Security Analysis of Smart Speaker: Security Attacks and Mitigation

The speech recognition technology has been increasingly common in our lives. Recently, a number of commercial smart speakers containing the personal assistant system using speech recognition came out. While the smart speaker vendors have been concerned about the intelligence and the convenience of their assistants, but there have been little mentions of the smart speakers in security aspects. As the smart speakers are becoming the hub for home automation, its security vulnerabilities can cause critical problems. In this paper, we categorize attack vectors and classify them into hardware-based, network-based, and software-based. With the attack vectors, we describe the detail attack scenarios and show the result of tests on several commercial smart speakers. In addition, we suggest guidelines to mitigate various attacks against smart speaker ecosystem.     

Deep Learning-Based Hybrid Intelligent Intrusion Detection System

Machine learning (ML) algorithms are often used to design effective intrusion detection (ID) systems for appropriate mitigation and effective detection of malicious cyber threats at the host and network levels. However, cybersecurity attacks are still increasing. An ID system can play a vital role in detecting such threats. Existing ID systems are unable to detect malicious threats, primarily because they adopt approaches that are based on traditional ML techniques, which are less concerned with the accurate classification and feature selection. Thus, developing an accurate and intelligent ID system is a priority. The main objective of this study was to develop a hybrid intelligent intrusion detection system (HIIDS) to learn crucial features representation efficiently and automatically from massive unlabeled raw network traffic data. Many ID datasets are publicly available to the cybersecurity research community. As such, we used a spark MLlib (machine learning library)-based robust classifier, such as logistic regression (LR), extreme gradient boosting (XGB) was used for anomaly detection, and a state-of-the-art DL, such as a long short-term memory autoencoder (LSTMAE) for misuse attack was used to develop an efficient and HIIDS to detect and classify unpredictable attacks. Our approach utilized LSTM to detect temporal features and an AE to more efficiently detect global features. Therefore, to evaluate the efficacy of our proposed approach, experiments were conducted on a publicly existing dataset, the contemporary real-life ISCX-UNB dataset. The simulation results demonstrate that our proposed spark MLlib and LSTMAE-based HIIDS significantly outperformed existing ID approaches, achieving a high accuracy rate of up to 97.52% for the ISCX-UNB dataset respectively 10-fold cross-validation test. It is quite promising to use our proposed HIIDS in real-world circumstances on a large-scale.     

Failure experience of programmable logic controllers used in emergency shutdown systems

Microprocessor-based programmable logic controllers (PLCs) are often used in applications to safety shut down a process or facility if unsafe conditions are detected. Increased use of quantitative reliability analysis requires additional and more detailed failure rate estimates for analyzing PLCs. This technical note presents failure rates derived from PLC performance in emergency shutdown (ESD) systems for natural gas compressor stations. The PLCs analyzed operate with roughly 40 inputs processed through three input modules and generate approximately 20 control signals through two output modules. Failure rates range from 0·072/year when the PLC alone was considered to 0·32/year when all types of failures were considered. (All failures include effects that are not necessarily attributable to the PLC microprocessors, such as human errors while working in the PLC cabinets and failures of common power supplies.)     

Social Engineering Attack Classifications on Social Media Using DeepLearning

In defense-in-depth, humans have always been the weakest link in cybersecurity. However, unlike common threats, social engineering poses vulnerabilities not directly quantifiable in penetration testing. Most skilled social engineers trick users into giving up information voluntarily through attacks like phishing and adware. Social Engineering (SE) in social media is structurally similar to regular posts but contains malicious intrinsic meaning within the sentence semantic. In this paper, a novel SE model is trained using a Recurrent Neural Network Long Short Term Memory (RNN-LSTM) to identify well-disguised SE threats in social media posts. We use a custom dataset crawled from hundreds of corporate and personal Facebook posts. First, the social engineering attack detection pipeline (SEAD) is designed to filter out social posts with malicious intents using domain heuristics. Next, each social media post is tokenized into sentences and then analyzed with a sentiment analyzer before being labelled as an anomaly or normal training data. Then, we train an RNN-LSTM model to detect five types of social engineering attacks that potentially contain signs of information gathering. The experimental result showed that the Social Engineering Attack (SEA) model achieves 0.84 in classification precision and 0.81 in recall compared to the ground truth labeled by network experts. The experimental results showed that the semantics and linguistics similarities are an effective indicator for early detection of SEA.     

Software safety analysis of function block diagrams using fault trees

As programmable logic controllers (PLCs) are often used to implement safety–critical embedded software, safety demonstration of PLC code is needed. In this paper, we propose a fault tree analysis technique on Function Block Diagrams (FBDs) which is one of the most widely used PLC programming languages. FBD is currently being used to develop Reactor Protection System (RPS) for a nuclear power plant in South Korea. Our approach to fault tree analysis, which combines fault-oriented and cause/effect-oriented viewpoints, is easy to understand and offers systematic guidelines to ensure safety of PLC code. Domain experts found the approach to be useful through a case study on RPS, and this paper compares completeness and comprehensiveness of the semi-automatically generated fault trees using the proposed approach against the one manually prepared by nuclear safety engineers.     

Detection Technique of Software-Induced Rowhammer Attacks

Side-channel attacks have recently progressed into software-induced attacks. In particular, a rowhammer attack, which exploits the characteristics of dynamic random access memory (DRAM), can quickly and continuously access the cells as the cell density of DRAM increases, thereby generating a disturbance error affecting the neighboring cells, resulting in bit flips. Although a rowhammer attack is a highly sophisticated attack in which disturbance errors are deliberately generated into data bits, it has been reported that it can be exploited on various platforms such as mobile devices, web browsers, and virtual machines. Furthermore, there have been studies on bypassing the defense measures of DRAM manufacturers and the like to respond to rowhammer attacks. A rowhammer attack can control user access and compromise the integrity of sensitive data with attacks such as a privilege escalation and an alteration of the encryption keys. In an attempt to mitigate a rowhammer attack, various hardware- and software-based mitigation techniques are being studied, but there are limitations in that the research methods do not detect the rowhammer attack in advance, causing overhead or degradation of the system performance. Therefore, in this study, a rowhammer attack detection technique is proposed by extracting common features of rowhammer attack files through a static analysis of rowhammer attack codes.     

MSICST: Multiple-Scenario Industrial Control System Testbed for Security Research

A security testbed is an important aspect of Industrial Control System (ICS) security research. However, existing testbeds still have many problems in that they cannot fully simulate enterprise networks and ICS attacks. This paper presents a Multiple-Scenario Industrial Control System Testbed (MSICST), a hardware-in-the-loop ICS testbed for security research. The testbed contains four typical process scenarios: thermal power plant, rail transit, smart grid, and intelligent manufacturing. We use a combination of actual physical equipment and software simulations to build the process scenario sand table and use real hardware and software to build the control systems, demilitarized zone, and enterprise zone networks. According to the ICS cyber kill chain, the attacker is modeled, and two typical attack scenarios are constructed in the testbed. Through research into this security solution, whitelist-based host protection and a new Intrusion Detection System (IDS) are proposed and tested.     

Network Traffic Obfuscation System for IIoT-Cloud Control Systems

One of the latest technologies enabling remote control, operational efficiency upgrades, and real-time big-data monitoring in an industrial control system (ICS) is the IIoT-Cloud ICS, which integrates the Industrial Internet of Things (IIoT) and the cloud into the ICS. Although an ICS benefits from the application of IIoT and the cloud in terms of cost reduction, efficiency improvement, and real-time monitoring, the application of this technology to an ICS poses an unprecedented security risk by exposing its terminal devices to the outside world. An adversary can collect information regarding senders, recipients, and prime-time slots through traffic analysis and use it as a linchpin for the next attack, posing a potential threat to the ICS. To address this problem, we designed a network traffic obfuscation system (NTOS) for the IIoT-Cloud ICS, based on the requirements derived from the ICS characteristics and limitations of existing NTOS models. As a strategy to solve this problem wherein a decrease in the traffic volume facilitates traffic analysis or reduces the packet transmission speed, we proposed an NTOS based on packet scrambling, wherein a packet is split into multiple pieces before transmission, thus obfuscating network analysis. To minimize the ICS modification and downtime, the proposed NTOS was designed using an agent-based model. In addition, for the ICS network traffic analyzer to operate normally in an environment wherein the NTOS is applied, a rule-based NTOS was adopted such that the actual traffic flow is known only to the device that is aware of the rule and is blocked for attackers. The experimental results verified that the same time requested for response and level of difficulty of analysis were maintained by the application of an NTOS based on packet scrambling, even when the number of requests received by the server per second was reduced. The network traffic analyzer of the ICS can capture the packet flow by using the pre-communicated NTOS rule. In addition, by designing an NTOS using an agent-based model, the impact on the ICS was minimized such that the system could be applied with short downtime.     

ESAP: Efficient and secure authentication protocol for roaming user in mobile communication networks

The Global System for Mobile communication (GSM) network is proposed to mitigate the security problems and vulnerabilities observed in the mobile telecommunication system. However, the GSM network is vulnerable to different kinds of attacks such as redirection attack, impersonation attack and Man in-the Middle (MiTM) attack. The possibility of these attacks makes the wireless mobile system vulnerable to fraudulent access and eavesdropping. Different authentication protocols of GSM were proposed to overcome the drawbacks but many of them lead to network signalling overload and increases the call set-up time. In this paper, an efficient and secure authentication and key agreement protocol (ESAP-AKA) is proposed to overcome the flaws of existing authentication protocol for roaming users in the GSM network. The formal verification of the proposed protocol is presented by BAN logic and the security analysis is shown using the AVISPA tool. The security analysis shows that the proposed protocol avoids the different possible attacks on the communication network. The performance analysis based on the fluid flow mobility model shows that the proposed protocol reduces the communication overhead of the network by reducing a number of messages. On an average, the protocol reduces 60% of network signalling congestion overhead as compared with other existing GSM-AKA protocols. Moreover, the protocol not only removes the drawbacks of existing protocols but also accomplishes the needs of roaming users.     

A Practical Approach to Constructing a Knowledge Graph for Cybersecurity

Cyberattack forms are complex and varied, and the detection and prediction of dynamic types of attack are always challenging tasks. Research on knowledge graphs is becoming increasingly mature in many fields. At present, it is very significant that certain scholars have combined the concept of the knowledge graph with cybersecurity in order to construct a cybersecurity knowledge base. This paper presents a cybersecurity knowledge base and deduction rules based on a quintuple model. Using machine learning, we extract entities and build ontology to obtain a cybersecurity knowledge base. New rules are then deduced by calculating formulas and using the path-ranking algorithm. The Stanford named entity recognizer (NER) is also used to train an extractor to extract useful information. Experimental results show that the Stanford NER provides many features and the useGazettes parameter may be used to train a recognizer in the cybersecurity domain in preparation for future work.     

Graphical modeling and computer animation of tensile deformation in polymer liquid crystals (PLCs)

We create polymer liquid crystals (PLCs) on a computer and subject them to constant-force tensile deformations. Molecular dynamics simulation procedure is used and graphical models and animations of crack formation and propagation as a function of time are generated. Special attention is given to realistic rigid LC island geometry and the island spatial distribution in the material. Internal fracture processes can now be easily studied. As a result of the numerous animations recorded, clear patterns in PLC crack initiation and propagation emerge. With the help of the animations, the structure of PLCs may be understood without having to resort to costly laboratory experimentation. Received: 25 September 2000 / Reviewed and accepted: 26 September 2000     

The cybersecurity labour shortage in Europe: Moving to a new concept for education and training

Recruiting, retaining and maintaining sufficient numbers of cybersecurity professionals in the workplace is a constant battle, not only for the technical side of cybersecurity, but also for the overlooked area of non-technical, managerial-related jobs in the cyber sector. This paper addresses the lack of cybersecurity skills in the European labour force market and the actions taken to improve the education in cybersecurity for meeting the identified needs. The paper analyses what kind of topics are missing within the cybersecurity curricula of the high-level educational institutions in Europe and in the courses provided by the cybersecurity trainers on the market. The findings are based on the data collected by the surveys carried out by the European competence centres on cybersecurity and the European CyberSecurity organization. These findings show that there are missing topics in the context of higher education cybersecurity programmes and within the private courses offered on the market. The problem of common programme accreditation of European higher education institutes (HEI) and the competence certifications for different work profiles in the area of cybersecurity are briefly presented and discussed as well. The actions undertaken to improve the education in both sectors are presented and the emerging educational landscape is proposed based on our findings. Recommendations to the stakeholders and scholars for improving the current state of cybersecurity education and training are explained in the concluding section.     

A Secure Communication Protocol for Unmanned Aerial Vehicles

Mavlink is a lightweight and most widely used open-source communication protocol used for Unmanned Aerial Vehicles. Multiple UAVs and autopilot systems support it, and it provides bi-directional communication between the UAV and Ground Control Station. The communications contain critical information about the UAV status and basic control commands sent from GCS to UAV and UAV to GCS. In order to increase the transfer speed and efficiency, the Mavlink does not encrypt the messages. As a result, the protocol is vulnerable to various security attacks such as Eavesdropping, GPS Spoofing, and DDoS. In this study, we tackle the problem and secure the Mavlink communication protocol. By leveraging the Mavlink packet’s vulnerabilities, this research work introduces an experiment in which, first, the Mavlink packets are compromised in terms of security requirements based on our threat model. The results show that the protocol is insecure and the attacks carried out are successful. To overcome Mavlink security, an additional security layer is added to encrypt and secure the protocol. An encryption technique is proposed that makes the communication between the UAV and GCS secure. The results show that the Mavlink packets are encrypted using our technique without affecting the performance and efficiency. The results are validated in terms of transfer speed, performance, and efficiency compared to the literature solutions such as MAVSec and benchmarked with the original Mavlink protocol. Our achieved results have significant improvement over the literature and Mavlink in terms of security.     

SMINER: Detecting Unrestricted and Misimplemented Behaviors of Software Systems Based on Unit Test Cases

Despite the advances in automated vulnerability detection approaches, security vulnerabilities caused by design flaws in software systems are continuously appearing in real-world systems. Such security design flaws can bring unrestricted and misimplemented behaviors of a system and can lead to fatal vulnerabilities such as remote code execution or sensitive data leakage. Therefore, it is an essential task to discover unrestricted and misimplemented behaviors of a system. However, it is a daunting task for security experts to discover such vulnerabilities in advance because it is time-consuming and error-prone to analyze the whole code in detail. Also, most of the existing vulnerability detection approaches still focus on detecting memory corruption bugs because these bugs are the dominant root cause of software vulnerabilities. This paper proposes SMINER, a novel approach that discovers vulnerabilities caused by unrestricted and misimplemented behaviors. SMINER first collects unit test cases for the target system from the official repository. Next, preprocess the collected code fragments. SMINER uses pre-processed data to show the security policies that can occur on the target system and creates a test case for security policy testing. To demonstrate the effectiveness of SMINER, this paper evaluates SMINER against Robot Operating System (ROS), a real-world system used for intelligent robots in Amazon and controlling satellites in National Aeronautics and Space Administration (NASA). From the evaluation, we discovered two real-world vulnerabilities in ROS.     

Secure Multifactor Remote Access User Authentication Framework for IoT Networks

The term IoT refers to the interconnection and exchange of data among devices/sensors. IoT devices are often small, low cost, and have limited resources. The IoT issues and challenges are growing increasingly. Security and privacy issues are among the most important concerns in IoT applications, such as smart buildings. Remote cybersecurity attacks are the attacks which do not require physical access to the IoT networks, where the attacker can remotely access and communicate with the IoT devices through a wireless communication channel. Thus, remote cybersecurity attacks are a significant threat. Emerging applications in smart environments such as smart buildings require remote access for both users and resources. Since the user/building communication channel is insecure, a lightweight and secure authentication protocol is required. In this paper, we propose a new secure remote user mutual authentication protocol based on transitory identities and multi-factor authentication for IoT smart building environment. The protocol ensures that only legitimate users can authenticate with smart building controllers in an anonymous, unlinkable, and untraceable manner. The protocol also avoids clock synchronization problem and can resist quantum computing attacks. The security of the protocol is evaluated using two different methods: (1) informal analysis; (2) model check using the automated validation of internet security protocols and applications (AVISPA) toolkit. The communication overhead and computational cost of the proposed are analyzed. The security and performance analysis show that our protocol is secure and efficient.     

Machine Learning with Dimensionality Reduction for DDoS Attack Detection

With the advancement of internet, there is also a rise in cybercrimes and digital attacks. DDoS (Distributed Denial of Service) attack is the most dominant weapon to breach the vulnerabilities of internet and pose a significant threat in the digital environment. These cyber-attacks are generated deliberately and consciously by the hacker to overwhelm the target with heavy traffic that genuine users are unable to use the target resources. As a result, targeted services are inaccessible by the legitimate user. To prevent these attacks, researchers are making use of advanced Machine Learning classifiers which can accurately detect the DDoS attacks. However, the challenge in using these techniques is the limitations on capacity for the volume of data and the required processing time. In this research work, we propose the framework of reducing the dimensions of the data by selecting the most important features which contribute to the predictive accuracy. We show that the ‘lite’ model trained on reduced dataset not only saves the computational power, but also improves the predictive performance. We show that dimensionality reduction can improve both effectiveness (recall) and efficiency (precision) of the model as compared to the model trained on ‘full’ dataset.     

拟态防御技术

网络空间安全处于易攻难守的非平衡态势,主动防御技术作为网络空间防御技术的新星,其研究热度不断提高。本文以入侵容忍技术和移动目标防御技术为主线概括了主动防御技术的发展,并介绍了拟态防御技术理论、工程实践以及测试情况。通过分析对比拟态防御和入侵容忍、移动目标的异同,提出网络安全再平衡战略的研究重点和方向,为国家网络空间安全发展提供借鉴和参考。     

Investigating the influence of governance determinants on reporting cybersecurity incidents to police: Evidence from Canadian organizations’ perspectives

Government agencies and standard setters require organizations operating in critical infrastructure sectors to disclose cybersecurity incidents, yet little is known about whether organizations report these incidents to law enforcement. This study examines this issue based on data from the 2017–2021 periods of the Canadian Survey of Cybersecurity and Cybercrime administered to Canadian organizations. We assessed the effects of governance determinants along with cyber incidents and their impacts using partial least squares equation modelling to identify the relationships between these factors and cybersecurity incidents reported to police services. To conceptualize these relationships, we developed a framework based on resource-dependence theory, protection motivation theory, and previous empirical evidence. The overall governance determinants as well as the impacts of the incidents explained 51% of the intention to report cybersecurity incidents to police, and the intensity of the impacts explained 30% of these intentions to signal incidents to law enforcement. The results also revealed that the intensity of cyber incident impacts dictates the attitudes of organizations towards reporting digital attacks. This study makes a significant theoretical contribution to the information security literature and has practical implications for standard setters and government agencies that aim to combat cybersecurity incidents.     

Using Object Detection Network for Malware Detection and Identification in Network Traffic Packets

In recent years, the number of exposed vulnerabilities has grown rapidly and more and more attacks occurred to intrude on the target computers using these vulnerabilities such as different malware. Malware detection has attracted more attention and still faces severe challenges. As malware detection based traditional machine learning relies on exports’ experience to design efficient features to distinguish different malware, it causes bottleneck on feature engineer and is also time-consuming to find efficient features. Due to its promising ability in automatically proposing and selecting significant features, deep learning has gradually become a research hotspot. In this paper, aiming to detect the malicious payload and identify their categories with high accuracy, we proposed a packet-based malicious payload detection and identification algorithm based on object detection deep learning network. A dataset of malicious payload on code execution vulnerability has been constructed under the Metasploit framework and used to evaluate the performance of the proposed malware detection and identification algorithm. The experimental results demonstrated that the proposed object detection network can efficiently find and identify malicious payloads with high accuracy.     

Adversarial Active Learning for Named Entity Recognition in Cybersecurity

Owing to the continuous barrage of cyber threats, there is a massive amount of cyber threat intelligence. However, a great deal of cyber threat intelligence come from textual sources. For analysis of cyber threat intelligence, many security analysts rely on cumbersome and time-consuming manual efforts. Cybersecurity knowledge graph plays a significant role in automatics analysis of cyber threat intelligence. As the foundation for constructing cybersecurity knowledge graph, named entity recognition (NER) is required for identifying critical threat-related elements from textual cyber threat intelligence. Recently, deep neural network-based models have attained very good results in NER. However, the performance of these models relies heavily on the amount of labeled data. Since labeled data in cybersecurity is scarce, in this paper, we propose an adversarial active learning framework to effectively select the informative samples for further annotation. In addition, leveraging the long short-term memory (LSTM) network and the bidirectional LSTM (BiLSTM) network, we propose a novel NER model by introducing a dynamic attention mechanism into the BiLSTM-LSTM encoderdecoder. With the selected informative samples annotated, the proposed NER model is retrained. As a result, the performance of the NER model is incrementally enhanced with low labeling cost. Experimental results show the effectiveness of the proposed method.