Insider Attacks Research Articles

Cybercrime investigation model

With each passing day, individuals, organizations, and even governmental entities are confronted with an escalating incidence of cybercrimes. Faced with limited resources and the increasing complexity of cyberattacks, organizations often find themselves incapable of detecting and preventing such malicious actions and necessitating investigative efforts to mitigate their consequences. The primary objective of this study is the development of a comprehensive model for cybercrime investigation. In constructing this model, we have drawn upon related literature concerning cybercrimes and their investigation, alongside employing a spectrum of research methodologies, including analysis and synthesis, examination and generalization, deduction, and induction. Through an analysis of the investigative phases and the required for them information, we have formulated a cybercrime investigation model. Furthermore, we have field-tested this model in the context of an insider attack investigation. It is envisaged that the proposed model can serve as a foundational framework for the formulation of practical guidelines pertaining to the investigation of information security incidents, applicable both in governmental and commercial organizations.

Organizations’ Readiness for Insider Attacks: A Process-Oriented Approach

Organizations’ Readiness for Insider Attacks: A Process-Oriented Approach

A modified lightweight authenticated key agreement protocol for Internet of Drones

Drones can be embedded in the system Internet of Drones can make a military observation of a region, a transport system embedded with sensors. Drones played a highly important role in different fields and brought great convenience to production and lifestyle. But we know all the data collected by sensors embedded in drones suffer from security challenges and privacy issues. There are a lot of authenticated key agreement protocols for the security of transmitted data through drones. We have analyzed a recent protocol, “A lightweight authentication and key agreement scheme for Internet of Drones” by Zhang et al. in the year 2020. We have found that this protocol is not secure against stolen smart card attacks, and the control server stores extra data. We have tried to address security issues of password guessing, anonymity, user/server impersonation, insider attack, and stolen smart card attacks, and man in the middle attack. We have proposed a modified lightweight authenticated key agreement protocol for Internet of Drones. We have proved its security in the random oracle model. We have done a performance analysis of the proposed protocol with relevant protocols that ensures its efficiency and security as well.

Improved and Provably Secure ECC-Based Two-Factor Remote Authentication Scheme with Session Key Agreement

The remote authentication scheme is a cryptographic protocol incorporated by user–server applications to prevent unauthorized access and security attacks. Recently, a two-factor authentication scheme using hard problems in elliptic curve cryptography (ECC)—the elliptic curve discrete logarithm problem (ECDLP), elliptic curve computational Diffie–Hellman problem (ECCDHP), and elliptic curve factorization problem (ECFP)—was developed, but was unable to address several infeasibility issues while incurring high communication costs. Moreover, previous schemes were shown to be vulnerable to privileged insider attacks. Therefore, this research proposes an improved ECC-based authentication scheme with a session key agreement to rectify the infeasible computations and provide a mechanism for the password change/update phase. The formal security analysis proves that the scheme is provably secure under the random oracle model (ROM) and achieves mutual authentication using BAN logic. Based on the performance analysis, the proposed scheme resists the privileged insider attack and attains all of the security goals while keeping the computational costs lower than other schemes based on the three hard problems. Therefore, the findings suggest the potential applicability of the three hard problems in designing identification and authentication schemes in distributed computer networks.

Enhancing false negative and positive rates for efficient insider threat detection

Insider threats on information security can become a burden for organizations. However, outsider attacks have received more attention compared to insider attacks. Many researchers studied insider threats and proposed various approaches (such as signature based, machine learning based, and deep learning based) to alleviate this type of threats. In this work, we present a novel insider threat detection system based on a deep learning network of Long Short Term Memory (LSTM). The developed detection system aims to analyze and mitigate the negative effect of insiders by differentiating benign activities from malicious ones. The detection system utilizes sentiment analysis to classify the users’ activities and gray encoding to maintain temporal behavior between activities (especially correlated activities). This allows us to reform a dataset in which each row represents a variable length sample to train a deep learning based detection system. Different data representations, such as binary encoding (BE), real-valued data, without encoding (WE), were used to test the effectiveness of gray encoding in maintaining the temporal relationships between activities. The proposed detection techniques were evaluated using log files from CERT r4.2 insiders’ dataset that represent activities of employees for eighteen working months. The evaluation results have shown enhanced false positive of 0.29%, false negative of 2.47% and an AUC value of 97%.

Sensor-based continuous user authentication on smartphone through machine learning

With the rapid development of hardware and software technology, many end-users have often stored their data on smartphones through several in-built sensors. Thus, the security of stored data on smartphones has become a significant concern. This has fueled the importance of entry-point authentication methods on smartphones. Many entry-point authentication methods have failed to offer security due to insider or side-channel attacks. This article introduces a sensor-based continuous user authentication approach on the smartphone through multi-modal behavioral biometrics and a machine learning model to tackle the aforementioned issues. The proposed approach captures the touch and motion-based behavioral biometrics through the touchscreen and inertial sensors of the device. Then, the proposed approach extracts several features from captured behavioral data and selects the best set of features through a filter-based feature selection technique. Further, we implement a nonlinear support vector machine with optimized hyperparameters for training and predicting the features to generate the scores. We apply score-level fusion on generated scores of several sensors to compute the final score for identification of the genuine user. In this article, we systematically evaluate the proposed approach with the most commonly used behavioral activities of the smartphone user in our daily life. The experiment results on all behavioral activities show that the proposed approach obtained the best authentication score compared to the other machine learning models, and state-of-the-art methods. Finally, we conclude our article by addressing the limitations of the proposed approach and practical research issues for future exploration.

Attack Detection in Wireless Sensor Network: A Big Data Perspective

For securing the network, intrusion detection systems are frequently used in wireless sensor networks to fight against insider attacks by adopting the appropriate trust-based methods. Still, the sensors could create an enormous amount of data that reduces the efficacy of trust computation in the big data era. This paper aims to introduce a new attack detection system under the big data perspective. Originally, the input data is fed the preprocessing phase, in which the normalization process takes place. Further, the MapReduce framework is used to handle the bulk data by reducing it. The preprocessed data is subjected to extract the features, where it extracts the raw features, statistical features, and higher-order statistical features. Here, the feature selection is done by chi-square ranking and info-gain ranking. Further, these features are provided as the input to the classification phase, where multilayer perception (MLP) is used for detecting the presence of an attack. For making the classification more precise, weights of MLP are optimally tuned by proposed slap swarm updated sparrow optimized algorithm which integrated the concept of sparrow search algorithm and salp swarm algorithm. Finally, the performance of presented scheme is calculated to existing approaches under different metrics.

An Intrusion Detection System for RPL-Based IoT Networks

The Internet of Things (IoT) has become very popular during the last decade by providing new solutions to modern industry and to entire societies. At the same time, the rise of the industrial Internet of Things (IIoT) has provided various benefits by linking infrastructure around the world via sensors, machine learning, and data analytics. However, the security of IoT devices has been proven to be a major concern. Almost a decade ago, the IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL) was designed to handle routing in IoT and IIoT. Since then, numerous types of attacks on RPL have been published. In this paper, a novel intrusion detection system (IDS) is designed and implemented for RPL-based IoT. The objective is to perform an accurate and efficient detection of various types of routing and denial-of-service (DoS) attacks such as version number attack, blackhole attack, and grayhole attack, and different variations of flooding attacks such as Hello flood attack, DIS attack, and DAO insider attack. To achieve this, different detection strategies are combined, taking advantage of the strengths of each individual strategy. In addition, the proposed IDS is experimentally evaluated by performing a deep analysis of the aforementioned attacks in order to study the impact caused. This evaluation also estimates the accuracy and effectiveness of the IDS performance when confronted with the considered attacks. The obtained results show high detection accuracy. Furthermore, the overhead introduced in terms of CPU usage and power consumption is negligible. In particular, the CPU usage overhead is less than 2% in all cases, whereas the average power consumption increase is no more than 0.5%, which can be considered an insignificant impact on the overall resource utilisation.

Provably Secure PUF-Based Lightweight Mutual Authentication Scheme for Wireless Body Area Networks

Wireless body area networks (WBANs) are used in modern medical service environments for the convenience of patients and medical professionals. Owing to the recent COVID-19 pandemic and an aging society, WBANs are attracting attention. In a WBAN environment, the patient has a sensor node attached to him/her that collects patient status information, such as blood pressure, blood glucose, and pulse; this information is simultaneously transmitted to his/her respective medical professional through a gateway. The medical professional receives and checks the patient’s status information and provides a diagnosis. However, sensitive information, including the patient’s personal and status data, are transmitted via a public channel, causing security concerns. If an adversary intercepts this information, it could threaten the patient’s well-being. Therefore, a secure authentication scheme is essential for WBAN environments. Recently, Chen et al. proposed a two-factor authentication scheme for WBANs. However, we found out Chen et al.’s scheme is vulnerable to a privileged insider, physical cloning, verification leakage, impersonation, and session key disclosure attacks. We also propose a secure physical-unclonable-function (PUF)-based lightweight mutual authentication scheme for WBANs. Through informal security analysis, we demonstrate that the proposed scheme using biometrics and the PUF is safe against various security attacks. In addition, we verify the security features of our scheme through formal security analyses using Burrows–Abadi–Needham (BAN) logic, the real-or-random (RoR) model, and the Automated Validation of Internet Security Protocols and Applications (AVISPA). Furthermore, we evaluate the security features, communication costs, and computational costs of our proposed scheme and compare them with those of other related schemes. Consequently, our scheme is more suitable for WBAN environments than the other related schemes.

Attack Mitigation and Security for Vehicle Platoon

This research entails an investigation into enhanced attack detection techniques as a security feature in vehicular platooning. The paper evaluates critical challenges in the security of Vehicular Ad hoc Networks (VANETs) with a focus on vulnerabilities in vehicle platooning. We evaluate the possibilities of securing a platoon through enhanced attack detection following an inside attack while considering current communication-based approaches to vehicular platoon security that have been effective at isolating infected platoon members. This study proposes the use of color-shift keying (CSK) as a security tool for enhanced detection of an apparent platoon attack. We simulate various attack scenarios involving a vehicular platoon communicating via a VLC network and assess the degree of exposure of such networks to three types of attacks – Sybil attacks, delay attacks, and denial-of-service (DoS) attacks. We recommend the use of a light-to-frequency (LTF) converter comprising of a receiver to collect and decode transmitted symbols with regard to the frequency of transmission. Once there is a drop in the intensity of the light transmitted in the platoon, CSK is implemented to alter the intensity of the red, green, and blue (RGB) spectrum coupled with radiofrequency to ensure the security of the communication. CSK will use coded symbols to transmit the control information from the leader using a microcontroller.

Bio-Inspired Dynamic Trust and Congestion-Aware Zone-Based Secured Internet of Drone Things (SIoDT)

The Internet of Drone Things (IoDT) is a trending research area where drones are used to gather information from ground networks. In order to overcome the drawbacks of the Internet of Vehicles (IoV), such as congestion issues, security issues, and energy consumption, drones were introduced into the IoV, which is termed drone-assisted IoV. Due to the unique characteristics of the IoV, such as dynamic mobility and unsystematic traffic patterns, the performance of the network is reduced in terms of delay, energy consumption, and overhead. Additionally, there is the possibility of the existence of various attackers that disturb the traffic pattern. In order to overcome this drawback, the drone-assisted IoV was developed. In this paper, the bio-inspired dynamic trust and congestion-aware zone-based secured Internet of Drone Things (BDTC-SIoDT) is developed, and it is mainly divided into three sections. These sections are dynamic trust estimation, congestion-aware community construction, and hybrid optimization. Initially, through the dynamic trust estimation process, triple-layer trust establishment is performed, which helps to protect the network from all kinds of threats. Secondly, a congestion-aware community is created to predict congestion and to avoid it. Finally, hybrid optimization is performed with the combination of ant colony optimization (ACO) and gray wolf optimization (GWO). Through this hybrid optimization technique, overhead occurs during the initial stage of transmission, and the time taken by vehicles to leave and join the cluster is reduced. The experimentation is performed using various threats, such as flooding attack, insider attack, wormhole attack, and position falsification attack. To analyze the performance, the parameters that are considered are energy efficiency, packet delivery ratio, routing overhead, end-to-end delay, packet loss, and throughput. The outcome of the proposed BDTC-SIoDT is compared with earlier research works, such as LAKA-IOD, NCAS-IOD, and TPDA-IOV. The proposed BDTC-SIoDT achieves high performance when compared with earlier research works.

Detection of Unknown Insider Attack on Components of Big Data System: A Smart System Application for Big Data Cluster

Big data applications running on a big data cluster, creates a set of process on different nodes and exchange data via regular network protocols. The nodes of the cluster may receive some new type of attack or unpredictable internal attack from those applications submitted by client. As the applications are allowed to run on the cluster, it may acquire multiple node resources so that the whole cluster becomes slow or unavailable to other clients. Detection of these new types of attacks is not possible using traditional methods. The cumulative network traffic of the nodes must be analyzed to detect such attacks. This work presents an efficient testbed for internal attack generation, data set creation, and attack detection in the cluster. This work also finds the nodes under attack. A new insider attack named BUSY YARN Attack has been identified and analyzed in this work. The framework can be used to recognize similar insider attacks of type DOS where target node(s) in the cluster is unpredictable.

Optimal weighted fusion based insider data leakage detection and classification model for Ubiquitous computing systems

With the rapid growth and evolving advancement in artificial technology, Ubiquitous computing methods plays a vital role in day to day lives. Insider threats were malicious activities which are executed by an official worker within an institution. Insider threats indicate cybersecurity challenges for public and private companies, as an insider attack could cause widespread damages to company properties than exterior attacks. Many prevailing methods in the domain of insider threat concentrated on identifying general insider attack situations. But insider attacks are takes place in several ways, and one of the dangerous attack is a data leakage attack which is accomplished by a malicious insider before one leaves a company. This article develops a Metaheuristic with Weighted Fusion Based Insider Data Leakage Detection and Classification (MWF-IDLDC) Model for Ubiquitous Computing Systems. The presented MWF-IDLDC technique primarily performs pre-processing and feature extraction at the initial stage. In addition, the MWF-IDLDC technique derives a weighted fusion-based feature extraction approach comprising three DL methods namely long short-term memory (LSTM), gated recurrent unit (GRU), and stacked autoencoder (SAE). For optimally tuning the hyperparameters related to the DL models, the ant lion optimizer (ALO) algorithm is utilized in this study. The design of fusion process with ALO hyperparameter optimizer demonstrate the novelty of the work. The experimental validation of the MWF-IDLDC approach can be tested using a series of simulations and the outcomes were scrutinized under distinct aspects. The comparative analysis highlighted the improvements of the MWF-IDLDC method compared to recent approaches with maximum accuracy of 99.40%.

A hybrid framework for detecting structured query language injection attacks in web-based applications

<p><span>Almost every web-based application is managed and operated through a number of websites, each of which is vulnerable to cyber-attacks that are mounted across the same networks used by the applications, with much less risk to the attacker than physical attacks. Such web-based attacks make use of a range of modern techniques-such as structured query language injection (SQLi), cross-site scripting, and data tampering-to achieve their aims. Among them, SQLi is the most popular and vulnerable attack, which can be performed in one of two ways; either by an outsider of an organization (known as the outside attacker) or by an insider with a good knowledge of the system with proper administrative rights (known as the inside attacker). An inside attacker, in contrast to an outsider, can take down the system easily and pose a significant challenge to any organization, and therefore needs to be identified in advance to mitigate the possible consequences. Blockchain-based technique is an efficient approach to detect and mitigate SQLi attacks and is widely used these days. Thus, in this study, a hybrid method is proposed that combines a SQL query matching technique (SQLMT) and a standard blockchain framework to detect SQLi attacks created by insiders. The results obtained by the proposed hybrid method through computational experiments are further validated using standard web validation tools.</span></p>

Cryptanalysis of a Semi-Quantum Bi-Signature Scheme Based on W States

Recently, Zhao et al. proposed a semi-quantum bi-signature (SQBS) scheme based on W states with two quantum signers and just one classical verifier. In this study, we highlight three security issues with Zhao et al.’s SQBS scheme. In Zhao et al.’s SQBS protocol, an insider attacker can perform an impersonation attack in the verification phase and an impersonation attack in the signature phase to capture the private key. In addition, an eavesdropper can perform a man-in-the-middle attack to obtain all of the signer’s secret information. All of the above three attacks can pass the eavesdropping check. Without considering these security issues, the SQBS protocol could fail to ensure the signer’s secret information.

An adaptive formal parallel technique with reputation integration for the enforcement of security policy in the cloud environment

Protecting sensitive data from unauthorized users is a major challenge while sharing data via cloud storage. This has been the objective of mechanisms to control access. This paper proposes an adaptive formal technique for security policy enforcement in Cloud environment. In this approach, the actions of the user performed in the cloud are modeled as a process algebra expression, with a new variant of Algebra Communication Process ACP, with reputation integration. Security policies are expressed by logical formula. Our system enables us to check whether the process meets the security policy and the reputation limit that is required. If it does not, automatic enforcement generates a new process that satisfies a security policy. To prove the efficacy of our security policy enforcement, a software prototype has been implemented and evaluate. The results show a decrease in computation costs and an improvement in cloud defense against insider attacks. It demonstrates also, that our solution outperforms SKMFA-SC (Prabha and Saraswathi, 2020), SEAPP (Hu et al., 2021), FDAC-TR (Yan et al., 2017), RMTAC (Lin et al., 2015), RRAC (Amoon et al., 2020) and DTRM (Lin et al., 2018) in terms of unauthorized access blocking rate, false positive and negative rates, average reputation evaluation accuracy rate, and average response system time.

Cryptanalysis and improvement of REAS‐TMIS: Resource‐efficient authentication scheme for telecare medical information system

AbstractRecently, Tanveer et al. proposed a resource‐efficient authentication scheme for telecare medical information systems employing the authenticated key exchange. Tanveer et al. vehemently claimed that the protocol is safe against smart card stolen attacks, password guessing attacks, anonymity and untraceability, replay attacks, man‐in‐the‐middle attacks, impersonation attacks, and so forth. We have scrutinized the Tanveer et al. protocol. Based on his attack model, we have analyzed that this protocol is not secured against session key disclosure attacks, privileged insider attacks, and medical server impersonation attacks. We have also discussed improvement mechanisms to protect the mentioned security threats.

A misbehavior detection system to detect novel position falsification attacks in the Internet of Vehicles

In the Internet of Vehicle (IoV) networks, vehicles exchange periodic Basic Safety Messages (BSMs) containing information regarding speed and position. Safety-critical applications like blind-spot warning and lane change warning systems use the BSMs to ensure the safety of road users. To create chaos in the network, an insider attacker may inject false information into the BSM and broadcast it to nearby vehicles. One such attack is the position falsification attack, where the attacker inserts false information regarding the position in the BSMs. The literature has explored the use of Misbehavior Detection Systems (MDSs) to detect such attacks. But the limitaitons of the existing approaches are that they either perform exceptionally well in specific environmental settings or have compromised detection accuracy favoring a generalized model. Moreover, all the current machine learning-based detection models are signature-based, which requires prior knowledge about the attacks for effective detection. Motivated by the research gap, we propose a Novel Position Falsification Attack Detection System for the Internet of Vehicles (NPFADS for the IoV) to learn and detect novel position falsification attacks emerging in IoV networks. The performance of NPFADS is analyzed using the metrics precision, recall, F1 score, ROC, and PR curves. The Vehicular Reference Misbehavior (VeReMi) dataset is used as the benchmark for the study. The system’s performance is compared to existing MDSs in the literature. The analysis shows that our proposed system outperforms the existing supervised learning models even when initialized with zero knowledge about the novel position falsification attacks.

A Low-Latency and High-Throughput Multipath Technique to Overcome Black Hole Attack in Mobile Ad Hoc Network (MTBD)

Security in MANETs is a highly contentious topic in the field of network management. The availability and functionality of a MANET might be compromised by a variety of attacks. One of the most prevalent active attacks used to degrade network speed and reliability is the black hole attack, which leads the compromised agent to discard all data packets. The purpose of a black hole node is to trick other access points into thinking that they must use their node as their route to a certain destination. The black hole node in a cable network cannot be detected or eliminated in an AODV network. We improved AODV in this study by utilizing a lighter-weight technique based on timing and baiting for detecting and separating single and collaboration black hole attacks. MANETs have a dynamic topology, an open medium, and a lack of a highly centralized monitoring point, all of which offer security problems. Attacks on security are one of the sorts of attacks. In MANETs, it has no central administration, and mobile devices link to other devices wirelessly. Black holes, insider attacks, gray holes, parallel universes, faulty nodes, and packet drops are all threats that can cause considerable disruption in secure communication. Simulation findings demonstrate that the proposed method significantly outperforms previous techniques in terms of end-to-end delay, throughput, packet delivery ratio, and average energy. A multipath methodology is used in our proposed method to mitigate the black hole attack in MANET. The proposed technique is tested in a simulation reality to see how stable it is in the face of an attack. When the proposed method’s results are compared to those of existing state-of-the-art approaches, it is discovered that the acquired results are satisfactory.

A construction of Chebyshev chaotic map based authenticated key agreement protocol for satellite communication system

AbstractIn this article, we have discussed various authentication and key agreement protocols for satellite communication system and their flaws off‐line passwords guess, stolen smart card attack, insider attack and replay attack and so forth. We have analyzed the security of a recently published Uddeshaya et al's protocol for satellite communication, and discussed how it suffers from design flaws and insider attack. This protocol cannot stop the Bergamo attack, but the proposed protocol is applicable in specific environment against Bergamo attack. We have compared and illustrated the performance and security analysis of several existing protocols for satellite communication. The proposed authenticated key agreement protocol possesses both low computation and low communication cost. This protocol establishes a verified session key with only two messages of exchange. We have discussed the security of proposed framework in the random oracle model.