Real Attacks Research Articles

Digital Twin-Based Evaluation of Vehicular Controller Area Network Intrusion Detection Systems

The functions and operations of a modern automobile are becoming increasingly computerised, with this transformation made possible by Electronic Control Units (ECUs) that communicate and coordinate with each other on the in-vehicle network. Controller Area Network (CAN) is one of the most popular protocols for the in-vehicle network, supporting low latency and reliable communications. However, the CAN protocol does not have provisions for security, such as encryption, authentication, and authorisation, which makes it vulnerable to cyberattacks, particularly in today’s automotive landscape characterised by extensive connectivity with external devices, vehicles, and infrastructure. While intrusion detection systems (IDS) for CAN have emerged as a key security measure, assessing their performance against realistic attacks remains a challenge since testing with real vehicles poses significant costs and safety risks and testbeds suffer from a lack of fidelity in terms of the CAN frame transmission timings and generated payloads. This work proposes a digital twin (DT)-based framework for CAN IDS evaluation that replicates the functionality of real-world ECUs and CAN bus of a vehicle with real-time flow of data from the physical bus to its virtual representation. The main contribution of this work is a CAN DT that can not only enable the generation of realistic attack traffic for simple and sophisticated attack scenarios but also the generation of diverse combinations of attack and real driving scenarios. This DT can facilitate the evaluation of both the detection capability and performance of CAN IDS. This work presents the methodology for generating the proposed DT and discusses current findings as well as future work

Positional Packet Capture for Anomaly Detection in Multitenant Virtual Networks

ABSTRACTAnomaly detection in multitenant virtual networks presents significant challenges due to the dynamic, ephemeral nature of virtualized environments and the complex traffic patterns they generate. This paper presents a definition of preferable positions within virtual networks to enhance anomaly detection efficacy. Leveraging a combination of overlay and underlay capture positions, this paper examines the strategic impact of network positioning on anomaly detection accuracy, particularly in environments utilizing software‐defined networking (SDN) and network function virtualization (NFV). Through controlled testing with realistic attack scenarios, including data exfiltration, denial of service, and malware infiltration, the advantages and constraints of each capture position are demonstrated. The findings underscore the necessity of adaptable capture mechanisms to address variability in data volume, encapsulation challenges, and privacy concerns unique to virtualized ecosystems. The paper further introduces a cost calculation model that evaluates each capture position by weighting key factors, enabling an optimized trade‐off between detection accuracy and resource efficiency. The derived classification of the positional value significantly improves real‐time detection of both internal and external threats within multitenant networks.

Method for raising personnel awareness of information security using the Gophish software application

In today’s cyberspace, where threats are constantly evolving, phishing attacks require special attention. They are one of the most common social engineering methods used to gain access to confidential information by manipulating users. Such attacks can lead to data breaches, financial losses, and reputational risks. One of the key problems is the lack of staff training in recognizing phishing threats. Traditional training methods do not provide adequate interactivity and realism, which reduces the effectiveness of awareness raising. To address this issue, new approaches are needed that model real-life cyberattack scenarios. The Gophish tool allows you to create personalized phishing campaigns that simulate real attacks and analyze user reactions. Its functionality includes creating email templates, sending messages, and collecting data on user interaction. This allows organizations to identify weaknesses, adjust training programs, and conduct additional training. The results show that using Gophish increases staff awareness of social engineering. Interactive simulations contribute to a better understanding of phishing threats and help users recognize the danger in time. Thanks to the analytics collected, management can quickly implement corrective measures. The development of artificial intelligence and machine learning opens up new opportunities for improving such tools. Future solutions will be able to adapt simulations to specific users, making training even more effective.

PENETRATION TESTING APPROACHES EMPLOYING THE OPENVAS VULNERABILITY MANAGEMENT UTILITY

Currently, issues of security of information systems of critical information infrastructure facilities are becoming relevant. At the same time, the current tasks of an information security (IS) audit of critical information infrastructure objects, as a rule, come down to checking them for compliance with IS requirements. However, with this approach to auditing, the resistance of these objects to real attacks by intruders often remains unclear. To test this resistance, objects are subjected to a testing procedure, namely penetration testing. The goal is a comparative analysis of existing foreign and domestic penetration testing methods and standards. The elements of novelty of the work are the identified features, advantages, disadvantages and scope of applicability of existing standards and methods of penetration testing. This article will review the OpenVAS vulnerability scanner. Readers will become familiar with the basic and advanced functions of the program; its settings depend on the functions and capabilities.

Harnessing Unsupervised Insights: Enhancing Black-Box Graph Injection Attacks with Graph Contrastive Learning

Adversarial attacks on Graph Neural Networks (GNNs) have emerged as a significant threat to the security of graph learning. Compared with Graph Modification Attacks (GMAs), Graph Injection Attacks (GIAs) are considered more realistic attacks, in which attackers perturb GNN models by injecting a small number of fake nodes. However, most existing black-box GIA methods either require comprehensive knowledge of the dataset and the ground-truth labels or a large number of queries to execute the attack, which is often unfeasible in many scenarios. In this paper, we propose an unsupervised method for leveraging the rich knowledge contained in the graph data themselves to enhance the success rate of graph injection attacks on the initial query. Specifically, we introduce GraphContrastive Learning-based Graph Injection Attack (GCIA), which consists of a node encoder, a reward predictor, and a fake node generator. The Graph Contrastive Learning (GCL)-based node encoder transforms nodes for low-dimensional continuous embedding, the reward predictor acts as a simplified surrogate for the target model, and the fake node generator produces fake nodes and edges based on several carefully designed loss functions, utilizing the node encoder and reward predictor. Extensive results demonstrate that the proposed GCIA method achieves a first query success rate of 91.2% on the Reddit dataset and improves the success rate to over 99.7% after 10 queries.

Harnessing the power of blockchain to strengthen cybersecurity measures: a review

As the digital environment continues to evolve with the increasing frequency and complexity of cybersecurity threats, there is growing interest in using blockchain (BC) technology. BC is a technology with desirable properties such as decentralization, integrity, and transparency. The decentralized nature of BC eliminates single points of failure, reducing the vulnerability of critical systems to targeted attacks. The complex and rapidly evolving nature of cyber threats requires an earlier and adaptive approach. This review paper examined several papers collected from official websites. Focusing on using BC technology to improve cybersecurity, the main keywords of the review paper were BC technology, supply chain management, proof of work, and proof of stake. This review paper aims to investigate the security components through a threat assessment that compares the security of BC in different classes and real attack environments. It highlights the potential of BC to strengthen cybersecurity measures, citing unique features. The review paper also points out that there is a lack of focus on addressing security challenges related to computer data and digital systems and calling for a deeper discussion on problem-solving.

Multi-SpacePhish: Extending the Evasion-space of Adversarial Attacks against Phishing Website Detectors Using Machine Learning

Existing literature on adversarial Machine Learning (ML) focuses either on showing attacks that break every ML model or defenses that withstand most attacks. Unfortunately, little consideration is given to the actual feasibility of the attack or the defense. Moreover, adversarial samples are often crafted in the “feature-space,” making the corresponding evaluations of questionable value. Simply put, the current situation does not allow one to estimate the actual threat posed by adversarial attacks, leading to a lack of secure ML systems. We aim to clarify such confusion in this article. By considering the application of ML for Phishing Website Detection (PWD), we formalize the “evasion-space,” in which an adversarial perturbation can be introduced to fool an ML-PWD—demonstrating that even perturbations in the “feature-space” are useful. Then, we propose a realistic threat model describing evasion attacks against ML-PWD that are cheap to stage, and hence intrinsically more attractive for real phishers. After that, we perform the first statistically validated assessment of state-of-the-art ML-PWD against 12 evasion attacks. Our evaluation shows (i) the true efficacy of evasion attempts that are more likely to occur; and (ii) the impact of perturbations crafted in different evasion-spaces; our realistic evasion attempts induce a statistically significant degradation (3–10% at p < 0.05), and their cheap cost makes them a subtle threat. Notably, however, some ML-PWD are immune to our most realistic attacks ( p = 0.22). Finally, as an additional contribution of this journal publication, we are the first to propose and empirically evaluate the intriguing case wherein an attacker introduces perturbations in multiple evasion-spaces at the same time . These new results show that simultaneously applying perturbations in the problem- and feature-space can cause a drop in the detection rate from 0.95 to 0. Our contribution paves the way for a much-needed re-assessment of adversarial attacks against ML systems for cybersecurity.

Guide to developing case-based attack scenarios and establishing defense strategies for cybersecurity exercise in ICS environment

Critical infrastructure mainly performs its role through an industrial control system (ICS). Organizations conduct cyber exercises between red and blue teams, focusing on offense and defense. Practical exercises require explicit attack scenarios and corresponding defense strategies. However, systematic guides for deriving cyberattack scenarios or defense strategies still need to be improved. This paper proposes a guide for establishing realistic attack scenarios and defense strategies for cybersecurity exercises in ICS environments. Attack scenario generation is divided into four steps: generating attack references, deriving attack sequences, mapping threat information, and mapping vulnerable implementation patterns. Deriving a defensive strategy consists of two steps parallel to developing an attack scenario: deriving containment and eradication. The methodology we propose guides exercise planning based on a knowledge base, thereby assisting exercise planners in generating various scenarios and deriving clear defense strategies. We showed that a clear exercise plan could be established through a case study.

On The Security Of A Novel Construction Of Certificateless Aggregate Signature Scheme For Healthcare Wireless Medical Sensor Networks

Abstract Recently, Qiao et al. proposed a novel construction of certificateless aggregate signature (CLAS) scheme to ensure the integrity and authenticity of medical data in healthcare wireless medical sensor networks (HWMSNs). They first created an underlying certificateless signature (CLS) scheme, and then proposed a CLAS scheme from the underlying CLS scheme by adding an aggregation algorithm and a verification algorithm. In this paper, we point out that their CLS scheme is insecure because the Type I adversary can forge valid signatures. That is, the unforgeability is not actually captured by their CLS scheme. Finally, we map our cryptanalysis to the practical application. That is, in the practical application of HWMSNs, the attacker can launch real attack to their CLS scheme using our cryptanalysis to forge signatures. Therefore, Qiao et al.’s CLS scheme can be totally broken.

A Red Team automated testing modeling and online planning method for post-penetration

Post-penetration red team automation testing effectively addresses the pain points of traditional manual red teams, including manpower, time costs, and the high level of professional knowledge required, thereby improving the efficiency and effectiveness of red team penetration testing. However, introducing automation technology into the red team testing domain still faces numerous technical challenges. These challenges include accurately simulating real attack environments, coordinating complex attack actions, and effectively resolving uncertainties during the attack process. These challenges remain critical issues that require urgent solutions. In this context, we propose a post-penetration-oriented automated red team penetration test modeling and planning approach. The objective of this approach is to automatically generate attack paths, coordinate attack behaviors, and adjust attack behaviors based on feedback, enabling attacks on real target networks through corresponding operations. We conducted analysis and performance testing on our solution, comparing it with other available planners. Our experimental results demonstrate the effectiveness of the proposed planner in achieving automated penetration testing. Compared to other available planners, ours can generate valid attack paths more quickly and exhibits excellent performance in planning effectiveness and quality. Furthermore, our planner possesses wide applicability across various penetration testing scenarios.

AARF: Autonomous Attack Response Framework for Honeypots to Enhance Interaction Based on Multi-Agent Dynamic Game

Highly interactive honeypots can form reliable connections by responding to attackers to delay and capture intranet attacks. However, current research focuses on modeling the attacker as part of the environment and defining single-step attack actions by simulation to study the interaction of honeypots. It ignores the iterative nature of the attack and defense game, which is inconsistent with the correlative and sequential nature of actions in real attacks. These limitations lead to insufficient interaction of the honeypot response strategies generated by the study, making it difficult to support effective and continuous games with attack behaviors. In this paper, we propose an autonomous attack response framework (named AARF) to enhance interaction based on multi-agent dynamic games. AARF consists of three parts: a virtual honeynet environment, attack agents, and defense agents. Attack agents are modeled to generate multi-step attack chains based on a Hidden Markov Model (HMM) combined with the generic threat framework ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge). The defense agents iteratively interact with the attack behavior chain based on reinforcement learning (RL) to learn to generate honeypot optimal response strategies. Aiming at the sample utilization inefficiency problem of random uniform sampling widely used in RL, we propose the dynamic value label sampling (DVLS) method in the dynamic environment. DVLS can effectively improve the sample utilization during the experience replay phase and thus improve the learning efficiency of honeypot agents under the RL framework. We further couple it with a classic DQN to replace the traditional random uniform sampling method. Based on AARF, we instantiate different functional honeypot models for deception in intranet scenarios. In the simulation environment, honeypots collaboratively respond to multi-step intranet attack chains to defend against these attacks, which demonstrates the effectiveness of AARF. The average cumulative reward of the DQN with DVLS is beyond eight percent, and the convergence speed is improved by five percent compared to a classic DQN.

Comparative Analysis of Anomaly Detection Approaches in Firewall Logs: Integrating Light-Weight Synthesis of Security Logs and Artificially Generated Attack Detection.

Detecting anomalies in large networks is a major challenge. Nowadays, many studies rely on machine learning techniques to solve this problem. However, much of this research depends on synthetic or limited datasets and tends to use specialized machine learning methods to achieve good detection results. This study focuses on analyzing firewall logs from a large industrial control network and presents a novel method for generating anomalies that simulate real attacker actions within the network without the need for a dedicated testbed or installed security controls. To demonstrate that the proposed method is feasible and that the constructed logs behave as one would expect real-world logs to behave, different supervised and unsupervised learning models were compared using different feature subsets, feature construction methods, scaling methods, and aggregation levels. The experimental results show that unsupervised learning methods have difficulty in detecting the injected anomalies, suggesting that they can be seamlessly integrated into existing firewall logs. Conversely, the use of supervised learning methods showed significantly better performance compared to unsupervised approaches and a better suitability for use in real systems.

The role of cyber exercises in improving cyber readiness

It's dangerous to assume that your cyber defences are up to the task of defending your organisation. How do you know how you will perform in the face of real attacks? The best way to know is to carry out realistic exercises that put your defences to the test. Not only will you have an accurate idea if your security is properly matched to the risks and threats you face, such exercises may also help you meet your regulatory obligations.

Protect Your Score: Contact-Tracing with Differential Privacy Guarantees

The pandemic in 2020 and 2021 had enormous economic and societal consequences, and studies show that contact tracing algorithms can be key in the early containment of the virus. While large strides have been made towards more effective contact tracing algorithms, we argue that privacy concerns currently hold deployment back. The essence of a contact tracing algorithm constitutes the communication of a risk score. Yet, it is precisely the communication and release of this score to a user that an adversary can leverage to gauge the private health status of an individual. We pinpoint a realistic attack scenario and propose a contact tracing algorithm with differential privacy guarantees against this attack. The algorithm is tested on the two most widely used agent-based COVID19 simulators and demonstrates superior performance in a wide range of settings. Especially for realistic test scenarios and while releasing each risk score with epsilon=1 differential privacy, we achieve a two to ten-fold reduction in the infection rate of the virus. To the best of our knowledge, this presents the first contact tracing algorithm with differential privacy guarantees when revealing risk scores for COVID19.

Evasion Attacks on Deep Learning-Based Helicopter Recognition Systems

Identifying objects in surveillance and reconnaissance systems with the human eye can be challenging, underscoring the growing importance of employing deep learning models for the recognition of enemy weapon systems. These systems, leveraging deep neural networks known for their strong performance in image recognition and classification, are currently under extensive research. However, it is crucial to acknowledge that surveillance and reconnaissance systems utilizing deep neural networks are susceptible to vulnerabilities posed by adversarial examples. While prior adversarial example research has mainly utilized publicly available internet data, there has been a significant absence of studies concerning adversarial attacks on data and models specific to real military scenarios. In this paper, we introduce an adversarial example designed for a binary classifier tasked with recognizing helicopters. Our approach generates an adversarial example that is misclassified by the model, despite appearing unproblematic to the human eye. To conduct our experiments, we gathered real attack and transport helicopters and employed TensorFlow as the machine learning library of choice. Our experimental findings demonstrate that the average attack success rate of the proposed method is 81.9%. Additionally, when epsilon is 0.4, the attack success rate is 90.1%. Before epsilon reaches 0.4, the attack success rate increases rapidly, and then we can see that epsilon increases little by little thereafter.

Hypervisor-based data synthesis: On its potential to tackle the curse of client-side agent remnants in forensic image generation

In the field of digital forensics, the number and heterogeneity of devices typically involved in an investigation is increasing. In order to train digital forensics practitioners and make faster progress in the development and validation of forensic tools, the demand for up-to-date data sets is high. However, manually creating data sets is a complex, tedious, and time-consuming task increasing the need for automated solutions. Existing data generation frameworks typically use components that run directly on the simulated client (e.g., a client-side agent controlled via SSH). On the one hand, this facilitates simulation by providing direct feedback from the client and the ability to use client-side libraries to access software. On the other hand, however, this approach creates unintended traces in the generated data sets that quickly reveal their synthetic origin and affect their realism and thus their relevance. To avoid such traces, this paper presents a hypervisor-based solution to eliminate such a client-side software component in a recent digital forensic data set generator, while compensating for its absence only through host-side means. To demonstrate the practicability of the proposed approach as well as the indistinguishability of the generated traces, a multi-participant scenario is performed as a proof of concept to replicate a realistic attack scenario on a Linux system from a Kali attacker machine. During the evaluation, the generated data set is compared in terms of unintended traces and realism to a data set generated by the same framework using an agent component. In this way, we demonstrate the benefits and overall usefulness of an agent-less data synthesis approach.

Cognition in Social Engineering Empirical Research: A Systematic Literature Review

The interdisciplinarity of the Social Engineering (SE) domain creates crucial challenges for the development and advancement of empirical SE research, making it particularly difficult to identify the space of open research questions that can be addressed empirically. This space encompasses questions on attack conditions, employed experimental methods, and interactions with underlying cognitive aspects. As a consequence, much potential in the breadth of existing empirical SE research and in its mapping to the actual cognitive processes it aims to measure is left untapped. In this work, we carry out a systematic review of 169 articles investigating overall 735 hypotheses in the field of empirical SE research, focusing on experimental characteristics and core cognitive features from both attacker and target perspectives. Our study reveals that experiments only partially reproduce real attacks and that the exploitable SE attack surface appears much larger than the coverage provided by the current body of research. Factors such as targets’ context and cognitive processes are often ignored or not explicitly considered in experimental designs. Similarly, the effects of different pretexts and varied targetization levels are overall marginally investigated. Our findings on current SE research dynamics provide insights into methodological shortcomings and help identify supplementary techniques that can open promising future research directions.

GENICS: A Framework for Generating Attack Scenarios for Cybersecurity Exercises on Industrial Control Systems

Due to the nature of the industrial control systems (ICS) environment, where process continuity is essential, intentionally initiating a cyberattack to check security controls can cause severe financial and human damage to the organization. Therefore, most organizations operating ICS environments check their level of security through simulated cybersecurity exercises. For these exercises to be effective, high-quality cyberattack scenarios that are likely to occur in the ICS environment must be assumed. Unfortunately, many organizations use limited attack scenarios targeting essential digital assets, leading to ineffective response preparedness. To derive high-quality scenarios, there is a need for relevant attack and vulnerability information, and standardized methods for creating and evaluating attack scenarios in the ICS context. To meet these challenges, we propose GENICS, an attack scenario generation framework for cybersecurity training in ICS. GENICS consists of five phases: threat analysis, attack information identification, modeling cyberattack scenarios, quantifying cyberattacks, and generating scenarios. The validity of GENICS was verified through a qualitative study and case studies on current attack scenario-generating methods. GENICS ensures a systematic approach to generate quantified, realistic attack scenarios, thereby significantly enhancing cybersecurity training in ICS environments.

Multi-Dimensional Fusion Deep Learning for Side Channel Analysis

The rapid advancement of deep learning has significantly heightened the threats posed by Side-Channel Attacks (SCAs) to information security, transforming their effectiveness to a degree several orders of magnitude superior to conventional signal processing techniques. However, the majority of existing Deep-Learning Side-Channel Attacks (DLSCAs) primarily focus on the classification accuracy of the trained model at the attack stage, often assuming that adversaries have unlimited computational and time resources during the profiling stage. This might result in an inflated assessment of the trained model’s fitting capability in a real attack scenario. In this paper, we present a novel DLSCA model, called a Multi-Dimensional Fusion Convolutional Residual Dendrite (MD_CResDD) network, to enhance and speed up the feature extraction process by incorporating a multi-scale feature fusion mechanism. By testing the proposed model on two software implementations of AES-128, we show that it is feasible to improve the profiling speed by at least 34% compared to other existing deep-learning models for DLSCAs and meanwhile achieved a certain level of improvement (8.4% and 0.8% for two implementations) in the attack accuracy. Furthermore, we also investigate how different fusion approaches, fusion times, and residual blocks can affect the attack efficiency on the same two datasets.

An Effective Method for Detecting Unknown Types of Attacks Based on Log-Cosh Variational Autoencoder

The increasing prevalence of unknown-type attacks on the Internet highlights the importance of developing efficient intrusion detection systems. While machine learning-based techniques can detect unknown types of attacks, the need for innovative approaches becomes evident, as traditional methods may not be sufficient. In this research, we propose a deep learning-based solution called the log-cosh variational autoencoder (LVAE) to address this challenge. The LVAE inherits the strong modeling abilities of the variational autoencoder (VAE), enabling it to understand complex data distributions and generate reconstructed data. To better simulate discrete features of real attacks and generate unknown types of attacks, we introduce an effective reconstruction loss term utilizing the logarithmic hyperbolic cosine (log-cosh) function in the LVAE. Compared to conventional VAEs, the LVAE shows promising potential in generating data that closely resemble unknown attacks, which is a critical capability for improving the detection rate of unknown attacks. In order to classify the generated unknown data, we employed eight feature extraction and classification techniques. Numerous experiments were conducted using the latest CICIDS2017 dataset, training with varying amounts of real and unknown-type attacks. Our optimal experimental results surpassed several state-of-the-art techniques, achieving accuracy and average F1 scores of 99.89% and 99.83%, respectively. The suggested LVAE strategy also demonstrated outstanding performance in generating unknown attack data. Overall, our work establishes a solid foundation for accurately and efficiently identifying unknown types of attacks, contributing to the advancement of intrusion detection techniques.