Attack Traces Research Articles

Network intrusion detection using oversampling technique and machine learning algorithms.

The expeditious growth of the World Wide Web and the rampant flow of network traffic have resulted in a continuous increase of network security threats. Cyber attackers seek to exploit vulnerabilities in network architecture to steal valuable information or disrupt computer resources. Network Intrusion Detection System (NIDS) is used to effectively detect various attacks, thus providing timely protection to network resources from these attacks. To implement NIDS, a stream of supervised and unsupervised machine learning approaches is applied to detect irregularities in network traffic and to address network security issues. Such NIDSs are trained using various datasets that include attack traces. However, due to the advancement in modern-day attacks, these systems are unable to detect the emerging threats. Therefore, NIDS needs to be trained and developed with a modern comprehensive dataset which contains contemporary common and attack activities. This paper presents a framework in which different machine learning classification schemes are employed to detect various types of network attack categories. Five machine learning algorithms: Random Forest, Decision Tree, Logistic Regression, K-Nearest Neighbors and Artificial Neural Networks, are used for attack detection. This study uses a dataset published by the University of New South Wales (UNSW-NB15), a relatively new dataset that contains a large amount of network traffic data with nine categories of network attacks. The results show that the classification models achieved the highest accuracy of 89.29% by applying the Random Forest algorithm. Further improvement in the accuracy of classification models is observed when Synthetic Minority Oversampling Technique (SMOTE) is applied to address the class imbalance problem. After applying the SMOTE, the Random Forest classifier showed an accuracy of 95.1% with 24 selected features from the Principal Component Analysis method.

СИСТЕМА ИЗМЕРЕНИЯ ЗАЩИЩЕННОСТИ ИНФОРМАЦИИ И ПЕРСОНАЛЬНЫХ ДАННЫХ ДЛЯ УСТРОЙСТВ ИНТЕРНЕТА ВЕЩЕЙ

The purpose of the article: elimination of the gap in existing need in the set of clear and objective security and privacy metrics for the IoT devices users and manufacturers and an absence of such a set incorporating the interconnected security and privacy metrics, the algorithms for their calculation and generation of the integral clear and objective score by the development of the security and privacy measuring system for the IoT devices. Research method: theoretical and system analysis for determination and classification of the security and privacy metrics, semantic analysis for generating of the semantic model of personal data processing scenarios, analytical modeling methods for generating of the attack traces, log analysis methods, statistical methods and machine learning methods for searching of the anomalies in device behavior, development of the database and software implementing the proposed security and privacy measuring system. The result obtained: the security and privacy measuring system for the IoT devices users and manufacturers is proposed. The proposed system allows automated calculation of the security and privacy metrics based on the available data on the device and generation of the integral security and privacy score. The hierarchy of security and privacy metrics is developed in the scope of the proposed system. The proposed metrics are calculated using static and dynamic data on the device and its behavior. Original algorithms for calculation of the outlined metrics are developed, including the algorithms for calculation of the integral security and privacy score. The architecture of the security measuring system is developed. It integrates the components implementing the developed algorithms for metrics calculation. The system operation is demonstrated on the case study. The area of use of the proposed approach - the developed security and privacy measuring system can be used by the IoT devices manufacturers to analyse their security and privacy, and to provide the users with simple and clear security and privacy metrics. Novelty: the hierarchy of static and dynamic security and privacy metrics for the Internet of Things is developed; the approach to security and privacy assessment for the Internet of Things on the basis of the developed metrics and available data is proposed; novel algorithms for metrics calculation are developed; novel algorithms for integral metrics calculation considering available data are developed. Contribution: Fedorchenko E. – development of the approach, metrics hierarchy, and system architecture, problem statement for the components and their development, Novikova E. – the component for calculation of privacy risks, the component for calculation of integral risk scores, Kotenko I. – project management, problem statement, system architecture, Gaifulina D. – the component for event logs processing and integration, Tushkanova O., Murenin I. – the component for calculation of the dynamic risks score using statistical methods and machine learning, Levshun D. – metrics database, the component for calculation of the static risk score, Meleshko A. – the component for readability assessment, Kolomeets M. – the component for privacy risks assessment on the basis of *.apk files, the component for the dynamic risk score calculation considering attacks traces. All authors participated in the writing of the article.

BCAuth: Physical Layer Enhanced Authentication and Attack Tracing for Backscatter Communications

Backscatter communication (BC) enables ultra-low-power communications and allows devices to harvest energy simultaneously. But its practical deployment faces severe security threats caused by its nature of openness and broadcast. Authenticating backscatter devices (BDs) is treated as the first line of defense. However, complex cryptographic approaches are not desirable due to the limited computation capability of BDs. Existing physical layer authentication schemes cannot effectively support BD mobility, multiple attacker identification and attacker location tracing in an integrated way. To tackle these problems, this paper proposes BCAuth, a multi-stage authentication and attack tracing scheme based on the physical spatial information of BDs to realize enhanced BD authentication security for both static and mobile BDs. After initial authentication based on BD identity with its position information registration, preemptive authentication and re-authentication are performed according to spatial correlation of backscattered signal source locations associated with the BD. By exploiting clustering-based analysis on spacial information, BCAuth is capable of determining the number of attackers and localizing their positions. In addition, we propose a reciprocal channel-based method for BD re-authentication with better authentication performance than the clustering-based method for mobile BDs when the BDs is able to measure received signal strength (RSS), which also enables mutual authentication. We theoretically analyze BCAuth security and conduct extensive numerical simulations with various settings to show its desirable performance.

Seeded Transfer Learning for Enhanced Attack Trace and Effective Deception

Seeded Transfer Learning for Enhanced Attack Trace and Effective Deception

Improving Deep Learning Based Second-Order Side-Channel Analysis With Bilinear CNN

In recent years, deep learning techniques have received significant attention in the side-channel community due to their state-of-the-art performance in profiled attacks against embedded devices. Compared with template attacks, deep learning-based attacks can deal with the high dimensionality of trace and misalignment without pre-processing. However, the performance of attacks is very sensitive to the network architecture, especially when considering masking countermeasures. Although previous works have shown the potential of neural networks to break the first-order masking, the inner-working of how the network combines the leakage of mask and masked value is still unclear and could be suboptimal. To reduce this gap, we propose to embed product combination, which has been proved to be the best combination function in noisy situations, into the design of neural networks. To this end, we introduce a bilinear convolutional neural network (in short, B-CNN) for efficient profiled attacks against the widely used masking countermeasure. In order to interpret the inner-working and decision-making of B-CNN, we propose a new visualization tool called layer-wise correlation that can reveal the points of interest and help to understand the combination of leakages. We evaluate our networks on several public datasets, e.g., ASCAD and CHES CTF 2018. The results indicate that B-CNN converges significantly faster than classic CNN models, even using a very limited number of profiling traces (e.g., 8000 profiling traces for the ASCAD dataset). Moreover, our networks perform even systematically better (w.r.t. the number of attack traces) than the current state-of-the-art results on all the investigated datasets.

Privacy-Preserving Authentication Scheme for Roaming Service in Global Mobility Networks

With the rapid development of mobile intelligent technologies and services, users can freely experience ubiquitous services in global mobility networks. It is necessary to provide authentications and protection to the privacy of mobile users. Until now, many authentication and privacy schemes were proposed. However, most of the schemes have been exposed to some security problems. Recently, Madhusudhan and Shashidhara (M&S) proposed a lightweight authentication scheme, denoted as the M&S scheme, for roaming services in global mobility networks. This paper shows that the M&S scheme has security flaws including two masquerading attacks and a mobile user trace attack. After that, we propose a privacypreserving authentication scheme for global mobility networks. The proposed scheme not only focused on the required security but also added privacy concerns focused on anonymity based on a dynamic pseudonym, which is based on exclusive-or operation, hash operation and symmetric key cryptography. Formal security analysis is performed based on Burrow-Abadi-Needdham (BAN) logic and the ProVerif tool, which concludes that the proposed scheme is secure. The analysis shows that the proposed authentication scheme is secure and provides privacy with a reasonable performance.

An anonymous two-factor authentication protocol for IoT-based applications

Internet of things (IoT) allows people to establish a real-time connection with physical objects. To fulfill this lifelong ambition, the infrastructure of Wireless Sensor Networks (WSNs) plays a pivotal role. However, the public channel that is used by the sensors and users can imperil the security of their connection. Accordingly, many authentication protocol have been proposed to preserve the integrity and confidentiality of the transmitted messages. In this paper, we examine Wu et al.’s protocol as one of the most state-of-the-art protocols and prove that it is susceptible to sensor capture attack, user trace attack, and DoS attack, also it cannot provide forward secrecy. To mitigate these weaknesses, we propose our protocol and analyze that with both formal and informal methods to show that it is secure against various known attacks such as sensor and user trace, sensor capture, offline password guessing, and replay attacks. Finally, we evaluate our protocol in terms of security features and communication and computation costs. The results show that our protocol not only is more secure than other existing protocols but also reduces 62.1% of the computation cost and 30.76% of the communication cost in comparison with the costs of Wu et al.’s protocol.

Cross-Device Profiled Side-Channel Attack with Unsupervised Domain Adaptation

Deep learning (DL)-based techniques have recently proven to be very successful when applied to profiled side-channel attacks (SCA). In a real-world profiled SCA scenario, attackers gain knowledge about the target device by getting access to a similar device prior to the attack. However, most state-of-the-art literature performs only proof-of-concept attacks, where the traces intended for profiling and attacking are acquired consecutively on the same fully-controlled device. This paper reminds that even a small discrepancy between the profiling and attack traces (regarded as domain discrepancy) can cause a successful single-device attack to completely fail. To address the issue of domain discrepancy, we propose a Cross-Device Profiled Attack (CDPA), which introduces an additional fine-tuning phase after establishing a pretrained model. The fine-tuning phase is designed to adjust the pre-trained network, such that it can learn a hidden representation that is not only discriminative but also domain-invariant. In order to obtain domain-invariance, we adopt a maximum mean discrepancy (MMD) loss as a constraint term of the classic cross-entropy loss function. We show that the MMD loss can be easily calculated and embedded in a standard convolutional neural network. We evaluate our strategy on both publicly available datasets and multiple devices (eight Atmel XMEGA 8-bit microcontrollers and three SAKURA-G evaluation boards). The results demonstrate that CDPA can improve the performance of the classic DL-based SCA by orders of magnitude, which significantly eliminates the impact of domain discrepancy caused by different devices.

The Influences of Feature Sets on the Detection of Advanced Persistent Threats

This paper investigates the influences of different statistical network traffic feature sets on detecting advanced persistent threats. The selection of suitable features for detecting targeted cyber attacks is crucial to achieving high performance and to address limited computational and storage costs. The evaluation was performed on a semi-synthetic dataset, which combined the CICIDS2017 dataset and the Contagio malware dataset. The CICIDS2017 dataset is a benchmark dataset in the intrusion detection field and the Contagio malware dataset contains real advanced persistent threat (APT) attack traces. Several different combinations of datasets were used to increase variety in background data and contribute to the quality of results. For the feature extraction, the CICflowmeter tool was used. For the selection of suitable features, a correlation analysis including an in-depth feature investigation by boxplots is provided. Based on that, several suitable features were allocated into different feature sets. The influences of these feature sets on the detection capabilities were investigated in detail with the local outlier factor method. The focus was especially on attacks detected with different feature sets and the influences of the background on the detection capabilities with respect to the local outlier factor method. Based on the results, we could determine a superior feature set, which detected most of the malicious flows.

Formal security analysis for software architecture design: An expressive framework to emerging architectural styles

Analysing security in the architecture design of modern software systems is a challenging task. Emerging technologies utilised in building software systems may pose security threats, so software engineers need to consider both the structure and behaviour of architectural styles that employ these supporting technologies. This paper presents an automated approach to security analysis that helps to identify security characteristics at the architectural level. Key techniques used by our approach include the use of metrics, vulnerability identification and attack scenarios. Our modelling is expressive in defining architectural styles and security characteristics. Our analysis approach gives insightful results that allow software engineers to trace through the design to find parts of the system that may be impacted by attacks. We have developed an analysis tool that allows user to seamlessly model the software architecture design and analyse security. The evaluation has been conducted to assess the accuracy and performance of our approach. The results show that our analysis approach performs reasonably well to analyse the security in the architectural design. • Emerging technologies utilised in software systems may pose security threats. • Our approach helps to identify security characteristics at the architectural level. • Our approach applies metrics to measure security and trace attack scenarios. • The insightful results allows tracing the design to identify impacts by the attacks. • Our approach is expressive to define other security metrics and architecture styles.

Developing a Framework for Data Communication in a Wireless Network using Machine Learning Technique

The emergence of Internet of Things (IoT) has become a huge innovation for utilizing the enormous power of wireless media. The adaptation of smart devices, with intelligent networking, has greatly enhanced the traffic of the IoT environment. The present security mechanism is primarily focusing on specific areas such as content filtering, monitoring techniques, and anomaly detection. A vulnerability reflects the inability of a network that allows an attacker to detect the extent of existing mechanism of security. The existing techniques focused on specific attacks rather than monitoring the whole network. However, there is a demand for a framework to govern and protect data and services in IoT network. Anomaly detection framework is a resource intensive activity to protect data and services of IoT / Wireless Sensor Networks (WSN). It supports application layer of IoT network and traces it frequently to find the existence of malicious activities. In this study, researchers proposed an anomaly detection framework to safeguard against wireless attacks. The proposed framework has employed a machine learning technique to detect the traces of wireless attacks. It supports IoT based networks to monitor the functionalities of the resources. In addition, it discusses the open challenges in IoT networks with possible solutions. Researchers employed a test bed for evaluating the proposed framework. The outcome of the study shows that the proposed framework provides better services with more security.

A comprehensive survey on data provenance: State-of-the-art approaches and their deployments for IoT security enforcement

Data provenance collects comprehensive information about the events and operations in a computer system at both application and kernel levels. It provides a detailed and accurate history of transactions that help delineate the data flow scenario across the whole system. Data provenance helps achieve system resilience by uncovering several malicious attack traces after a system compromise that are leveraged by the analyzer to understand the attack behavior and discover the level of damage. Existing literature demonstrates a number of research efforts on information capture, management, and analysis of data provenance. In recent years, provenance in IoT devices attracts several research efforts because of the proliferation of commodity IoT devices. In this survey paper, we present a comparative study of the state-of-the-art approaches to provenance by classifying them based on frameworks, deployed techniques, and subjects of interest. We also discuss the emergence and scope of data provenance in IoT network. Finally, we present the urgency in several directions that data provenance needs to pursue, including data management and analysis.

Cryptanalysis of a Chaotic Block Cryptographic System Against Template Attacks

The security of chaotic cryptographic system can be theoretically evaluated by using conventional statistical tests and numerical simulations, such as the character frequency test, entropy test, avalanche test and SP 800-22 tests. However, when the cryptographic algorithm operates on a cryptosystem, the leakage information such as power dissipation, electromagnetic emission and time-consuming can be used by attackers to analyze the secret keys, namely the Side Channel Analysis (SCA) attack. In this paper, a cryptanalysis method is proposed for evaluating the security of a chaotic block cryptographic system from a hardware perspective by utilizing the Template Attacks (TAs). Firstly, a chaotic block cryptographic system is described briefly and implemented based on an Atmel XMEGA microcontroller. Then the TA using a multivariate Gaussian model is introduced. In order to reduce computational complexity and improve the efficiency of TA, the Hamming weight is used in this work to model power consumption traces. The proposed TA method has the following advantages including (a) using the sum of difference to select points of interest of traces, (b) using a data processing method to minimize the influences on power information modeling from the redundant sampling points, and (c) all the traces are aligned precisely before establishing the templates. Experimental results show that the TA can be used to attack the chaotic cryptographic systems and is more efficient, i.e. [Formula: see text]32% less attack traces than correlation power analysis, when the templates are properly built.

Clone Detection Based on BPNN and Physical Layer Reputation for Industrial Wireless CPS

Industrial wireless cyber–physical systems are vulnerable to malicious node attacks, for example, clone node attack. The existing clone detection schemes are either based on upper layer observations or physical layer channel state information. The schemes based on upper layer observations are vulnerable to defamation while the schemes based on channel state information perform better against defamation, but are badly affected by channel conditions. This article applies physical layer reputation and back propagation neural network to clone detection, aiming at improving the detection accuracy. The proposed scheme accumulates the physical layer reputations by channel state information and input them to the neural network. The cloud server performs attack detection by group detection first. If a certain group is classified as attacked, the corresponding edge processor will perform attack tracing to identify the specific clone nodes. During the attack tracing stage, multiple reputations of each node is adopted for a comprehensive inspection. Extensive experiments are conducted on the Universal Software Radio Peripheral platform. The numerical results show that the proposed scheme significantly improves the detection accuracy.

Tracking the Insider Attacker: A Blockchain Traceability System for Insider Threats

The insider threats have always been one of the most severe challenges to cybersecurity. It can lead to the destruction of the organisation’s internal network system and information leakage, which seriously threaten the confidentiality, integrity and availability of data. To make matters worse, since the attacker has authorized access to the internal network, they can launch the attack from the inside and erase their attack trace, which makes it challenging to track and forensics. A blockchain traceability system for insider threats is proposed in this paper to mitigate the issue. First, this paper constructs an insider threat model of the internal network from a different perspective: insider attack forensics and prevent insider attacker from escaping. Then, we analyze why it is difficult to track attackers and obtain evidence when an insider threat has occurred. After that, the blockchain traceability system is designed in terms of data structure, transaction structure, block structure, consensus algorithm, data storage algorithm, and query algorithm, while using differential privacy to protect user privacy. We deployed this blockchain traceability system and conducted experiments, and the results show that it can achieve the goal of mitigating insider threats.

Plaintext: A Missing Feature for Enhancing the Power of Deep Learning in Side-Channel Analysis?

Deep learning (DL) has proven to be very effective for image recognition tasks, with a large body of research on various model architectures for object classification. Straight-forward application of DL to side-channel analysis (SCA) has already shown promising success, with experimentation on open-source variable key datasets showing that secret keys can be revealed with 100s traces even in the presence of countermeasures. This paper aims to further improve the application of DL for SCA, by enhancing the power of DL when targeting the secret key of cryptographic algorithms when protected with SCA countermeasures. We propose a new model, CNN-based model with Plaintext feature extension (CNNP) together with multiple convolutional filter kernel sizes and structures with deeper and narrower neural networks, which has empirically proven its effectiveness by outperforming reference profiling attack methods such as template attacks (TAs), convolutional neural networks (CNNs) and multilayer perceptron (MLP) models. Our model generates state-of-the art results when attacking the ASCAD variable-key database, which has a restricted number of training traces per key, recovering the key within 40 attack traces in comparison with order of 100s traces required by straightforward machine learning (ML) application. During the profiling stage an attacker needs no additional knowledge on the implementation, such as the masking scheme or random mask values, only the ability to record the power consumption or electromagnetic field traces, plaintext/ciphertext and the key. Additionally, no heuristic pre-processing is required in order to break the high-order masking countermeasures of the target implementation.

An efficient hash-based authenticated key agreement scheme for multi-server architecture resilient to key compromise impersonation

During the past decade, rapid advances in wireless communication technologies have made it possible for users to access desired services using hand-held devices. Service providers have hosted multiple servers to ensure seamless online services to end-users. To ensure the security of this online communication, researchers have proposed several multi-server authentication schemes incorporating various cryptographic primitives. Due to the low power and computational capacities of mobile devices, the hash-based multi-server authenticated key agreement schemes with offline Registration Server (RS) are the most efficient choice. Recently, Kumar-Om presented such a scheme and proved its security against all renowned attacks. However, we find that their scheme bears an incorrect login phase, and is unsafe to the trace attack, the Session-Specific Temporary Information Attack (SSTIA), and the Key Compromise Impersonation Attack (KCIA). In fact, all of the existing multi-server authentication schemes (hash-based with offline RS) do not withstand KCIA. To deal with this situation, we propose an improved hash-based multi-server authentication scheme (with offline RS). We analyze the security of the proposed scheme under the random oracle model and use the ‘‘Automated Validation of Internet Security Protocols and Applications’’ (AVISPA) tool. The comparative analysis of communication overhead and computational complexity metrics shows the efficiency of the proposed scheme.

The Forefront of Cyberattack Countermeasures Focusing on Traces of Attacks

The Forefront of Cyberattack Countermeasures Focusing on Traces of Attacks

A game-theoretic defensive approach for forensic investigators against rootkits

Forensic science aims to present evidence in the courtroom, in a forensically sound manner. Therefore, forensic procedures must guarantee the provability, admissibility, accuracy, and authenticity of the case's evidence. However, anti-forensics threaten forensic procedures by forging, hiding, and even modifying remaining evidence in a crime scene. For instance, rootkits hide traces of attacks in a compromised system. To prevent anti-forensics, forensic investigators use de-anti-forensic methods (e.g. anti-rootkits).The necessity of more research on anti-forensics motivated us to propose a game-theoretic approach to model the interactions between an attacker and an investigator (players) who use rootkits and anti-rootkits, respectively. We assume these players act competitively, and each does not know his/her opponent's pay-off. We identify sets of characteristics for rootkits and anti-rootkits to profile them and define each player's actions. We examine the existence of the Nash Equilibrium for a two-player game. Experimental results show the simulated game is convergent. Thus, we identify the investigators' most desirable and stable defensive strategies against the attacker's most desirable and stable offensive strategies. We also formulate a relationship between characteristics of rootkits and anti-rootkits using the Nash Equilibrium of the game. Finally, we propose some general features to help investigators to evaluate anti-rootkits and design more efficient defensive tools.

SKINNY-Based RFID Lightweight Authentication Protocol

With the rapid development of the Internet of Things and the popularization of 5G communication technology, the security of resource-constrained IoT devices such as Radio Frequency Identification (RFID)-based applications have received extensive attention. In traditional RFID systems, the communication channel between the tag and the reader is vulnerable to various threats, including denial of service, spoofing, and desynchronization. Thus, the confidentiality and integrity of the transmitted data cannot be guaranteed. In order to solve these security problems, in this paper, we propose a new RFID authentication protocol based on a lightweight block cipher algorithm, SKINNY, (short for LRSAS). Security analysis shows that the LRSAS protocol guarantees mutual authentication and is resistant to various attacks, such as desynchronization attacks, replay attacks, and tracing attacks. Performance evaluations show that the proposed solution is suitable for low-cost tags while meeting security requirements. This protocol reaches a balance between security requirements and costs.