4,862 research outputs found
Comprehensive Security Framework for Global Threats Analysis
Cyber criminality activities are changing and becoming more and more professional. With the growth of financial flows through the Internet and the Information System (IS), new kinds of thread arise involving complex scenarios spread within multiple IS components. The IS information modeling and Behavioral Analysis are becoming new solutions to normalize the IS information and counter these new threads. This paper presents a framework which details the principal and necessary steps for monitoring an IS. We present the architecture of the framework, i.e. an ontology of activities carried out within an IS to model security information and User Behavioral analysis. The results of the performed experiments on real data show that the modeling is effective to reduce the amount of events by 91%. The User Behavioral Analysis on uniform modeled data is also effective, detecting more than 80% of legitimate actions of attack scenarios
An Integrated Framework for Sensing Radio Frequency Spectrum Attacks on Medical Delivery Drones
Drone susceptibility to jamming or spoofing attacks of GPS, RF, Wi-Fi, and
operator signals presents a danger to future medical delivery systems. A
detection framework capable of sensing attacks on drones could provide the
capability for active responses. The identification of interference attacks has
applicability in medical delivery, disaster zone relief, and FAA enforcement
against illegal jamming activities. A gap exists in the literature for solo or
swarm-based drones to identify radio frequency spectrum attacks. Any
non-delivery specific function, such as attack sensing, added to a drone
involves a weight increase and additional complexity; therefore, the value must
exceed the disadvantages. Medical delivery, high-value cargo, and disaster zone
applications could present a value proposition which overcomes the additional
costs. The paper examines types of attacks against drones and describes a
framework for designing an attack detection system with active response
capabilities for improving the reliability of delivery and other medical
applications.Comment: 7 pages, 1 figures, 5 table
PlayeRank: data-driven performance evaluation and player ranking in soccer via a machine learning approach
The problem of evaluating the performance of soccer players is attracting the
interest of many companies and the scientific community, thanks to the
availability of massive data capturing all the events generated during a match
(e.g., tackles, passes, shots, etc.). Unfortunately, there is no consolidated
and widely accepted metric for measuring performance quality in all of its
facets. In this paper, we design and implement PlayeRank, a data-driven
framework that offers a principled multi-dimensional and role-aware evaluation
of the performance of soccer players. We build our framework by deploying a
massive dataset of soccer-logs and consisting of millions of match events
pertaining to four seasons of 18 prominent soccer competitions. By comparing
PlayeRank to known algorithms for performance evaluation in soccer, and by
exploiting a dataset of players' evaluations made by professional soccer
scouts, we show that PlayeRank significantly outperforms the competitors. We
also explore the ratings produced by {\sf PlayeRank} and discover interesting
patterns about the nature of excellent performances and what distinguishes the
top players from the others. At the end, we explore some applications of
PlayeRank -- i.e. searching players and player versatility --- showing its
flexibility and efficiency, which makes it worth to be used in the design of a
scalable platform for soccer analytics
HESPIDS: A Hierarchical and Extensible System for Process Injection Detection using Sysmon
Advanced Persistent Threat (APT) actors are increasingly utilizing Living-off-the-Land (LotL) cyber attack techniques to avoid detection. LotL are techniques that abuse legitimate functionality to perform malicious cyber activities. A common LotL attack technique, that is currently very difficult to detect and prevent, is malicious process injection, MITRE ATT\&CK Process Injection ID: T1055. We report on the initial results for HESPIDS: A Hierarchical and Extensible System for Process Injection Detection using Sysmon. We developed a hierarchical graph-based detection approach for accurate and automated detection for five process injection techniques in Windows clients. These techniques include four of 11 T1055 sub-techniques: DLL Injection, PE Injection, APC Injection, Process Hollowing, and a T1056 sub-technique: API Hooking (T1056.004). Our novel detection approach exhibits, within the limitations of our small testing environment, very high sensitivity and specificity. HESPIDS demonstrates a promising avenue for development of automated detection of advanced cybersecurity threats
A Dynamically Configurable Log-based Distributed Security Event Detection Methodology using Simple Event Correlator
Log event correlation is an effective means of detecting system faults and security breaches encountered in information technology environments. Centralized, database-driven log event correlation is common, but suffers from flaws such as high network bandwidth utilization, significant requirements for system resources, and difficulty in detecting certain suspicious behaviors. This research presents a distributed event correlation system which performs security event detection, and compares it with a centralized alternative. The comparison measures the value in distributed event correlation by considering network bandwidth utilization, detection capability and database query efficiency, as well as through the implementation of remote configuration scripts and correlation of multiple log sources. These capabilities produce a configuration which allows a 99% reduction of network syslog traffic in the low-accountability case, and a significant decrease in database execution time through context-addition in the high-accountability case. In addition, the system detects every implemented malicious use case, with a low false positive rate
Graph clustering and anomaly detection of access control log for forensic purposes
Attacks on operating system access control have become a significant and increasingly common problem. This type of security threat is recorded in a forensic artifact such as an authentication log. Forensic investigators will generally examine the log to analyze such incidents. An anomaly is highly correlated to an attacker's attempts to compromise the system. In this paper, we propose a novel method to automatically detect an anomaly in the access control log of an operating system. The logs will be first preprocessed and then clustered using an improved MajorClust algorithm to get a better cluster. This technique provides parameter-free clustering so that it automatically can produce an analysis report for the forensic investigators. The clustering results will be checked for anomalies based on a score that considers some factors such as the total members in a cluster, the frequency of the events in the log file, and the inter-arrival time of a specific activity. We also provide a graph-based visualization of logs to assist the investigators with easy analysis. Experimental results compiled on an open dataset of a Linux authentication log show that the proposed method achieved the accuracy of 83.14% in the authentication log dataset
Multi-Source Data Fusion for Cyberattack Detection in Power Systems
Cyberattacks can cause a severe impact on power systems unless detected
early. However, accurate and timely detection in critical infrastructure
systems presents challenges, e.g., due to zero-day vulnerability exploitations
and the cyber-physical nature of the system coupled with the need for high
reliability and resilience of the physical system. Conventional rule-based and
anomaly-based intrusion detection system (IDS) tools are insufficient for
detecting zero-day cyber intrusions in the industrial control system (ICS)
networks. Hence, in this work, we show that fusing information from multiple
data sources can help identify cyber-induced incidents and reduce false
positives. Specifically, we present how to recognize and address the barriers
that can prevent the accurate use of multiple data sources for fusion-based
detection. We perform multi-source data fusion for training IDS in a
cyber-physical power system testbed where we collect cyber and physical side
data from multiple sensors emulating real-world data sources that would be
found in a utility and synthesizes these into features for algorithms to detect
intrusions. Results are presented using the proposed data fusion application to
infer False Data and Command injection-based Man-in- The-Middle (MiTM) attacks.
Post collection, the data fusion application uses time-synchronized merge and
extracts features followed by pre-processing such as imputation and encoding
before training supervised, semi-supervised, and unsupervised learning models
to evaluate the performance of the IDS. A major finding is the improvement of
detection accuracy by fusion of features from cyber, security, and physical
domains. Additionally, we observed the co-training technique performs at par
with supervised learning methods when fed with our features
- …