Intelligent and behavioral-based detection of malware in IoT spectrum sensors

The number of Cyber-Physical Systems (CPS) available in industrial environments is growing mainly due to the evolution of the Internet-of-Things (IoT) paradigm. In such a context, radio frequency spectrum sensing in industrial scenarios is one of the most interesting applications of CPS due to the scarcity of the spectrum. Despite the benefits of operational platforms, IoT spectrum sensors are vulnerable to heterogeneous malware. The usage of behavioral fingerprinting and machine learning has shown merit in detecting cyberattacks. Still, there exist challenges in terms of (i) designing, deploying, and evaluating ML-based fingerprinting solutions able to detect malware attacks affecting real IoT spectrum sensors, (ii) analyzing the suitability of kernel events to create stable and precise fingerprints of spectrum sensors, and (iii) detecting recent malware samples affecting real IoT spectrum sensors of crowdsensing platforms. Thus, this work presents a detection framework that applies device behavioral fingerprinting and machine learning to detect anomalies and classify different botnets, rootkits, backdoors, ransomware and cryptojackers affecting real IoT spectrum sensors. Kernel events from CPU, memory, network,file system, scheduler, drivers, and random number generation have been analyzed, selected, and monitored to create device behavioral fingerprints. During testing, an IoT spectrum sensor of the ElectroSense platform has been infected with ten recent malware samples (two botnets, three rootkits, three backdoors, one ransomware, and one cryptojacker) to measure the detection performance of the framework in two different network configurations. Both supervised and semi-supervised approaches provided promising results when detecting and classifying malicious behaviors from the eight previous malware and seven normal behaviors. In particular, the framework obtained 0.88–0.90 true positive rate when detecting the previous malicious behaviors as unseen or zero-day attacks and 0.94–0.96 F1-score when classifying the

Protecting Android Devices from Malware Attacks: A State-of-the-Art Report of Concepts, Modern Learning Models and Challenges

Advancements in microelectronics have increased the popularity of mobile devices like cellphones, tablets, e-readers, and PDAs. Android, with its open-source platform, broad device support, customizability, and integration with the Google ecosystem, has become the leading operating system for mobile devices. While Android's openness brings benefits, it has downsides like a lack of official support, fragmentation, complexity, and security risks if not maintained. Malware exploits these vulnerabilities for unauthorized actions and data theft. To enhance device security, static and dynamic analysis techniques can be employed. However, current attackers are becoming increasingly sophisticated, and they are employing packaging, code obfuscation, and encryption techniques to evade detection models. Researchers prefer flexible artificial intelligence methods, particularly deep learning models, for detecting and classifying malware on Android systems. In this survey study, a detailed literature review was conducted to investigate and analyze how deep learning approaches have been applied to malware detection on Android systems. The study also provides an overview of the Android architecture, datasets used for deep learning-based detection, and open issues that will be studied in the future

Differentiate Metasploit Framework Attacks From Others

Metasploit Framework is a very popular collection of penetration testing tools. From auxiliaries such as network scanners and mappers to exploits and payloads, Metasploit Framework offers a plethera of apparatuses to implement all the stages of a penetration test. There are two versions: both a free open-source community version and a commercial professional version called Metasploit Pro. The free version, Metasploit Framework, is heavily used by cyber crimininals to carry out illegal activities to gain unauthorized access to targets. In this paper, I conduct experiments in a virtual environment to discover whether attacks originated from Metasploit Framework are marked with unique patterns and features so that these special characteristics can help identify and block Metasploit Framework attacks. Inside this virtual environment, I will set up two virtual machines: one attacker and one victim. The victim machine is designed to have vulnerabilities for penetration testing. The attacker virtual machine will attack the victim machine by using Metasploit Frameowrk. Wireshark will be used to capture and analyze the packets. The conclusion reached from the experiment results is that, even though the attacks from Metaploit Framework share certain common patterns, these characteristics are not significant enough to be used to create scanners or alerts with to keep victim machines immune from the attacks. The Metasploit Framework attacks keep evolving and it is still a very lofty goal to block cyber attacks from Metasploit Framework. This paper shares the experiment process, data and insight with readers

ANALYSIS OF CLIENT-SIDE ATTACKS THROUGH DRIVE-BY HONEYPOTS

Client-side cyberattacks on Web browsers are becoming more common relative to server-side cyberattacks. This work tested the ability of the honeypot (decoy) client software Thug to detect malicious or compromised servers that secretly download malicious files to clients, and to classify what it downloaded. Prior to using Thug we did TCP/IP fingerprinting to assess Thug’s ability to impersonate different Web browsers, and we created our own malicious Web server with some drive-by exploits to verify Thug’s functions; Thug correctly identified 85 out of 86 exploits from this server. We then tested Thug’s analysis of delivered exploits from two sets of real Web servers; one set was obtained from random Internet addresses of Web servers, and the other came from a commercial blacklist. The rates of malicious activity on 37,415 random websites and 83,667 blacklisted websites were 5.6% and 1.15%, respectively. Thug’s interaction with the blacklisted Web servers found 163 unique malware files. We demonstrated the usefulness and efficiency of client-side honeypots in analyzing harmful data presented by malicious websites. These honeypots can help government and industry defenders to proactively identify suspicious Web servers and protect users.OUSD(R&E)Outstanding ThesisLieutenant, United States NavyApproved for public release. Distribution is unlimited

Security and Privacy Problems in Voice Assistant Applications: A Survey

Voice assistant applications have become omniscient nowadays. Two models that provide the two most important functions for real-life applications (i.e., Google Home, Amazon Alexa, Siri, etc.) are Automatic Speech Recognition (ASR) models and Speaker Identification (SI) models. According to recent studies, security and privacy threats have also emerged with the rapid development of the Internet of Things (IoT). The security issues researched include attack techniques toward machine learning models and other hardware components widely used in voice assistant applications. The privacy issues include technical-wise information stealing and policy-wise privacy breaches. The voice assistant application takes a steadily growing market share every year, but their privacy and security issues never stopped causing huge economic losses and endangering users' personal sensitive information. Thus, it is important to have a comprehensive survey to outline the categorization of the current research regarding the security and privacy problems of voice assistant applications. This paper concludes and assesses five kinds of security attacks and three types of privacy threats in the papers published in the top-tier conferences of cyber security and voice domain.Comment: 5 figure

Cerberus: Exploring Federated Prediction of Security Events

Modern defenses against cyberattacks increasingly rely on proactive approaches, e.g., to predict the adversary's next actions based on past events. Building accurate prediction models requires knowledge from many organizations; alas, this entails disclosing sensitive information, such as network structures, security postures, and policies, which might often be undesirable or outright impossible. In this paper, we explore the feasibility of using Federated Learning (FL) to predict future security events. To this end, we introduce Cerberus, a system enabling collaborative training of Recurrent Neural Network (RNN) models for participating organizations. The intuition is that FL could potentially offer a middle-ground between the non-private approach where the training data is pooled at a central server and the low-utility alternative of only training local models. We instantiate Cerberus on a dataset obtained from a major security company's intrusion prevention product and evaluate it vis-a-vis utility, robustness, and privacy, as well as how participants contribute to and benefit from the system. Overall, our work sheds light on both the positive aspects and the challenges of using FL for this task and paves the way for deploying federated approaches to predictive security

Detecção de ataques por canais laterais na camada física

Today, with the advent of IoT and the resulting fragmentation of wireless technologies, they bring not only benefits, but also concerns. Daily, several individuals communicate with each other using various communication methods. Individuals use a variety of devices for innocuous day-to-day activities; however, there are some malicious individuals (dishonest agents) whose aim is to cause harm, with the exfiltration of information being one of the biggest concerns. Since the security of Wi-Fi communications is one of the areas of greatest investment and research regarding Internet security, dishonest agents make use of side channels to exfiltrate information, namely Bluetooth. Most current solutions for anomaly detection on networks are based on analyzing frames or packets, which, inadvertently, can reveal user behavior patterns, which they consider to be private. In addition, solutions that focus on inspecting physical layer data typically use received signal power (RSSI) as a distance metric and detect anomalies based on the relative position of the network nodes, or use the spectrum values directly on models classification without prior data processing. This Dissertation proposes mechanisms to detect anomalies, while ensuring the privacy of its nodes, which are based on the analysis of radio activity in the physical layer, measuring the behavior of the network through the number of active and inactive frequencies and the duration of periods of silence and activity. After the extraction of properties that characterize these metrics,an exploration and study of the data is carried out, followed by the use of the result to train One-Class Classification models. The models are trained with data taken from a series of interactions between a computer, an AP, and a mobile phone in an environment with reduced noise, in an attempt to simulate a simplified home automation scenario. Then, the models were tested with similar data but containing a compromised node, which periodically sent a file to a local machine via a Bluetooth connection. The data show that, in both situations, it was possible to achieve detection accuracy rates in the order of 75 % and 99 %. This work ends with some ideas of resource work, namely changes in the level of pre-processing, ideas of new tests and how to reduce the percentage of false negatives.Hoje, com o advento da IoT e a resultante fragmentação das tecnologias sem fio, elas trazem não apenas benefícios, mas também preocupações. Diariamente vários indivíduos se comunicam entre si usando vários métodos de comunicação. Os indivíduos usam uma variedade de dispositivos para atividades inócuas do dia-adia; no entanto, existem alguns indivíduos mal-intencionados (agentes desonestos) cujo objetivo é causar danos, sendo a exfiltração de informação uma das maiores preocupações. Sendo a segurança das comunicações Wi-Fi uma das áreas de maior investimento e investigação no que toca a segurança na Internet, os agentes desonestos fazem uso de canais laterais para exfiltrar informação, nomeadamente o Bluetooth. A maioria das soluções atuais para deteção de anomalias em redes baseiam-se em analisar tramas ou pacotes, o que, inadvertidamente, pode revelar padrões de comportamento dos utilizadores, que estes considerem privados. Além disso, as soluções que se focam em inspecionar dados da camada física normalmente usam a potência de sinal recebido (RSSI) como uma métrica de distância e detetam anomalias baseadas na posição relativa dos nós da rede, ou usam os valores do espetro diretamente em modelos de classificação sem prévio tratamento de dados. Esta Dissertação propõe mecanismos para deteção de anomalias, assegurando simultaneamente a privacidade dos seus nós, que se baseiam na análise de atividade rádio na camada física, medindo os comportamentos da rede através do número de frequências ativas e inativas e a duração de períodos de silêncio e atividade. Depois da extração de propriedades que caracterizam estas métricas, é realizada uma exploração dos dados e um estudo das mesmas, sendo depois usadas para treinar modelos de classificação mono-classe. Os modelos são treinados com dados retirados de uma série de interações entre um computador, um AP, e um telemóvel num ambiente com ruído reduzido, numa tentativa de simular um cenário de automação doméstica simplificado. De seguida, os modelos foram testados com dados semelhantes mas contendo um nó comprometido, que periodicamente enviava um ficheiro para uma máquina local através de uma ligação Bluetooth. Os dados mostram que, em ambas as situações, foi possível atingir taxas de precisão de deteção na ordem dos 75% e 99%. Este trabalho finaliza com algumas ideias de trabalho futuro, nomeadamente alterações ao nível do pré-processamento, ideias de novos testes e como diminuir a percentagem de falsos negativos.Mestrado em Engenharia de Computadores e Telemátic