Security Researchers Research Articles

Cultivating cybersecurity learning: An integration of self-determination and flow

Because there is a critical shortage of cybersecurity talent, information security professionals and researchers should cultivate cybersecurity skills by encouraging individuals to pursue cybersecurity learning. However, some aspects of cybersecurity require substantial effort and perseverance for conceptual understanding to be gained. We propose motivation as the key to ensuring continuous engagement with and successful learning of such cybersecurity concepts. With a lab-based training program that taught participants about SQL injection attacks, we tested a research model that integrated flow theory and self-determination theory. Within the training program, we captured participants’ persistence in attempting and successfully completing the training exercises while also measuring their perceptions of motivation and flow. We found that flow facilitated motivation and its key antecedents. Flow and task significance had the strongest effects on motivation, while motivation fostered learning persistence and performance. We recommend training programs that maximize flow and task significance.

A differential game method against attacks in heterogeneous honeynet

The use of honeynet has become relatively common for security researchers and network operators to improve the network security. Thus, study of decision-making against attacks in a heterogeneous honeynet is significantly important for improving the design of honeynet and effectively preventing attacks. This paper establishes a dynamic node-evolutive model under attacks by considering the inherent characteristics and the functional interaction between ordinary nodes and honeypots, based on which the decision-making problem is modeled as a differential game. The existence of the saddle-point involved in the game is validated and the optimal dynamic strategies for the honeynet system and attackers are obtained through the proposed algorithm. The obtained optimal strategies are verified using several random strategies. The effects of the network topology and attack duration on the strategies for both sides and on the overall attack effect are evaluated. The key findings are: a) strategic decision-making should be closely related to the node degree. Specifically, the higher-degree node adapts attack or capture strategy in preference to the lower-degree one, in contrast to the patching strategy. b) a honeynet with higher power-law exponent is beneficial to eliminate attack effects, whereas a higher attack duration can aggravate these effects. The obtained results provide a theoretical foundation to improve the design of honeynet and restrain honeynet attacks.

BitScout: Remote Digital Forensics Toolkit

Forensic Science has been full of challenges for most of the Law Enforcement Agency (LEA) as we need to physically visit the crime scene, acquire evidence, then preserve it for forensic analysis. The path of collecting evidences from crime site and then bringing it to the Forensic Labs. becomes much cumbersome as the evidence may be corrupted or altered during transit. So why not to adopt a system for readily analysis of a compromised system without going to the crime site and sitting on one’s chair or forensic workstation? The answer may be yes, we can but will it be easy and ethical to acquire evidence from a system remotely without visiting the crime scene physically. Vitaly Kamluk from Kaspersky Labs made this possible now by launching a new forensic tool called BitScout . To solve this problem, security researchers and Forensic Investigator can now use BitScout to collect remotely, key forensic evidences, to acquire full disk images via the network or locally attached storage devices, or simply to assist in malware incident handling. Evidence data can be viewed and analysed remotely or locally while the source data storage remains intact through reliable container-based isolation. BitScout is an open-source and free tool developed by security researchers for all people interested in digital forensics and cyber crimes investigations.

SecPump: A Connected Open-Source Infusion Pump for Security Research Purposes

This letter presents SecPump, a new open-source wireless infusion pump platform dedicated to security researchers. The novelty of the platform is that it is “plug and play.” Indeed, SecPump simulates a functional infusion pump system on a single board without requiring additional hardware or mechanical components. The presented cyber-physical platform intends to provide a framework for security evaluation, tailored for countermeasure development against security flaws related to medical devices. This letter presents the functionality of the cyber-physical device, its wireless features, and its portability across several hardware architectures. Finally, both hardware and software attacks are showcased on the platform.

Pattern-Growth Based Mining Mouse-Interaction Behavior for an Active User Authentication System

Analyzing mouse-interaction behaviors for implicitly identifying computer users has received growing interest from security and biometric researchers. This study presents a simple but efficient active user authentication system by modeling mouse-interaction behavior, which is accurate and competent for future deployments. A pattern-growth-based mining method is proposed to extract frequent behavior segments, in obtaining a stable and discriminative representation of mouse-interaction behavior. Then procedural features are extracted to provide an accurate and fine-grained characterization of the behavior segments. A SVM-based decision procedure using one-class learning techniques is applied to the feature space for performing authentication. Analyses are conducted using data from around 1,526,400 mouse operations of 159 participants, and the authentication performance is evaluated across various application scenarios and tasks. Our experimental results show that characteristics from frequent behavior segments are more stable and discriminative than those from holistic behavior, and the system achieves a practically useful level of performance with FAR of 0.09 percent and FRR of 1 percent. Additional experiments on usability to sample length, reliability to application task, scalability to user size, robustness to mimic attack, and response to behavior change are provided to further explore the applicability. We also compare the proposed approach with the state-of-the-art approaches for the collected data.

A novel authentication and key‐agreement scheme for satellite communication network

SummaryIn these days, satellite communication networks are playing a significant role in facilitating the crucial infrastructural services that include environmental monitoring, electronic surveillance, public safety, intelligence operations for law enforcement, government agencies, and the military. However, security researchers have uncovered that many protocols for these satellite communication networks have some vulnerabilities and flaws that can allow remote attackers to intercept, block, and manipulate critical communication over the network. Therefore, in this article, we introduce an efficient and simple authentication key agreement protocol for securing mobile satellite communication systems. Our proposed protocol resists against denial of service, smart‐card stolen, replay, user impersonation, and stolen verifier attack. Furthermore, our protocol provides various functionality features like perfect‐forward secrecy, mutual‐authentication, dynamic identity, and session‐key agreement. Moreover, the performance analysis of our protocol shows that the communication and computation cost of the proposed protocol is far less than the existing protocols. Hence, our proposed protocol offers simple, efficient, secure authentication, and key agreement for mobile satellite systems.

Forensic Analysis of a Ransomware

In the present digital world malware is the most potent weapon. Malware, especially ransomware, is used in security breaches on a large scale which leads to huge losses in terms of money and critical information for big firms and government organisations. In order to counter the future ransomware attacks it is necessary to carry out a forensic analysis of the malware. This experiment proposes a manual method for dynamic malware analysis so that security researchers or malware analyst can easily understand the behaviour of the ransomware and implement a better solution for reducing the risk of malware attack in future. For doing this experiment Volatility, Regshot and FTK Imager Lite Forensics toolkit were used in a virtual and safe environment. The forensic analysis of a Ransomware is done in a virtual setup to prevent any infection to the base machine and carry out detailed analysis of the behaviour of the malware under different conditions. Malware analysis is important because the behavioral analysis helps in developing better mitigation techniques thereby reducing infection risks. The research can prove effective in development of a ransomware decryptor which can be used to recover data after an attack has encrypted the files.

A Neural Network-Based Approach for Cryptographic Function Detection in Malware

Cryptographic technology has been commonly used in malware for hiding their static characteristics and malicious behaviors to avoid the detection of anti-virus engines and counter the reverse analysis from security researchers. The detection of cryptographic functions in an effective way in malware has vital significance for malicious code detection and deep analysis. Many efforts have been made to solve this issue, while existing methods suffer from some issues, such as unable to achieve promising results in accuracy, limited by prior knowledge, and have a high overhead. In this paper, we draw on the idea of text classification in the field of natural language processing and propose a novel neural network to detect the type of cryptographic functions. The new network is an end-2-end model which includes two important modules: Instruction-2-vec and K-Max-CNN-Attention. The Instruction-2-vec model extracts the “words” of assembly instructions and transfers them into continuous vectors. The K-Max-CNN-Attention is used to encode the instruction vectors and generate the representation of the function. And we designed a softmax classifier to predict the categories of the functions. Extensive experiments were conducted on a collected dataset which contains 15 common types of cryptographic functions extracted from malware, to assess the validity of the proposed approach. The experiment results showed that the proposed approach archives a better performance than the recent embedding network SAFE with the Precision, Recall and F1-score of 0.9349, 0.8933 and 0.9020, respectively. We also compared it with four widely-used tools, the results demonstrated that our approach is much better in accuracy and effectiveness than all of them.

Bug Bounty Marketplaces and Enabling Responsible Vulnerability Disclosure

Cybercrime caused by exploited vulnerabilities bears a huge burden on societies. Most of these vulnerabilities are detectable, and the damage is preventable if software vendors and firms that deploy such software adopt right practices. Bug Bounty Programs (BBPs) by vendors and intermediaries are one of the most important creations in recent years, that helps software vendors to create marketplaces and to detect and prevent such exploits. This article develops the theory of BBPs and present a typology of BBPs using established theories of incentive compatibility and mechanism design. The authors empirically analyze the market creation function of BBPs using granular data from two different types of BBPs on a popular intermediary platform. The research findings suggest that BBPs are valuable opportunities to source vulnerabilities in software; nevertheless, the rate of disclosure and hacker participation marginally increases with vendor's rewards and other incentives. Similarly, the results show that security researchers are motivated to contribute to BBPs that offer higher remuneration and not just those programs with a higher likelihood for bug discovery. Our findings will help researchers and practitioners in information security and allied domains to develop a theoretical and empirical perspective of BBPs, and their usefulness to curb incidents of cybercrime.

Evaluation of N-Gram Based Multi-Layer Approach to Detect Malware in Android

Abstract N-gram techniques usually used in Natural Language Processing (NLP). Those techniques along with stacked generalization has been experimented and assessed in the field of android malware detection. Beacuse of the rapidly growing of android users, android malware has become most popular among the attackers. Android malware has become gigantic topics in information security. Various security researchers have already started to propose intelligency based android malware detection. In this paper, a details investigation has been performed to evaluate the effectiveness of unigram, bigram and trigram with stacked generalization. It’s been found that with stacking, unigram provides more than 97% of accuracy which is highest detection rate against bigram and trigram. In level 1, Extra Tree (ET), Random Forest (RF) and Gradient Boosting (GB) are used. As a final predictor and meta estimator eXtreme Gradient Boosting (XGBoost) is used. A strong basement to use n-gram techniques in developing android malware detection has been determined from this study.

WoT Communication Protocol Security and Privacy Issues

In this paper, we have proposed a novel approach for the prevention of the Internet of Things (IoT) from fake devices and highlighted privacy issues by using third party Application Program Interface (RestAPI) in Web of Things (WoT). For the ease of life, the usage of IoT devices, sensors, and Radio-Frequency Identifications (RFIDs) increased rapidly. Such as in transport for monitoring vehicles, taxi services, healthcare for patient’s health condition monitoring, smart cars, smart grids, and smart homes, etc. Due to this for financial gain attackers are targeting these networks or protocol and adversaries are trying to damage the reputation of the organization or to steal intellectual property. From the last two decades or more, the injection vulnerabilities are more threatening security risks for the web application still exists. The new security challenges occur for the security professional or security researchers in the form of IoT or WoT (Web of Things) communication protocols implementation. These protocol Message Queuing Telemetry Transport (MQTT), Constrained Application Protocol (CoAP), WebSockets, and RestAPI have a different type of security issues. Respectively insertion of fake devices, authentication is not implemented in WebSocket connections, and user’s privacy can be leaked with the use of RestAPI without its validation. We have developed a program in Personal Home Pages (PHP) for the detection of new devices in the IoT network. With this, the user’s privacy and data will be protected along with some critical security issues of WoT underlying protocols.

Cyber Security Defence Policies: A Proposed Guidelines for Organisations Cyber Security Practices

Many organisations have been struggling to defend their cyberspace without a specific direction or guidelines to follow and they have described and identified cyber attack as a devastating potential on business operation in a broader perspective. Since then, researchers in cyber security have come out with numerous reports on threats and attack on organisations. This study is conducted to develop and propose a Cyber Security Defence Policies (CSDP) by harmonising and synthesizing the existing practices identified from the literature review. Observation and questionnaire were adopted to evaluate, review and collect data under ethical agreement from 10 organisations. The validation is based on the principal components for the proposed CSDP and the proposed CSDP, using SPSS as the statistical tool. The result shows that, the validation of the proposed CSDP by 20 experts reveals a standard deviation of 0.607, 0.759, 0.801, 0.754, 0.513, 0.587 and 0.510 on each of the principal components without a missing value respectively. While the correlation matrix and the reproduced correlation matrix for the proposed CSDP indicated 61% and the percentage of acceptance on the principal components for the proposed CSDP are higher than 50%. Therefore, from the outcome, it has shown that the acceptance responds towards the proposed CSDP and the result from the principal components analysis (eigenvalue analysis) are significant enough for implementation and can be adopted by organisations as a guidelines for organisation cyber security practices.

TikTok dangers

The TikTok video-sharing platform is coming under intense scrutiny after the US Government declared it a security risk and researchers unveiled a number of vulnerabilities.

INFORMATION SECURITY AS A COMPONENT OF ECONOMIC SECURITY OF BUSINESS ENTITIES

The article is devoted to the definition and substantiation of the role of the information component in the economic security of the business entity. The object of study is the economic, managerial and regulatory processes of the subject of economic activity in its operation under the influence of destabilizing factors. The subject of the study are the theoretical foundations of economic security of the business entity. It is determined that the strengthening of the role of the information component in ensuring economic security is due to digitalization, informatization and globalization of business processes. It is claimed that the use of the results of scientific and technological progress causes the emergence of new types, tools and products of business, accelerates production processes, intensifies trade and exchange. With the development of new technologies, the number of incidents related to information leaks and cyberattacks in various fields: in financial and media companies, in the field of nuclear energy and others increases with geometric dependence. It is emphasized that a significant part of companies does not pay enough attention to the creation of full-fledged protection systems. It is determined that with the participating enterprise is not only a technical and technological complex for the production of material goods and services. Most economic security researchers view the enterprise primarily as an association of individuals to achieve a common goal. The staff of the enterprise is both a factor of production and a source of its development. It is emphasized that together with a large number of positive effects of the introduction of new technologies opens up many opportunities to harm business. In this case, the subjective factor in information security plays a crucial role, and can both harm the business and lead to its prosperity. Due to the fact that the issues of information security of economic entities as a component of their economic security have long gone beyond sectoral problems and require further careful study at the level of the state and society as a whole.

A Systematic State-of-the-Art Analysis of Multi-Agent Intrusion Detection

Multi-agent architectures have been successful in attaining considerable attention among computer security researchers. This is so, because of their demonstrated capabilities such as autonomy, embedded intelligence, learning and self-growing knowledge-base, high scalability, fault tolerance, and automatic parallelism. These characteristics have made this technology a de facto standard for developing ambient security systems to meet the open and dynamic nature of today’s online communities. Although multi-agent architectures are increasingly studied in the area of computer security, there is still not enough empirical evidence on their performance in intrusions and attacks detection. The aim of this paper is to report the systematic literature review conducted in the context of specific research questions, to investigate multi-agent IDS architectures to highlight the issues that affect their performance in terms of detection accuracy and response time. We used pertinent keywords and terms to search and retrieve the most recent research studies, on multi-agent IDS architectures, from the major research databases and digital libraries such as SCOPUS, Springer, and IEEE Explore. The search processes resulted in a number of studies; among them, there were journal articles, book chapters, conference papers, dissertations, and theses. The obtained studies were assessed and filtered out, and finally, there were over 71 studies chosen to answer the research questions. The results of this study have shown that multi-agent architectures include several advantages that can help in the development of ambient IDS. However, it has been found that there are several issues in the current multi-agent IDS architectures that may degrade the accuracy and response time of intrusions and attacks detection. Based on our findings, the issues of multi-agent IDS architectures include limitations in the techniques, mechanisms, and schemes used for multi-agent IDS adaptation and learning, load balancing, scalability, fault-tolerance, and high communication overhead. It has also been found that new measurement metrics are required for evaluating multi-agent IDS architectures.

An Efficient Malware Detection System using Hybrid Feature Selection Methods

Malware is a serious threat to individuals and users. The security researchers present various solutions, striving to achieve efficient malware detection. Malware attackers devise detection avoidance techniques to escape from detection systems. The key challenge is that growth of malware increases every hour, leading to large damages to users’ privacy. The training process takes much longer time, mining the unnecessary features. Feature Selection is effective in achieving unique feature set in detecting malware. In this paper, we propose a malware detection system using hybrid feature selection approach to detect malware efficiently with a reduced feature set. Machine learning based classification is performed on eight classifiers with two malware datasets. The experiments were done without and with feature selection. The empirical results show that the classification using selected feature set and XGB classifier identifies malware efficiently with an accuracy of 98.9% and 99.26% for the two datasets.

DptCry: an approach to decrypting ransomware WannaCry based on API hooking

Recently, the wanton outbreak of ransomware WannaCry caused great harm to the network users. How to prevent and decrypt ransomware WannaCry brings a big challenge to security practitioners and researchers. In this paper, we first study the detailed encryption and decryption process of ransomware WannaCry, and then propose a novel method called dptCry to decrypt and free the damaged data. dptCry monitors and tracks all the running processes of an operating system, performs API hooking for key operations, records key information with the customized hook functions. When ransomware WannaCry infected, Using the recorded key information, dptCry can decrypt the damaged files. Our experimental results show that dptCry can be effectively used to mitigate users from the damages caused by WannaCry. dptCry can also be applied to other ransomware using similar mechanisms.

A Framework for Vietnamese Email Phishing Detection

Currently, the attacks on network information systems are increasing rapidly in number and level of danger. Phishing email distribution method is widely used by hackers today. This is an attacking technique that exploits human behaviors in the system. This type of attack, though it is not too complicated, becomes very effective for attackers if users are unaware of information security and unable to identify phishing emails. This attack is particularly more commonly effective in developing countries where the information security is still overlooked. As a result, email phishing detection problem has become a hot topic for information security researchers. There have been some published methods to detect phishing emails on given email attacking datasets. However, one of the important issues in email phishing detection relates to the language used in emails. Each particular language used in different emails may lead to a different phising detection approach. In this article, a Vietnamese email phishing detection system is investigated. The research includes a feature selection method and a combination of machine learning algorithms to improve the performance of phishing email detection in Vietnamese language. The proposed method is evaluated using two datasets. The first dataset includes phishing emails from Vietnamese collected from Vietnamese volunteers. The second dataset is the widely used English emails as introduced in [16,17]. The experimental results show that our method is applicable for real Vietnamese email phishing detection systems.

Machine Learning Based Intrusion Detection Systems for IoT Applications

Internet of Things (IoT) and its applications are the most popular research areas at present. The characteristics of IoT on one side make it easily applicable to real-life applications, whereas on the other side expose it to cyber threats. Denial of Service (DoS) is one of the most catastrophic attacks against IoT. In this paper, we investigate the prospects of using machine learning classification algorithms for securing IoT against DoS attacks. A comprehensive study is carried on the classifiers which can advance the development of anomaly-based intrusion detection systems (IDSs). Performance assessment of classifiers is done in terms of prominent metrics and validation methods. Popular datasets CIDDS-001, UNSW-NB15, and NSL-KDD are used for benchmarking classifiers. Friedman and Nemenyi tests are employed to analyze the significant differences among classifiers statistically. In addition, Raspberry Pi is used to evaluate the response time of classifiers on IoT specific hardware. We also discuss a methodology for selecting the best classifier as per application requirements. The main goals of this study are to motivate IoT security researchers for developing IDSs using ensemble learning, and suggesting appropriate methods for statistical assessment of classifier’s performance.

Better together: Comparing vulnerability prediction models

Abstract Context Vulnerability Prediction Models (VPMs) are an approach for prioritizing security inspection and testing to find and fix vulnerabilities. VPMs have been created based on a variety of metrics and approaches, yet widespread adoption of VPM usage in practice has not occurred. Knowing which VPMs have strong prediction and which VPMs have low data requirements and resources usage would be useful for practitioners to match VPMs to their project’s needs. The low density of vulnerabilities compared to defects is also an obstacle for practical VPMs. Objective The goal of the paper is to help security practitioners and researchers choose appropriate features for vulnerability prediction through a comparison of Vulnerability Prediction Models. Method We performed replications of VPMs on Mozilla Firefox with 28,750 source code files featuring 271 vulnerabilities using software metrics, text mining, and crash data. We then combined features from each VPM and reran our classifiers. Results We improved the F-score of the best VPM (.20 to 0.28) by combining features from three types of VPMs and using Naive Bayes as the classifier. The strongest features in the combined model were the number of times a file was involved in a crash, the number of outgoing calls from a file, and the string “nullptr”. Conclusion Our results indicate that further work is needed to develop new features for input into classifiers. In addition, new analytic approaches for VPMs are needed for VPMs to be useful in practical situations, due to the low density of vulnerabilities in software (less than 1% for our dataset).