. These cyber dangers can do more than just steal or corrupt data; they can also temporarily or permanently disable network infrastructure. Because it is always changing, manually detecting cyber-attacks becomes expensive and tiresome. Therefore, they may be identified and categorized using machine learning methods. Internet of things devices may now maintain connections for long durations without any intervention from a person. This chapter extensively covers cyberattack detection and categorization in IoT systems using machine learning approaches.

  • Research Article
  • Cite count: 28
  • 10.1109/jas.2021.1004012
Passivity-Based Robust Control Against Quantified False Data Injection Attacks in Cyber-Physical Systems
  • Aug 1, 2021
  • IEEE/CAA Journal of Automatica Sinica
  • Yue Zhao + 4 more

Secure control against cyber attacks becomes increasingly significant in cyber-physical systems (CPSs). False data injection attacks are a class of cyber attacks that aim to compromise CPS functions by injecting false data such as sensor measurements and control signals. For quantified false data injection attacks, this paper establishes an effective defense framework from the energy conversion perspective. Then, we design an energy controller to dynamically adjust the system energy changes caused by unknown attacks. The designed energy controller stabilizes the attacked CPSs and ensures the dynamic performance of the system by adjusting the amount of damping injection. Moreover, with the L2 disturbance attenuation technique, the burden of control system design is simplified because there is no need to design an attack observer. In addition, this secure control method is simple to implement because it avoids complicated mathematical operations. The effectiveness of our control method is demonstrated through an industrial CPS that controls a permanent magnet synchronous motor.

  • Research Article
  • 10.30724/1998-9903-2021-23-5-13-23
The usage of power system multi-model forecasting aided state estimation for cyber attack detection
  • Jan 9, 2022
  • Power engineering: research, equipment, technology
  • I A Lukicheva + 1 more

THE PURPOSE. Smart electrical grids involve extensive use of information infrastructure. Such an aggregate cyber-physical system can be subject to cyber attacks. One of the ways to counter cyberattacks is state estimation. State estimation is used to identify the present power system operating state and to eliminate metering errors and corrupted data. In particular, when a real measurement is replaced by a false one by a malefactor, or a failure in the functioning of communication channels occurs, it is possible to detect false data and restore them. However, there is a class of cyberattacks, the so-called False Data Injection Attack, aimed at distorting the results of the state estimation. The aim of the research was to develop a state estimation algorithm which is able to work in the presence of a cyber-attack with high accuracy.

METHODS. The authors propose a Multi-Model Forecasting-Aided State Estimation method based on multi-model discrete tracking parameter estimation by the Kalman filter. The multi-model state estimator consisted of three single state estimators, which produced single estimates using different forecasting models. In this paper only linear forecasting models were considered, such as the autoregression model, the vector autoregression model and Holt's exponential smoothing. Then we obtained the multi-model estimate as the weighted sum of the single-model estimates. Cyberattack detection was implemented through innovation and residual analysis. The analysis of the proposed algorithm's performance was carried out by simulation modeling using the example of an IEEE 30-bus system in Matlab.

RESULTS. The paper describes a false data injection cyber attack and its specific impact on power system state estimation. A Multi-Model Forecasting-Aided State Estimation algorithm has been developed, which allows detecting cyber attacks and recovering corrupted data. Simulation of the algorithm has been carried out and its efficiency has been proved.

CONCLUSION. The results showed a cyber attack detection rate of 100%. The Multi-Model Forecasting-Aided State Estimation is a protective measure against the impact of cyber attacks on the power system.
