Topic Editors

School of Computer Science and Informatics, De Montfort University, Leicester LE1 9BH, UK
Cyber Security Cooperative Research Centre, Building 15 Level 2/270 Joondalup Dr, Joondalup, WA 6027, Australia
Department of Computer Science, Guelma University, BP 401, Guelma 24000, Algeria

Cyber Security and Critical Infrastructures

Abstract submission deadline
closed (31 January 2023)
Manuscript submission deadline
closed (31 March 2023)
Viewed by
150821

A printed edition of this Topic is available.

Topic Information

Dear Colleagues,

Critical infrastructures are vital assets for public safety, economic welfare, and the national security of countries. The vulnerabilities of critical infrastructures have increased with the widespread use of information technologies. As critical national infrastructures become more vulnerable to cyberattacks, their protection becomes a significant issue for any organization as well as any nation. The risks to continued operations from failing to upgrade aging infrastructure or not meeting mandated regulatory regimes are considered higher given the demonstrable impact of such circumstances.

Due to the rapid increase in sophisticated cyber threats targeting critical infrastructures with significant destructive effects, the cyber security of critical infrastructures has become an agenda item for academics, practitioners, and policy makers. A holistic view which covers technical, policy, human, and behavioral aspects is essential to handle the cyber security of critical infrastructures effectively. Moreover, the ability to attribute crimes to criminals is a vital element of avoiding impunity in cyberspace. In addition, the coronavirus pandemic has created new challenges for businesses as they adapt to an operating model in which working from home has become the ‘new normal’. Companies are accelerating their digital transformation, and cybersecurity is now a major concern.

The aim of this Topic is to gather both research and practical aspects of cyber security considerations in critical infrastructures. Aligned with the interdisciplinary nature of cyber security, authors from academia, government, and industry are welcome to contribute.

We seek original and high-quality submissions on, but not limited to, one or more of the following topics:

• Security of supervisory control and data acquisition (SCADA) systems;
• Cyber security of complex and distributed critical infrastructures;
• Cyber security of industrial control systems;
• Cyber security modeling and simulation;
• Cyber threat modeling and analysis;
• Safety–security interactions;
• Cyber security engineering;
• Behavioral modeling;
• Network security and protocols;
• Security, privacy, and legal issues of big data and the Internet of Things;
• Cyber threat intelligence;
• Situational awareness;
• Attack modeling, prevention, mitigation, and defense;
• Cyberphysical systems security approaches and algorithms;
• Critical infrastructure security policies, standards, and regulations;
• Vulnerability and risk assessment methodologies for distributed critical infrastructures;
• Risk management and cyber insurance;
• Simulation and test beds for the security evaluation of critical infrastructures;
• Resiliency and security of cyber systems;
• Cyber security and privacy policies;
• Hardware security solutions;
• Incident response;
• Encryption, authentication, availability assurance;
• Human awareness and training;
• Intrusion detection;
• Trust and privacy preservation;
• Secure communication protocols;
• Malware analysis;
• Attribution of cyberattacks;
• Cyber warfare, peacekeeping;
• Hybrid war;
• Blockchain technology;
• Supply chain security;
• Ransomware.

Prof. Dr. Leandros Maglaras
Prof. Dr. Helge Janicke
Dr. Mohamed Amine Ferrag
Topic Editors

Keywords

  • cybersecurity
  • critical infrastructures
  • privacy preservation
  • risk management
  • big data
  • Internet of Things
  • blockchain
  • cyber threats
  • cyber security and privacy policy
  • hybrid war
  • cybercrime
  • smart grids
  • cyber security modeling and simulation

Participating Journals

Journal Name                          Abbreviation    Impact Factor  CiteScore  Launched Year  First Decision (median)  APC
Applied Sciences                      applsci         2.7            4.5        2011           16.9 Days                CHF 2400
Electronics                           electronics     2.9            4.7        2012           15.6 Days                CHF 2400
Future Internet                       futureinternet  3.4            6.7        2009           11.8 Days                CHF 1600
Sensors                               sensors         3.9            6.8        2001           17 Days                  CHF 2600
Journal of Cybersecurity and Privacy  jcp             -              -          2021           23.5 Days                CHF 1000

Preprints.org is a multidisciplinary platform providing a preprint service that is dedicated to sharing your research from the start and empowering your research journey.

MDPI Topics is cooperating with Preprints.org and has built a direct connection between MDPI journals and Preprints.org. Authors are encouraged to enjoy the benefits by posting a preprint at Preprints.org prior to publication:

  1. Immediately share your ideas ahead of publication and establish your research priority;
  2. Protect your idea from being stolen with this time-stamped preprint article;
  3. Enhance the exposure and impact of your research;
  4. Receive feedback from your peers in advance;
  5. Have it indexed in Web of Science (Preprint Citation Index), Google Scholar, Crossref, SHARE, PrePubMed, Scilit and Europe PMC.

Published Papers (55 papers)

12 pages, 881 KiB  
Article
Analysis of Distinguishable Security between the One-Time Password Extraction Function Family and Random Function Family
by Hyunki Kim and Okyeon Yi
Appl. Sci. 2023, 13(15), 8761; https://doi.org/10.3390/app13158761 - 28 Jul 2023
Viewed by 862
Abstract
A one-time password is a security system that uses a password that is only used once for authentication, and it is commonly used in multi-factor authentication systems. The process of generating an OTP is very similar to generating pseudorandom sequences in cryptography. However, since only a part of the bit string is used in OTP, an algorithm is needed to extract that part. In addition, the OTP process also includes converting the bit string value into decimal form for human perception. This paper focuses on analyzing the extraction function, which is the step before the hexadecimal is reprocessed into the decimal form. We analyze a function family, which includes functions used in the process of extracting a bit string, in terms of distinguishable security. As a result, we conclude that the OTP extraction function family is vulnerable in terms of distinguishable security compared to the random function family.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

19 pages, 15121 KiB  
Article
An Experimental Detection of Distributed Denial of Service Attack in CDX 3 Platform Based on Snort
by Chin-Ling Chen and Jian Lin Lai
Sensors 2023, 23(13), 6139; https://doi.org/10.3390/s23136139 - 04 Jul 2023
Cited by 3 | Viewed by 1718
Abstract
Distributed Denial of Service (DDoS) attacks pose a significant threat to internet and cloud security. Our study utilizes a Poisson distribution model to efficiently detect DDoS attacks with a computational complexity of O(n). Unlike Machine Learning (ML)-based algorithms, our method only needs to set up one or more Poisson models for legitimate traffic based on the granularity of the time periods during preprocessing, thus eliminating the need for training time. We validate this approach with four virtual machines on the CDX 3.0 platform, each simulating different aspects of DDoS attacks for offensive, monitoring, and defense evaluation purposes. The study further analyzes seven diverse DDoS attack methods. When compared with existing methods, our approach demonstrates superior performance, highlighting its potential effectiveness in real-world DDoS attack detection.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

21 pages, 6592 KiB  
Article
A Port-Hopping Technology against Remote Attacks and Its Effectiveness Evaluation
by Jiajun Yan, Ying Zhou and Tao Wang
Electronics 2023, 12(11), 2477; https://doi.org/10.3390/electronics12112477 - 31 May 2023
Cited by 1 | Viewed by 993
Abstract
Traditional network defense approaches are insufficient to deal with new types of network threats. Active defense approaches based on software-defined networks, which include random port-hopping technology, help to solve this problem. Existing port-hopping approaches have problems such as the inability to completely hide the service port and the complicated hopping mechanism. What is more, there is no strict demonstration of the security effectiveness evaluation of random port hopping and its influencing factors. In this paper, a hidden services port-hopping approach and several models are proposed to solve these existing problems. Firstly, the algorithm, protocol, and flow update process of the method are presented. Secondly, according to the conceptual model of network attack and the network attack and defense model, the mathematical model of network attack is proposed to evaluate the security effectiveness of random port hopping. Furthermore, the resource layer and attack surface are redefined and the conceptual model of random port hopping is proposed to reveal the security mechanism of random port hopping more figuratively. After that, the factors that influence the security effectiveness of random port hopping are analyzed. Finally, both experiments and theoretical analysis show that hidden services port hopping is an effective active defense technology and that the factors that influence the probability of a successful attack include the time interval of port hopping, the size of the port-hopping space, and the number of vulnerable ports.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

18 pages, 3429 KiB  
Article
Cybersecurity in a Large-Scale Research Facility—One Institution’s Approach
by David S. Butcher, Christian J. Brigham, James Berhalter, Abigail L. Centers, William M. Hunkapiller, Timothy P. Murphy, Eric C. Palm and Julia H. Smith
J. Cybersecur. Priv. 2023, 3(2), 191-208; https://doi.org/10.3390/jcp3020011 - 16 May 2023
Viewed by 2250
Abstract
A cybersecurity approach for a large-scale user facility is presented—utilizing the National High Magnetic Field Laboratory (NHMFL) at Florida State University (FSU) as an example. The NHMFL provides access to the highest magnetic fields for scientific research teams from a range of disciplines. The unique challenges of cybersecurity at a widely accessible user facility are showcased, and relevant cybersecurity frameworks for the complex needs of a user facility with industrial-style equipment and hazards are discussed, along with the approach for risk identification and management, which determine cybersecurity requirements and priorities. Essential differences between information technology and research technology are identified, along with unique requirements and constraints. The need to plan for the introduction of new technology and manage legacy technologies with long usage lifecycles is identified in the context of implementing cybersecurity controls rooted in pragmatic decisions to avoid hindering research activities while enabling secure practices, which includes FAIR (findable, accessible, interoperable, and reusable) and open data management principles. The NHMFL’s approach to FAIR data management is presented. Critical success factors include obtaining resources to implement and maintain necessary security protocols, interdisciplinary and diverse skill sets, phased implementation, and shared allocation of NHMFL and FSU responsibilities.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

22 pages, 1520 KiB  
Article
XFilter: An Extension of the Integrity Measurement Architecture Based on Fine-Grained Policies
by Alan Litchfield and Weihua Du
Appl. Sci. 2023, 13(10), 6046; https://doi.org/10.3390/app13106046 - 15 May 2023
Viewed by 1013
Abstract
The Integrity Measurement Architecture subsystem on the Linux platform is a critical security component in the kernel to ensure the integrity of the running system. However, the default Integrity Measurement Architecture policy mechanisms based on options such as file owner and FSMAGIC cannot achieve a file-level configuration. Although Integrity Measurement Architecture supports Linux Security Module policy rules that come close to the goal of fine-grained configuration, they are not easy to manage because the Linux Security Module was not originally designed for integrity measurement. Moreover, the Linux Security Module-based policy does not apply in some use cases, depending on the type of Mandatory Access Control tools chosen by users. This paper presents a new policy configuration option, named XFilter, that achieves a fine-grained policy configuration method. XFilter includes two policy matching mechanisms, XLabel and XList, which share the same policy token created exclusively for XFilter. XLabel marks the files for measurement using a label in the file’s extended attribute (xattr). By contrast, XList stores the measurement information in a list of file paths. To simplify deployment, an automatic configuration process is implemented for integration into the package management system. The evaluation results suggest that both mechanisms satisfy the requirements of file-level IMA policy control and create a performance burden for system operation within an acceptable range. They also reveal a positive correlation between the increase in system latency and the growth of the length of the file path list for the XList mechanism.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)
(This article belongs to the Section Computing and Artificial Intelligence)

29 pages, 984 KiB  
Article
The Design and Implementation of a Secure Datastore Based on Ethereum Smart Contract
by Izdehar M. Aldyaflah, Wenbing Zhao, Himanshu Upadhyay and Leonel Lagos
Appl. Sci. 2023, 13(9), 5282; https://doi.org/10.3390/app13095282 - 23 Apr 2023
Cited by 5 | Viewed by 1967
Abstract
In this paper, we present a secure datastore based on an Ethereum smart contract. Our research is guided by three research questions. First, we will explore to what extent a smart-contract-based datastore should resemble a traditional database system. Second, we will investigate how to store the data in a smart-contract-based datastore for maximum flexibility while minimizing the gas consumption. Third, we seek answers regarding whether or not a smart-contract-based datastore should incorporate complex processing such as data encryption and data analytic algorithms. The proposed smart-contract-based datastore aims to strike a good balance between several constraints: (1) smart contracts are publicly visible, which may create a confidentiality concern for the data stored in the datastore; (2) unlike traditional database systems, the Ethereum smart contract programming language (i.e., Solidity) offers very limited data structures for data management; (3) all operations that mutate the blockchain state incur financial costs, and the developers of smart contracts must make sure sufficient gas is provisioned for every smart contract call; ideally, the gas consumption should be minimized. Our investigation shows that although it is essential for a smart-contract-based datastore to offer some basic data query functionality, it is impractical to offer query flexibility that resembles that of a traditional database system. Furthermore, we propose that data should be structured as tag-value pairs, where the tag serves as a non-unique key that describes the nature of the value. We also conclude that complex processing should not be allowed in the smart contract due to the financial burden and security concerns. The tag-based secure datastore designed this way also defines its applicative perimeter, i.e., only applications that align with our strategy would find the proposed datastore a good fit. Those that would rather incur higher financial cost for more data query flexibility and/or less user burden on data pre- and post-processing would find the proposed database too restrictive.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

20 pages, 616 KiB  
Article
CVMan: A Framework for Clone-Incurred Vulnerability Management
by Jian Shi, Deqing Zou, Shouhuai Xu and Hai Jin
Appl. Sci. 2023, 13(8), 4948; https://doi.org/10.3390/app13084948 - 14 Apr 2023
Viewed by 1203
Abstract
Software clones may cause vulnerability proliferation, which highlights the importance of investigating clone-incurred vulnerabilities. In this paper, we propose a framework for automatically managing clone-incurred vulnerabilities. Two innovations of the framework are the notion of the spatial clone-relation graph, which describes clone-based relationships between software programs, and the temporal clone-relation graph, which describes the evolution of clones in software over time. As a case study, we apply the framework to analyze eight versions of Ubuntu while drawing a number of insights, such as: (i) clones are prevalent, with about one-sixth of the codebase being clones; (ii) intra-program clones are often attributed to polymorphisms or functional similarities between procedures, while inter-program clones are often attributed to shared code repositories and the reuse of libraries; (iii) the clone surface of Linux remains stable at around 0.6, meaning that spatial and temporal clones in Linux account for about 60% of the codebase, while the lifetime of 53% of clones spans eight versions; and (iv) the clone-incurred vulnerability surface in Linux is small, while vulnerable clones and non-vulnerable clones have similar lifetimes.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

21 pages, 1110 KiB  
Article
Separating Malicious from Benign Software Using Deep Learning Algorithm
by Ömer Aslan
Electronics 2023, 12(8), 1861; https://doi.org/10.3390/electronics12081861 - 14 Apr 2023
Cited by 2 | Viewed by 1878
Abstract
The increased usage of the Internet raises cyber security attacks in digital environments. One of the largest threats that initiate cyber attacks is malicious software, known as malware. Automatic creation of malware as well as obfuscation and packing techniques make the malware detection process a very challenging task. The obfuscation techniques allow malware variants to bypass most of the leading malware detection methods in the literature. In this paper, a more effective malware detection system is proposed. The goal of the study is to detect traditional as well as new and complex malware variants. The proposed approach consists of three modules. Initially, the malware samples are collected and analyzed by using dynamic malware analysis tools, and execution traces are collected. Then, the collected system calls are used to create malware behaviors as well as features. Finally, a proposed deep learning methodology is used to effectively separate malware from benign samples. The deep learning methodology consists of one input layer, three hidden layers, and an output layer. In the hidden layers, 500, 64, and 32 fully connected neurons are used in the first, second, and third hidden layers, respectively. To keep the model simple as well as obtain optimal solutions, we have selected three hidden layers in which the number of neurons decreases in each subsequent layer. To increase the model performance and use more important features, various activation functions are used. The test results show that the proposed system can effectively detect the malware with more than 99% DR, f-measure, and 99.80 accuracy, which is substantially high when compared with other methods. The proposed system can recognize new malware variants that could not be detected with signature, heuristic, and some behavior-based detection techniques. Further, the proposed system has performed better than the well-known methods that are mentioned in the literature based on the DR, precision, recall, f-measure, and accuracy metrics.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

15 pages, 2487 KiB  
Article
Root Mirror Sites Identification and Service Area Analysis
by Jiachen Wang, Zhiping Li, Zhaoxin Zhang, Jian Chen, Chao Li and Yanan Cheng
Electronics 2023, 12(7), 1737; https://doi.org/10.3390/electronics12071737 - 05 Apr 2023
Viewed by 1408
Abstract
The operation of today’s Internet can only be achieved with the domain name system (DNS), and the essential part of the DNS is the root servers. Adding anycast mirrors has been used to maintain the security of root servers, but many problems accompany this technique. In this paper, we used 36198 probe points deployed worldwide to probe 1160 root mirror sites and analyzed the data with root mirrors’ identification and localization (RMIL). RMIL is a method to identify and locate root mirrors. It consists of probing and analyzing the network services ID (NSID) and traceroute data to identify and locate root mirror sites. Using this method, 821 (70.78% of the total) sites were accurately identified and located, and city-level localization was achieved for 281 other sites. Finally, the identification results were used in the service area analysis. The analysis covered multiple dimensions: locations, autonomous system numbers (ASN), internet service providers (ISP), and IPv4 prefixes. As such, we helped identify and locate root mirror sites more precisely and discover which ones have a greater service area in different dimensions.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

18 pages, 1250 KiB  
Article
Anomaly Detection Module for Network Traffic Monitoring in Public Institutions
by Łukasz Wawrowski, Andrzej Białas, Adrian Kajzer, Artur Kozłowski, Rafał Kurianowicz, Marek Sikora, Agnieszka Szymańska-Kwiecień, Mariusz Uchroński, Miłosz Białczak, Maciej Olejnik and Marcin Michalak
Sensors 2023, 23(6), 2974; https://doi.org/10.3390/s23062974 - 09 Mar 2023
Cited by 2 | Viewed by 2589
Abstract
It seems to be a truism to say that we should pay more and more attention to network traffic safety. Such a goal may be achieved with many different approaches. In this paper, we put our attention on the increase in network traffic safety based on the continuous monitoring of network traffic statistics and detecting possible anomalies in the network traffic description. The developed solution, called the anomaly detection module, is mostly dedicated to public institutions as an additional component of the network security services. Despite the use of well-known anomaly detection methods, the novelty of the module is based on providing an exhaustive strategy for selecting the best combination of models as well as tuning the models in a much faster offline mode. It is worth emphasizing that the combined models were able to achieve a 100% balanced accuracy level of specific attack detection.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

22 pages, 3487 KiB  
Article
E-APTDetect: Early Advanced Persistent Threat Detection in Critical Infrastructures with Dynamic Attestation
by Béla Genge, Piroska Haller and Adrian-Silviu Roman
Appl. Sci. 2023, 13(6), 3409; https://doi.org/10.3390/app13063409 - 07 Mar 2023
Viewed by 1335
Abstract
Advanced Persistent Threats (APTs) represent a complex series of techniques directed against a particular organization, where the perpetrator is able to hide its presence for a longer period of time (e.g., months, years). Previous such attacks have demonstrated the exceptional impact that a cyber attack may have on the operation of Supervisory Control And Data Acquisition Systems (SCADA), and, more specifically, on the underlying physical process. Existing techniques for the detection of APTs focus on aggregating results originating from a collection of anomaly detection agents. However, such approaches may require an extensive time period in case the process is in a steady state. Conversely, this paper documents E-APTDetect, an approach that uses dynamic attestation and multi-level data fusion for the early detection of APTs. The methodology leverages sensitivity analysis and Dempster-Shafer’s Theory of Evidence as its building blocks. Extensive experiments are performed on a realistic Vinyl Acetate Monomer (VAM) process model. The model contains standard chemical unit operations and typical industrial characteristics, which make it suitable for a large variety of experiments. The experimental results conducted on the VAM process demonstrate E-APTDetect’s ability to efficiently detect APTs, but also highlight key aspects related to the attacker’s advantage. The experiments also highlight that the adversary’s advantage is affected by two major factors: the number of compromised components and the precision of manipulation.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

23 pages, 2345 KiB  
Article
Rethinking the Operation Pattern for Anomaly Detection in Industrial Cyber–Physical Systems
by Zishuai Cheng, Baojiang Cui and Junsong Fu
Appl. Sci. 2023, 13(5), 3244; https://doi.org/10.3390/app13053244 - 03 Mar 2023
Viewed by 1436
Abstract
Anomaly detection has been proven to be an efficient way to detect malicious behaviour and cyberattacks in industrial cyber–physical systems (ICPSs). However, most detection models are not entirely adapted to the real world as they require intensive computational resources and labelled data and lack interpretability. This study investigated the traffic behaviour of a real coal mine system and proposed improved features to describe its operation pattern. Based on these features, this work combined the basic deterministic finite automaton (DFA) and normal distribution (ND) models to build an unsupervised anomaly detection model, which uses a hierarchical structure to pursue interpretability. To demonstrate its capability, this model was evaluated on real traffic and seven simulated attack types and further compared with nine state-of-the-art works. The evaluation and comparison results show that the proposed method achieved a 99% F1-score and is efficient in detecting sophisticated attacks. Furthermore, it achieved an average 17% increase in precision and a 12% increase in F1-score compared to previous works. These results confirm the advantages of the proposed method. The work further suggests that future works should investigate operation pattern features rather than pursuing complex algorithms.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

21 pages, 1268 KiB  
Article
A Polynomial Multiplication Accelerator for Faster Lattice Cipher Algorithm in Security Chip
by Changbao Xu, Hongzhou Yu, Wei Xi, Jianyang Zhu, Chen Chen and Xiaowen Jiang
Electronics 2023, 12(4), 951; https://doi.org/10.3390/electronics12040951 - 14 Feb 2023
Viewed by 1912
Abstract
Polynomial multiplication is the most computationally expensive part of lattice-based cryptography algorithms. However, the existing acceleration schemes have problems, such as low performance and high hardware resource overhead. Based on polynomial multiplication via the number theoretic transform (NTT), this paper proposes a simple Montgomery modular reduction element with a pipeline structure to realize fast modular multiplication. In order to improve the throughput of the NTT module, block storage technology is used in the NTT hardware module to enable the computing unit to read and write data alternately. Based on the NTT hardware module, a precalculated parameter storage and real-time calculation method suitable for the hardware architecture of this paper is also proposed. Finally, the hardware of the polynomial multiplier based on the NTT module is implemented, and its functional simulation and performance evaluation are carried out. The results show that the proposed hardware accelerator can achieve excellent computing performance while using fewer hardware resources, thus meeting the requirements of lattice cipher algorithms in security chips. Compared with the existing studies, the computing performance of the polynomial multiplier designed in this paper is improved by approximately 1 to 3 times, and the slice resources and storage resources used are reduced by approximately 60% and 17%, respectively.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)
Show Figures

Figure 1

15 pages, 790 KiB  
Article
BadDGA: Backdoor Attack on LSTM-Based Domain Generation Algorithm Detector
by You Zhai, Liqun Yang, Jian Yang, Longtao He and Zhoujun Li
Electronics 2023, 12(3), 736; https://doi.org/10.3390/electronics12030736 - 01 Feb 2023
Cited by 1 | Viewed by 1806
Abstract
Due to the outstanding performance of deep neural networks (DNNs), many researchers have begun to transfer deep learning techniques to their fields. To detect algorithmically generated domains (AGDs) generated by domain generation algorithms (DGAs) in botnets, a long short-term memory (LSTM)-based DGA detector has achieved excellent performance. However, various inherent vulnerabilities have been found in previous DNNs, so cyberattackers can use these drawbacks to deceive DNNs, misleading DNNs into making wrong decisions. Backdoor attack, as one of the popular attack strategies against DNNs, has attracted widespread attention in recent years. In this paper, to cheat the LSTM-based DGA detector, we propose BadDGA, a backdoor attack against the LSTM-based DGA detector. Specifically, we offer four backdoor attack trigger construction methods: TLD-triggers, Ngram-triggers, Word-triggers, and IDN-triggers. Finally, we evaluate BadDGA on ten popular DGA datasets. The experimental results show that under the premise of a 1‰ poisoning rate, our proposed backdoor attack can achieve a 100% attack success rate, verifying the effectiveness of our method. Meanwhile, the model’s utility on clean data is influenced only slightly.
22 pages, 4040 KiB  
Article
Security Architecture for Secure Train Control and Monitoring System
by Yudha Purwanto, Muhammad Faris Ruriawan, Andry Alamsyah, Febry Pandu Wijaya, Dewi Nala Husna, Agri Kridanto, Fifin Nugroho, Anang Fakhrudin, Mu’ammar Itqon, Mochamad Yudha Febrianta, Sri Widiyanesti, Fussy Mentari, Alfian Akbar Gozali and Ade Romadhony
Sensors 2023, 23(3), 1341; https://doi.org/10.3390/s23031341 - 25 Jan 2023
Cited by 3 | Viewed by 2224
Abstract
A Train Control and Monitoring System (TCMS) is a vital part of monitoring sensors in a train. The data output of sensors is sent wirelessly to the data server for monitoring. However, as the wireless channel used to send the data is a shared public network, the transmitted data are prone to hackers and attacks. This paper proposes the Securebox architecture to manage secure data transfer from the onboard Vehicle Control Unit (VCU) to the data server in TCMS. The architecture is comprised of four main functions: network management, buffer management, data management, and security management. The architecture has been successfully developed in a Hardware Security Module (HSM) and verified using alpha and beta software testing to form a secure TCMS. From the real-time testing phase in an electric-diesel train, the average performance of the AES-based HSM showed 55% faster time processing with an unnoticed 0.1% added memory usage compared to 3DES. The secure TCMS also withstands MITM attacks and provides end-to-end data security, compared to the Mobile Station (MS) to Base Station (BS) only security in GSM-R.
18 pages, 4222 KiB  
Article
SubvectorS_Geo: A Neural-Network-Based IPv6 Geolocation Algorithm
by Zhaorui Ma, Xinhao Hu, Shicheng Zhang, Na Li, Fenlin Liu, Qinglei Zhou, Hongjian Wang, Guangwu Hu and Qilin Dong
Appl. Sci. 2023, 13(2), 754; https://doi.org/10.3390/app13020754 - 05 Jan 2023
Cited by 4 | Viewed by 1918
Abstract
IPv6 geolocation is necessary for many location-based Internet services. However, the accuracy of the current IPv6 geolocation methods, including machine-learning-based or deep-learning-based location algorithms, is unsatisfactory for users. Strong geographic correlation is observed for measurement path features close to the target IP, so previous methods focused more on stable paths in the vicinity of the probe. Based on this, this paper proposes a new IPv6 geolocation algorithm, SubvectorS_Geo, which is mainly divided into three steps: firstly, it filters geographically relevant routing feature codes layer by layer to approximate the fine-grained trusted region of the target; secondly, it extracts delay vectors into the trusted region; thirdly, it evaluates the vector similarity to determine the final target geolocation information. The final experiments show that the median error distance range is 7.025 km to 9.709 km on three real datasets (Shanghai, New York State, and Tokyo). Compared with the advanced method, the median error distance is reduced by at least 6.8% and the average error distance is reduced by at least 9.2%.
25 pages, 673 KiB  
Article
ERACE: Toward Facilitating Exploit Generation for Kernel Race Vulnerabilities
by Danjun Liu, Pengfei Wang, Xu Zhou and Baosheng Wang
Appl. Sci. 2022, 12(23), 11925; https://doi.org/10.3390/app122311925 - 22 Nov 2022
Viewed by 1736
Abstract
Since a large number of Linux kernel vulnerabilities are discovered every year, many vulnerabilities cannot be patched in time. Security vendors often prioritize patching high-risk vulnerabilities, and the ratings of vulnerabilities need to be evaluated based on factors such as exploitability and the scope of influence. However, evaluating exploitability is challenging and time-consuming, especially for race vulnerabilities, whose exploitation process is complicated and the success rate of exploitation is low, making them more likely to be overlooked. In this paper, we propose a new framework, called ERACE, to facilitate the process of exploiting kernel race vulnerabilities. Given a program called a proof of concept (PoC) that can trigger a race vulnerability, ERACE first applies a combination of dynamic and static analysis techniques to locate the instruction that causes the race. Then, it applies code instrumentation and static analysis to determine the timing relationship between the race instructions and the triggering type of the vulnerability and records the vulnerability context information. Next, it uses backward taint analysis to identify checkpoints that can be used to determine whether the race condition and heap spraying are satisfied and records the system calls to which the checkpoints belong. Finally, we can generate exploits based on the information collected above. To demonstrate the utility of ERACE, we tested it on 23 real-world vulnerabilities. As a result, we successfully detected the race points of 19 vulnerabilities, the timing relationship among the race instructions, and the triggering types of 17 vulnerabilities and succeeded in generating exploits for 13 vulnerabilities. ERACE can effectively help security researchers simplify the analysis process of kernel race vulnerabilities, select appropriate exploitation methods, and use checkpoints to increase the success rates of exploitations.
32 pages, 1872 KiB  
Article
A Survey and Ontology of Blockchain Consensus Algorithms for Resource-Constrained IoT Systems
by Misbah Khan, Frank den Hartog and Jiankun Hu
Sensors 2022, 22(21), 8188; https://doi.org/10.3390/s22218188 - 26 Oct 2022
Cited by 4 | Viewed by 2796
Abstract
The basic properties of blockchain, such as decentralization, security, and immutability, show promising potential for IoT applications. The main feature—decentralization of blockchain technology—depends on the consensus. However, consensus algorithms are mostly designed to work in extensive computational and communication environments for network security and immutability, which is not desirable for resource-restricted IoT applications. Many solutions are proposed to address this issue with modified consensus algorithms based on the legacy consensus, such as PoW, PoS, and BFT, and new non-linear data structures, such as DAG. A systematic classification and analysis of various techniques in the field will be beneficial for both researchers and industrial practitioners. Most existing relevant surveys provide classifications intuitively based on domain knowledge, which are infeasible to reveal the intrinsic and complicated relationships among the relevant basic concepts and techniques. In this paper, a powerful tool of systematic knowledge classification and explanation is introduced to structure the survey on blockchain consensus algorithms for resource-constrained IoT systems. More specifically, an ontology was developed for a consensus algorithm apropos of IoT adaptability. The developed ontology is subdivided into two parts—CONB and CONIoT—representing the classification of generic consensus algorithms and the ones that are particularly proposed for IoT, respectively. Guided by this ontology, an in-depth discussion and analysis are provided on the major consensus algorithms and their IoT compliance based on design and implementation targets. Open research challenges and future research directions are provided.
27 pages, 1164 KiB  
Article
Horus: An Effective and Reliable Framework for Code-Reuse Exploits Detection in Data Stream
by Gang Yang, Xingtong Liu and Chaojing Tang
Electronics 2022, 11(20), 3363; https://doi.org/10.3390/electronics11203363 - 18 Oct 2022
Cited by 2 | Viewed by 1498
Abstract
Recent years have witnessed a rapid growth of code-reuse attacks in advanced persistent threats and cyberspace crimes. Carefully crafted code-reuse exploits circumvent modern protection mechanisms and hijack the execution flow of a program to perform expected functionalities by chaining together existing code. The sophistication and intricacy of code-reuse exploits hinder their scrutinization and dissection. Although the previous literature has introduced some feasible approaches, effectiveness and reliability in practical applications remain severe challenges. To address this issue, we propose Horus, a data-driven framework for effective and reliable detection of code-reuse exploits. In order to raise the effectiveness against underlying noise, we comprehensively leverage the strengths of time-series and frequency-domain analysis, and propose a learning-based detector that synthesizes the contemporary twofold features. Then we employ a lightweight interpreter to speculatively and tentatively translate the suspicious bytes to open the black box and enhance the reliability and interpretability. Additionally, a functionality-preserving data augmentation is adopted to increase the diversity of limited training data and raise the generality for real-world deployment. Comparative experiments and ablation studies are conducted on a dataset composed of real-world instances to verify and prove the prevalence of Horus. The experimental results illustrate that Horus outperforms existing methods on the identification of code-reuse exploits from data streams with an acceptable overhead. Horus does not rely on any dynamic executions and can be easily integrated into existing defense systems. Moreover, Horus is able to provide tentative interpretations about attack semantics irrespective of the target program, which further improves the system’s effectiveness and reliability.
4 pages, 182 KiB  
Editorial
Combining Security and Reliability of Critical Infrastructures: The Concept of Securability
by Leandros Maglaras, Helge Janicke and Mohamed Amine Ferrag
Appl. Sci. 2022, 12(20), 10387; https://doi.org/10.3390/app122010387 - 15 Oct 2022
Cited by 3 | Viewed by 1224
Abstract
The digital revolution has made people more dependent on ICT technology to perform everyday tasks, whether at home or at work [...]
22 pages, 585 KiB  
Article
Anomalous Network Traffic Detection Method Based on an Elevated Harris Hawks Optimization Method and Gated Recurrent Unit Classifier
by Yao Xiao, Chunying Kang, Hongchen Yu, Tao Fan and Haofang Zhang
Sensors 2022, 22(19), 7548; https://doi.org/10.3390/s22197548 - 05 Oct 2022
Cited by 2 | Viewed by 1224
Abstract
In recent years, network traffic contains a lot of feature information. If there are too many redundant features, the computational cost of the algorithm will be greatly increased. This paper proposes an anomalous network traffic detection method based on Elevated Harris Hawks optimization. This method identifies redundant features in anomalous network traffic more easily, reduces computational overhead, and improves the performance of anomalous traffic detection methods. By enhancing the random jump distance function and escape energy function, and designing a unique fitness function, a unique anomalous traffic detection method is built using the algorithm and the neural network for anomalous traffic detection. This method is tested on three public network traffic datasets, namely UNSW-NB15, NSL-KDD, and CICIDS2018. The experimental results show that the proposed method not only significantly reduces the number of features in the dataset and the computational overhead, but also gives better indicators for every test.
12 pages, 4991 KiB  
Article
Chosen Plaintext Combined Attack against SM4 Algorithm
by Jintao Rao and Zhe Cui
Appl. Sci. 2022, 12(18), 9349; https://doi.org/10.3390/app12189349 - 18 Sep 2022
Cited by 2 | Viewed by 1826
Abstract
The SM4 algorithm is widely used to ensure the security of data transmission. The traditional chosen plaintext power attacks against SM4 usually need to analyze four rounds of power traces in turn to recover the secret key. In this paper, we propose a new combined chosen plaintext power analysis, which combines the chosen plaintext power attack and the differential characteristics of the substitution box (S-box) in SM4. In our attack, only the second and fourth round S-box outputs of the SM4 algorithm are used as attack points, and some sensitive fixed intermediate values are obtained by power analysis when inputting specific plaintext. Then the differential analysis of these sensitive intermediate values is carried out to calculate the difference between the input and output of the S-box, and the key can be recovered from the differential characteristics of the S-box. Compared with the traditional chosen plaintext power analysis, which requires four rounds of analysis, our analysis reduces the number of attack rounds to two, and adopts the nonlinear S-box with obvious leakage information as the attack intermediate value, which effectively improves the feasibility of the attack. Finally, a practical attack experiment is carried out on a Field Programmable Gate Array (FPGA) based implementation of the SM4 algorithm, and the results show that our method is feasible and effective for real experiments.
20 pages, 2578 KiB  
Article
A Cyber-Physical Risk Assessment Approach for Internet of Things Enabled Transportation Infrastructure
by Konstantinos Ntafloukas, Daniel P. McCrum and Liliana Pasquale
Appl. Sci. 2022, 12(18), 9241; https://doi.org/10.3390/app12189241 - 15 Sep 2022
Cited by 10 | Viewed by 2554
Abstract
A critical transportation infrastructure integrated with an Internet of Things based wireless sensor network operates as a cyber-physical system. However, the new form of IoT enabled transportation infrastructure is susceptible to cyber-physical attacks in the sensing area, due to inherent cyber vulnerabilities of IoT devices and deficient control barriers that could protect it. Traditional risk assessment processes consider the physical and cyber space as isolated environments, resulting in IoT enabled transportation infrastructure not being assessed by stakeholders (i.e., operators, civil and security engineers) for cyber-physical attacks. In this paper, a new risk assessment approach for cyber-physical attacks against IoT based wireless sensor networks is proposed. The approach relies on the identification and proposal of novel cyber-physical characteristics, in the aspect of threat source (e.g., motives), vulnerability (e.g., lack of authentication mechanisms) and types of physical impacts (e.g., casualties). Cyber-physical risk is computed as a product of the level and importance of these characteristics. Monte Carlo simulations and sensitivity analysis are performed to evaluate the results of an IoT enabled bridge subjected to cyber-physical attack scenarios. The results indicate that 76.6% of simulated cases have high risk, and control barriers operating in physical and cyber space can reduce the cyber-physical risk by 71.8%. Additionally, cyber-physical risk differentiates when the importance of the characteristics that are considered during risk assessment is overlooked. The approach is of interest to stakeholders who attempt to incorporate the cyber domain in risk assessment procedures of their system.
20 pages, 7518 KiB  
Article
Design and Testing of a Computer Security Layer for the LIN Bus
by Felipe Páez and Héctor Kaschel
Sensors 2022, 22(18), 6901; https://doi.org/10.3390/s22186901 - 13 Sep 2022
Cited by 3 | Viewed by 2198
Abstract
Most modern vehicles are connected to the internet via cellular networks for navigation, assistance, etc. via their onboard computer, which can also provide onboard Wi-Fi and Bluetooth services. The main in-vehicle communication buses (CAN, LIN, FlexRay) converge at the vehicle’s onboard computer and offer no computer security features to protect the communication between nodes, thus being highly vulnerable to local and remote cyberattacks which target the onboard computer and/or the vehicle’s electronic control units through the aforementioned buses. To date, several computer security proposals for CAN and FlexRay buses have been published; a formal computer security proposal for LIN bus communications has not been presented. So, we researched possible security mechanisms suitable for this bus’s particularities, tested those mechanisms in microcontroller and PSoC hardware, and developed a prototype LIN network using PSoC nodes programmed with computer security features. This work presents a novel combination of encryption and a hash-based message authentication code (HMAC) scheme with replay attack rejection for LIN communications. The obtained results are promising and show the feasibility of the implementation of a LIN network with real-time computer security protection.
14 pages, 5907 KiB  
Article
A Multiscale Fusion Lightweight Image-Splicing Tamper-Detection Model
by Dan Zhao and Xuedong Tian
Electronics 2022, 11(16), 2621; https://doi.org/10.3390/electronics11162621 - 21 Aug 2022
Cited by 5 | Viewed by 1537
Abstract
The easy availability and usability of photo-editing tools have increased the number of forgery attacks, primarily splicing attacks, thereby increasing cybercrimes. Because of an existing image-splicing tamper-detection algorithm based on deep learning with high model complexity and weak robustness, a multiscale fusion lightweight model for image-splicing tamper detection is proposed. For the above problems and to improve MobileNetV2, the structural block of the classification part of the original network structure was removed, the stride of the sixth largest structural block of the network was changed to 1, the dilated convolution was used instead of downsampling, and the features extracted from the second and third large structural blocks in the network were downsampled with maximal pooling; then, the constraint on the backbone network was increased by jumping connections. Combined with the pyramid pooling module, the acquired feature layers were divided into regions of different sizes for average pooling; then, all feature layers were fused. The experimental results show that it had a low number of parameters and required a small amount of computation, achieving 91.0% and 96.4% precision on CASIA and COLUMB, respectively, and 83.2% and 88.1% F-measure on CASIA and COLUMB, respectively.
31 pages, 4717 KiB  
Article
Development of an Open-Source Testbed Based on the Modbus Protocol for Cybersecurity Analysis of Nuclear Power Plants
by Israel Barbosa de Brito and Rafael T. de Sousa, Jr.
Appl. Sci. 2022, 12(15), 7942; https://doi.org/10.3390/app12157942 - 08 Aug 2022
Cited by 11 | Viewed by 3674
Abstract
The possibility of cyber-attacks against critical infrastructure, and in particular nuclear power plants, has prompted several efforts by academia. Many of these works aim to capture the vulnerabilities of the industrial control systems used in these plants through computer simulations and hardware-in-the-loop configurations. However, general results in this area are limited by the cost and diversity of existing commercial equipment and protocols, as well as by the inherent complexity of the nuclear plants. In this context, this work introduces a testbed for the study of cyber-attacks against a realistic simulation of a nuclear power plant. Our approach consists of surveying issues regarding realistic simulations of nuclear power plants and designing and experimentally validating a software testbed for the controlled analysis of cyberattacks against the simulated nuclear plant. The proposal integrates a simulated Modbus/TCP network environment containing basic industrial control elements implemented with open-source software components. We validate the proposed testbed architecture by performing and analyzing a representative cyberattack in the developed environment, thus showing the principles for the analysis of other possible cybernetic attacks.
4 pages, 166 KiB  
Editorial
Cybersecurity of Critical Infrastructures: Challenges and Solutions
by Leandros Maglaras, Helge Janicke and Mohamed Amine Ferrag
Sensors 2022, 22(14), 5105; https://doi.org/10.3390/s22145105 - 07 Jul 2022
Cited by 3 | Viewed by 2422
Abstract
People’s lives are becoming more and more dependent on information and computer technology [...]
13 pages, 511 KiB  
Article
Network Security Node-Edge Scoring System Using Attack Graph Based on Vulnerability Correlation
by Gun-Yoon Shin, Sung-Sam Hong, Jung-Sik Lee, In-Sung Han, Hwa-Kyung Kim and Haeng-Rok Oh
Appl. Sci. 2022, 12(14), 6852; https://doi.org/10.3390/app12146852 - 06 Jul 2022
Cited by 4 | Viewed by 2257
Abstract
As network technology has advanced, and as larger and larger quantities of data are being collected, networks are becoming increasingly complex. Various vulnerabilities are being identified in such networks, and related attacks are continuously occurring. To solve these problems and improve the overall quality of network security, a network risk scoring technique using attack graphs and vulnerability information must be used. This technology calculates the degree of risk by collecting information and related vulnerabilities in the nodes and the edges existing in the network-based attack graph, and then determining the degree of risk in a specific network location or the degree of risk occurring when a specific route is passed within the network. However, in most previous research, the risk of the entire route has been calculated and evaluated based on node information, rather than edge information. Since these methods do not include correlations between nodes, it is relatively difficult to evaluate the risk. Therefore, in this paper, we propose a vulnerability Correlation and Attack Graph-based node-edge Scoring System (VCAG-SS) that can accurately measure the risk of a specific route. The proposed method uses the Common Vulnerability Scoring System (CVSS) along with node and edge information. Performing the previously proposed arithmetic evaluation of confidentiality, integrity, and availability (CIA) and analyzing the correlation of vulnerabilities between each node make it possible to calculate the attack priority. In the experiment, the risk scores of nodes and edges and the risk of each attack route were calculated. Moreover, the most threatening attack route was found by comparing the attack route risk. This confirmed that the proposed method calculated the risk of the network attack route and was able to effectively select the network route by providing the network route priority according to the risk score.
15 pages, 530 KiB  
Article
A Novel Lightweight Anonymous Proxy Traffic Detection Method Based on Spatio-Temporal Features
by Yanjie He and Wei Li
Sensors 2022, 22(11), 4216; https://doi.org/10.3390/s22114216 - 01 Jun 2022
Cited by 5 | Viewed by 3931
Abstract
Anonymous proxies are used by criminals for illegal network activities due to their anonymity, such as data theft and cyber attacks. Therefore, anonymous proxy traffic detection is very essential for network security. In recent years, detection based on deep learning has become a [...] Read more.
Anonymous proxies are used by criminals for illegal network activities due to their anonymity, such as data theft and cyber attacks. Therefore, anonymous proxy traffic detection is very essential for network security. In recent years, detection based on deep learning has become a hot research topic, since deep learning can automatically extract and select traffic features. To make (heterogeneous) network traffic adapt to the homogeneous input of typical deep learning algorithms, a major branch of existing studies convert network traffic into images for detection. However, such studies are commonly subject to the limitation of large-sized image representation of network traffic, resulting in very large storage and computational resource overhead. To address this limitation, a novel method for anonymous proxy traffic detection is proposed. The method is one of the solutions to reduce storage and computational resource overhead. Specifically, it converts the sequences of the size and inter-arrival time of the first N packets of a flow into images, and then categorizes the converted images using the one-dimensional convolutional neural network. Both proprietary and public datasets are used to validate the proposed method. The experimental results show that the converted images of the method are at least 90% smaller than that of existing image-based deep learning methods. With substantially smaller image sizes, the method can still achieve F1 scores up to 98.51% in Shadowsocks traffic detection and 99.8% in VPN traffic detection. Full article
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

26 pages, 794 KiB  
Article
A Cloud Based Optimization Method for Zero-Day Threats Detection Using Genetic Algorithm and Ensemble Learning
by Mike Nkongolo, Jacobus Philippus Van Deventer, Sydney Mambwe Kasongo, Syeda Rabab Zahra and Joseph Kipongo
Electronics 2022, 11(11), 1749; https://doi.org/10.3390/electronics11111749 - 31 May 2022
Cited by 12 | Viewed by 3049
Abstract
This article presents a cloud-based method to classify 0-day attacks from a novel dataset called UGRansome1819. The primary objective of the research is to classify potential unknown threats using Machine Learning (ML) algorithms and cloud services. Our study contribution uses a novel anomaly detection dataset that carries 0-day attacks to train and test ML algorithms using Amazon Web Services such as S3 bucket and SageMaker. The proposed method used Ensemble Learning with a Genetic Algorithm (GA) optimizer having three ML algorithms such as Naive Bayes (NB), Random Forest (RF), and Support Vector Machine (SVM). These algorithms analyze the dataset by combining each classifier and assessing the classification accuracy of 0-day threats. We have implemented several metrics such as Accuracy, F1-Score, Confusion Matrix, Recall, and Precision to evaluate the performance of the selected algorithms. We have then compared the UGRansome1819 performance complexity with existing datasets using the same optimization settings. The RF implementation (before and after optimization) remains constant on the UGRansome1819 that outperformed the CAIDA and UNSWNB-15 datasets. The optimization technique only improved in Accuracy on the UNSWNB-15 and CAIDA datasets but sufficient performance was achieved in terms of F1-Score with UGRansome1819 using a multi-class classification scheme. The experimental results demonstrate a UGRansome1819 classification ratio of 1% before and after optimization. When compared to the UNSWNB-15 and CAIDA datasets, UGRansome1819 attains the highest accuracy value of 99.6% (prior optimization). The Genetic Algorithm was used as a feature selector and dropped five attributes of the UGRansome1819 causing a decrease in the computational time and over-fitting. The straightforward way to improve the model performance to increase its accuracy after optimization is to add more data samples to the training data. Doing so will add more details to the data, and fine-tuning the model will result in a more accurate and optimized performance. The experiments demonstrate the instability of single classifiers such as SVM and NB and suggest the proposed optimized validation technique which can aggregate weak classifiers (e.g., SVM and NB) into an ensemble of the genetic optimizer to enhance the classification performance. The UGRansome1819 model’s specificity and sensitivity were estimated to be 100% with three predictors of threatening classes (Signature, Synthetic Signature, and Anomaly). Lastly, the test classification accuracy of the SVM model improved by 6% after optimization.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

25 pages, 4304 KiB  
Article
Developing Cybersecurity Systems Based on Machine Learning and Deep Learning Algorithms for Protecting Food Security Systems: Industrial Control Systems
by Hasan Alkahtani and Theyazn H. H. Aldhyani
Electronics 2022, 11(11), 1717; https://doi.org/10.3390/electronics11111717 - 27 May 2022
Cited by 15 | Viewed by 3394
Abstract
Industrial control systems (ICSs) for critical infrastructure are extensively utilized to provide the fundamental functions of society and are frequently employed in critical infrastructure. Therefore, security of these systems from cyberattacks is essential. Over the years, several proposals have been made for various types of cyberattack detection systems, with each concept using a distinct set of processes and methodologies. However, there is a substantial void in the literature regarding approaches for detecting cyberattacks in ICSs. Identifying cyberattacks in ICSs is the primary aim of this proposed research. Anomaly detection in ICSs based on an artificial intelligence algorithm is presented. The methodology is intended to serve as a guideline for future research in this area. On the one hand, machine learning includes logistic regression, k-nearest neighbors (KNN), linear discriminant analysis (LDA), and decision tree (DT) algorithms, deep learning long short-term memory (LSTM), and the convolutional neural network and long short-term memory (CNN-LSTM) network to detect ICS malicious attacks. The proposed algorithms were examined using real ICS datasets from the industrial partners Necon Automation and International Islamic University Malaysia (IIUM). There were three types of attacks: man-in-the-middle (mitm) attack, web-server access attack, and telnet attack, as well as normal. The proposed system was developed in two stages: binary classification and multiclass classification. The binary classification detected the malware as normal or attacks and the multiclass classification was used for detecting all individual attacks. The KNN and DT algorithms achieved superior accuracy (100%) in binary classification and multiclass classification. Moreover, a sensitivity analysis method was presented to predict the error between the target and prediction values. The sensitivity analysis results showed that the KNN and DT algorithms achieved R2 = 100% in both stages. The obtained results were compared with existing systems; the proposed algorithms outperformed existing systems.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

25 pages, 926 KiB  
Article
A Lightweight Multi-Source Fast Android Malware Detection Model
by Tao Peng, Bochao Hu, Junping Liu, Junjie Huang, Zili Zhang, Ruhan He and Xinrong Hu
Appl. Sci. 2022, 12(11), 5394; https://doi.org/10.3390/app12115394 - 26 May 2022
Cited by 9 | Viewed by 2366
Abstract
Most of the current malware detection methods running on Android are based on signature and cloud technologies, leading to poor protection against new types of malware. Deep learning techniques take Android malware detection to a new level. Still, most deep learning-based Android malware detection methods are too inefficient or even unworkable on Android devices due to their high resource consumption. Therefore, this paper proposes MSFDroid, a lightweight multi-source fast Android malware detection model, which uses information from the internal files of the Android application package in several dimensions to build base models for ensemble learning. Meanwhile, this paper proposes an adaptive soft voting method that dynamically adjusts the weights of each base model to overcome the noise generated by traditional soft voting and thus improves the performance. It also proposes an adaptive shrinkage convolutional unit that can dynamically adjust the convolutional kernel’s weight and the activation function’s threshold to improve the expressiveness of the CNN. The proposed method is tested on public datasets and on several real devices. The experimental results show that it achieves a better trade-off between performance and efficiency by significantly improving the detection speed while achieving a comparable performance compared to other deep learning methods.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

19 pages, 878 KiB  
Article
Graph Layer Security: Encrypting Information via Common Networked Physics
by Zhuangkun Wei, Liang Wang, Schyler Chengyao Sun, Bin Li and Weisi Guo
Sensors 2022, 22(10), 3951; https://doi.org/10.3390/s22103951 - 23 May 2022
Cited by 4 | Viewed by 2162
Abstract
The proliferation of low-cost Internet of Things (IoT) devices has led to a race between wireless security and channel attacks. Traditional cryptography requires high computational power and is not suitable for low-power IoT scenarios. Whilst recently developed physical layer security (PLS) can exploit common wireless channel state information (CSI), its sensitivity to channel estimation makes it vulnerable to attacks. In this work, we exploit an alternative common physics shared between IoT transceivers: the monitored channel-irrelevant physical networked dynamics (e.g., water/oil/gas/electrical signal-flows). Leveraging this, we propose, for the first time, graph layer security (GLS), by exploiting the dependency in physical dynamics among network nodes for information encryption and decryption. A graph Fourier transform (GFT) operator is used to characterise such dependency into a graph-bandlimited subspace, which allows the generation of channel-irrelevant cipher keys by maximising the secrecy rate. We evaluate our GLS against designed active and passive attackers, using the IEEE 39-Bus system. Results demonstrate that GLS is not reliant on wireless CSI, and can combat attackers that have partial networked dynamic knowledge (realistic access to full dynamic and critical nodes remains challenging). We believe this novel GLS has widespread applicability in secure health monitoring and for digital twins in adversarial radio environments.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

15 pages, 377 KiB  
Article
A Fine-Grained Secure Service Provisioning Platform for Hypervisor Systems
by Junho Seo, Seonah Lee, Ki-Il Kim and Kyong Hoon Kim
Electronics 2022, 11(10), 1606; https://doi.org/10.3390/electronics11101606 - 18 May 2022
Cited by 2 | Viewed by 1605
Abstract
As computing technology has been recently widely adopted, most computing devices provide security-related services as basic requirements, which is an important research issue for sustainability of computing devices. The rapid increase of software components makes it difficult to detect or prevent vulnerabilities in the large-size software. One of the prominent approaches for ensuring secure service is the isolation of service which allows the related code and data to be executed only in a particular area. In this paper, we provide a secure service provisioning platform for hypervisor systems. The main contribution of the proposed framework is to enhance the previous secure service provisioning platform in order to solve the non-preemption problem of secure services. Thus, the proposed framework improves the security isolation service in hypervisors and can be used for fine-grained secure service in secure embedded systems.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

16 pages, 21517 KiB  
Article
One-Class LSTM Network for Anomalous Network Traffic Detection
by Yanmiao Li, Yingying Xu, Yankun Cao, Jiangang Hou, Chun Wang, Wei Guo, Xin Li, Yang Xin, Zhi Liu and Lizhen Cui
Appl. Sci. 2022, 12(10), 5051; https://doi.org/10.3390/app12105051 - 17 May 2022
Cited by 7 | Viewed by 2673
Abstract
Artificial intelligence-assisted security is an important field of research in relation to information security. One of the most important tasks is to distinguish between normal and abnormal network traffic (such as malicious or sudden traffic). Traffic data are usually extremely unbalanced, and this seriously hinders the detection of outliers. Therefore, the identification of outliers in unbalanced datasets has become a key issue. To help solve this challenge, there is increasing interest in focusing on one-class classification methods that train models based on the samples of a single given class. In this paper, long short-term memory (LSTM) is introduced into one-class classification, and one-class LSTM (OC-LSTM) is proposed based on the traditional one-class support vector machine (OC-SVM). In contrast with other hybrid deep learning methods based on auto-encoders, the proposed method is an end-to-end training network that uses a loss function such as the OC-SVM optimization objective for model training. A comprehensive experiment on three large complex network traffic datasets showed that this method is superior to the traditional shallow method and the most advanced deep method. Furthermore, the proposed method can provide an effective reference for anomaly detection research in the field of network security, especially for the application of one-class classification.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

29 pages, 3410 KiB  
Article
A Configurable Dependency Model of a SCADA System for Goal-Oriented Risk Assessment
by Yulia Cherdantseva, Pete Burnap, Simin Nadjm-Tehrani and Kevin Jones
Appl. Sci. 2022, 12(10), 4880; https://doi.org/10.3390/app12104880 - 11 May 2022
Cited by 10 | Viewed by 2590
Abstract
A key purpose of a Supervisory Control and Data Acquisition (SCADA) system is to enable either on-site or remote supervisory control and monitoring of physical processes of various natures. In order for a SCADA system to operate safely and securely, a wide range of experts with diverse backgrounds must work in close rapport. It is critical to have an overall view of an entire system at a high level of abstraction which is accessible to all experts involved, and which assists with gauging and assessing risks to the system. Furthermore, a SCADA system is composed of a large number of interconnected technical and non-technical sub-elements, and it is crucial to capture the dependencies between these sub-elements for a comprehensive and rigorous risk assessment. In this paper, we present a generic configurable dependency model of a SCADA system which captures complex dependencies within a system and facilitates goal-oriented risk assessment. The model was developed by collecting and analysing the understanding of the dependencies within a SCADA system from 36 domain experts. We describe a methodology followed for developing the dependency model, present an illustrative example where the generic dependency model is configured for a SCADA system controlling water distribution, and outline an exemplary risk assessment process based on it.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

14 pages, 551 KiB  
Article
Cyber-Security Threats and Side-Channel Attacks for Digital Agriculture
by Adel N. Alahmadi, Saeed Ur Rehman, Husain S. Alhazmi, David G. Glynn, Hatoon Shoaib and Patrick Solé
Sensors 2022, 22(9), 3520; https://doi.org/10.3390/s22093520 - 05 May 2022
Cited by 23 | Viewed by 7647
Abstract
The invention of smart low-power devices and ubiquitous Internet connectivity have facilitated the shift of many labour-intensive jobs into the digital domain. The shortage of skilled workforce and the growing food demand have led the agriculture sector to adapt to the digital transformation. Smart sensors and systems are used to monitor crops, plants, the environment, water, soil moisture, and diseases. The transformation to digital agriculture would improve the quality and quantity of food for the ever-increasing human population. This paper discusses the security threats and vulnerabilities to digital agriculture, which are overlooked in other published articles. It also provides a comprehensive review of the side-channel attacks (SCA) specific to digital agriculture, which have not been explored previously. The paper also discusses the open research challenges and future directions.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

18 pages, 341 KiB  
Article
A Secure Communication Method Based on Message Hash Chain
by Mingxuan Han and Wenbao Jiang
Appl. Sci. 2022, 12(9), 4505; https://doi.org/10.3390/app12094505 - 29 Apr 2022
Cited by 2 | Viewed by 1830
Abstract
Traditional network communication methods lack endogenous security mechanisms, which is the root cause of network security problems, e.g., spoofing identity and address forgery. This paper proposes a secure communication method based on the message hash chain, referred to as the chain communication method or MHC method. We use the message hash chain to ensure the immutability, non-repudiation and reliability of the transmission process, and the integrity and synchronization of the message. At the same time, we can sign and authenticate data streams in batches through chain signature and authentication technology, which can significantly reduce the overhead of signature and authentication, thereby improving the efficiency of secure message transmission. This paper formally proves the security of the message hash chain, conducts an in-depth analysis of the reliability of the MHC method, and conducts relevant experimental tests. The results show that the average transmission efficiency of the MHC method applied at the network layer is about 70% lower than that of the IP protocol communication method without a security mechanism. However, it is about 5% higher than the average transmission efficiency of the non-repudiation IPSec protocol communication method. The average transmission efficiency of the MHC method is about 23.5 times higher than that of the IP protocol communication method with the packet-by-packet signature. It is easier to ensure the non-repudiation of the data stream.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)
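The abstract above explains the idea of a message hash chain in words; the following added example (not the paper's code, and not an implementation of its exact construction) shows the mechanics that make "batch signature" work: every message carries a link hash bound to the previous link, so the receiver checks integrity and ordering per message, and a single tag over the final link authenticates every message in the batch. The batch tag here is an HMAC under a constructed pre-shared key, chosen to keep the example standard-library only; that is an assumption and a deliberate substitution, because an HMAC gives authentication but not non-repudiation, which is what a signature over the final link would add. The genesis link, the key and the payloads are all constructed.

```python
"""Added example: a message hash chain with per-message link checks and one batch tag."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List

GENESIS_LINK = b"\x00" * 32          # assumed: chain anchor agreed by both peers
BATCH_KEY = b"constructed-demo-key"  # constructed: pre-shared key standing in for a signing key


@dataclass(frozen=True)
class ChainedMessage:
    seq: int        # position in the stream, starts at 1
    payload: bytes
    link: bytes     # SHA-256(prev_link || seq || len(payload) || payload)


def next_link(prev_link: bytes, seq: int, payload: bytes) -> bytes:
    """Link of this message: commits to the previous link, the sequence number and the payload."""
    h = hashlib.sha256()
    h.update(prev_link)
    h.update(seq.to_bytes(8, "big"))
    h.update(len(payload).to_bytes(4, "big"))  # length prefix removes boundary ambiguity
    h.update(payload)
    return h.digest()


class Sender:
    def __init__(self, key: bytes = BATCH_KEY):
        self._key, self._prev, self._seq = key, GENESIS_LINK, 0

    def send(self, payload: bytes) -> ChainedMessage:
        self._seq += 1
        link = next_link(self._prev, self._seq, payload)
        self._prev = link
        return ChainedMessage(self._seq, payload, link)

    def batch_tag(self) -> bytes:
        # One tag covers every message sent so far: the final link commits to the whole chain.
        return hmac.new(self._key, self._prev, hashlib.sha256).digest()


class Receiver:
    def __init__(self, key: bytes = BATCH_KEY):
        self._key, self._prev, self._expected_seq = key, GENESIS_LINK, 1
        self.accepted: List[bytes] = []

    def receive(self, msg: ChainedMessage) -> bool:
        """Accept msg only if it is next in sequence and its link recomputes correctly."""
        if msg.seq != self._expected_seq:
            return False                      # dropped, replayed or reordered packet
        if not hmac.compare_digest(next_link(self._prev, msg.seq, msg.payload), msg.link):
            return False                      # payload or link tampered in transit
        self._prev = msg.link
        self._expected_seq += 1
        self.accepted.append(msg.payload)
        return True

    def verify_batch(self, tag: bytes) -> bool:
        """Authenticate every accepted message at once via the tag over the final link."""
        return hmac.compare_digest(hmac.new(self._key, self._prev, hashlib.sha256).digest(), tag)


def run_scenarios() -> dict:
    """Honest stream, modified payload, replayed packet, and a chain rebuilt by an attacker."""
    results = {}
    # 1. Honest stream: every message accepted, one tag verifies the batch.
    s, r = Sender(), Receiver()
    msgs = [s.send(p) for p in (b"SET valve=open", b"SET pump=on", b"ACK")]
    results["honest_accepted"] = all(r.receive(m) for m in msgs)
    results["honest_tag_ok"] = r.verify_batch(s.batch_tag())
    # 2. Payload changed on the wire: link no longer recomputes, message rejected.
    s, r = Sender(), Receiver()
    m1 = s.send(b"SET valve=open")
    results["tamper_rejected"] = not r.receive(ChainedMessage(m1.seq, b"SET valve=shut", m1.link))
    # 3. Replay of an accepted message: the sequence check rejects it.
    s, r = Sender(), Receiver()
    m1 = s.send(b"SET pump=on")
    r.receive(m1)
    results["replay_rejected"] = not r.receive(m1)
    # 4. Attacker builds a perfectly consistent chain (no key needed for links)
    #    but cannot produce the batch tag, so the batch fails authentication.
    s, r = Sender(key=b"attacker-key"), Receiver()
    for p in (b"SET pump=on", b"SET valve=open"):
        r.receive(s.send(p))
    results["forged_tag_rejected"] = not r.verify_batch(s.batch_tag())
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

Scenario 4 is the one to keep in mind when reading the efficiency numbers: the links alone are keyless, so they bind order and content but prove nothing about origin; origin (and, with a signature in place of the HMAC, non-repudiation) comes only from the single tag over the final link, which is why one signature per batch suffices instead of one per packet.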

14 pages, 1080 KiB  
Article
Malcertificate: Research and Implementation of a Malicious Certificate Detection Algorithm Based on GCN
by Jingru Liu, Nurbol Luktarhan, Yuyuan Chang and Wenjie Yu
Appl. Sci. 2022, 12(9), 4440; https://doi.org/10.3390/app12094440 - 27 Apr 2022
Cited by 1 | Viewed by 3072
Abstract
Encryption is widely used to ensure the security and confidentiality of information. Because people trust in encryption technology, a series of attack methods based on certificates have been derived. Malicious certificates protect many malicious behaviors and threaten data security. To counter this threat, machine learning algorithms are widely used in malicious certificate detection. However, the detection efficiency of such algorithms largely depends on whether the extracted features can effectively represent the data. In contrast, graph convolutional networks (GCNs) can automatically extract useful features. GCNs are powerful at fitting graph data, which can improve the effectiveness of learning systems by efficiently embedding prior knowledge in an end-to-end manner. In this paper, we propose an algorithm for detecting malicious digital certificates with GCNs. Firstly, we transform the digital certificate dataset with PEM document structure into a corpus of graph structure based on attribute co-occurrence and document attribute relations. Then, we put the graph structure certificate dataset into a GCN for training. The results of the experiment show that GCN is very effective in certificate classification and outperforms traditional machine learning algorithms and extant neural network algorithms. The accuracy of our algorithm to detect malicious certificates is 97.41%. This shows that our algorithm is very effective.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

24 pages, 1809 KiB  
Article
An Environment-Specific Prioritization Model for Information-Security Vulnerabilities Based on Risk Factor Analysis
by Jorge Reyes, Walter Fuertes, Paco Arévalo and Mayra Macas
Electronics 2022, 11(9), 1334; https://doi.org/10.3390/electronics11091334 - 22 Apr 2022
Cited by 5 | Viewed by 2634
Abstract
Vulnerabilities represent a constant and growing risk for organizations. Their successful exploitation compromises the integrity and availability of systems. The use of specialized tools facilitates the vulnerability monitoring and scanning process. However, the large amount of information transmitted over the network makes it difficult to prioritize the identified vulnerabilities based on their severity and impact. This research aims to design and implement a prioritization model for detecting vulnerabilities based on their network environment variables and characteristics. A mathematical prioritization model was developed, which allows for calculating the risk factor using the phases of collection, analysis, and extraction of knowledge from the open information sources of the OSINT framework. The input data were obtained through the Shodan REST API. Then, the mathematical model was applied to the relevant information on vulnerabilities and their environment to quantify and calculate the risk factor. Additionally, a software prototype was designed and implemented that automates the prioritization process through a Client–Server architecture incorporating data extraction, correlation, and calculation modules. The results show that prioritization of vulnerabilities was achieved with the information available to the attacker, which allows evaluating the overexposure of information from organizations. Finally, we concluded that Shodan has relevant variables that assess and quantify the overexposure of an organization’s data. In addition, we determined that the Common Vulnerability Scoring System (CVSS) is not sufficient to prioritize software vulnerabilities since the environments where they reside have different characteristics.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

17 pages, 3886 KiB  
Article
Using Singular Value Decomposition and Chaotic Maps for Selective Encryption of Video Feeds in Smart Traffic Management
by Oussama Benrhouma, Ahmad B. Alkhodre, Ali AlZahrani, Abdallah Namoun and Wasim A. Bhat
Appl. Sci. 2022, 12(8), 3917; https://doi.org/10.3390/app12083917 - 13 Apr 2022
Cited by 7 | Viewed by 1843
Abstract
Traffic management in a smart city mainly relies on video feeds from various sources such as street cameras, car dash cams, traffic signal cameras, and so on. Ensuring the confidentiality of these video feeds during transmission is necessary. However, due to these devices’ poor processing power and memory capacity, the applicability of traditional encryption algorithms is not feasible. Therefore, a selective encryption system based on singular value decomposition (SVD) and chaotic maps is presented in this study. The proposed cryptosystem can be used in smart traffic management. We apply SVD to identify the most significant parts of each frame of the video feed for encryption. Chaotic systems were deployed to achieve high diffusion and confusion properties in the resulting cipher. Our results suggest that the computational overhead is significantly less than that of the traditional approaches with no compromise on the strength of the encryption.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

19 pages, 780 KiB  
Article
Ransomware-Resilient Self-Healing XML Documents
by Mahmoud Al-Dwairi, Ahmed S. Shatnawi, Osama Al-Khaleel and Basheer Al-Duwairi
Future Internet 2022, 14(4), 115; https://doi.org/10.3390/fi14040115 - 07 Apr 2022
Cited by 7 | Viewed by 2826
Abstract
In recent years, various platforms have witnessed an unprecedented increase in the number of ransomware attacks targeting hospitals, governments, enterprises, and end-users. The purpose of this is to maliciously encrypt documents and files on infected machines, depriving victims of access to their data, whereupon attackers would seek some sort of a ransom in return for restoring access to the legitimate owners; hence the name. This cybersecurity threat would inherently cause substantial financial losses and time wastage for affected organizations and users. A great deal of research has taken place across academia and around the industry to combat this threat and mitigate its danger. These ongoing endeavors have resulted in several detection and prevention schemas. Nonetheless, these approaches do not cover all possible risks of losing data. In this paper, we address this facet and provide an efficient solution that would ensure an efficient recovery of XML documents from ransomware attacks. This paper proposes a self-healing version-aware ransomware recovery (SH-VARR) framework for XML documents. The proposed framework is based on the novel idea of using the link concept to maintain file versions in a distributed manner while applying access-control mechanisms to protect these versions from being encrypted or deleted. The proposed SH-VARR framework is experimentally evaluated in terms of storage overhead, time requirement, CPU utilization, and memory usage. Results show that the snapshot size increases proportionately with the original size; the time required is less than 120 ms for files that are less than 1 MB in size; and the highest CPU utilization occurs when using bzip2. Moreover, when zip and gzip are used, the memory usage is almost fixed (around 6.8 KB). In contrast, it increases to around 28 KB when bzip2 is used.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

13 pages, 1928 KiB  
Article
Security Ontology Structure for Formalization of Security Document Knowledge
by Simona Ramanauskaitė, Anatoly Shein, Antanas Čenys and Justinas Rastenis
Electronics 2022, 11(7), 1103; https://doi.org/10.3390/electronics11071103 - 31 Mar 2022
Cited by 4 | Viewed by 1967
Abstract
Cybersecurity solutions are highly based on data analysis. Currently, it is not enough to make an automated decision; it also has to be explainable. The decision-making logic traceability should be provided in addition to justification by referencing different data sources and evidence. However, the existing security ontologies, used for the implementation of expert systems and serving as a knowledge base, lack interconnectivity between different data sources and computer-readable linking to the data source. Therefore, this paper aims to increase the possibilities of ontology-based cyber intelligence solutions, by presenting a security ontology structure for data storage to the ontology from different text-based data sources, supporting the knowledge traceability and relationship estimation between different security documents. The proposed ontology structure is tested by storing data of three text-based data sources, and its application possibilities are provided. The study shows that the structure is adaptable for different text data sources and provides an additional value related to security area extension.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

10 pages, 2492 KiB  
Article
A Detection Method for Social Network Images with Spam, Based on Deep Neural Network and Frequency Domain Pre-Processing
by Hua Shen, Xinyue Liu and Xianchao Zhang
Electronics 2022, 11(7), 1081; https://doi.org/10.3390/electronics11071081 - 29 Mar 2022
Cited by 2 | Viewed by 1763
Abstract
As a result of the rapid development of internet technology, images are widely used on various social networks, such as WeChat, Twitter or Facebook. It follows that images with spam can also be freely transmitted on social networks. Most of the traditional methods can only detect spam in the form of links and texts; there are few studies on detecting images with spam. To this end, a novel detection method for identifying social images with spam, based on deep neural network and frequency domain pre-processing, is proposed in this paper. Firstly, we collected several images with embedded spam and combined the DIV2K2017 dataset to build an image dataset for training the proposed detection model. Then, the specific components of the spam in the images were determined through experiments and the pre-processing module was specially designed. Low-frequency domain regions with less spam are discarded through Haar wavelet transform analysis. In addition, a feature extraction module with special convolutional layers was designed, and an appropriate number of modules was selected to maximize the extraction of three different high-frequency feature regions. Finally, the different high-frequency features are spliced along the channel dimension to obtain the final classification result. Our extensive experimental results indicate that the spam element mainly exists in the images as high-frequency information components; they also prove that the proposed model is superior to the state-of-the-art detection models in terms of detection accuracy and detection efficiency.
(This article belongs to the Topic Cyber Security and Critical Infrastructures)

18 pages, 3711 KiB  
Article
Adaptative Perturbation Patterns: Realistic Adversarial Learning for Robust Intrusion Detection
by João Vitorino, Nuno Oliveira and Isabel Praça
Future Internet 2022, 14(4), 108; https://doi.org/10.3390/fi14040108 - 29 Mar 2022
Cited by 13 | Viewed by 7870
Abstract
Adversarial attacks pose a major threat to machine learning and to the systems that rely on it. In the cybersecurity domain, adversarial cyber-attack examples capable of evading detection are especially concerning. Nonetheless, an example generated for a domain with tabular data must be realistic within that domain. This work establishes the fundamental constraint levels required to achieve realism and introduces the adaptative perturbation pattern method (A2PM) to fulfill these constraints in a gray-box setting. A2PM relies on pattern sequences that are independently adapted to the characteristics of each class to create valid and coherent data perturbations. The proposed method was evaluated in a cybersecurity case study with two scenarios: Enterprise and Internet of Things (IoT) networks. Multilayer perceptron (MLP) and random forest (RF) classifiers were created with regular and adversarial training, using the CIC-IDS2017 and IoT-23 datasets. In each scenario, targeted and untargeted attacks were performed against the classifiers, and the generated examples were compared with the original network traffic flows to assess their realism. The obtained results demonstrate that A2PM provides a scalable generation of realistic adversarial examples, which can be advantageous for both adversarial training and attacks.

16 pages, 1422 KiB  
Article
Evaluation of Contextual and Game-Based Training for Phishing Detection
by Joakim Kävrestad, Allex Hagberg, Marcus Nohlberg, Jana Rambusch, Robert Roos and Steven Furnell
Future Internet 2022, 14(4), 104; https://doi.org/10.3390/fi14040104 - 25 Mar 2022
Cited by 10 | Viewed by 5026
Abstract
Cybersecurity is a pressing matter, and a lot of the responsibility for cybersecurity is put on the individual user. The individual user is expected to engage in secure behavior by selecting good passwords, identifying malicious emails, and more. Typical support for users comes from Information Security Awareness Training (ISAT), which makes the effectiveness of ISAT a key cybersecurity issue. This paper presents an evaluation of how two promising methods for ISAT support users in achieving secure behavior using a simulated experiment with 41 participants. The methods were game-based training, where users learn by playing a game, and Context-Based Micro-Training (CBMT), where users are presented with short information in a situation where the information is of direct relevance. Participants were asked to identify phishing emails while their behavior was monitored using an eye-tracking technique. The research shows that both training methods can support users towards secure behavior and that CBMT does so to a higher degree than game-based training. The research further shows that most participants were susceptible to phishing, even after training, which suggests that training alone is insufficient to make users behave securely. Consequently, future research ideas, where training is combined with other support systems, are proposed.

19 pages, 799 KiB  
Article
Less Is More: Robust and Novel Features for Malicious Domain Detection
by Chen Hajaj, Nitay Hason and Amit Dvir
Electronics 2022, 11(6), 969; https://doi.org/10.3390/electronics11060969 - 21 Mar 2022
Cited by 7 | Viewed by 2919
Abstract
Malicious domains are increasingly common and pose a severe cybersecurity threat. Specifically, many types of current cyber attacks use URLs for attack communications (e.g., C&C, phishing, and spear-phishing). Despite the continuous progress in detecting cyber attacks, there are still critical weak spots in the structure of defense mechanisms. Since machine learning has become one of the most prominent malware detection methods, a robust feature selection mechanism is proposed that results in malicious domain detection models that are resistant to evasion attacks. This mechanism exhibits a high performance based on empirical data. This paper makes two main contributions: First, it provides an analysis of robust feature selection based on widely used features in the literature. Note that even though the feature set dimensional space is cut by half, the performance of the classifier is still improved (an increase in the model’s F1-score from 92.92% to 95.81%). Second, it introduces novel features that are robust with regard to the adversary’s manipulation. Based on an extensive evaluation of the different feature sets and commonly used classification models, this paper shows that models based on robust features are resistant to malicious perturbations and concurrently are helpful in classifying non-manipulated data.

20 pages, 504 KiB  
Article
Authentication and Authorization in Microservices Architecture: A Systematic Literature Review
by Murilo Góes de Almeida and Edna Dias Canedo
Appl. Sci. 2022, 12(6), 3023; https://doi.org/10.3390/app12063023 - 16 Mar 2022
Cited by 16 | Viewed by 10409
Abstract
The microservice architectural style splits an application into small services, which are implemented independently, with their own deployment unit. This architecture can bring benefits; nevertheless, it also poses challenges, especially about security aspects. In this case, there are several microservices within a single system, which represents an increase in the exposure of the safety surface; unlike the monolithic style, there are several applications running independently that must be secured individually. In this architecture, microservices communicate with each other, sometimes in a trust relationship. In this way, unauthorized access to a specific microservice could compromise an entire system. Therefore, it brings a need to explore knowledge about issues of security in microservices, especially in aspects of authentication and authorization. In this work, a Systematic Literature Review is carried out to answer questions on this subject, involving aspects of the challenges, mechanisms and technologies that deal with authentication and authorization in microservices. It was found that there are few studies dealing with the subject, especially in practical order; however, there is a consensus that communication between microservices, mainly due to its individual and trustworthy characteristics, is a concern to be considered. To face the problems, mechanisms such as OAuth 2.0, OpenID Connect, API Gateway and JWT are used. Finally, it was found that there are few open-source technologies that implement the researched mechanisms, with some mentions of the Spring Framework.

26 pages, 12811 KiB  
Article
Artificial Intelligence Algorithms for Malware Detection in Android-Operated Mobile Devices
by Hasan Alkahtani and Theyazn H. H. Aldhyani
Sensors 2022, 22(6), 2268; https://doi.org/10.3390/s22062268 - 15 Mar 2022
Cited by 36 | Viewed by 5647
Abstract
With the rapid expansion of the use of smartphone devices, malicious attacks against Android mobile devices have increased. The Android system adopted a wide range of sensitive applications such as banking applications; therefore, it is becoming the target of malware that exploits the vulnerabilities of the security system. A few studies proposed models for the detection of mobile malware. Nevertheless, improvements are required to achieve maximum efficiency and performance. Hence, we implemented machine learning and deep learning approaches to detect Android-directed malicious attacks. The support vector machine (SVM), k-nearest neighbors (KNN), linear discriminant analysis (LDA), long short-term memory (LSTM), convolution neural network-long short-term memory (CNN-LSTM), and autoencoder algorithms were applied to identify malware in mobile environments. The cybersecurity system was tested with two Android mobile benchmark datasets. The correlation was calculated to find the high-percentage significant features of these systems in the protection against attacks. The machine learning and deep learning algorithms successfully detected the malware on Android applications. The SVM algorithm achieved the highest accuracy (100%) using the CICAndMal2017 dataset. The LSTM model also achieved a high percentage accuracy (99.40%) using the Drebin dataset. Additionally, by calculating the mean error, mean square error, root mean square error, and Pearson correlation, we found a strong relationship between the predicted values and the target values in the validation phase. The correlation coefficient for the SVM method was R2 = 100% using the CICAndMal2017 dataset, and LSTM achieved R2 = 97.39% in the Drebin dataset. Our results were compared with existing security systems, showing that the SVM, LSTM, and CNN-LSTM algorithms are of high efficiency in the detection of malware in the Android environment.

28 pages, 917 KiB  
Article
A Novel Model for Vulnerability Analysis through Enhanced Directed Graphs and Quantitative Metrics
by Ángel Longueira-Romero, Rosa Iglesias, Jose Luis Flores and Iñaki Garitano
Sensors 2022, 22(6), 2126; https://doi.org/10.3390/s22062126 - 09 Mar 2022
Cited by 7 | Viewed by 3454
Abstract
The rapid evolution of industrial components, the paradigm of Industry 4.0, and the new connectivity features introduced by 5G technology all increase the likelihood of cybersecurity incidents. Such incidents are caused by the vulnerabilities present in these components. Designing a secure system is critical, but it is also complex, costly, and an extra factor to manage during the lifespan of the component. This paper presents a model to analyze the known vulnerabilities of industrial components over time. The proposed Extended Dependency Graph (EDG) model is based on two main elements: a directed graph representation of the internal structure of the component, and a set of quantitative metrics based on the Common Vulnerability Scoring System (CVSS). The EDG model can be applied throughout the entire lifespan of a device to track vulnerabilities, identify new requirements, root causes, and test cases. It also helps prioritize patching activities. The model was validated by application to the OpenPLC project. The results reveal that most of the vulnerabilities associated with OpenPLC were related to memory buffer operations and were concentrated in the libssl library. The model was able to determine new requirements and generate test cases from the analysis.

23 pages, 5426 KiB  
Article
A Study on Reversible Data Hiding Technique Based on Three-Dimensional Prediction-Error Histogram Modification and a Multilayer Perceptron
by Chih-Chieh Hung, Chuang-Chieh Lin, Hsien-Chu Wu and Chia-Wei Lin
Appl. Sci. 2022, 12(5), 2502; https://doi.org/10.3390/app12052502 - 28 Feb 2022
Cited by 6 | Viewed by 2071
Abstract
In the past few years, with the development of information technology and the focus on information security, many studies have gradually been aimed at data hiding technology. The embedding and extraction algorithms are mainly used by the technology to hide the data that requires secret transmission into a multimedia carrier so that the data transmission cannot be realized to achieve secure communication. Among them, reversible data hiding (RDH) is a technology for the applications that demand the secret data extraction as well as the original carrier recovery without distortion, such as remote medical diagnosis or military secret transmission. In this work, we hypothesize that the RDH performance can be enhanced by a more accurate pixel value predictor. We propose a new RDH scheme of prediction-error expansion (PEE) based on a multilayer perceptron, which is an extensively used artificial neural network in plenty of applications. The scheme utilizes the correlation between image pixel values and their adjacent pixels to obtain a well-trained multilayer perceptron so that we are capable of achieving more accurate pixel prediction results. Our data mapping method based on the three-dimensional prediction-error histogram modification uses all eight octants in the three-dimensional space for secret data embedding. The experimental results of our RDH scheme show that the embedding capacity greatly increases and the image quality is still well maintained.

17 pages, 2089 KiB  
Article
Few-Shot Network Intrusion Detection Using Discriminative Representation Learning with Supervised Autoencoder
by Auwal Sani Iliyasu, Usman Alhaji Abdurrahman and Lirong Zheng
Appl. Sci. 2022, 12(5), 2351; https://doi.org/10.3390/app12052351 - 24 Feb 2022
Cited by 11 | Viewed by 3505
Abstract
Recently, intrusion detection methods based on supervised deep learning techniques (DL) have seen widespread adoption by the research community, as a result of advantages, such as the ability to learn useful feature representations from input data without excessive manual intervention. However, these techniques require large amounts of data to generalize well. Collecting a large-scale malicious sample is non-trivial, especially in the modern day with its constantly evolving landscape of cyber-threats. On the other hand, collecting a few-shot of malicious samples is more realistic in practical settings, as in cases such as zero-day attacks, where security agents are only able to intercept a limited number of such samples. Hence, intrusion detection methods based on few-shot learning are emerging as an alternative to conventional supervised learning approaches to simulate more realistic settings. Therefore, in this paper, we propose a novel method that leverages discriminative representation learning with a supervised autoencoder to achieve few-shot intrusion detection. Our approach is implemented in two stages: we first train a feature extractor model with known classes of malicious samples using a discriminative autoencoder, and then in the few-shot detection stage, we use the trained feature extractor model to fit a classifier with a few-shot examples of the novel attack class. We are able to achieve detection rates of 99.5% and 99.8% for both the CIC-IDS2017 and NSL-KDD datasets, respectively, using only 10 examples of an unseen attack.

16 pages, 3924 KiB  
Article
Towards a Hybrid Machine Learning Model for Intelligent Cyber Threat Identification in Smart City Environments
by Najla Al-Taleb and Nazar Abbas Saqib
Appl. Sci. 2022, 12(4), 1863; https://doi.org/10.3390/app12041863 - 11 Feb 2022
Cited by 11 | Viewed by 3101
Abstract
The concept of a smart city requires the integration of information and communication technologies and devices over a network for the better provision of services to citizens. As a result, the quality of living is improved by continuous analyses of data to improve service delivery by governments and other organizations. Due to the presence of extensive devices and data flow over networks, the probability of cyber attacks and intrusion detection has increased. The monitoring of this huge amount of data traffic is very difficult, though machine learning algorithms have huge potential to support this task. In this study, we compared different machine learning models used for cyber threat classification. Our comparison was focused on the analyzed cyber threats, algorithms, and performance of these models. We have identified that real-time classification, accuracy, and false-positive rates are still the major issues in the performance of existing models. Accordingly, we have proposed a hybrid deep learning (DL) model for cyber threat intelligence (CTI) to improve threat classification performance. Our model was based on a convolutional neural network (CNN) and quasi-recurrent neural network (QRNN). The use of QRNN not only resulted in improved accuracy but also enabled real-time classification. The model was tested on BoT-IoT and TON_IoT datasets, and the results showed that the proposed model outperformed the other models. Due to this improved performance, we emphasize that the application of this model in the real-time environment of a smart system network will help in reducing threats in a reasonable time.

21 pages, 5989 KiB  
Article
CVDF DYNAMIC—A Dynamic Fuzzy Testing Sample Generation Framework Based on BI-LSTM and Genetic Algorithm
by Mingrui Ma, Lansheng Han and Yekui Qian
Sensors 2022, 22(3), 1265; https://doi.org/10.3390/s22031265 - 07 Feb 2022
Cited by 2 | Viewed by 2055
Abstract
As one of the most effective methods of vulnerability mining, fuzzy testing has scalability and complex path detection ability. Fuzzy testing sample generation is the key step of fuzzy testing, and the quality of the samples directly determines the vulnerability mining ability of the fuzzy tester. At present, the known sample generation methods focus on code coverage or seed mutation under a critical execution path, so it is difficult to take both into account. Therefore, based on the idea of ensemble learning in artificial intelligence, we propose a fuzzy testing sample generation framework named CVDF DYNAMIC, which is based on a genetic algorithm and a BI-LSTM neural network. The main purpose of CVDF DYNAMIC is to generate fuzzy testing samples with both code coverage and path depth detection ability. CVDF DYNAMIC generates its own test case sets through the BI-LSTM neural network and the genetic algorithm. Then, we integrate the two sample sets through the idea of ensemble learning to obtain a sample set with both code coverage and vulnerability mining ability for a critical execution path of the program. In order to improve the efficiency of fuzzy testing, we use a heuristic genetic algorithm to simplify the integrated sample set. We also innovatively put forward the evaluation index of path depth detection ability (pdda), which can effectively measure the vulnerability mining ability of the generated test case set under the critical execution path of the program. Finally, we compare CVDF DYNAMIC with some existing fuzzy testing tools and scientific research results and further propose future improvement ideas for CVDF DYNAMIC.

30 pages, 6627 KiB  
Article
Bit-Level Automotive Controller Area Network Message Reverse Framework Based on Linear Regression
by Zixiang Bi, Guoai Xu, Guosheng Xu, Chenyu Wang and Sutao Zhang
Sensors 2022, 22(3), 981; https://doi.org/10.3390/s22030981 - 27 Jan 2022
Cited by 7 | Viewed by 2902
Abstract
Modern intelligent and networked vehicles are increasingly equipped with electronic control units (ECUs) with increased computing power. These electronic devices form an in-vehicle network via the Controller Area Network (CAN) bus, the de facto standard for modern vehicles. Although many ECUs provide convenience to drivers and passengers, they also increase the potential for cyber security threats in motor vehicles. Numerous attacks on vehicles have been reported, and the commonality among these attacks is that they inject malicious messages into the CAN network. To close the security holes of CAN, original equipment manufacturers (OEMs) keep the Database CAN (DBC) file, which describes the content of CAN messages, confidential. This policy is ineffective against cyberattacks but limits in-depth investigation of CAN messages and hinders the development of in-vehicle intrusion detection systems (IDS) and CAN fuzz testing. Current research reverses CAN messages through tokenization, machine learning, and diagnostic information matching to obtain details of CAN messages. However, the results of these algorithms yield only a fraction of the information specified in the DBC file regarding CAN messages, such as field boundaries and message IDs associated with specific functions. In this study, we propose multiple linear regression-based frameworks for bit-level inversion of CAN messages that can approximate the inversion of DBC files. The framework builds a multiple linear regression model for vehicle behavior and CAN traffic, filters the candidate messages based on the decision coefficients, and finally locates the bits describing the vehicle behavior to obtain the data length and alignment based on the model parameters. Moreover, this work shows that the system has high reversion accuracy and outperforms existing systems in boundary delineation and filtering relevant messages in actual vehicles.