Proactive identification of cybersecurity compromises via the PROID compromise assessment framework

Abstract

As organizations confront a continuously evolving threat landscape, advanced adversarial techniques are increasingly capable of evading traditional continuous monitoring, allowing attackers to remain concealed within environments for extended periods. Industry studies report an average detection time exceeding six months, with many compromises first discovered by third parties rather than internally. Compromise Assessment (CA), a proactive approach to determining whether an environment is or has been compromised, has emerged as a way to uncover these threats. However, existing practices remain fragmented, are often conflated with threat hunting, and continue to lack a standardized methodological foundation. Together, these issues, combined with the absence of clear CA frameworks, undermine practitioners' ability to provide consistent and reliable assurance in answering the central question of whether an environment is or has been compromised. To address these challenges, this research introduces PROID, a novel, comprehensive, and data-driven Compromise Assessment framework. PROID integrates Threat Intelligence and Threat Hunting through a multi-layered analytical approach, combining signature-based and signature-less hunting, automated pattern recognition, and human-led analysis. In a simulated enterprise environment, PROID was tested against thirty-one MITRE ATT&CK techniques spanning ten tactics across host, network, and application layers. The framework successfully detected all thirty-one techniques, including persistence, defense evasion, and anti-forensics behaviors that other methodologies did not consistently identify. These results demonstrate PROID's breadth of detection and its effectiveness in unifying diverse analysis methods within a single framework to reach the desired goal.
Beyond technical performance, PROID establishes a standardized and reproducible basis for Compromise Assessment, addressing ambiguity with threat hunting and offering organizations a practical means of conducting periodic assurance of compromise status. Its integration with incident response processes and its emphasis on scope definition and telemetry baselining make it a valuable reference model to complement real-time monitoring and strengthen organizational resilience against advanced threats.

Similar Papers
  • Single Book
  • 10.59646/dfir/013
Digital Forensics
  • Jul 22, 2023
  • Reda Salama

An understanding of how digital forensics integrates with the overall response to cybersecurity incidents is key to securing your organization's infrastructure from attacks. This edition will help you perform cutting-edge digital forensic activities and incident response. After focusing on the fundamentals of incident response that are critical to any information security team, you’ll move on to exploring the incident response framework. From understanding its importance to creating a swift and effective response to security incidents, the book will guide you with the help of useful examples. As you progress, you’ll discover the role that threat intelligence plays in the incident response process. You’ll also learn how to prepare an incident response report that documents the findings of your analysis. Finally, in addition to various incident response activities, the book will address malware analysis, and demonstrate how you can proactively use your digital forensic skills in threat hunting.

  • Research Article
  • 10.37394/23204.2024.23.19
Designing Effective Threat Hunting to Enhance Security Programs
  • Dec 30, 2024
  • WSEAS TRANSACTIONS ON COMMUNICATIONS
  • Assoujaa Ismail

Cyber threat hunting is a proactive cybersecurity approach focused on identifying threats that evade traditional security measures. It involves the integration of human expertise, data analytics, and advanced tools to detect anomalies within organizational networks and systems. Despite its potential, many organizations remain dissatisfied with their threat hunting programs due to gaps in required analytical skills and the lack of integration of advanced techniques such as machine learning. This paper explores the design of an effective threat hunting exercise, examining its role in complementing traditional security measures. It emphasizes the importance of advanced data analytics, threat intelligence integration, and automation to enhance the effectiveness of threat hunting. The proposed framework underscores the significance of the data collection and analysis process, improving detection rates and reducing the impact of advanced threats. This study also addresses the challenges faced in threat hunting, including skills gaps and the need for better tools, and outlines strategies for overcoming these obstacles to create more robust security programs.

  • Conference Article
  • Cite count: 1
  • 10.1109/iiaiaai55812.2022.00130
HOUND: Log Analysis Support for Threat Hunting by Log Visualization
  • Jul 1, 2022
  • Rei Yamagishi + 3 more

Threat hunting is a methodology to discover threats that have already penetrated organizations without relying on existing security devices. Threat hunting has been attracting attention because the traditional cyberattack process cannot catch advanced threats. In threat hunting, an operator analyzes multiple types of logs and collects traces of attacks in terms of tactics, techniques, and procedures (TTP). While existing log visualization technology can understand the log overview and discover suspicious points, it does not support detailed analysis in a tabular format. Therefore, analysts must read each log entry carefully during a detailed analysis. In this paper, we propose a detailed analysis support system for threat hunting using three key ideas: (i) making TTP icons to help translate events, (ii) similarity value visualization, and (iii) relevance visualization between log entries to help an operator decide which entries should be analyzed next. We propose a "Hunting Operation Utilities for Need Decision" (HOUND) system that implements the three key ideas.

  • Research Article
  • Cite count: 9
  • 10.1186/s42400-022-00111-2
A flexible approach for cyber threat hunting based on kernel audit records
  • Jun 1, 2022
  • Cybersecurity
  • Fengyu Yang + 4 more

Hunting the advanced threats hidden in the enterprise networks has always been a complex and difficult task. Due to the variety of attacking means, it is difficult for traditional security systems to detect threats. Most existing methods analyze log records, but the amount of log records generated every day is very large. How to find the information related to the attack events quickly and effectively from massive data streams is an important problem. Considering that the knowledge graph can be used for automatic relation calculation and complex relation analysis, and can get relatively fast feedback, our work proposes to construct the knowledge graph based on kernel audit records, which fully considers the global correlation among entities observed in audit logs. We design the construction and application process of knowledge graph, which can be applied to actual threat hunting activities. Then we explore different ways to use the constructed knowledge graph for hunting actual threats in detail. Finally, we implement a LAN-wide hunting system which is convenient and flexible for security analysts. Evaluations based on the adversarial engagement designed by DARPA prove that our platform can effectively hunt sophisticated threats, quickly restore the attack path or assess the impact of attack.

  • Conference Article
  • Cite count: 8
  • 10.1109/icce.2019.8661952
Intelligent Threat Hunting in Software-Defined Networking
  • Jan 1, 2019
  • Steven Schmitt + 2 more

The emergence of Software-Defined Networking (SDN) has brought along a wave of new technologies and developments in the field of networking with hopes of dealing with network resources more efficiently and providing a foundation of programmability. SDN allows for both flexibility and adaptability by separating the control and data planes in a network environment by virtualizing network hardware. We, in this work, present an advanced threat hunting model by combining the SDN infrastructure with threat hunting techniques and machine learning models, aiming to intelligently handle network threats such as denial of service, repeat, and man-in-the-middle attacks. This advancement enables the handling of dynamic network traffic in areas such as smart cities and autonomous vehicles more efficiently by rapidly mitigating network threats.

  • Conference Article
  • Cite count: 2
  • 10.1109/vetecs.2009.5073701
Multi-Layer Optimized Packet Scheduling for OFDMA-Based Cellular Systems
  • Apr 1, 2009
  • Xiaoqiu Wang + 2 more

Orthogonal frequency division multiple access (OFDMA) systems have recently drawn considerable attention as potential candidates for future generation cellular systems. To achieve proportional fairness among users while improving user's satisfaction in the upper layer, e.g. application and transmission control protocol (TCP) layers, we propose a novel multi-layer optimization approach for packet scheduling in OFDMA-based cellular systems, whereby the scheduler is designed not only based on optimization of the quality-of-service (QoS) class in the application layer, and fairness over users, but also based on the optimization of the throughput performance in the TCP layer. Simulations are conducted using TCP applications with the ultra mobile broadband (UMB) air interface numerology. Simulation results show that the proposed packet scheduling achieves up to 27.3% improvement over the proportional fairness scheduler in terms of the average system TCP throughput in the TCP layer, when resource usable rate for TCP applications is lower. Meanwhile, the proposed packet scheduling also performs with comparable fairness in the physical layer relative to the proportional fairness scheduler.

  • Research Article
  • Cite count: 1
  • 10.30574/wjarr.2023.20.3.2741
Integrating Artificial Intelligence, machine learning, and data analytics in cybersecurity: A holistic approach to advanced threat detection and response
  • Dec 30, 2023
  • World Journal of Advanced Research and Reviews
  • Adeola N Raji + 3 more

Introduction: The integration of artificial intelligence (AI), machine learning (ML), and data analytics is revolutionizing cybersecurity practices. With the advancement of technology and new threats emerging in cyberspace, conventional approaches to security are no longer sufficiently effective. This paper aims at identifying how these sophisticated technologies improve the methods of threat identification, response, and the overall analytical capability to strengthen computerized structures against modern SNEs. The threat landscape is changing at incredible speed, making it impossible to simply wait for new threats to unfold and then respond. AI and ML are capable of analysing enormous quantities of data in an extremely short time, finding patterns and changes previously unnoticed by analysts, and automatically responding to threats in real time. Data analytics forms the bedrock on which these advanced systems are built and serves to process and analyze a large chunk of the security-related information. The combination of these technologies provides a strong foundation for a cybersecurity environment that can be responsive to emerging threats, utilize prior attacks for training purposes, and self-develop its methodology for better protection. Methodology: The study employed a comprehensive search strategy across multiple electronic databases, including IEEE Xplore, ACM Digital Library, ScienceDirect, Scopus, and Google Scholar. Keywords related to AI, ML, data analytics, and cybersecurity were used in combination with Boolean operators. To make the outcome more meaningful and relevant, general criteria for the eligibility of the papers were defined. The selection process involved two phases: title and abstract evaluation for inclusion in the initial set of studies, and subsequent full-text review of these studies. Part of our extraction process involved the use of a data extraction form to gather specific details from each of the studies included in the analysis.
To evaluate the quality of the included studies, the CASP tools were used with slight modifications. In this study, two independent reviewers participated in the decisions on study inclusion, data extraction, and quality assessment to reduce bias. This approach helped in providing a comprehensive and methodical analysis of the contemporary state and potential developments of AI and ML in the realm of cybersecurity. Results and Discussion: The review highlights that AI and ML greatly boost threat detection by detecting patterns and anomalies within large volumes of security data. These technologies can be used to detect new and previously unknown types of attack, known as zero-day attacks and APTs (advanced persistent threats). Using AI and ML for predictive analytics enables organizations to leverage previous attacks and contexts to predict future attacks and prepare their defenses. The use of AI in response to security threats also minimizes response time and optimizes processes. These technologies integrate to help respond to threats more quickly and with minimal human intervention, thereby also reducing the time it takes to respond to threats. However, issues remain, such as the quality of the data used in the model, the reliability of the algorithm, and open questions about who might tamper with the AI systems. The review also discusses new trends in cyber defense and remediation that may be of interest in the future, namely continuous authentication and advanced threat hunting. Potential issues associated with data privacy and algorithmic bigotry are pointed out as promising directions for future studies in this domain. Conclusion: The integration of AI, ML, and data analytics in cybersecurity represents a paradigm shift in how organizations approach digital defense.
These technologies provide relevant functions for increasing threat diagnostics and response capabilities, as well as improving the predictive capability offered by this automation. The integration of AI and ML along with data analytics results in an architecture that is strong, flexible, intelligent, and adaptive enough to cope with growing security threats. Despite the issues discussed, including the problems with data quality and reliability of algorithms, as well as the numerous ethical questions, employing these technologies in cybersecurity seems promising. New types of cyber threats constantly emerge, and therefore ongoing enhancement of AI and ML security tools will be imperative. Long-term research should endeavor to address the challenges mentioned above as well as elaborate on additional possible uses of these technologies in strengthening cybersecurity.

  • Research Article
  • 10.1371/journal.pone.0332449
Constructing a digital twin maturity assessment framework for the building construction phase based on an improved matter-element model: A case study of a construction project in Xinyang, China
  • Sep 29, 2025
  • PLOS One
  • Qi Yang + 7 more

Digital twin technology has the potential to enhance construction efficiency, reduce costs, and minimize errors. However, its application during the construction phase remains at an early stage, largely constrained by the absence of standardized guidelines and principles. To address this challenge, it is essential to establish a comprehensive and universal maturity assessment framework to facilitate the effective implementation of this technology in the construction phase of building projects. This study focuses on two critical aspects: the development of the maturity assessment framework and its empirical validation. The proposed framework encompasses a maturity assessment indicator system covering five dimensions: acquisition layer, data layer, modeling layer, analysis layer, and application layer. For the first time, an optimized matter-element model based on dynamic thresholds and nonlinear correlation is introduced to improve the accuracy of maturity assessments. Furthermore, a feedback mechanism based on Importance-Performance Analysis (IPA) is utilized to clarify the formulation of optimization strategies. Finally, the framework is applied to the CAZ Innovation Industrial Park construction phase in Xinyang, Henan Province. The assessment results demonstrate that the system precisely measures the project’s maturity level and provides effective improvement recommendations. This study not only offers technological support for assessing and optimizing the digital twin maturity during the construction phase of building projects but also provides methodological insights into global digital twin maturity assessments.

  • Conference Article
  • 10.1109/icc.2009.5199510
Target Identification and Distributed Cooperative Control of Sensor Networks
  • Jun 1, 2009
  • A Wang + 1 more

With the advances in communication and embedded systems, the monitoring and/or controlling of physical phenomena that span over wide spatial area have been attempted with deployment of a network of inexpensive and miniature sensors. In this paper, we focus on the automated sensor management for target identification at the application layer. The sensor management is formulated using graph grammar that reactively control the states of the sensors based on their proximity to the target and the states of their neighboring sensors. Target identification, on the other hand, concerns the estimation of the target's kinematics and attributes. The current practice is often formulated as finding the conditional probability of the target type on features derived from the sensor measurements with statistical pattern recognition. However, due to lack of training data, we demonstrate that the use of semantic latent indexing and stochastic approximation techniques, borrowed from the computer science community, is a more powerful method for sensor management and target identification.

  • Research Article
  • 10.1016/0149-1970(88)90039-x
Operating experiences with an on-line, computer based nuclear plant surveillance and anomaly detection system based on pattern recognition and artificial intelligence
  • Jan 1, 1988
  • Progress in Nuclear Energy
  • Leslie G Kemeny

  • Book Chapter
  • Cite count: 2
  • 10.1007/978-3-642-34041-3_68
Network Security Evaluation Model Based on Cloud Computing
  • Jan 1, 2012
  • Jin Yang + 4 more

Cloud computing is an important innovation in the current computing model. The critical problem cloud computing faces at present is the security issue. In the current network environment, relying on a single terminal to check for Trojan viruses is considered increasingly unreliable. Based on the correspondence between the artificial immune system antibody and pathogen invasion intensity, this paper establishes a real-time network risk evaluation model in cloud computing. This paper builds a hierarchical, quantitative measurement indicator system, and a unified evaluation information base and knowledge base. The paper also combines an assets evaluation system and a network integration evaluation system, considering factors from the application layer, the host layer, and the network layer that may affect network risks. The experimental results show that the new model improves the ability of intrusion detection and prevention compared with traditional intrusion prevention systems.

  • Book Chapter
  • 10.4018/978-1-5225-0193-0.ch013
A Systematic Mapping of Security Mechanisms
  • Jan 1, 2016
  • Gayathri Rajakumaran + 1 more

In the Internet Era, millions of computer systems are connected to the Internet and the number is increasing infinitely. Maintaining proper control and configuration for all such networked systems has proved to be impossible. This loophole makes Internet systems vulnerable to various types of attacks. The objective of this research is to systematically identify a wide list of attacks in the transport, session and application layers (host layers). 148 effective controls are identified for the security attacks in addition to the 113 standard controls. The identified controls are analyzed in order to map and categorize them to the corresponding security layers.

  • Research Article
  • Cite count: 10
  • 10.4304/jnw.8.1.140-147
Cloud Computing for Network Security Intrusion Detection System
  • Jan 1, 2013
  • Journal of Networks
  • Jin Yang + 3 more

In recent years, as a new distributed computing model, cloud computing has developed rapidly and become the focus of academia and industry. But now the security issue of cloud computing is a main critical problem faced by most enterprise customers. In the current network environment, relying on a single terminal to check for Trojan viruses is considered increasingly unreliable. This paper analyzes the characteristics of current cloud computing, and then proposes a comprehensive real-time network risk evaluation model for cloud computing based on the correspondence between the artificial immune system antibody and pathogen invasion intensity. The paper also combines an assets evaluation system and a network integration evaluation system, considering factors from the application layer, the host layer, and the network layer that may affect network risks. The experimental results show that this model improves the ability of intrusion detection and can support the security of current cloud computing.

  • Single Report
  • 10.21236/ad0296583
SYMMETRY PATTERN RECOGNITION SYSTEM II
  • Jan 10, 1963
  • F.R Fluhr + 1 more

Automatization of satellite detection in the SPASUR system requires a means of discriminating against nonsatellite responses. Earlier, a study of SPASUR automatic gain control (agc) amplitude response led to developing a pattern recognition system based upon the inherent symmetry of a typical signal due to a satellite pass. A presentation is given of the Symmetry Recognition System II, and the technical performance at the San Diego Space Surveillance Station. In a 10-hour period, 106 alerts were generated; 20 were satellites correctly called symmetrical, and 39 were nonsatellites. Symmetry responses were generated on 14 alerts; some may have been due to remote, unverified satellite passes. No symmetry response was given to 33 verified satellites. Seven of these passes were missed due to agc pattern distortion by the SPASUR comb-filter switching action. Of the remaining signals, 25, below the agc noise level, could not be examined for symmetry. Design advances in the SPASUR system minimized the requirement for pattern recognition processing.

  • Dissertation
  • 10.17918/d8ph3x
Spectrum Awareness Using Bayesian Nonparametric Pattern Recognition
  • Jul 16, 2021
  • Gabriel Ford + 2 more

To accommodate an increasing demand for scarce spectrum resources, dynamic spectrum access (DSA) opens portions of the spectrum currently dedicated to licensed primary users, for access by unlicensed cognitive radio secondary users. A key requirement is that the secondary users do not interfere significantly with the primary users. Previous DSA research focuses on sense-and-avoid spectrum sharing strategies. The secondary user occupies a primary user channel only when it is not in use, and vacates immediately upon detecting primary user transmissions. In this setting, spectrum sensing is intended to provide little information aside from instantaneous primary user spectral-temporal occupancy. However, we anticipate that more adaptive and intelligent spectrum sharing strategies will require more advanced sensing capabilities allowing a secondary user to infer the primary user higher-layer protocol state and behavior. This type of feedback about the primary user will enable a secondary user to optimize its own spectrum access while also monitoring for potential impact to the primary user. In this study, we explore Bayesian nonparametric pattern recognition as a tool for informing intelligent secondary-user DSA strategies. We present a framework for learning and inferring primary user protocol state at the application and MAC layers from simple low-level energy detector features. We demonstrate, using a physical wireless network testbed, how this approach discovers actual primary user application layer protocol states and also detects anomalous primary user behavior caused by secondary user interference. We then extend the spectrum awareness framework to handle several simultaneous primary/secondary traffic flows, of potentially different types, multiplexed together onto a single wireless broadcast medium. We use the multi-flow framework to infer the application-layer states of the interleaved flows directly from observations of the aggregate traffic. 
In this process we circumvent deinterleaving the transmissions of the component flows, a particularly difficult task in cognitive radio environments with parameter-agile transmitters. We demonstrate the performance of the resulting technique on a network scenario with multiple simultaneous flows carrying different application layer traffic types, both in emulation and on an over-the-air hardware testbed.