Recently conducted research demonstrated the potential use of mouse dynamics as a behavioral biometric for user authentication systems. However, the state-of-the-art methods in this field rely on ...classical machine learning methods that necessitate the design of hand crafted mouse features for feature extraction. To simplify the feature extraction process, we leverage various deep learning architectures for mouse movement sequences classification, including convolutional networks, recurrent networks, and a hybrid model which combines convolutional and recurrent layers. It is known that the training of these networks with random initialization of weights on small datasets will produce models that perform poorly. Therefore, we consider a two-dimensional convolutional neural network that allows transfer learning, which is a domain adaptation technique effective for learning on small datasets. Although employing such architecture may seem counterintuitive, since the temporal information is discarded from the input data, the architecture has outperformed all the other deep architectures investigated, as well as a classical machine learning method. In order to understand the features learned, we adopt the layer-wise relevance propagation (LRP) algorithm to compute relevance scores for each part of the mouse curves. In addition, the models are measured for their usability and effectiveness in realistic scenarios.
Due to their rapid growth and deployment, the Internet of things (IoT) have become a central aspect of our daily lives. Unfortunately, IoT devices tend to have many vulnerabilities which can be ...exploited by an attacker. Unsupervised techniques, such as anomaly detection, can be used to secure these devices in a plug-and-protect manner. However, anomaly detection models must be trained for a long time in order to capture all benign behaviors. Furthermore, the anomaly detection model is vulnerable to adversarial attacks since, during the training phase, all observations are assumed to be benign. In this paper, we propose (1) a novel approach for anomaly detection and (2) a lightweight framework that utilizes the blockchain to ensemble an anomaly detection model in a distributed environment. Blockchain framework incrementally updates a trusted anomaly detection model via self-attestation and consensus among the IoT devices. We evaluate our method on a distributed IoT simulation platform, which consists of 48 Raspberry Pis. The simulation demonstrates how the approach can enhance the security of each device and the security of the network as a whole.
•Efficient software exploit detection can be performed on IoT devices by modeling the application’s control-flow over regions of memory. The additional overhead of using the proposed method is negligible (6% CPU and 0.8% memory of a Raspberry Pi 3B).•The modeling (training) of an anomaly detection model can be performed across numerous devices in parallel using an Extensible Markov chain. Safe collaboration requires both self-attestation and abnormality-filtration when sharing and merging knowledge among participants.•Using a blockchain protocol, IoT devices can collaborate with each other on forming a single trusted and robust anomaly detection model.•Collaborative training, using the proposed framework, significantly reduces the train-time, lowers the false positive rate, and makes the overall process resistant to adversarial poising attacks.•Deadlocks in p2p blockchain sharing/collaboration can be prevented through a direct messaging protocol, proven in this paper.
Insight Into Insiders and IT Homoliak, Ivan; Toffalini, Flavio; Guarnizo, Juan ...
ACM computing surveys,
05/2019, Volume:
52, Issue:
2
Journal Article
Peer reviewed
Open access
Insider threats are one of today’s most challenging cybersecurity issues that are not well addressed by commonly employed security solutions. In this work, we propose structural taxonomy and novel ...categorization of research that contribute to the organization and disambiguation of insider threat incidents and the defense solutions used against them. The objective of our categorization is to systematize knowledge in insider threat research while using an existing grounded theory method for rigorous literature review. The proposed categorization depicts the workflow among particular categories that include incidents and datasets, analysis of incidents, simulations, and defense solutions. Special attention is paid to the definitions and taxonomies of the insider threat; we present a structural taxonomy of insider threat incidents that is based on existing taxonomies and the 5W1H questions of the information gathering problem. Our survey will enhance researchers’ efforts in the domain of insider threat because it provides (1) a novel structural taxonomy that contributes to orthogonal classification of incidents and defining the scope of defense solutions employed against them, (2) an overview on publicly available datasets that can be used to test new detection solutions against other works, (3) references of existing case studies and frameworks modeling insiders’ behaviors for the purpose of reviewing defense solutions or extending their coverage, and (4) a discussion of existing trends and further research directions that can be used for reasoning in the insider threat domain.
•We propose a novel set of general descriptive features for malicious email detection.•We leverage our features with ML for the detection of malicious email.•Our novel set of features enhances the ...detection of malicious email using ML.•The classifier which provided the best detection capabilities was Random Forest.•The best detection results were AUC = 0.929, TPR = 0.947, and FPR = 0.03.
In recent years, cyber-attacks against businesses and organizations have increased. Such attacks usually result in significant damage to the organization, such as the loss and/or leakage of sensitive and confidential information. Because email communication is an integral part of daily business operations, attackers frequently leverage email as an attack vector in order to initially penetrate the targeted organization. Email message allows the attacker to deliver dangerous content to the victim, such as malicious attachments or links to malicious websites. Existing email analysis solutions analyze only specific parts of the email using rule-based methods, while other important parts remain unanalyzed. Existing anti-virus engines primarily use signature-based detection methods, and therefore are insufficient for detecting new unknown malicious emails. Machine learning methods have been shown to be effective at detecting maliciousness in various domains and particularly in email. Previous works which used machine learning methods suggested sets of features which offer a limited perspective over the whole email message. In this paper, we propose a novel set of general descriptive features extracted from all email components (header, body, and attachments) for enhanced detection of malicious emails using machine learning methods. The proposed features are extracted just from the email itself; therefore, our features are independent, since the extraction process does not require an Internet connection or the use of external services or other tools, thereby meeting the needs of real-time detection systems. We conducted an extensive evaluation of our new novel features against sets of features suggested by previous academic work using a collection of 33,142 emails which contains 38.73% malicious and 61.27% benign emails. The results show that malicious emails can be detected effectively when using our novel features with machine learning algorithms. Moreover, our novel features enhance the detection of malicious emails when used in conjunction with features suggested by related work. The Random Forest classifier achieved the highest detection rates, with an AUC of 0.929, true positive rate (TPR) of 0.947, and false positive rate (FPR) of 0.03. We also present the IDR (integrated detection rate), a new measure which helps calibrate the threshold of a machine learning classifier in order to achieve the optimal TP and FP rates, which are the most important measures for a real-time and practical cyber-security application.
Data mining techniques that explore data in order to discover hidden patterns and develop predictive models have proven to be effective in tackling information security challenges.
Display omitted
•Real-world adversarial patch using 3D modeling techniques.•Using a 3D digital replica of the target scene to improve the patch’s performance.•An evaluation process that enables ...reproducible experiments in the real world.•Real-world adversarial patches that are robust to unexpected changes in the scene.
Adversarial examples have proven to be a concerning threat to deep learning models, particularly in the image domain. While many studies have examined adversarial examples in the real world, most of them relied on 2D photos of the attack scene. As a result, the attacks proposed may have limited effectiveness when implemented in realistic environments with 3D objects or varied conditions. Some studies on adversarial learning have used 3D objects, however in many cases, other researchers are unable to replicate the real-world evaluation process. In this study, we present a framework that uses 3D modeling to craft adversarial patches for an existing real-world scene. Our approach uses a 3D digital approximation of the scene to simulate the real world. With the ability to add and manipulate any element in the digital scene, our framework enables the attacker to improve the adversarial patch’s impact in real-world settings. We use the framework to create a patch for an everyday scene and evaluate its performance using a novel evaluation process that ensures that our results are reproducible in both the digital space and the real world. Our evaluation results show that the framework can generate adversarial patches that are robust to different settings in the real world.
Computers that contain sensitive information are often maintained in air-gapped isolation. In this defensive measure, a computer is disconnected from the Internet - logically and physically - ...preventing accidental or intentional leakage of sensitive information outward. In recent years it has been shown that malware can leak data over an air-gap by transmitting sonic and ultrasonic signals from a computer speaker. In order to eliminate such acoustic covert channels, current best practice recommends the elimination of speakers in secured computers, thereby creating a so-called ‘audio-gapped’ system.
In this paper, we present ‘Fansmitter,’ a malware that can acoustically exfiltrate data from air-gapped computers, even when audio hardware and speakers are not present. Our method utilizes the noise emitted from the CPU, GPU, and chassis fans. We show that a software can regulate the internal fans’ rotation speed in order to control their acoustic signal, known as blade pass frequency (BPF). Binary data can be modulated and transmitted over these audio signals to a remote microphone (e.g., a nearby smartphone). We present design considerations, including acoustic waveform analysis, data modulation and demodulation, and data transmission and reception. We evaluate the acoustic covert channel with various fans at different distances and present the results. We also discuss issues such as stealth, interference, and countermeasures. Using our method we successfully transmitted data from audio-less, air-gapped computers, to a mobile phone in the same room. We demonstrated an effective transmission at distances of 1–8 m, with a maximum bit rate of 60 bit/min per fan.
The Internet of Things (IoT) is a global ecosystem of information and communication technologies aimed at connecting any type of object (thing), at any time, and in any place, to each other and to ...the Internet. One of the major problems associated with the IoT is the heterogeneous nature of such deployments; this heterogeneity poses many challenges, particularly, in the areas of security and privacy. Specifically, security testing and analysis of IoT devices is considered a very complex task, as different security testing methodologies, including software and hardware security testing approaches, are needed. In this paper, we propose an innovative security testbed framework targeted at IoT devices. The security testbed is aimed at testing all types of IoT devices, with different software/hardware configurations, by performing standard and advanced security testing. Advanced analysis processes based on machine learning algorithms are employed in the testbed in order to monitor the overall operation of the IoT device under test. The architectural design of the proposed security testbed along with a detailed description of the testbed implementation is discussed. The testbed operation is demonstrated on different IoT devices using several specific IoT testing scenarios. The results obtained demonstrate that the testbed is effective at detecting vulnerabilities and compromised IoT devices.