Cyber-attack Strategy Research Articles

ML-based Fileless Malware Threats Analysis for the Detection of Cyber security Attack based on Memory Forensics: A Survey

The rapid advancements in cyber-attack strategies are in parallel with the measures for detection, analysis, and prevention. Attackers have recently developed fileless malware that can simply bypass existing security mechanisms. The high complexity of malware and the attacks rises in today’s world because malware increases the chance of cyberwar in many countries, the rise of one of the most sophisticated fileless malware is now increasing day by day and the present challenges for traditional malware detection and analysis are used that does not provide the complete information on Fileless malware. It evades conventional signature and firewall detection systems by hiding and directly injecting its malicious code into RAM, leaving no or minimum traces on the file system. This review paper explores the crucial artifacts in memory forensics that lead to a critical approach to addressing the challenges mentioned so that the investigator can detect and analyze the critical threats. Also, it highlights the method that helps the investigators analyze every aspect of the malicious or embedded code. This will help us to improve the detection criteria and the accuracy of the results. This study also helps the examiners in the examination of the processes and different types of analysis i.e. strings, anomaly detection, and the critical techniques used for retrieving malware artifacts. This review also includes the limitations of the existing tools and methodologies and the new evolving techniques and tactics used by the malware to hide its footprints. By identifying these gaps these papers provide robust farmwork for the enhancement of malware analysis tools and procedures to help the examiners in the analysis and examination of malware

A Novel Collusion Combination Cyberattack Strategy Against Integrated Energy System

A Novel Collusion Combination Cyberattack Strategy Against Integrated Energy System

Infusing Morabaraba game design to develop a cybersecurity awareness game (CyberMoraba)

Numerous studies have confirmed the effectiveness of Cybersecurity Awareness Games (CAGs) in enhancing the security posture of diverse organizations. As these organizations increasingly face the formidable challenge of cyberattacks, implementing serious CAGs to solve this issue has become a paramount concern. This article introduces an innovative approach to cybersecurity education by presenting a serious CAG. The game aims to effectively educate students about critical aspects of cybersecurity awareness engagingly and interactively. The study aimed to redefine cybersecurity awareness training by introducing an indigenous game design that intricately incorporates the traditional South African Morabaraba board game. While the effectiveness of non-indigenous games like "Capture The Flag (CTF)" in cybersecurity training is acknowledged, indigenous designs have been overlooked. This research creatively integrates Morabaraba's gameplay into cybersecurity training, adapting it into a competitive game where players adopt the roles of either defenders or attackers, with corresponding tokens/images symbolizing various cyber defense and attack strategies. Both the defenders and attackers in the game can elevate their awareness scores by strategically positioning defensive or attacking images on the game board. Subsequently, a judging entity assesses the players' moves and assigns scores based on the accuracy of the images placed. The game mirrors real-world scenarios, promoting strategic thinking and leveraging interactive gameplay for practical insights into cybersecurity awareness. Players demonstrate their cybersecurity knowledge through offensive and defensive strategies. A group of 40 students evaluated the game's effectiveness, highlighting its potential to create an engaging and competitive learning environment that imparts cybersecurity principles and practical application. The evaluation of the game mechanics demonstrated a remarkably positive outcome, with students expressing both enjoyment and an enhanced understanding of cybersecurity awareness.

Optimal Cyber Attack Strategy Using Reinforcement Learning Based on Common Vulnerability Scoring System

Optimal Cyber Attack Strategy Using Reinforcement Learning Based on Common Vulnerability Scoring System

Enhanced robust frequency stabilization of a microgrid against simultaneous cyber-attacks

A microgrid (MG) is a smart grid cyber-physical system, with component coordination relying on cyber resilience. Weak communications, protocols, and tools make the MG's secondary frequency control vulnerable to various cyber-attacks, posing new challenges and stability risks. In response to this challenge, this paper introduces the enhanced robust H∞ technique considering the dynamic impacts of cyber-attacks on secondary frequency control to develop a secondary frequency control loop, improving the regulation performance and cyber resiliency of the MG frequency. The secondary control cyber-attack strategies mainly rely on false data injection (FDI), denial of service (DoS), and controller hijacking. These attack techniques are simultaneously considered in formulating the H∞ problem and control synthesis as unstructured parametric uncertainty, attenuating the concurrent cyber impacts. The study extends a load frequency control model to illustrate how cyber-attacks can be represented mathematically and physically in the MG. The results reveal that cyber-attacks affect secondary frequency control elements differently depending on the type of cyber threats used. By implementing an enhanced H∞ controller, the MG can effectively maintain stable frequency levels even when faced with malicious attacks and disruptions caused by renewable energy sources and loads.

CyPhERS: A cyber-physical event reasoning system providing real-time situational awareness for attack and fault response

Cyber–physical systems (CPSs) constitute the backbone of critical infrastructures such as power grids or water distribution networks. Operating failures in these systems can cause serious risks for society. To avoid or minimize downtime, operators require real-time awareness about critical incidents. However, online event identification in CPSs is challenged by the complex interdependency of numerous physical and digital components, requiring to take cyber attacks and physical failures equally into account. The online event identification problem is further complicated through the lack of historical observations of critical but rare events, and the continuous evolution of cyber attack strategies. This work introduces and demonstrates CyPhERS, a Cyber-Physical Event Reasoning System. CyPhERS provides real-time information pertaining the occurrence, location, physical impact, and root cause of potentially critical events in CPSs, without the need for historical event observations. Key novelty of CyPhERS is the capability to generate informative and interpretable event signatures of known and unknown types of both cyber attacks and physical failures. The concept is evaluated and benchmarked on a demonstration case that comprises a multitude of attack and fault events targeting various components of a CPS. The results demonstrate that the event signatures provide relevant and inferable information on both known and unknown event types.

Assessment of spatiotemporally coordinated cyberattacks on renewable energy forecasting in smart energy system

The employment of deep learning (DL) in renewable energy forecasting (REF) may bring novel cyberthreats. However, this fact has not drawn sufficient attention in the existing literature. To fill the gap, this article, among the first, investigates the latent cyberthreat incurred by the DL-based REF model. First, a spatiotemporally coordinated cyberattack strategy is proposed by considering attackable geo-distributed renewable energy resources (RESs) and periods. It is fulfilled by compromising meteorological data transmitted from external online weather forecast interfaces which are required for REF but also exposed to potential adversaries. In this manner, the malicious adversary is able to deteriorate the REF performance, thereby jeopardizing the operation of the smart energy system. Second, the cyberattack optimization models under the white-box and black-box scenarios are designed. In the white-box scenario, the adversary has full knowledge of these operator-own REF models to obtain false data that should be injected into the meteorological data for launching cyberattacks; in the black-box scenario, the adversary will train surrogate models to replace these operator-own models for attack guidance. Third, an iterative solving method is proposed to solve the proposed white-box and black-box cyberattack optimization models. As DL models (sealed, non-differentiable, and highly non-linear) are introduced to the optimization problem, conventional optimization solvers are unable to handle the cyberattack optimization problem. The proposed solving method utilizes the proximal gradient descent principle, and is feasible to explore the near-optimal solution to the problem. At last, the efficacy of the proposed cyberattack strategy under different RES penetration levels and attack strengths and its catastrophic impacts are comprehensively assessed on the IEEE 39-bus benchmark. The results reveal that the cyberattack would cause enormous economic losses and even collapse the smart energy system.

What Are the Attackers Doing Now? Automating Cyberthreat Intelligence Extraction from Text on Pace with the Changing Threat Landscape: A Survey

Cybersecurity researchers have contributed to the automated extraction of CTI from textual sources, such as threat reports and online articles describing cyberattack strategies, procedures, and tools. The goal of this article is to aid cybersecurity researchers in understanding the current techniques used for cyberthreat intelligence extraction from text through a survey of relevant studies in the literature. Our work finds 11 types of extraction purposes and 7 types of textual sources for CTI extraction. We observe the technical challenges associated with obtaining available clean and labeled data for replication, validation, and further extension of the studies. We advocate for building upon the current CTI extraction work to help cybersecurity practitioners with proactive decision-making such as in threat prioritization and mitigation strategy formulation to utilize knowledge from past cybersecurity incidents.

Detection of data-driven blind cyber-attacks on smart grid: A deep learning approach

An immense challenge to future smart cities is providing resilience against cyber-attacks on critical infrastructures like the smart grid. Data-driven cyber-attack strategies like the false data injection attack (FDIA) can modify the states of the grid, hence posing a critical scenario. With an accurate knowledge of measurement subspace, this work demonstrates an effective blind FDIA formulation strategy. The current trend in the identification of such attacks is generally confined to their presence detection within the measurements, while their intrusion points remain concealed. To alleviate this concern, this study promotes an effective execution of novel robust, nonlinear deep learning models which can not only effectually identify the presence but also the exact locations of intrusions of blind attacks in real-time while working concurrently with the conventional bad data detector, thus furnishing a cost-effective approach. Moreover, such neural network models demonstrate a multilabel classification strategy by capturing the inconsistency with co-occurrence dependency of the attack vectors introduced into the raw measurements. Furthermore, these deep learning structures prove to be model-free, hence attacks can be determined without any statistical knowledge of the grid. The performance of the proposed framework is evaluated utilizing the standard IEEE test bench undertaking diverse noise and attack scenarios.

A Cross-Layer Design Approach to Strategic Cyber Defense and Robust Switching Control of Cyber-Physical Wind Energy Systems

Due to the increasing adoption of smart sensing and Internet of things (IoT) devices, wind energy system (WES) becomes more vulnerable to cyber and physical attacks. Therefore, designing a secure and resilient WES is critical. This paper first proposes a system-of-systems (SoS) framework for the cyber-physical WES. Specifically, on the one hand, we adopt a game-theoretic model to capture the interactions between the WES system defender and the adversary at the cyber layer. The outcome of this cyber defense game is reflected by control-aware Nash equilibria. On the other hand, we devise a cyber-aware robust and resilient switching controller based on a Markov jump linear system model for the physical WES. The performances of the WES cyber and physical layers are interdependent due to their natural couplings. We further investigate the SoS equilibrium of the integrated WES, which considers the system security, robustness, and resilience holistically. Finally, we use case studies to corroborate the developed cross-layer design principles for the cyber-physical WES. Note to Practitioners—Cybersecurity becomes a critical concern of wind energy system (WES) operators as an increasing amount of IoT devices are adopted for WES’s communication, monitoring, and operation support purposes. This cyber-physical integration in WES creates a much broader attack surface because adversaries can compromise the physical WES by attacking its dependent cyberspace. To mitigate the impact of attacks, the operator should not only design intelligent control strategies for WES but also strategically secure the WES’s cyber layer. These two goals are naturally coupled together. On the one hand, the WES operates under different compromised conditions depending on the attack actions at the cyber layer. Thus, the control design needs to be adversary-aware by taking the real-time cyber state into account. On the other hand, the adversary’s cyberattack strategy is influenced by the induced performance degradation of WES. Hence, the corresponding attack measures and countermeasures, in turn, should be physically control-aware. This paper establishes a holistic mathematical framework to simultaneously address these two challenging objectives. The obtained solution provides guidelines for the WES operator on the optimal security resource investment in defending against cyberattacks and the robust switching control design to mitigate the impacts of attacks further. This methodology creates a defense-in-depth paradigm for the WES operators to maintain the energy system efficiency in the adversarial environment. This cross-layer design approach is also efficient and user-friendly for online implementation with the developed iterative algorithm. The simulated-based case studies in this paper show the effectiveness of the proposed approach. However, a more thorough validation of the method in practice is necessary before its integration with the production standard.

Fileless malware threats: Recent advances, analysis approach through memory forensics and research challenges

The rapid advancements in cyber-attack strategies are in parallel with the measures for detection, analysis, and prevention. Attackers have recently developed fileless malware that can simply bypass existing security mechanisms. Researchers publish reports to help discover fileless malware and to better understand the threatʼs scope to counteract it. However, with the lack of studies on fileless malware regarding the classification and the scale of the threat, they have not been thoroughly analyzed. As a result, in this research, we explored the most recent advancements in fileless malware prevention and detection and highlighted future research challenges. We also propose an analytical approach based on the attack strategies and attributes of the selected sample. Our method simplifies feature extraction and reduces processing load. Furthermore, compared to the static analysis we do not need for decompression and unpacking for the analysis. We applied the proposed method on a real case example. It has been seen that information about fileless malware detection, working mechanism, attack method and attacker named “Kovter” can be accessed. Our approach is advantageous and can be applied as a new technique for fileless malware detection to protect systems from cyber threats. This paper also presents an insight to the fileless malware threat and provides a basic review of the methods and techniques used in the detection and analysis of fileless malware attacks.

Deep Learning (DL) Oriented Forensic Analysis

Cyber-attacks are now more prevalent than ever before in all aspects of our daily lives. As a result of this circumstance, both individuals and organizations are fighting cybercrime on a regular basis. Furthermore, today's hackers have advanced a step further and are capable of employing complex cyber-attack strategies, exacerbating the problem. Some of these approaches are minute and undetectable, and they frequently masquerade as genuine requests and directives. To combat this threat, cyber security professionals, as well as digital forensic investigators, are constantly compelled to filter through massive and complicated pools of data, also known as Big Data, in order to uncover Potential Digital Forensic Evidence. that can be used as evidence in court. Potential Digital Evidence can then be used to assist investigators in reaching certain conclusions and/or judgments. The fact that Big Data frequently comes from various sources and has diverse file formats makes cyber forensics even more difficult for investigators. When it comes to the processing of vast amounts of complicated data for forensic purposes, forensic investigators typically have less time and budget to fulfil the rising demands. This paper will be studying how to incorporate Deep Learning cognitive computing approaches into Cyber Forensics Keywords: Deep Learning, Forensic Analysis, Artificial Intelligence, Online Safety, Evidence BOOK Chapter ǀ Research Nexus in IT, Law, Cyber Security & Forensics. Open Access. Distributed Free Citation: Herbert Cyril Dodoo (2022): Deep Learning (DL) Oriented Forensic Analysis Book Chapter Series on Research Nexus in IT, Law, Cyber Security & Forensics. Pp 320-328 www.isteams.net/ITlawbookchapter2022. dx.doi.org/10.22624/AIMS/CRP-BK3-P51

US-China Confrontation in Cyber Security

This study presents the research results of the activities of the United States and China as the major global competitors in the field of cybersecurity. We have established the nature and trends of the confrontation, explored the goals and means of cyber influences in the confrontation between two states in this area, and identified directions for the development of the competition between the United States and China in the field of cybersecurity. Today, the United States and China are the world leaders in cyberspace and the information (cyber) security sector. The United States remains the undisputed world leader in cybersecurity, but China is rapidly closing the gap, relying on the strong potential of human and economic resources in cyberspace. From the beginning of the second decade of the XXI century. countries have been accusing each other of cyberattacks for economic purposes and cyber espionage. The United States has pointed to the People's Liberation Army's (PLA) leading role in organizing cyberattacks, and China has made similar allegations against the US intelligence. Despite attempts to reconcile policies in this area, tensions between the United States and China over cyber-building are growing. And since the beginning of the 2020s, politically motivated influences on information systems have become the target of cyberattacks. The United States notes a change in China's cyberattack strategy from regular cyber espionage to prosecuting political and security goals. Additionally, systematic control over the sources of cyber threats has been transferred from the PLA to the security structures of China. China also accuses the United States of using cyber influences to increase world hegemony and using cyber threats in the arms race. Beijing makes these statements from the standpoint of its own “multipolar” world strategy, which is threatened by the activities of the Joe Biden administration, aimed at consolidating Western countries in the face of cyber threats from China. The field of cybersecurity in US-China relations is becoming increasingly important in terms of the security strategies of these two world leaders. Each of them uses cyber tools as a tool of cyber influence, as well as a tool for strategic communication at the level of relations with strategic partners. Therefore, these issues will become increasingly important in terms of research interests, in particular the implementation of foreign policy interests in relations with these countries.

Exploring the Dark Web for Cyber Threat Intelligence

Cyber attack strategies have become more prominent in recent years, making it more difficult to stop an assault, even if some form of countermeasure is used. Even with protection systems in place, it is challenging to totally avoid all cyber intrusions. We are, in a sense, in a defense-only posture. A strategy for exploiting this threat will be provided, which will combine social network analysis with cognitive computing to filter hostile behavior and forecast their vulnerabilities. The major goal is to harvest crucial postings from dark web forums, including posts from malicious hackers, and disseminate information like virus trading and hacking strategies. Hence ,We are proposing an approach to extract forums which include important information or intelligence and identify traits of each forum using AI and ML Techniques. Information gathering from the dark-web communities is quite a challenging task, data cannot address real-world cybersecurity problems considering the importance of information gathering. The dataset containing forum posts from the darknet were extracted from different websites using different web crawlers .Then the retrieved data is cleaned , normalized, parsed, processed and classified and labeled according to their severity. After this phase different ML algorithms were applied on labeled data . Finally the model is tested with the inputs and used for predicting the cyber threats for future. The main focus of this research will assist us in identifying future developing risks in cyberspace and high propensity measures to counter such malicious tasks. With recent technological advancements, recent research has revealed that dark-web indications may be connected with event data and leveraged to forecast intrusions, indicating perhaps a more threat-focused cybercrime is on the horizon. Keywords—Intelligence, Darkweb, Forums, Machine Learning

A Framework for Crime Detection and Diminution in Digital Forensics (CD3F)

Cyber-attacks have become one of the world's most serious issues. Every day, they wreak serious financial harm to governments and people. As cyber-attacks become more common, so does cyber-crime. Identifying cyber-crime perpetrators and understanding attack tactics are critical in the battle against crime and criminals. Cyber-attack detection and prevention are difficult undertakings. Researchers have lately developed security models and made forecasts using artificial intelligence technologies to solve these concerns. In the literature, the authors explained numerous ways of predicting crime. They, on the other hand, have a problem forecasting cyber-crime and cyber-attack strategies. Here, in this paper author proposed a digital forensic investigation procedure that deals with cyber-crime. In this investigation, the process author explains digital forensics techniques for ensuring that digital evidence is located, collected, preserved, evaluated, and reported in such a way that the evidence's integrity is preserved. These sequential digital forensic stages affect a standard and accepted digital forensic investigation procedure, and each phase is influenced by sequential occurrences, with each event relying on tasks. Digital forensics investigation is a technique for ensuring that digital evidence is handled in such a way that the evidence's integrity is preserved. Sequential digital forensic stages affect a standard and accepted digital forensic investigation procedure, and each phase is influenced by sequential occurrences, with each event relying on tasks.

Cybersecurity Analysis of Load Frequency Control in Power Systems: A Survey

Today, power systems have transformed considerably and taken a new shape of geographically distributed systems from the locally centralized systems thereby leading to a new infrastructure in the framework of networked control cyber-physical system (CPS). Among the different important operations to be performed for smooth generation, transmission, and distribution of power, maintaining the scheduled frequency, against any perturbations, is an important one. The load frequency control (LFC) operation actually governs this frequency regulation activity after the primary control. Due to CPS nature, the LFC operation is vulnerable to attacks, both from physical and cyber standpoints. The cyber-attack strategies ranges from a variety of attacks such as jamming the network communication, time-delay attack, and false data injection. Motivated by these perspectives, this paper studies the cybersecurity issues of the power systems during the LFC operation, and a survey is conducted on the security analysis of LFC. Various cyber-attack strategies, their mathematical models, and vulnerability assessments are performed to understand the possible threats and sources causing failure of frequency regulation. The LFC operation of two-area power systems is considered as a tutorial example to quantify the vulnerabilities. Mitigation strategies through control theoretic approaches are then reviewed and highlighted for LFC operation under cyber-attack.

Public Plug-in Electric Vehicles + Grid Data: Is a New Cyberattack Vector Viable?

High-wattage demand-side appliances such as Plug-in Electric Vehicles (PEVs) are proliferating. As a result, information on the charging patterns of PEVs is becoming accessible via smartphone applications, which aggregate real-time availability and historical usage of public PEV charging stations. Moreover, information on the power grid infrastructure and operations has become increasingly available in technical documents and real-time dashboards of the utilities, affiliates, and the power grid operators. The research question that this study explores is: Can one combine high-wattage demand-side appliances with public information to launch cyberattacks on the power grid? To answer this question and report a proof of concept demonstration, the study scrapes data from public sources for Manhattan, NY, USA using the electric vehicle charging station smartphone application and the power grid data circulated by the U.S. Energy Information Administration, New York Independent System Operator, and the local utility in New York. It then designs a novel data-driven cyberattack strategy using state-feedback based partial eigenvalue relocation, which targets frequency stability of the power grid. The study establishes that while such an attack is not possible at the current penetration level of PEVs, it will be practical once the number of PEVs increases.

Market-Level Defense Against FDIA and a New LMP-Disguising Attack Strategy in Real-Time Market Operations

Traditional cyberattack strategies on the electricity market only consider bypassing bad data detections. However, our analysis shows that experienced market operators can detect abnormal locational marginal prices (LMPs) under the traditional attack model during real-time (RT) operations, because such attack model ignores the characteristics of the LMP itself and leads to price spikes that can be an easy-to-detect signal of abnormality. A detection approach based on the concept of critical load level (CLL) is used to help operators identify risky periods when operators would be prone to overlooking abnormal LMPs. During safe periods, the abnormal LMPs are identified according to the operator's experience, while in risky CLL intervals, a N-x cyber contingency analysis is proposed to help independent system operators (ISOs) detect abnormal LMPs. Further, this paper constructs a new type of cyberattack strategy capable of not only bypassing bad data detection in the state estimation stage but also disguising the compromised LMPs as regular LMPs to avoid market operators’ alerts in a realistic scenario wherein the attacker has imperfect information on system topology. Finally, the proposed analysis method and the attack strategy are evaluated through numerical studies on the PJM 5-bus system and the IEEE 118-bus system.

Adaptive optimisation-offline cyber attack on remote state estimator

ABSTRACTSecurity issues of cyber-physical systems have received increasing attentions in recent years. In this paper, deception attacks on the remote state estimator equipped with the chi-squared failure detector are considered, and it is assumed that the attacker can monitor and modify all the sensor data. A novel adaptive optimisation-offline cyber attack strategy is proposed, where using the current and previous sensor data, the attack can yield the largest estimation error covariance while ensuring to be undetected by the chi-squared monitor. From the attacker's perspective, the attack is better than the existing linear deception attacks to degrade the system performance. Finally, some numerical examples are provided to demonstrate theoretical results.

On Cyber Attacks and the Maximum-Weight Rooted-Subtree Problem

This paper makes three contributions to cyber-security research. First,we define a model for cyber-security systems and the concept of acyber-security attack within the model's framework. The modelhighlights the importance of game-over components - criticalsystem components which if acquired will give an adversary the abilityto defeat a system completely. The model is based on systems thatuse defense-in-depth/layered-security approaches, as many systemsdo. In the model we define the concept of penetration cost,which is the cost that must be paid in order to break into the nextlayer of security. Second, we define natural decision and optimizationproblems based on cyber-security attacks in terms of doubly weightedtrees, and analyze their complexity. More precisely, given a treeT rooted at a vertex r, a penetrating cost edge functionc on T, a target-acquisition vertex function p on T,the attacker's budget and the game-over thresholdB,G ∈ ℚ+respectively, we consider the problem of determiningthe existence of a rooted subtree T' of T within the attacker'sbudget that is, the sum of the costs of the edges in T' is lessthan or equal to B with total acquisition value more than thegame-over threshold that is, the sum of the target values of thenodes in T' is greater than or equal to G. We prove that thegeneral version of this problem is intractable, but does admit apolynomial time approximation scheme. We also analyze the complexityof three restricted versions of the problems, where the penetrationcost is the constant function, integer-valued, and rational-valuedamong a given fixed number of distinct values. Using recursion anddynamic-programming techniques, we show that for constant penetrationcosts an optimal cyber-attack strategy can be found in polynomialtime, and for integer-valued and rational-valued penetration costsoptimal cyber-attack strategies can be found in pseudo-polynomialtime. Third, we provide a list of open problems relating to the architecturaldesign of cyber-security systems and to the model.