Realistic Attack Scenarios Research Articles

Positional Packet Capture for Anomaly Detection in Multitenant Virtual Networks

ABSTRACTAnomaly detection in multitenant virtual networks presents significant challenges due to the dynamic, ephemeral nature of virtualized environments and the complex traffic patterns they generate. This paper presents a definition of preferable positions within virtual networks to enhance anomaly detection efficacy. Leveraging a combination of overlay and underlay capture positions, this paper examines the strategic impact of network positioning on anomaly detection accuracy, particularly in environments utilizing software‐defined networking (SDN) and network function virtualization (NFV). Through controlled testing with realistic attack scenarios, including data exfiltration, denial of service, and malware infiltration, the advantages and constraints of each capture position are demonstrated. The findings underscore the necessity of adaptable capture mechanisms to address variability in data volume, encapsulation challenges, and privacy concerns unique to virtualized ecosystems. The paper further introduces a cost calculation model that evaluates each capture position by weighting key factors, enabling an optimized trade‐off between detection accuracy and resource efficiency. The derived classification of the positional value significantly improves real‐time detection of both internal and external threats within multitenant networks.

Guide to developing case-based attack scenarios and establishing defense strategies for cybersecurity exercise in ICS environment

Critical infrastructure mainly performs its role through an industrial control system (ICS). Organizations conduct cyber exercises between red and blue teams, focusing on offense and defense. Practical exercises require explicit attack scenarios and corresponding defense strategies. However, systematic guides for deriving cyberattack scenarios or defense strategies still need to be improved. This paper proposes a guide for establishing realistic attack scenarios and defense strategies for cybersecurity exercises in ICS environments. Attack scenario generation is divided into four steps: generating attack references, deriving attack sequences, mapping threat information, and mapping vulnerable implementation patterns. Deriving a defensive strategy consists of two steps parallel to developing an attack scenario: deriving containment and eradication. The methodology we propose guides exercise planning based on a knowledge base, thereby assisting exercise planners in generating various scenarios and deriving clear defense strategies. We showed that a clear exercise plan could be established through a case study.

Protect Your Score: Contact-Tracing with Differential Privacy Guarantees

The pandemic in 2020 and 2021 had enormous economic and societal consequences, and studies show that contact tracing algorithms can be key in the early containment of the virus. While large strides have been made towards more effective contact tracing algorithms, we argue that privacy concerns currently hold deployment back. The essence of a contact tracing algorithm constitutes the communication of a risk score. Yet, it is precisely the communication and release of this score to a user that an adversary can leverage to gauge the private health status of an individual. We pinpoint a realistic attack scenario and propose a contact tracing algorithm with differential privacy guarantees against this attack. The algorithm is tested on the two most widely used agent-based COVID19 simulators and demonstrates superior performance in a wide range of settings. Especially for realistic test scenarios and while releasing each risk score with epsilon=1 differential privacy, we achieve a two to ten-fold reduction in the infection rate of the virus. To the best of our knowledge, this presents the first contact tracing algorithm with differential privacy guarantees when revealing risk scores for COVID19.

Hypervisor-based data synthesis: On its potential to tackle the curse of client-side agent remnants in forensic image generation

In the field of digital forensics, the number and heterogeneity of devices typically involved in an investigation is increasing. In order to train digital forensics practitioners and make faster progress in the development and validation of forensic tools, the demand for up-to-date data sets is high. However, manually creating data sets is a complex, tedious, and time-consuming task increasing the need for automated solutions. Existing data generation frameworks typically use components that run directly on the simulated client (e.g., a client-side agent controlled via SSH). On the one hand, this facilitates simulation by providing direct feedback from the client and the ability to use client-side libraries to access software. On the other hand, however, this approach creates unintended traces in the generated data sets that quickly reveal their synthetic origin and affect their realism and thus their relevance. To avoid such traces, this paper presents a hypervisor-based solution to eliminate such a client-side software component in a recent digital forensic data set generator, while compensating for its absence only through host-side means. To demonstrate the practicability of the proposed approach as well as the indistinguishability of the generated traces, a multi-participant scenario is performed as a proof of concept to replicate a realistic attack scenario on a Linux system from a Kali attacker machine. During the evaluation, the generated data set is compared in terms of unintended traces and realism to a data set generated by the same framework using an agent component. In this way, we demonstrate the benefits and overall usefulness of an agent-less data synthesis approach.

GENICS: A Framework for Generating Attack Scenarios for Cybersecurity Exercises on Industrial Control Systems

Due to the nature of the industrial control systems (ICS) environment, where process continuity is essential, intentionally initiating a cyberattack to check security controls can cause severe financial and human damage to the organization. Therefore, most organizations operating ICS environments check their level of security through simulated cybersecurity exercises. For these exercises to be effective, high-quality cyberattack scenarios that are likely to occur in the ICS environment must be assumed. Unfortunately, many organizations use limited attack scenarios targeting essential digital assets, leading to ineffective response preparedness. To derive high-quality scenarios, there is a need for relevant attack and vulnerability information, and standardized methods for creating and evaluating attack scenarios in the ICS context. To meet these challenges, we propose GENICS, an attack scenario generation framework for cybersecurity training in ICS. GENICS consists of five phases: threat analysis, attack information identification, modeling cyberattack scenarios, quantifying cyberattacks, and generating scenarios. The validity of GENICS was verified through a qualitative study and case studies on current attack scenario-generating methods. GENICS ensures a systematic approach to generate quantified, realistic attack scenarios, thereby significantly enhancing cybersecurity training in ICS environments.

Multi-Dimensional Fusion Deep Learning for Side Channel Analysis

The rapid advancement of deep learning has significantly heightened the threats posed by Side-Channel Attacks (SCAs) to information security, transforming their effectiveness to a degree several orders of magnitude superior to conventional signal processing techniques. However, the majority of existing Deep-Learning Side-Channel Attacks (DLSCAs) primarily focus on the classification accuracy of the trained model at the attack stage, often assuming that adversaries have unlimited computational and time resources during the profiling stage. This might result in an inflated assessment of the trained model’s fitting capability in a real attack scenario. In this paper, we present a novel DLSCA model, called a Multi-Dimensional Fusion Convolutional Residual Dendrite (MD_CResDD) network, to enhance and speed up the feature extraction process by incorporating a multi-scale feature fusion mechanism. By testing the proposed model on two software implementations of AES-128, we show that it is feasible to improve the profiling speed by at least 34% compared to other existing deep-learning models for DLSCAs and meanwhile achieved a certain level of improvement (8.4% and 0.8% for two implementations) in the attack accuracy. Furthermore, we also investigate how different fusion approaches, fusion times, and residual blocks can affect the attack efficiency on the same two datasets.

ProvSec: Open Cybersecurity System Provenance Analysis Benchmark Dataset with Labels

System provenance forensic analysis has been studied by a large body of research work. This area needs fine granularity data such as system calls along with event fields to track the dependencies of events. While prior work on security datasets has been proposed, we found a useful dataset of realistic attacks and details that are needed for high-quality provenance tracking is lacking. We created a new dataset of eleven vulnerable cases for system forensic analysis. It includes the full details of system calls including syscall parameters. Realistic attack scenarios with real software vulnerabilities and exploits are used. For each case, we created two sets of benign and adversary scenarios which are manually labeled for supervised machine-learning analysis. In addition, we present an algorithm to improve the data quality in the system provenance forensic analysis. We demonstrate the details of the dataset events and dependency analysis of our dataset cases.

Distributed robust‐multivariate‐observer‐based FDI attacks estimation for nonlinear multi‐agent systems with directed graphs

AbstractThis article investigates the distributed robust estimation problem for false data injection (FDI) attacks in nonlinear multi‐agent systems with directed graphs. To approximate the realistic attack scenario, the case where both the actuator network channel and sensor network channel suffering from FDIs are considered, and the attack signals contain time‐varying circumstances. A novel distributed robust‐multivariate‐observer (DRMO) strategy is developed such that the online estimation of FDI attack dynamics can be realized with the partially unknown nonlinear dynamics, attack transient increments, and disturbances impact being eliminated. The designed DRMO scheme only depends on the received compromised/uncompromised measurement output information on the account that whole state information cannot be measured directly. Finally, two simulation examples, including a network of four one‐link flexible joint manipulator systems with comparisons to existing methods, are given to show the effectiveness of the proposed scheme.

DEFIA: Evaluate defense effectiveness by fusing behavior information of cyberattacks

The existing researches point to a lack of studies addressing the quantitative evaluation of the effectiveness of cyber defense. This difficult matter has been plaguing cyber security researchers and managers. This paper provides a quantitative method to evaluate defense effectiveness, called DEFIA. DEFIA records information about attack behavior in a formatted way and evaluates the defense effectiveness based on the utility of attack behaviors. By calculating the probability features of the attack behavior in the attack sample, the physical space structure of the attack behavior information is constructed. In particular, we define the utility calculation principle of attack behaviors and regard it as the benchmark for evaluating defensive capabilities. DEFIA can quantitatively assess the defense effectiveness of defense methods deployed in computer systems. We explain how the method works by simulating some real attack scenarios and based on the information provided by Virustotal to prove that DEFIA is reasonable and feasible.

Translating theory into practice: assessing the privacy implications of concept-based explanations for biomedical AI.

Artificial Intelligence (AI) has achieved remarkable success in image generation, image analysis, and language modeling, making data-driven techniques increasingly relevant in practical real-world applications, promising enhanced creativity and efficiency for human users. However, the deployment of AI in high-stakes domains such as infrastructure and healthcare still raises concerns regarding algorithm accountability and safety. The emerging field of explainable AI (XAI) has made significant strides in developing interfaces that enable humans to comprehend the decisions made by data-driven models. Among these approaches, concept-based explainability stands out due to its ability to align explanations with high-level concepts familiar to users. Nonetheless, early research in adversarial machine learning has unveiled that exposing model explanations can render victim models more susceptible to attacks. This is the first study to investigate and compare the impact of concept-based explanations on the privacy of Deep Learning based AI models in the context of biomedical image analysis. An extensive privacy benchmark is conducted on three different state-of-the-art model architectures (ResNet50, NFNet, ConvNeXt) trained on two biomedical (ISIC and EyePACS) and one synthetic dataset (SCDB). The success of membership inference attacks while exposing varying degrees of attribution-based and concept-based explanations is systematically compared. The findings indicate that, in theory, concept-based explanations can potentially increase the vulnerability of a private AI system by up to 16% compared to attributions in the baseline setting. However, it is demonstrated that, in more realistic attack scenarios, the threat posed by explanations is negligible in practice. Furthermore, actionable recommendations are provided to ensure the safe deployment of concept-based XAI systems. In addition, the impact of differential privacy (DP) on the quality of concept-based explanations is explored, revealing that while negatively influencing the explanation ability, DP can have an adverse effect on the models' privacy.

A Highly Interpretable Framework for Generic Low-Cost UAV Attack Detection

The increasing prevalence of cyber-attacks on unmanned aerial vehicles (UAVs) has led to research on effective detection methods. However, current approaches often lack transferability and interoperability, which limits their effectiveness. This study proposes a CNN-BiLSTM-Attention (CBA) model for efficient attack detection using real-time UAV sensor data. Additionally, the SHapley Additive exPlanations (SHAP) method is used to improve the interpretability of the model. The proposed approach is tested on real attack scenarios, including denial-of-service (DoS) attacks and global positioning system (GPS) spoofing attacks, and demonstrates both effectiveness and interpretability.

An automatic unsupervised complex event processing rules generation architecture for real-time IoT attacks detection

In recent years, the Internet of Things (IoT) has grown rapidly, as has the number of attacks against it. Certain limitations of the paradigm, such as reduced processing capacity and limited main and secondary memory, make it necessary to develop new methods for detecting attacks in real time as it is difficulty to adapt as has the techniques used in other paradigms. In this paper, we propose an architecture capable of generating complex event processing (CEP) rules for real-time attack detection in an automatic and completely unsupervised manner. To this end, CEP technology, which makes it possible to analyze and correlate a large amount of data in real time and can be deployed in IoT environments, is integrated with principal component analysis (PCA), Gaussian mixture models (GMM) and the Mahalanobis distance. This architecture has been tested in two different experiments that simulate real attack scenarios in an IoT network. The results show that the rules generated achieved an F1 score of .9890 in detecting six different IoT attacks in real time.

LPG-PCFG: An Improved Probabilistic Context- Free Grammar to Hit Low-Probability Passwords.

With the development of the Internet, information security has attracted more attention. Identity authentication based on password authentication is the first line of defense; however, the password-generation model is widely used in offline password attacks and password strength evaluation. In real attack scenarios, high-probability passwords are easy to enumerate; extremely low-probability passwords usually lack semantic structure and, so, are tough to crack by applying statistical laws in machine learning models, but these passwords with lower probability have a large search space and certain semantic information. Improving the low-probability password hit rate in this interval is of great significance for improving the efficiency of offline attacks. However, obtaining a low-probability password is difficult under the current password-generation model. To solve this problem, we propose a low-probability generator–probabilistic context-free grammar (LPG–PCFG) based on PCFG. LPG–PCFG directionally increases the probability of low-probability passwords in the models’ distribution, which is designed to obtain a degeneration distribution that is friendly for generating low-probability passwords. By using the control variable method to fine-tune the degeneration of LPG–PCFG, we obtained the optimal combination of degeneration parameters. Compared with the non-degeneration PCFG model, LPG–PCFG generates a larger number of hits. When generating and times, the number of hits to low-probability passwords increases by and , respectively.

SnWF: Website Fingerprinting Attack by Ensembling the Snapshot of Deep Learning

The website fingerprinting (WF) attack enables a local eavesdropper to identify which website a client is visiting under encrypted network connections. By leveraging deep neural networks, the state-of-the-art WF attacks achieve high accuracy in classic experimental scenes. However, due to the high variance of neural networks, those attacks are sensitive to the specific information in the data and would result in less-than-ideal performance on data outside the training set or on data that is impacted by the effect of concept drift. In this paper, we present snWF, a novelWF attack, which leverages an out-of-the ordinary ensemble to reduce the variance of neural networks and improve the robustness of the attack. In a large open-world setting with 400,000 websites, snWF manages to determine whether a user is visiting a monitored website, with a true positive rate of 98.1% and a false positive rate of 5.7%. We also evaluated snWF in a more realistic attack scenario, termed as <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">wide-world</i> , to examine whether snWF can correctly classify websites that even an adversary has not seen before, and we found that snWF achieves a higher classification accuracy than the state-of-the-art attacks in this new setting. In addition, in the face of concept drift, snWF is found to be more resilient than any other attacks. Moreover, we are the first to reveal that under concept drift WF attacks suffer more severe performance degradation in a <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">open-world</i> setting than in a <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">closed-world</i> setting.

Semantic-Based Approach for Cyber-Physical Cascading Effects Within Healthcare Infrastructures

This paper presents a framework for integrated cyber-physical security propagation study within critical infrastructures (hospitals use case). The framework includes an ontology for the semantic modeling of cyber-physical security. The impact propagation approach relies on propagation rules inferring the cascading effects of security incidents occurring in hospitals. An impact score module allows evaluating impacts’ severity, considering implemented protection measures. This work is part of the European project SAFECARE, which provides a set of tests and demonstration sessions in partnership with 3 hospitals in Europe. During these tests, we measured effectiveness and efficiency metrics, as well as end users’ satisfaction feedback. Experiments performed on real attack scenarios, show high effectiveness rates and a common agreement from end-users about the added value of the solution to enhance risks analysis practice and increase hospitals mitigation strategies efficiency.

Responding to Targeted Stealthy Attacks on Android Using Timely-Captured Memory Dumps

The increasing dominance of Android smartphones for everyday communication and data processing makes long-term stealthy malware an even more dangerous threat. Recent malware campaigns like Flubot demonstrate that by employing stealthy malware techniques even at minimal capacity, malware is highly effective in making its way to millions of devices with little resistance from existing detection mechanisms. Consequential late detection demands comprehensive forensic timelines to reconstruct all malicious activities. However, the reduced forensic footprint of stealthy attacks with minimal malware involvement leaves investigators little evidence to work with even when utilising state-of-the-art digital forensics tools. Volatile memory forensics can be effective in such scenarios since app execution of any form is always bound to leave a trail of evidence in memory, even if it is short-lived. In this work, we motivate the need for <i>JIT-MF</i> (Just-in-time Memory Forensics), a technique that aims to address the challenges that arise with timely collection of short-lived evidence in volatile memory to solve the stealthiest of Android attacks. By taking an incident-response-centric approach, focused on protecting stock Android device users rather than treating them as potential adversaries, we show that JIT-MF tools can collect elusive attack steps in volatile memory without requiring device rooting. Furthermore, we build <i>MobFor</i>, a JIT-MF based tool focusing on capturing evidence related to messaging hijack attacks. This tool provides a context to explore solutions for JIT-MF implementation challenges, aiming to render JIT-MF tools practical for real-world requirements. Finally, we demonstrate that when compared to state-of-the-art digital forensic tools Belkasoft and XRY in a realistic attack scenario involving an enhanced version of the WhatsApp Pink malware and stock Android devices, only MobFor can recover the contents of messages sent by the malware, hence decisively contributing to an enriched forensic timeline.

A New Injection Threat on S7-1500 PLCs - Disrupting the Physical Process Offline

Programmable Logic Controllers (PLCs) are increasingly connected and integrated into the Industrial Internet of Things (IIoT) for a better network connectivity and a more streamlined control process. But in fact, this brings also its security challenges and exposes them to various cyber-attacks targeting the physical process controlled by such devices. In this work, we investigate whether the newest S7 PLCs are vulnerable by design and can be exploited. In contrast to the typical control logic injection attacks existing in the research community, which require from adversaries to be online along the ongoing attack, this article introduces a new exploit strategy that aims at disrupting the physical process controlled by the infected PLC when adversaries are not connected neither to the target nor to its network at the point zero for the attack. Our exploit approach is comprised of two steps: 1) Patching the PLC with a malicious <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Time-of-Day</i> interrupt block once an attacker gains access to an exposed PLC, 2) Triggering the interrupt at a later time on the attacker will, when he is disconnected to the system’s network. For a real attack scenario, we implemented our attack approach on a Fischertechnik training system based on S7-1500 PLC using the latest version of S7CommPlus protocol. Our experimental results showed that we could keep the patched interrupt block in idle mode and hidden in the PLC memory for a long time without being revealed before being activated at the specific date and time that the attacker defined. Finally, we suggested some potential security recommendations to protect industrial environments from such a threat.

Threat Modelling and Beyond-Novel Approaches to Cyber Secure the Smart Energy System

Smart Grids (SGs) represent electrical power systems that incorporate increased information processing and efficient technological solutions. The integration of local prosumers, demand response systems and storage allows novel possibilities with regard to energy balancing and optimization of grid operations. Unfortunately, the dependence on IT leaves the SG exposed to security violations. In this paper, we contribute to this challenge and provide a methodology for systematic risk assessment of cyber attacks in SG systems. We propose a threat model and identify possible vulnerabilities in low-voltage distribution grids. Then, we calculate exploitation probabilities from realistic attack scenarios. Lastly, we apply formal verification to check the stochastic model against attack properties. The obtained results provide insight into potential threats and the likeliness of successful attacks. We elaborate on the effects of a security violation with regard to security and privacy of energy clients. In the aftermath, we discuss future considerations for improving security in the critical energy sector.

Challenging the Security of Logic Locking Schemes in the Era of Deep Learning: A Neuroevolutionary Approach

Logic locking is a prominent technique to protect the integrity of hardware designs throughout the integrated circuit design and fabrication flow. However, in recent years, the security of locking schemes has been thoroughly challenged by the introduction of various deobfuscation attacks. As in most research branches, deep learning is being introduced in the domain of logic locking as well. Therefore, in this article we present SnapShot, a novel attack on logic locking that is the first of its kind to utilize artificial neural networks to directly predict a key bit value from a locked synthesized gate-level netlist without using a golden reference. Hereby, the attack uses a simpler yet more flexible learning model compared to existing work. Two different approaches are evaluated. The first approach is based on a simple feedforward fully connected neural network. The second approach utilizes genetic algorithms to evolve more complex convolutional neural network architectures specialized for the given task. The attack flow offers a generic and customizable framework for attacking locking schemes using machine learning techniques. We perform an extensive evaluation of SnapShot for two realistic attack scenarios, comprising both reference combinational and sequential benchmark circuits as well as silicon-proven RISC-V core modules. The evaluation results show that SnapShot achieves an average key prediction accuracy of 82.60% for the selected attack scenario, with a significant performance increase of 10.49 percentage points compared to the state of the art. Moreover, SnapShot outperforms the existing technique on all evaluated benchmarks. The results indicate that the security foundation of common logic locking schemes is built on questionable assumptions. Based on the lessons learned, we discuss the vulnerabilities and potentials of logic locking uncovered by SnapShot. The conclusions offer insights into the challenges of designing future logic locking schemes that are resilient to machine learning attacks.

Modified Cache-Template Attack on AES

While it has been known for a long time that the cache behavior is a powerful source of the information leakage, more realistic attack scenarios have received a lot of attention by the cryptographic community. To develop practical cache-based attacks, there is an increasingly need to automate the process of finding exploitable cache-based side-channels in computer systems. Cache template attack is a generic technique that utilizes Flush+Reload attack in order to automatically exploit cache vulnerability of Intel platforms. Cache template attack on T-table-based AES implementation consists of two phases including the profiling phase and the key exploitation phase. Profiling is a preprocessing phase to monitor dependencies between the secret key and behavior of the cache memory. In addition, the addresses of T-tables can be obtained automatically. In the key exploitation phase, most significant bits (MSBs) of the secret key bytes are retrieved by monitoring exploitable addresses. In this paper, we propose a simple yet effective searching technique which accelerates the profiling phase by a factor of at most 64. To verify the theoretical model of our technique, we implement the described attack on AES. The experimental results confirmed a shorter runtime of the attack in comparison to the original attack.