Threat Behavior Research Articles

SD-ABM-ISM: An integrated system dynamics and agent-based modeling framework for information security management in complex information systems with multi-actor threat dynamics

The increasing complexity and dynamic nature of modern Information Systems (IS) and evolving cybersecurity threats pose significant challenges for organizations in managing information security. Traditional methods often focus on isolated security aspects, failing to capture the intricate interdependencies between internal and external threats, vulnerabilities, and defensive strategies. These limitations necessitate a holistic approach that can comprehensively model and analyze the interactions within IS environments. Motivated to address these research gaps, we developed SD-ABM-ISM, a multi-method framework integrating System Dynamics (SD) and Agent-Based Modeling (ABM). This framework is designed to capture the complex dynamics of IS, incorporating insider and outsider threats and their interactions with defensive measures. SD-ABM-ISM enables an in-depth examination of how various threat actors impact security outcomes and how proactive and reactive investment strategies influence the resilience of the IS. The proposed framework provides a unique approach to understanding multi-actor threat dynamics and their effect on IS over time, facilitating informed decision-making for security investments. The framework offers a robust tool for security decision-makers, enabling organizations to align their security strategies with the evolving threat surface and enhance their resilience against cyberattacks. The detailed simulation and statistical analysis identify the influential elements in the IS over time, highlighting the impact of interactions between insider threats, outsider threats, and the IS itself in an environment characterized by high uncertainty and diverse threat behaviors. The insights from these interactions demonstrate how coordinated threats from multiple actors can amplify vulnerabilities while effective security measures can mitigate these risks. Considering proactive and reactive security investment strategies, SD-ABM-ISM provides a dynamic and cost-effective security investment strategy to protect IS from adversaries with various behaviors.

Predictive IoT-AI Model for Cyber Threat Detection in Smart Healthcare Environments

Abstract The rise of IoT-based smart healthcare environments has escalated the demand for robust and efficient cyber threat detection mechanisms, given the critical nature of these systems and their susceptibility to evolving cyber-attacks. This research presents the design of a predictive IoT-AI approach for cyber threat detection, leveraging the NSL-KDD dataset for comprehensive training and evaluation. Moreover, the existing methods demonstrates excessive computational time due to its high complexity in feature extraction and sequence modeling. In this study, the proposed model combines Convolutional Neural Network (CNN) layers for spatial feature extraction with a Gated Recurrent Unit (GRU) in the intermediate layers to capture temporal patterns and evolving threat behaviours. The combination of CNN and GRU utilizes the benefits of both models: CNNs for precise feature representation and GRUs for sequence modeling, thereby enabling the identification of sophisticated and emerging cyber threats. This hybrid architecture is optimized to attain high accuracy while retaining computational efficiency, ensuring real-time applicability in IoT-enabled healthcare systems. Through meticulous design and rigorous testing, the proposed algorithm achieved an impressive accuracy of 98%, underlining its capability to effectively and reliably detect a broad spectrum of cyber threats. The experimental results not only validate the efficacy of the CNN-GRU hybrid model but also highlight its scalability and robustness in real-world healthcare IoT applications. This exceptional accuracy underscores the model’s ability as a practical and dependable solution for safeguarding sensitive patient data and critical medical infrastructures against evolving cybersecurity challenges.

Swarm Learning and Knowledge Distillation Empowered Self-Driving Detection Against Threat Behavior for Intelligent IoT

Swarm Learning and Knowledge Distillation Empowered Self-Driving Detection Against Threat Behavior for Intelligent IoT

A systematic review of literature on homicide followed by suicide and mental state of perpetrators.

Homicide followed by suicide is rare, devastating and perpetrated worldwide. It is commonly assumed that the perpetrator had a mental disorder, raising concomitant questions about prevention. Though events have been reported, there has been no previous systematic review of the mental health of perpetrators. Our aims were twofold. First, to identify whether there are recognisable subgroups of homicide-suicides in published literature and, secondly, to investigate the relationship between perpetrator mental state and aspects of the incident. We conducted a systematic review of published literature on studies of homicide followed within 24h by suicide or serious suicide attempt that included measures of perpetrator mental state. Sixty studies were identified, most from North America or Europe. Methodologically, studies were too heterogeneous for meta-analysis. They fell into three main groups: family, mass shooter, and terrorist with an additional small mixed group. There was evidence of mental illness in a minority of perpetrators; its absence in the remainder was only partially evidenced. There was no clear association between any specific mental illness and homicide-suicide type, although depression was most cited. Social role disjunction, motive, substance misuse and relevant risk or threat behaviours were themes identified across all groups. Pre-established ideology was relevant in the mass shooter and terrorism groups. Prior trauma history was notable in the terrorist group. Research data were necessarily collected post-incident and in most cases without a standardised approach, so findings must be interpreted cautiously. Nevertheless, they suggest at least some preventive role for mental health professionals. Those presenting to services with depression, suicidal ideation, relationship difficulties and actual, or perceived, changes in social position or role would merit detailed, supportive assessment over time.

A systematic literature review on advanced persistent threat behaviors and its detection strategy

Abstract Advanced persistent threats (APTs) pose significant security-related challenges to organizations owing to their sophisticated and persistent nature, and are inimical to the confidentiality, integrity, and availability of organizational information and services. This study systematically reviews the literature on methods of detecting APTs by comprehensively surveying research in the area, identifying gaps in the relevant studies, and proposing directions for future work. The authors provide a detailed analysis of current methods of APT detection that are based on multi-stage attack-related behaviors. We adhered to the Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) guidelines and conducted an extensive search of a variety of databases. A total of 45 studies, encompassing sources from both academia and the industry, were considered in the final analysis. The findings reveal that APTs have the capability to laterally propagate and achieve their objectives by identifying and exploiting existing systemic vulnerabilities. By identifying shortcomings in prevalent methods of APT detection, we propose integrating the multi-stage attack-related behaviors of APTs with the assessment of the presence of vulnerabilities in the network and their susceptibility to being exploited in order to improve the accuracy of their identification. Such an improved approach uses vulnerability scores and probability metrics to determine the probable sequence of targeted nodes, and visualizes the path of APT attacks. This technique of advanced detection enables the early identification of the most likely targets, which, in turn, allows for the implementation of proactive measures to prevent the network from being further compromised. The research here contributes to the literature by highlighting the importance of integrating multi-stage attack-related behaviors, vulnerability assessment, and techniques of visualization for APT detection to enhance the overall security of organizations.

A Survey on Explainable Artificial Intelligence for Cybersecurity

The black-box nature of artificial intelligence (AI) models has been the source of many concerns in their use for critical applications. Explainable Artificial Intelligence (XAI) is a rapidly growing research field that aims to create machine learning models that can provide clear and interpretable explanations for their decisions and actions. In the field of network cybersecurity, XAI has the potential to revolutionize the way we approach network security by enabling us to better understand the behavior of cyber threats and to design more effective defenses. In this survey, we review the state of the art in XAI for cybersecurity in network systems and explore the various approaches that have been proposed to address this important problem. The review follows a systematic classification of network-driven cybersecurity threats and issues. We discuss the challenges and limitations of current XAI methods in the context of cybersecurity and outline promising directions for future research.

Explainable cyber threat behavior identification based on self-adversarial topic generation

Cyber Threat Intelligence (CTI) provides ample evidence and information regarding the detection of cyber attack activities. Existing methods employ CTI reports to extract Tactics, Techniques and Procedures (TTPs) for attack detection. Nevertheless, these methods are challenged in providing necessary and sufficient evidentiary support for recognition decisions, making it difficult for human operators to comprehend and accept the decision-making process. This paper proposes a topic prototype-based explainable TTPs classification approach, which provides accurate boundaries for key evidences to justify the results of TTPs classification. The proposed method introduces a self-adversarial framework for obtaining necessary and sufficient evidence for TTPs classification. The framework consists of an evidence generator and a TTPs classifier discriminator. The evidence generator utilizes a topic prototype-based keyword importance filtering method to extract evidence from CTI text while removing noise, resulting in an evidence set and a perturbation set. Subsequently, the impact of the evidence set and the perturbation set on TTPs classification is assessed using our siamese discriminator. The discriminator is specifically trained to ensure that only the elements belonging to the evidence set are accurately classified as TTPs information. The experiments primarily test the necessity and sufficiency of TTPs and evidence. In the sufficiency evaluations, classical deep learning methods are used for TTPs classification to verify the accuracy of the results, where the proposed method improves the Micro F1 scores by 0.16% to 6.63% and Macro F1s by 0.26% to 6.85%. To prove necessity, various case-based explainable methods are used to measure the completeness of CTI evidence. The results shows that the proposed method is able to obtain more stable prediction, more reasonable evidence sets, and more significant boundaries.

Adaptive fuzzy based threat evaluation method for air and missile defense systems

Threat evaluation is a vital process in air and missile defense systems. The reliable output of threat evaluation is essential in order to use sensor and weapon resources efficiently. Fuzzy rule-based system has been proven to be effective and widely used in threat evaluation decision support systems in air defense applications since it can model expert human knowledge. Creating this fuzzy rule-based system that reflects user behavior requires constructing fuzzy rules increasing exponentially with the number of fuzzy variables and the membership functions and subsequently manually tuning according to expected results. Building such a system is not only time-consuming but also difficult to adapt to changes of threat behavior in different operational contexts. In this paper, a methodology for automated generation and tuning of the fuzzy rule-based system has been proposed starting from a survey applied to air defense field experts to context-dependent near real-time adaptive tuning via interaction with the user during operation. The applicability of the proposed method is presented with numerical performance results using a survey applied to a group of air defense operators. Additionally, the effect of the context-dependent adaptive fuzzy rule-based tuning process is explored for different operational contexts.

Morphological characteristics convey social status signals in captive tree sparrows (Passer montanus).

In social animals that form flocks, individuals compete or cooperate to gain access to shared resources. In particular, group-foraging individuals frequently engage in aggressive interactions with conspecifics, including threat displays and physical attacks, in order to acquire food resources. Here, we investigated social interactions in flocks of captive tree sparrows (Passer montanus) to observe the formation of dominance hierarchies. We also examined correlations between social status and morphological traits to identify which physical traits act as indicators of dominance. To do so, we recorded aggressive behaviours (attacks and threats) of tree sparrows caught in two distinct regions in the Republic of Korea (Gwangju and Gurye). After merging the two groups, we examined dominance structures using David's scores for one month, and we recorded 1,051 aggressive interactions at a feeder in a group of 19 individuals. Using the number of aggressions and attack and threat behaviours, we tested whether morphological traits and sex influenced dominance structures. Aggressions were significantly more frequent in males than in females. However, no significant difference was observed the frequency of between- and within-sex aggression. In addition, differences in the frequency of aggression behaviours were observed between capture-site groups. Dominance structure was significantly correlated with certain morphological traits; specifically, the frequency of attacking behaviours was correlated with bill-nose length, and the frequency of threat displays was correlated with sex and badge size. These results suggest that social signals are closely related to morphological traits that are used to form dominance hierarchies in tree sparrow flocks.

Attack Behavior Extraction Based on Heterogeneous Cyberthreat Intelligence and Graph Convolutional Networks

The continuous improvement of the cyber threat intelligence sharing mechanism provides new ideas to deal with Advanced Persistent Threats (APT). Extracting attack behaviors, i.e., Tactics, Techniques, Procedures (TTP) from Cyber Threat Intelligence (CTI) can facilitate APT actors’ profiling for an immediate response. However, it is difficult for traditional manual methods to analyze attack behaviors from cyber threat intelligence due to its heterogeneous nature. Based on the Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) of threat behavior description, this paper proposes a threat behavioral knowledge extraction framework that integrates Heterogeneous Text Network (HTN) and Graph Convolutional Network (GCN) to solve this issue. It leverages the hierarchical correlation relationships of attack techniques and tactics in the ATT&CK to construct a text network of heterogeneous cyber threat intelligence. With the help of the Bidirectional Encoder Representation from Transformers (BERT) pretraining model to analyze the contextual semantics of cyber threat intelligence, the task of threat behavior identification is transformed into a text classification task, which automatically extracts attack behavior in CTI, then identifies the malware and advanced threat actors. The experimental results show that F1 achieve 94.86% and 92.15% for the multi-label classification tasks of tactics and techniques. Extend the experiment to verify the method’s effectiveness in identifying the malware and threat actors in APT attacks. The F1 for malware and advanced threat actors identification task reached 98.45% and 99.48%, which are better than the benchmark model in the experiment and achieve state of the art. The model can effectively model threat intelligence text data and acquire knowledge and experience migration by correlating implied features with a priori knowledge to compensate for insufficient sample data and improve the classification performance and recognition ability of threat behavior in text.

A Graph Theory Based Self-Learning Honeypot to Detect Persistent Threats

Attacks on the cyber space is getting exponential in recent times. Illegal penetrations and breaches are real threats to the individuals and organizations. Conventional security systems are good enough to detect the known threats but when it comes to Advanced Persistent Threats (APTs) they fails. These APTs are targeted, more sophisticated and very persistent and incorporates lot of evasive techniques to bypass the existing defenses. Hence, there is a need for an effective defense system that can achieve a complete reliance of security. To address the above-mentioned issues, this paper proposes a novel honeypot system that tracks the anonymous behavior of the APT threats. The key idea of honeypot leverages the concepts of graph theory to detect such targeted attacks. The proposed honeypot is self-realizing, strategic assisted which withholds the APTs actionable techniques and observes the behavior for analysis and modelling. The proposed graph theory based self learning honeypot using the results γ(C(n,1)),γc (C(n,1)), γsc (C(n,1)) outperforms traditional techniques by detecting APTs behavioral with detection rate of 96%.

Exposing the darkness within: A review of dark personality traits, models, and measures and their relationship to insider threats

Insider threats are a pernicious threat to modern organizations that involve individuals intentionally or unintentionally engaging in behaviors that undermine or abuse information security. Previous research has established that personality factors are an important determinant of the likelihood that an individual will engage in insider threat behaviors. The present article asserts that dark personality traits, non-clinical personality characteristics that are typically associated with patterns of anti-social and otherwise noxious interpersonal behaviors, may be particularly useful for understanding and predicting insider threat behaviors. Although some relationships between insider threats and dark traits have been documented, most attention has been devoted to a limited subset of dark traits. To address this issue, we critically review contemporary models of dark traits and their potential value for understanding both malicious and non-malicious insider threats, supplemented by discussions of subject matter expert ratings concerning the relevance of dark traits for both insider threat behaviors and cybersecurity personnel job performance. We then review potential assessment issues and provide evidence of possible moderators for the relationships under investigation. Finally, we develop avenues for future research, an agenda for improving the measurement of dark traits, and guidance for how organizations may implement the assessment of dark traits in their organizational processes.

Rhesus monkey sociality is stable across time and linked to variation in the initiation but not receipt of prosocial behavior.

Rhesus monkeys and humans are highly social primates, yet both species exhibit pronounced variation in social functioning, spanning a spectrum of sociality. Naturally occurring low sociality in rhesus monkeys may be a promising construct by which to model social impairments relevant to human autism spectrum disorder (ASD), particularly if low sociality is found to be stable across time and associated with diminished social motivation. Thus, to better characterize variation in sociality and social communication profiles, we performed quantitative social behavior assessments on N = 95 male rhesus macaques (Macaca mulatta) housed in large, outdoor groups. In Study 1, we determined the social classification of our subjects by rank-ordering their total frequency of nonsocial behavior. Monkeys with the greatest frequency of nonsocial behavior were classified as low-social (n = 20) and monkeys with the lowest frequency of nonsocial behavior were classified as high-social (n = 21). To assess group differences in social communication profiles, in Study 2, we quantified the rates of transient social communication signals, and whether these social signals were initiated by or directed towards the focal subject. Finally, in Study 3, we assessed the within-individual stability of sociality in a subset of monkeys (n = 11 low-social, n = 11 high-social) two years following our initial observations. Nonsocial behavior frequency significantly correlated across the two timepoints (Studies 1 and 3). Likewise, low-social versus high-social classification accurately predicted classification two years later. Low-social monkeys initiated less prosocial behavior than high-social monkeys, but groups did not differ in receipt of prosocial behavior, nor did they differ in threat behavior. These findings indicate that sociality is a stable, trait-like characteristic and that low sociality is linked to diminished initiation of prosocial behavior in rhesus macaques. This evidence also suggests that low sociality may be a useful construct for gaining mechanistic insight into the social motivational deficits often observed in people with ASD.

Advanced Persistent Threat intelligent profiling technique: A survey

With the boom in Internet and information technology, cyber-attacks are becoming more frequent and sophisticated, especially Advanced Persistent Threat (APT) attacks. Unlike traditional attacks, APT attacks are more targeted, stealthy, and adversarial, rendering it challenging to manually analyze threat behaviors for APT detection, attribution, and response. Therefore, the research community has focused on intelligent defense methods. Intelligent threat profiling is dedicated to analyzing APT attacks and improving defense capability with Knowledge Graph and Deep Learning methods. With this insight, this paper provides the first systematic review of intelligent threat profiling techniques for APT attacks, covering three aspects: data, methods, and applications. The contents include data processing techniques, threat modeling, representation, reasoning methods, etc. Furthermore, this paper summarizes the latest research in applications, proposes the research framework and technical architecture, and provides insights into future research trends. This paper contributes to recognizing the advantages and challenges of intelligent threat profiling. It paves the way for integrating knowledge graphs and deep learning to achieve intelligent security.

Critical Comments on Selected Criminal Decisions: Force and Threat Behavior of Coercion

Critical Comments on Selected Criminal Decisions: Force and Threat Behavior of Coercion

TOXIC BEHAVIORS IN SOCIAL MEDIA: AN ANALYSIS OF RAPPORT THREAT BEHAVIORS IN SOCIAL MEDIA INTERACTIONS

Toxic Behaviors are what people do that irritate, annoy, or cause unpleasant feeling to others. These behaviors may cause other people to be depressed, angry, furious, sad, and anxious. In Rapport Management (Spencer-Oatey, 2000), these toxic behaviors are known as rapport threat behaviors since this kind of behaviors can threaten other people interpersonal rapport which is essential for harmonizing relationships between people. The main purpose of this study was to analyze these threatening behaviors to rapport in social media interactions. Social media interactions are the interactions found in social media platforms such as Facebook, Instagram, Twitter, MySpace, and other platforms. The sample for this study was the interactions in two social media platforms which are Facebook and Instagram. The study found that there are several rapport threat behaviors in the two social media platforms interactions. The rapport threat behaviors are accusations, insults, trash talks, the inappropriate use of emoji, the use of all capitalized letters and misunderstanding context and the captions of certain posts.

Glyphosate increases anxiety‐like behavior and threat response to novel neutral stimuli

Glyphosate is the active ingredient in the most used herbicides worldwide. Glyphosate was initially considered safe for mammals because it acts by inhibiting a metabolic route that is not present in mammals. Recent studies have correlated an increase in the diagnosis of anxiety with the increased use of glyphosate. Studies in rodents have shown that high doses of glyphosate increase anxiety‐like behaviors. Glyphosate exposure is regulated by the Environmental Protection Agency, which has established a chronic reference dose for glyphosate of 2.0mg/kg daily. The effect of this dose on anxiety has not been explored. Therefore, we aimed to assess the effect of prolonged oral consumption of glyphosate‐contaminated drinking water on anxiety‐like behaviors. Furthermore, we also aim to assess the effect of glyphosate on threat behaviors in response to novel, neutral stimuli. To achieve this, rats were given access to glyphosate‐contaminated drinking water ad libitum. Water was prepared for a target dose of 2.0mg/kg daily. Control rats received filtered drinking water. No differences were observed in the volume of water consumed. After 4 weeks of exposure, we assessed for anxiety‐like behavior using the open field test. No difference was observed in the amount of time spent in the center (glyphosate: 40.42.68, control: 49.01; p = 0.2601). After an additional 10 weeks of exposure, anxiety‐like behavior was reassessed in the elevated plus maze. Here, glyphosate decreased the time spent in the open arms (glyphosate: 48.95, control: 103.7; p=0.0104). Next, after 4 more weeks of exposure, animals were assessed for threat response in an open field containing a novel object in the center. Glyphosate decreased time spent exploring the novel object (glyphosate: 44.35, control: 89.69; p=0.0365). Lastly, after a total of 16 weeks of exposure, animals were exposed to 5 repetitions of a novel auditory tone (30s, 4kHz, 77dB; 3 min intertrial interval) within a familiar context to further explorer threat response. Threat response was measured as time spent freezing during the tone. We observed that glyphosate increased overall freezing to a novel tone (glyphosate: 14.05, control: 4.949; p=0.0201). For these reasons, we conclude that glyphosate exposure increases anxiety‐like behaviors as well as negative valence interpretation of different types of neutral, novel stimuli. Future directions include performing immunohistochemistry on brain regions involved in anxiety‐like behaviors such as the basolateral amygdala and bed nucleus of the stria terminalis.

MITIGATING RAPPORT THREATS ON SOCIAL MEDIA

This study aims to find out the strategies applied by people on social media in mitigating rapport threat behaviors and tries to formulate the rapport building behaviors from the applied strategies. The research is done to see whether the strategies work well in rapport threatening atmosphere in various situations taken from social media interactions. The data for this study were obtained from a number of online chats and discussion on several social media apps such as, Facebook, Whatsapp, Youtube and Instagram. The interactions were some chats, comments, discussion and arguments in Bahasa Indonesia. The data were taken from the interactions that cause offenses or threat on the interpersonal rapport of the people chatting on the social media. The method applied for this study is descriptive qualitative to identify the people’s strategies on social media to mitigate some rapport threat behaviors in the social media interactions. The study shows that people apply a number of strategies to mitigate the threats to the interpersonal rapport. The strategies are apologizing, complimenting, expressing gratitude, using emoji, using honorifics to address others, choosing the appropriate words, choosing the relevant topic and organizing information to be told to others. It is clearly shown from the study that there are a number of rapport threat behaviors in social media interactions but the people interacting on the social media have certain strategies which in turn become the rapport building behaviors to mitigate the threat.

It’s a man’s world; right? How women’s opinions about gender inequality affect physiological responses in men

In two experiments, we examined how men respond to women who either challenge or legitimize societal gender inequality, and how gender identification moderates these responses. We hypothesized that men feel less threatened by women who legitimize (vs. challenge) the gender hierarchy, and evaluate these women more positively. To investigate these expectations, we assessed self-reports (Studies 1 and 2) and cardiovascular threat/challenge responses (Study 2). Both studies showed that men experience less negative emotions when presented with a woman who legitimized (vs. challenged) the gender hierarchy. Moreover, among men with a relatively high gender identification, a woman who challenged the gender hierarchy elicited a physiological response pattern indicative of threat, whereas a woman who legitimized the gender hierarchy elicited a pattern indicative of challenge. Results are discussed in terms of social identity theory, status threat, and self-distancing behavior.

SmartValidator: A framework for automatic identification and classification of cyber threat data

A wide variety of Cyber Threat Information (CTI) is used by Security Operation Centres (SOCs) to perform validation of security incidents and alerts. Security experts manually define different types of rules and scripts based on CTI to perform validation tasks. These rules and scripts need to be updated continuously due to evolving threats, changing SOCs’ requirements and dynamic nature of CTI. The manual process of updating rules and scripts delays the response to attacks. To reduce the burden of human experts and accelerate response, we propose a novel Artificial Intelligence (AI) based framework, SmartValidator. SmartValidator leverages Machine Learning (ML) techniques to enable automated validation of alerts. It consists of three layers to perform the tasks of data collection, model building and alert validation. It projects the validation task as a classification problem. Instead of building and saving models for all possible requirements, we propose to automatically construct the validation models based on SOC’s requirements and CTI. We built a Proof of Concept (PoC) system with eight ML algorithms, two feature engineering techniques and 18 requirements to investigate the effectiveness and efficiency of SmartValidator. The evaluation results showed that when prediction models were built automatically for classifying cyber threat data, the F1-score of 75% of the models were above 0.8, which indicates adequate performance of the PoC for use in a real-world organization. The results further showed that dynamic construction of prediction models required 99% less models to be built than pre-building models for all possible requirements. Thus, SmartValidator is much more efficient to use when SOCs’ requirements and threat behaviour are constantly evolving. The framework can be followed by various industries to accelerate and automate the validation of alerts and incidents based on their CTI and SOC’s preferences.