    Attack Modeling and Mitigation Strategies for Risk-Based Analysis of Networked Medical Devices

    The escalating integration of network-enabled medical devices raises concerns for both practitioners and academics in terms of introducing new vulnerabilities and attack vectors. This prompts the idea that combining medical device data, security vulnerability enumerations, and attack-modeling data into a single database could enable security analysts to proactively identify potential security weaknesses in medical devices and formulate appropriate mitigation and remediation plans. This study introduces a novel extension to a relational database risk assessment framework by using the open-source tool OVAL to capture device states and compare them to security advisories that warn of threats and vulnerabilities, and, where threats and vulnerabilities exist, provide mitigation recommendations. The contribution of this research is a proof-of-concept evaluation that demonstrates the integration of OVAL and CAPEC attack patterns for analysis using a database-driven risk assessment framework.

    Mitigating Cross-Site Request Forgery (CSRF) Attacks Using Reinforcement Learning and Predictive Analytics

    Cross-Site Request Forgery (CSRF) attacks pose a significant threat to web application security, allowing attackers to perform unauthorized actions on behalf of authenticated users. Traditional CSRF mitigation techniques, such as using secure tokens and validating request origins, have limitations in adapting to attack patterns and optimizing security policies. This research explores the application of reinforcement learning (RL) and predictive analytics to enhance CSRF mitigation strategies. We propose several RL-based approaches, including CSRF token generation, CSRF detection, request validation, user behavior analysis, and security policy optimization. In these approaches, RL agents are trained to generate secure tokens, detect CSRF attacks, validate request authenticity, model user behavior, and optimize security policies based on observed attack patterns and system performance. The agents learn through simulated attack scenarios, real-world web traffic data, and continuous feedback, adapting to new CSRF techniques and balancing security effectiveness with user experience. Additionally, we investigate predictive analytics techniques for CSRF mitigation, such as anomaly detection, risk scoring, user behavior analysis, predictive token generation, and adaptive security policies. These techniques leverage machine learning algorithms to identify anomalous requests, assign risk scores, classify user behavior, generate secure tokens, and dynamically adjust security measures based on predicted risk levels. The research demonstrates the applications of RL and predictive analytics in enhancing CSRF mitigation strategies. These approaches offer promising solutions to strengthen web application security by proactively detecting and preventing CSRF attacks, adapting to attack patterns, and optimizing security policies. Further research is needed to validate the practicality and scalability of these techniques in real-world deployments and to integrate them with existing CSRF mitigation best practices. This research contributes to the field of web application security by introducing innovative approaches that leverage RL and predictive analytics to mitigate CSRF attacks. The proposed techniques may significantly improve the resilience of web applications against CSRF threats.

    Semantic Mapping of Security Events to Known Attack Patterns

    In order to provide cyber environment security, analysts need to analyze a large number of security events on a daily basis and take proper actions to alert their clients of potential threats. The increasing cyber traffic drives a need for a system to assist security analysts in relating security events to known attack patterns. This thesis describes the enhancement of an existing Intrusion Detection System (IDS) with the automatic mapping of Snort alert messages to known attack patterns. Our system relies on three approaches: supplementing Snort messages by adding related Common Vulnerabilities and Exposures (CVE) entities, pre-clustering similar Snort messages before mapping them to attack patterns in the Common Attack Pattern Enumeration and Classification (CAPEC), and using Latent Semantic Analysis (LSA) to reduce the dimension of the feature space. The module has been deployed in our partner company and, when evaluated against the recommendations of two security analysts, it improved the F-measure of their system from 51.81% to 64.84%.

    Attack Forecast and Prediction

    Cyber-security has emerged as one of the most pressing issues for society, with actors trying to use offensive capabilities and those who try to leverage defensive capabilities to secure their assets or knowledge. However, in cyber-space attackers oftentimes have a significant first-mover advantage, leading to a dynamic cat-and-mouse game with defenders. Cyber Threat Intelligence (CTI) on past attacks bears potential that can be used by means of predictive analytics to minimize the attackers' first-mover advantage. Yet attack prediction is not an established means and automation levels are low. Within this work, we present Attack Forecast and Prediction ( ), which is based on MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK). consists of three modules representing different analytical procedures, which are clustering, time series analysis, and genetic algorithms. identifies trends in the usage of attack techniques and crafts forecasts and predictions on future malware and the attack techniques used. We rely on time sorting to generate subgraphs of MITRE ATT&CK and evaluate the accuracy of predictions generated by based on these. Results of an experiment performed on the basis of 493 different malware validate the utility of using for attack prediction. reaches for each module an F-score which is higher than an extrapolation of observed probabilities (baseline), with an F-score of up to 0.83 for a single module. It can hence be considered an effective means for predicting future attack patterns and helping security professionals prepare for future attacks.

    Radicalization patterns and modes of attack planning and preparation among lone-actor terrorists: an exploratory analysis

    This article explores the link between radicalization patterns and modes of attack planning and preparation among lone-actor terrorists. Building on theorized patterns of lone-actor radicalization, we discuss and compare their modes of pre-attack behavior, including target and weapon choice, observance of operational security measures, likeliness of engaging in leakage behavior, and the overall amount of time devoted to these activities. This exploratory study builds upon a dataset of thirty-three lone-actor terrorist cases in North America and Europe between 1986 and 2015. The analysis suggests that specific patterns of radicalization are linked to systematic differences in modes of attack planning and preparation. The results provide insights into the heterogeneity of terrorist involvement and tentatively suggest the potential importance for law-enforcement agencies in using case-specific knowledge on radicalization patterns to inform forecasts of likely pre-attack behaviors.
    Funding: Seventh Framework Programme (FP7), No. 608354 (PRIME), FP7-SEC-2013-1. Security and Global Affair

    Signature-based intrusion detection using NFR filter coding

    During the last decade, significant research effort has been made to develop Intrusion Detection Systems that offer the capability to detect network intrusions in real time. These systems employ various techniques for detecting intrusions, including Misuse Detection and Anomaly Detection. Misuse detection depends on the ability to codify known attack signatures, while anomaly detection compares current system activity with models of normal usage patterns. However, approximations in defining normal behavior raise the false alarm rate for anomaly detection systems as compared to misuse detection systems, which are fairly accurate. This implies that misuse detection should form an essential component for successful intrusion detection. In this thesis, we present an analysis of the two most commonly occurring attack types in the Internet, the distributed denial of service attacks and the buffer overflow attacks, and demonstrate new misuse detection techniques to detect these attacks. We use the distributed denial of service attack tool mstream and the buffer overflow attack against an SMTP implementation. We carry out detection of these attacks using a commercial intrusion detection system, Network Flight Recorder (NFR), augmented with new attack signatures. Attack signatures are developed and coded into NFR as rule sets, called filters, which are written in NFR's own language, N-code. These filters can extract header information from various protocols as well as retrieve packet payload contents and then process this information using signature-based analysis to determine intrusion scenarios. This is a step towards providing greater security to systems connected to the Internet in an effort to allow Internet users to conduct their businesses in an environment of enhanced confidence.

    Ransomware Simulator for In-Depth Analysis and Detection: Leveraging Centralized Logging and Sysmon for Improved Cybersecurity

    Ransomware attacks have become increasingly prevalent and sophisticated, posing significant threats to organizations and individuals worldwide. To effectively combat these threats, security professionals must continuously develop and adapt their detection and mitigation strategies. This master thesis presents the design and implementation of a ransomware simulator to facilitate an in-depth analysis of ransomware Tactics, Techniques, and Procedures (TTPs) and to evaluate the effectiveness of centralized logging and Sysmon, including the latest event types, in detecting and responding to such attacks. The study explores the advanced capabilities of Sysmon as a logging tool and data source, focusing on its ability to capture multiple event types, such as file creation, process execution, and network traffic, as well as the newly added event types. The aim is to demonstrate the effectiveness of Sysmon in detecting and analyzing malicious activities, with an emphasis on the latest features. By focusing on the comprehensive aspects of a cyber-attack, the study showcases the versatility and utility of Sysmon in detecting and addressing various attack vectors. The ransomware simulator is developed using a PowerShell script that emulates various ransomware TTPs and attack scenarios, providing a comprehensive and realistic simulation of a ransomware attack. Sysmon, a powerful system monitoring tool, is utilized to monitor and log the activities associated with the simulated attack, including the events generated by the new Sysmon features. Centralized logging is achieved through the integration of Splunk Enterprise, a widely used platform for log analysis and management. The collected logs are then analyzed to identify patterns, indicators of compromise (IoCs), and potential detection and mitigation strategies. Through the development of the ransomware simulator and the subsequent analysis of Sysmon logs, this research contributes to strengthening the security posture of organizations and improving cybersecurity measures against ransomware threats, with a focus on the latest Sysmon capabilities. The results demonstrate the importance of monitoring and analyzing system events to effectively detect and respond to ransomware attacks. This research can serve as a basis for further exploration of ransomware detection and response strategies, contributing to the advancement of cybersecurity practices and the development of more robust security measures against ransomware threats.

    Analysis of intrusion detection system (IDS) in border gateway protocol

    University of Technology, Sydney. Faculty of Engineering and Information Technology.
    Border Gateway Protocol (BGP) is the de-facto inter-domain routing protocol used across thousands of Autonomous Systems (AS) joined together in the Internet. The main purpose of BGP is to keep routing information up-to-date across the Autonomous Systems (AS) and provide a loop-free path to the destination. Internet connectivity plays a vital role in organizations such as businesses, universities and government organisations for exchanging information. This type of information is exchanged over the Internet in the form of packets, which contain the source and destination addresses. Because the Internet is a dynamic and sensitive system which changes continuously, it is therefore necessary to protect the system from intruders. Security has been a major issue for BGP. Nevertheless, BGP suffers from serious threats even today. DoS attack is the major security threat to the Internet today, among which TCP SYN flooding is the most common type of attack. The aim of this DoS attack is to consume large amounts of bandwidth. Any system connected to the Internet and using TCP services is prone to such attacks. It is important to detect such malicious activities in a network, which could otherwise cause problems for the availability of services. This thesis proposes and implements two new security methods for the protection of the BGP data plane, "Analysis of BGP Security Vulnerabilities" and "Border Gateway Protocol Anomaly Detection using Failure Quality Control Method", to detect the malicious packets and the anomaly packets in the network. The aim of this work is to combine the algorithms with the Network Data Mining (NDM) method to detect the malicious packets in the BGP network. Furthermore, these patterns can be used in the database as a signature to capture the incidents in the future.

    Global Cyber Attack Forecast using AI Techniques

    The advancement of internet technology and growing involvement in the cyber world have made us prone to cyber-attacks inducing severe damage to individuals and organizations, including financial loss, identity theft, and reputational damage. The rapid emergence and evolution of new networks and new opportunities for businesses and technologies are increasing threats to security vulnerabilities. Hence cyber-crime analysis is one of the wide range of applications of Data Mining that can eventually be used to predict and detect crime. However, there are several constraints while analyzing cyber-attacks, which are yet to be resolved for more accurate cyber security inspection. Although there are many strategies for intrusion detection, predicting upcoming cyber threats remains an open research challenge. Hence, this thesis seeks to utilize temporal correlations among attack frequencies within specific time periods to predict the future severity of cyber incidents. The research aims to address the current research limitations by introducing a real-time data collection framework that will provide up-to-date cyber-attack data. Furthermore, a platform for cyber-attack trend analysis has been developed using Power BI to provide insight into the current cyber-attack trend. A correlation was identified in the reported attack volume across consecutive time frames through collected attack data analysis. This thesis introduces a predictive model that forecasts the frequency of cyber-attacks within a specified time window, using solely a historical record of attack counts. The research includes various machine learning and deep learning methods to develop a prediction system based on multiple time frames with an over 15% improvement in accuracy compared to the conventional baseline model. Namely, our research demonstrates that cyber incidents are not entirely random, and by analyzing patterns and trends in past incidents, developed AI techniques can be used to improve cybersecurity measures and prevent future attacks.