
    A new multi-label dataset for Web attacks CAPEC classification using machine learning techniques

    Context: There are many datasets for training and evaluating models that detect web attacks by labeling each request as normal or attack. Web attack protection tools, however, must also report the type of attack detected, in a clear and simple way. Objectives: This paper presents a new multi-label dataset for classifying web attacks according to the CAPEC classification, a new feature extraction method based on ASCII values, and an evaluation of several combinations of models and algorithms. Methods: Features are extracted by computing the average of the sum of the ASCII values of the characters in each field of a web request. Several combinations of algorithms (LightGBM and CatBoost) and multi-label classification models are then evaluated to provide a complete CAPEC classification of the web attacks a system is suffering. The training and test data come from the new SR-BH 2020 multi-label dataset. Results: Averaging the sum of the ASCII values of the characters that make up a web request proves useful for numeric encoding and feature extraction. The new SR-BH 2020 multi-label dataset allows multi-label classification models to be trained and evaluated, and supports the CAPEC classification of the various attacks a web system is undergoing. The combination of the two-phase model with the MultiOutputClassifier module of the scikit-learn library, together with the CatBoost algorithm, performs best at classifying attacks across the different criticality scenarios. Conclusion: Experimental results indicate that combining machine learning algorithms with multi-phase models improves the prediction of web attacks, and that a multi-label dataset is suitable for training models that report the type of attack. (c) 2022 The Author(s). Published by Elsevier Ltd.
    This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/).

    The application of a new secure software development life cycle (S-SDLC) with agile methodologies

    The software development environment is focused on delivering functional products in the shortest possible time using the fewest possible resources. In this scenario, crucial elements such as software quality and software security are not considered at all, and in most cases the high value they offer to projects is not taken into account. Agile models are currently booming. They are defined by the way they achieve interaction and integration among everyone involved in the software life cycle, by the advantage of reacting quickly to change, and by the use of artifacts or deliverables that show the level of progress reached at any time. In this context, it is clearly necessary to define a new software development model that prioritizes security in every phase of the software life cycle while taking advantage of the benefits of agile models. The proposed methodology shows that if security is considered from the beginning, vulnerabilities are easily detected and resolved within the time planned for the project, with no extra time or cost for the client, and that this increases the chances of success not only in terms of functionality but also in terms of quality.

    On Attacking Kerberos Authentication Protocol in Windows Active Directory Services: A Practical Survey

    Organizations use the Windows Active Directory service to authenticate users on a network with the extended Kerberos authentication protocol. It is therefore necessary to investigate its resistance to the different types of attacks it can suffer, the best way to detect them, and how to configure it to mitigate their effects. This work analyzes the main Kerberos attacks in Windows Active Directory networks, which are inherent in the design of the protocol and remain unresolved. For each attack, the objective is studied, an implementation is developed in a virtual laboratory, and detection is analyzed, with measures for mitigation and response proposed. The attacks are then discussed in general terms and their results analyzed according to several parameters. In conclusion, although the attacks are mostly difficult to carry out, their detection is even more difficult and the damage is very severe, so it is necessary to continuously monitor the logs in these environments to detect them and to follow strict recommendations for mitigation and response.

    A New Mail System for Secure Data Transmission in Cyber Physical Systems

    This paper provides a complete study of email requirements, with special emphasis on security aspects and architecture. It explores how current protocols have evolved, the environment in which they were developed, and the evolution of their security requirements. The paper also analyzes email vulnerabilities and the reasons that have motivated their exploitation. The threats to, and solutions for, the most widely used email protocols today are detailed, including the Simple Mail Transfer Protocol, the Post Office Protocol and the Internet Message Access Protocol, among others. The main security solutions proposed in recent years are analyzed, along with how they address these threats, and they are compared with one another. The result of this work leads us to conclude that an integral change in the protocols used for electronic mail is necessary in order to have a secure message exchange system that meets all the security requirements demanded today. We are working on a blockchain-based proposal that addresses the security problems identified in this work.

    Detecting Malware in Cyberphysical Systems Using Machine Learning: a Survey

    In the scientific literature, no consensus has been reached on the limits or properties that distinguish or group cyber-physical systems (CPS) and the Internet of Things (IoT). Despite this controversy, the papers reviewed agree that both have become crucial elements not only for industry but also for society in general. A malware attack affecting one of these systems may pose a risk to the industrial processes involved, and perhaps to society in general if the affected system is a critical infrastructure. This article reviews the state of the art in applying machine learning to automate malware detection in cyber-physical systems, evaluating the most representative articles in the field and summarizing the results obtained, the most common malware attacks on this type of system, the most promising algorithms for malware detection in cyber-physical systems, and the lines of future research with the greatest potential for the coming years.

    Building a dataset through attack pattern modeling and analysis system

    Cyber-attacks on information and telecommunications systems are becoming increasingly sophisticated and complex, with several defined phases (attack patterns). It is therefore necessary to research and develop new infrastructures to understand and detect them. This work addresses the design and implementation of a system capable of detecting, analyzing, modeling and visualizing attack patterns in real time in order to build a dataset of labeled attack events. The system consists of three subsystems: an attack event detection subsystem; an attack event analysis subsystem that models active patterns based on Common Attack Pattern Enumeration and Classification (CAPEC) definitions; and an attack pattern visualization subsystem. The results obtained from attacks carried out over a period of six months under a series of assumptions are presented. These results have allowed the construction of a dataset of attack events labeled according to the attack patterns to which they may belong. The developed system can provide an organization with realistic situational awareness of its cybersecurity posture.

    Benchmarking Approach to Compare Web Applications Static Analysis Tools Detecting OWASP Top Ten Security Vulnerabilities

    To detect security vulnerabilities in a web application, the security analyst must choose the best-performing static analysis security testing (SAST) tool, meaning the one that discovers the greatest number of security vulnerabilities. Comparing static analysis tools for web applications requires a benchmark adapted to the vulnerability categories included in the well-known Open Web Application Security Project (OWASP) Top Ten. Information on the security effectiveness of commercial static analysis tools is not usually publicly available, and the state of the art on static security analyzers shows that differences in the design and implementation of these tools lead to different effectiveness rates in terms of security performance. Given the significant cost of commercial tools, this paper studies the performance of seven static tools using a newly proposed methodology and a new benchmark designed for the vulnerability categories of the OWASP Top Ten. Practitioners will thus have more precise information for selecting the best tool, using a benchmark adapted to the latest versions of the OWASP Top Ten. The results of this work were obtained using widely accepted metrics and are classified according to three different degrees of web application criticality.

    On Combining Static, Dynamic and Interactive Analysis Security Testing Tools to Improve OWASP Top Ten Security Vulnerability Detection in Web Applications

    The techniques and algorithms used by static, dynamic and interactive security testing tools differ in design. Consequently, each tool detects, to a greater or lesser extent, each type of vulnerability for which it is designed, and the different designs also mean different rates of false positives. To take advantage of the possible synergies between different types of analysis tools, this paper combines several static, dynamic and interactive analysis security testing tools: static white-box security analysis (SAST), dynamic black-box security analysis (DAST) and interactive white-box security analysis (IAST), respectively. The aim is to investigate how to improve the effectiveness of security vulnerability detection while reducing the number of false positives. Specifically, two static, two dynamic and two interactive security analysis tools are combined to study their behavior using a specific benchmark for OWASP Top Ten security vulnerabilities, taking into account various scenarios of different criticality for the applications analyzed. Finally, the study analyzes and discusses the values of the selected metrics applied to the results of each n-tool combination.

    A systematic approach to analysis for assessing the security level of cyber-physical systems in the electricity sector

    In a context of digitalization and technological evolution in all aspects of our lives, the electricity sector could not be left behind. This opens up a range of possibilities that were until now unthinkable and that will facilitate the progress and services we will be able to enjoy thanks to the development of the smart grid. But it also poses new challenges, both technological and in terms of cybersecurity, as the electricity sector takes on an increasingly important role in our lives. Therefore, after an analysis of the main incidents that have affected the energy sector, a general study is made of the standards that apply to it, especially IEEE 1686 and IEC 62351, in order to develop a simple and practical methodology for assessing the security level of the cyber-physical systems and equipment that make up an electrical installation. The methodology is built on a selection of specific requirements from these standards, which serve as the starting point for a series of specific compliance tests to assess equipment to be installed in or modified within a smart grid. This is necessary because no measure is too small when it comes to halting the successes achieved so far by cybercriminals. To this end, it is necessary to set out on one of the many routes opened by the many standards, norms and laws, and thus define an effective and efficient path that allows us to establish secure pillars on which to build the future.

    Prevention and fighting against web attacks through anomaly detection technology. A systematic review

    Numerous techniques have been developed to prevent attacks on web servers. Anomaly detection techniques are based on models of normal user and application behavior, interpreting deviations from the established pattern as indications of malicious activity. This work undertakes a systematic review of the use of anomaly detection techniques in the prevention and detection of web attacks; in particular, we follow the standardized method for systematic literature reviews in computer science proposed by Kitchenham. The method is applied to a set of 88 papers selected from a total of 8041 reviewed papers published in notable journals. This paper discusses the process carried out in the systematic review, as well as the results and findings obtained, in order to identify the current state of the art in web anomaly detection.