Cybersecurity Information Exchange Research Articles

Secure Cybersecurity Information Sharing for Sectoral Organizations Using Ethereum Blockchain and IPFS

The COVID-19 pandemic has resulted in increased cross-sector cyber-attacks. Passive and reactive cybersecurity techniques relying solely on technology are insufficient to combat sophisticated attacks, necessitating proactive and collaborative security measures to minimize attacks. Cybersecurity Information Sharing (CIS) enhances security via proactive and collaborative cybersecurity information exchange, but its implementation via cloud services faces threats from man in the middle (MITM) and distributed denial of service (DDoS) attacks, as well as a vulnerability in cloud storage involving centralized data control. These threats and vulnerabilities result in a lack of user confidence in the confidentiality, integrity, and availability of information. This paper proposes Secure Cybersecurity Information Sharing (SCIS) to secure Cybersecurity Information in sectoral organizations using the private interplanetary file system (IPFS) network and the private Ethereum Blockchain network. Private Ethereum Blockchain enables secure and transparent transaction logging, while Private IPFS network provides decentralized storage, addressing vulnerabilities in centralized storage systems. The outcomes of the tests reveal that the suggested SCIS system offers cybersecurity information availability, confidentiality, and integrity. SCIS provides a high level of security to protect cybersecurity information exchanged between sectoral organizations using the Private Ethereum Blockchain network and the Private IPFS network so that organizations can safely share and utilize information.

Modeling and analyzing attacker behavior in IoT botnet using temporal convolution network (TCN)

Traditional reactive approach of blacklisting botnets fails to adapt to the rapidly evolving landscape of cyberattacks. An automated and proactive approach to detect and block botnet hosts will immensely benefit the industry. Behavioral analysis of attackers is shown to be effective against a wide variety of attack types. Previous works, however, focus solely on anomalies in network traffic to detect bots and botnet. In this work we take a more robust approach of analyzing the heterogeneous events including network traffic, file download events, SSH logins and chain of commands input by attackers in a compromised host. We have deployed several honeypots to simulate Linux shells and allowed attackers access to the shells. We have collected a large dataset of heterogeneous threat events from the honeypots. We have then combined and modeled the heterogeneous threat data to analyze attacker behavior. Then we have used a deep learning architecture called a Temporal Convolutional Network (TCN) to do sequential and predictive analysis on the data. A prediction accuracy of 85−97% validates our data model as well as our analysis methodology. In this work, we have also developed an automated mechanism to collect and analyze these data. For the automation we have used CYbersecurity information Exchange (CYBEX). Finally, we have compared TCN with Long Short-Term Memory (LSTM) and Gated Recurrent Unit (GRU) and have showed that TCN outperforms LSTM and GRU for the task at hand.

Cybersecurity threat intelligence knowledge exchange based on blockchain

Although cyber threat intelligence (CTI) exchange is a theoretically useful technique for improving security of a society, the potential participants are often reluctant to share their CTI and prefer to consume only, at least in voluntary based approaches. Such behavior destroys the idea of information exchange. On the other hand, governments are forcing specific entities and operators to report them specific incidents depending on their impact, otherwise there could be sanctions to those operators which are not reporting them on time. Obligations and sanctions are usually discouraging participants to share information voluntarily which will just share and report what is strictly required. We propose a paradigm shift of cybersecurity information exchange by introducing a new way to encourage all participants involved, at all levels, to share relevant information dynamically. It will also contribute to the support and deployment of Dynamic Risk Management frameworks to keep risks under an acceptance level along the time. Participants will have new and specific incentives to share, invest and consume threat intelligence and risk intelligence information depending on their different roles (producers, consumers, investors, donors and owner). Our proposal leverages from standards like Structured Threat Information Exchange, as well as W3C semantic web standards to enable a workspace of knowledge related to behavioral threat intelligence patterning to characterize tactics, techniques and procedures. At the same time, we propose an Ethereum Blockchain Smart contract Marketplace to better incentivize the sharing of that knowledge between all parties involved as well as creating a standard CTI token as a digital asset with a promising value in the market. Simulations and an experimentation were performed to demonstrate its benefits and incentives, but also its potential limits with regard to storage and cost of transactions.

Interoperability Services Supporting Information Exchange Between Cybersecurity Organisations

The security of cyberspace can be ensured by a broad cooperation of different organizations, actors. This cooperation cannot be achieved without interoperable information exchange between cybersecurity actors, organisations, and their IT systems. Interoperable information exchange can be realized using own resources, or using services provided by third parties. IT interoperability service can be defined as a service by which a service provider supports interoperable data exchange between IT systems of service consumers and cooperating actors. This publication provides different categorizations of interoperability services, discusses their benefits, and the necessary user tasks. It determines the types of interoperability service providers and their necessary capabilities. Finally, it defines the special requirements of cybersecurity information exchange and presents the main types of required services.

Risk Management using Cyber-Threat Information Sharing and Cyber-Insurance

Critical infrastructure systems spanning from transportation to nuclear operations are vulnerable to cyber attacks. Cyber-insurance and cyber-threat information sharing are two prominent mechanisms to defend cybersecurity issues proactively. However, standardization and realization of these choices have many bottlenecks. In this paper, we discuss the benefits and importance of cybersecurity information sharing and cyber-insurance in the current cyber-warfare situation. We model a standard game theoretic participation model for cybersecurity information exchange (CYBEX) and discuss the applicability of economic tools in addressing important issues related to CYBEX and cyber-insurance. We also pose several open research challenges, which need to be addressed for developing a robust cyber-risk management capability.

Establishing evolutionary game models for CYBer security information EXchange (CYBEX)

The initiative to protect critical resources against cyber attacks requires security investments complemented with a collaborative sharing effort from every organization. A CYBersecurity information EXchange (CYBEX) framework is required to facilitate cyber-threat intelligence (CTI) sharing among the organizations to abate the impact of cyber attacks. In this research, we present an evolutionary game theoretic framework to investigate the economic benefits of cybersecurity information sharing and analyze the impacts and consequences of not participating in the game. By using micro-economic theory as substrate, we model this framework as human-society inspired evolutionary game among the organizations and investigate the implications of information sharing. Using our proposed dynamic cost adaptation scheme and distributed learning heuristic, organizations are induced toward adopting the evolutionary stable strategy of participating in the sharing framework. We also extend the evolutionary analysis to understand sharing nature of participants in a heterogeneous information exchange environment.

Cyber security information exchange to gain insight into the effects of cyber threats and incidents

The last couple of years we have seen an increase in interests and initiatives in establishing threat intelligence sharing communities, and on the development of standards and platforms for automated cyber security information sharing. These initiatives are focused on helping organisations to increase their resilience to new attacks and threats. In this paper we will investigate how we can leverage from cyber security information sharing infrastructures to gain early insight into the large scale effects of cyber threats and incidents. In particular we focus on those that might have a disruptive effect on society. Furthermore, in this paper we will discuss what information needs to be shared and how this can be done using the dominant threat intelligence sharing standards.

독립적인 보안관리 도메인간 효과적인 사이버보안정보 교환 방법의 설계 및 구현

현재 사이버보안 위협을 방어하기 위한 하나의 방편으로서 보안 관리 도메인간 사이버보안 정보 공유를 통하여 전체 네트워크에 대한 보안 성능을 높이려는 연구가 활발히 진행되고 있다. 사이버보안 정보를 교환할 때 큰 이슈가 되는 것 중의 하나는 각 도메인이 서로 독립적이기 때문에 정보공유에 관련된 각 도메인의 요구사항이 서로 다르다는 것이다. 본 논문에서는 공유정책과 공유정책제어 프로토콜을 통하여 보안관리 도메인의 정보공유에 관한 요구사항을 반영함으로써 사이버보안정보의 교환을 효과적으로 제공할 수 있는 사이버보안정보 교환 방법을 제안한다. 아울러 본 논문에서는 제안하는 방법을 제공하는 통합보안제어 시스템을 개발하고 그 시스템상에서 제안하는 방법의 성능을 평가한다. As a way for defending against cyber security threats, there has been a research on cybersecurity information exchange between security management domains in order to raise security performance of the whole network. One of the hottest issues in exchanging cybersecurity information between security management domains is that the requirements of those domains on information sharing are different with each other because each is autonomous domain. This paper proposes a mechanism for effective cybersecurity Information exchange between independent security management domains, which can satisfy their requirements on information sharing through sharing policy and sharing policy control protocol, proposed in this paper. In this paper we have developed an integrated security control system that supports the proposed mechanism. Through the system the performance of the proposed mechanism is measured and evaluated.

CYBEX

The cybersecurity information exchange framework, known as CYBEX, is currently undergoing its first iteration of standardization efforts within ITU-T. The framework describes how cybersecurity information is exchanged between cybersecurity entities on a global scale and how the exchange is assured. The worldwide implementation of the framework will eventually minimize the disparate availability of cybersecurity information. This paper provides a specification overview, use cases, and the current status of CYBEX.