Nowadays, companies, critical infrastructure and governments face cyber attacks every day ranging from simple denial-of-service and password guessing attacks to complex nationstate attack campaigns, so-called advanced persistent threats (APTs). Defenders employ intrusion detection systems (IDSs) among other tools to detect malicious activity and protect network assets. With the evolution of threats, detection techniques have followed with modern systems usually relying on some form of artificial intelligence (AI) or anomaly detection as part of their defense portfolio. While these systems are able to achieve higher accuracy in detecting APT activity, they cannot provide much context about the attack, as the underlying models are often too complex to interpret. This paper presents an approach to explain single predictions (i. e., detected attacks) of any graphbased anomaly detection systems. By systematically modifying the input graph of an anomaly and observing the output, we leverage a variation of permutation importance to identify parts of the graph that are likely responsible for the detected anomaly. Our approach treats the anomaly detection function as a black box and is thus applicable to any whole-graph explanation problems. Our results on two established datasets for APT detection (StreamSpot \& DARPA TC Engagement Three) indicate that our approach can identify nodes that are likely part of the anomaly. We quantify this through our area under baseline (AuB) metric and show how the AuB is higher for anomalous graphs. Further analysis via the Wilcoxon rank-sum test confirms that these results are statistically significant with a p-value of 0.0041\%.

This study explores the pressing need for more effective IT governance and cybersecurity resilience within enterprises by strategically integrating red teaming exercises. Our research approach involved a comprehensive investigation encompassing literature review, surveys, interviews, and robust data analysis. We leveraged established frameworks like ISO 27001:2022, NIST CSF, and COBIT 2019 for model development. The results demonstrate a significant correlation between the frequency of red teaming exercises and higher IT governance maturity, highlighting the positive impact of increased engagement. The study emphasizes the value of incorporating red teaming insights to enhance IT governance maturity and bolster cybersecurity resilience, accounting for organizational size and industry sector variables. It underscores the critical importance of seamlessly integrating red teaming outcomes into governance procedures to fortify cybersecurity defenses and enable organizations to adapt swiftly to evolving threats, thus enhancing their overall security posture. Our model provides a practical roadmap for organizations dedicated to strengthening cybersecurity resilience in today s fast-changing digital landscape.

The ever-evolving and intricate nature of cyber environments, coupled with the escalating risk of cyber-attacks, necessitates robust solutions in the realm of cybersecurity. Knowledge graphs have emerged as a promising avenue for consolidating, representing, managing, and reasoning over cyber threat intelligence. However, applying knowledge graphs to tackle real-world challenges in cyber-attack and defense scenarios remains an area requiring further exploration. This paper aims to address this gap by providing a comprehensive overview of the fundamental concepts, schema design, and construction methodologies for the cybersecurity knowledge graph. To facilitate future research endeavors, we have carefully curated datasets and open-source libraries tailored for knowledge construction and information extraction tasks. Furthermore, we present a detailed comparative review of recent advancements in the application scenarios of cybersecurity knowledge graphs. To provide clarity and organization, we introduce a novel classification framework that categorizes interconnected works into distinct primary categories and subcategories. The paper concludes by outlining potential research directions in the cybersecurity knowledge graph domain, paving the way for further advancements and innovations in the field.

As computing ability continues to rapidly develop, neural networks have found widespread use in various fields. However, in the realm of visible watermarking for image copyright protection, neural networks have made image protection through watermarking less effective. Some research has even shown that watermarks can be removed without damaging to the original image, posing a significant threat to digital copyright protection. In response, the community has introduced adversarial perturbations for watermark protection, but these are sample-specific and time-consuming in real-world scenarios. To address this issue, we propose a new universal adversarial perturbation for watermark removal networks that offers two options. The first option involves adding perturbations to the entire host image, bringing the output of the watermark removal network closer to the original image and providing protection. The second option involves adding perturbations only to the watermark position, reducing the impact of the perturbation on the image and enhancing stealthiness. Our experiments demonstrate that our method effectively resists watermark removal networks and has good generalizability across different images.

As the network security landscape changes with time and market, organizations seek different and innovative approaches to strengthen their security defenses. This paper gives a theoretical explanation, highlighting the combination of honeypots and network monitoring tools as a dynamic strategy for enhancing security within networking environments. By using honeypots along with network monitoring tools, we bring out a multilayered defense strategy aimed at identifying and examining potential attack patterns. Our research dives into the theory of honeypots, their role in diverting malicious attacks, and their relationship with network monitoring tools. This combined framework helps organizations to detect, analyze, and ultimately reduce security threats. Through theoretical inputs and suggestions, this paper presents a framework for organizations seeking to enhance their cybersecurity defenses by exploring the complications of attacks through advanced network monitoring, along with honeypot security mechanisms.

The design and evaluation of cyber-physical systems are complex as it includes mechanical, electrical, and software components leading to a high dimensional space for architectural search and parametric tuning. For each new design, engineers need to define performance objectives, capture data from previous designs, make a model-based design, and then develop and enhance each system in each iteration. To address this problem, we present a combinatorial and parametric design space exploration and optimization technique for automatic design creation. We leverage gradient-free methods to jointly optimize the multiple domains of the cyber-physical systems. Finally, we apply this method in a DARPA design challenge where the goal is to create new designs for unmanned aerial vehicles. We evaluate the new designs on performance benchmarks and demonstrate the effectiveness of gradient-free optimization techniques in automatic design creation.

As cyberattacks are rising, Moving Target Defense (MTD) can be a countermeasure to proactively protect a networked system against cyber-attacks. Despite the fact that MTD systems demonstrate security effectiveness against the reconnaissance of Cyber Kill Chain (CKC), a time-based MTD has a limitation when it comes to protecting a system against the next phases of CKC. In this work, we propose a novel hybrid MTD technique, its implementation and evaluation. Our hybrid MTD system is designed on a real SDN testbed and it uses an intrusion detection system (IDS) to provide an additional MTD triggering condition. This in itself presents an extra layer of system protection. Our hybrid MTD technique can enhance security in the response to multi-phased cyber-attacks. The use of the reactive MTD triggering from intrusion detection alert shows that it is effective to thwart the further phase of detected cyber-attacks. We also investigate the performance degradation due to more frequent MTD triggers.This work contributes to (1) proposing an ML-based rule classification model for predicting identified attacks which helps a decision-making process for security enhancement; (2) developing a hybrid-based MTD integrated with a Network Intrusion Detection System (NIDS) with the consideration of performance and security; and (3) assessment of the performance degradation and security effectiveness against potential real attacks (i.e., scanning, dictionary, and SQL injection attack) in a physical testbed.

Cybercrime continues to pose a significant threat to modern society, requiring a solid emphasis on cyber-attack prevention, detection and response by civilian and military organisations aimed at brand protection. This study applies a novel framework to identify, detect and mitigate phishing attacks, leveraging the power of computer vision technology and artificial intelligence. The primary objective is to automate the classification process, reducing the dwell time between detection and executing courses of action to respond to phishing attacks. When applied to a real-world curated dataset, the proposed classifier achieved relevant results with an F1-Score of 95.76\% and an MCC value of 91.57\%. These metrics highlight the classifier’s effectiveness in identifying phishing domains with minimal false classifications, affirming its suitability for the intended purpose. Future enhancements include considering a fuzzy logic model that accounts for the classification probability in conjunction with the domain creation date and the uniqueness of downloaded resources when accessing the website or domain.

Rising cyber risks have compelled organizations to adopt better cyber-protection measures. This study focused on discovering crucial security metrics and assessing the function of red teaming in enhancing cybersecurity defenses against novel cyber hazards. The PRISMA standard considered nine core research works issued between 2014 and 2023. The inclusion of red teaming best practices can significantly enhance cybersecurity architecture. Accurate simulations of cyber threats during red teaming exercises help identify vulnerabilities, and actively embracing red teaming can amplify an organization s capacity to repel future cyber assaults. Researchers and practitioners can utilize the study s insights to pioneer novel security solutions. Combining red teaming methodologies with relevant metrics is essential for enhancing cybersecurity posture. The study s discoveries grant companies a priceless benefit in navigating the rapidly changing cyber threat environment and reinforcing their cyber protection mechanisms.

Cyber attack scenario reconstruction plays a crucial role in understanding and mitigating security breaches. In this paper, we propose a novel framework that leverages Natural Language Processing (NLP), specifically Named Entity Recognition (NER), and semantic similarity techniques to reconstruct cyber attack scenarios. By analyzing Intrusion Detection alerts, our offline approach identifies relevant entities, detects relationships between them, and measures semantic similarity to uncover hidden patterns and connections. We demonstrate the effectiveness of our framework through experimental evaluations using a public dataset. The results highlight the potential of NLP-based approaches in cyber attack scenario reconstruction.

The Internet of Things (IoT) refers to the growing network of connected physical objects embedded with sensors, software and connectivity. While IoT has potential benefits, it also introduces new cyber security risks. This paper provides an overview of IoT security issues, vulnerabilities, threats, and mitigation strategies. The key vulnerabilities arising from IoT s scale, ubiquity and connectivity include inadequate authentication, lack of encryption, poor software security, and privacy concerns. Common attacks against IoT devices and networks include denial of service, ransom-ware, man-in-the-middle, and spoofing. An analysis of recent literature highlights emerging attack trends like swarm-based DDoS, IoT botnets, and automated large-scale exploits. Recommended techniques to secure IoT include building security into architecture and design, access control, cryptography, regular patching and upgrades, activity monitoring, incident response plans, and end-user education. Future technologies like blockchain, AI-enabled defense, and post-quantum cryptography can help strengthen IoT security. Additional focus areas include shared threat intelligence, security testing, certification programs, international standards and collaboration between industry, government and academia. A robust multilayered defense combining preventive and detective controls is required to combat rising IoT threats. This paper provides a comprehensive overview of the IoT security landscape and identifies areas for continued research and development.

A three-party evolutionary game model is constructed by combining the cyber deception, the defender (intrusion detection system), and the attacker. The attackers choose attack strategies to gain greater benefits. The cyber deception can induce attackers to attack fake vulnerabilities, so as capture and analyze the attackers intentions. The defenders use the captured attacker information to adjust their defense strategies and improve detection of attacks. Using cyber deception to enhance the defender choice of strategy, reduce attacker s profit, enable defender to play their own superior strategy, reduce node resource overhead, and prolong network survival time. Through the capture and feature extraction of attacker s attack information, the attack feature database of intrusion detection system is improved, and the detection probability of the attack by the defender is increased. According to the simulation results, the cyber deception can provide the defender with the attacker s attack information in the process of attack and defense, increase the probability of the defender s successful defense, speed up the convergence speed of the optimal defense strategy, and reduce the convergence speed of the attacker s optimal strategy. It is proved that the cyber deception as a third-party participant can effectively help the defender to protect the security of the network.

Cyber threats have been a major issue in the cyber security domain. Every hacker follows a series of cyber-attack stages known as cyber kill chain stages. Each stage has its norms and limitations to be deployed. For a decade, researchers have focused on detecting these attacks. Merely watcher tools are not optimal solutions anymore. Everything is becoming autonomous in the computer science field. This leads to the idea of an Autonomous Cyber Resilience Defense algorithm design in this work. Resilience has two aspects: Response and Recovery. Response requires some actions to be performed to mitigate attacks. Recovery is patching the flawed code or back door vulnerability. Both aspects were performed by human assistance in the cybersecurity defense field. This work aims to develop an algorithm based on Reinforcement Learning (RL) with a Convoluted Neural Network (CNN), far nearer to the human learning process for malware images. RL learns through a reward mechanism against every performed attack. Every action has some kind of output that can be classified into positive or negative rewards. To enhance its thinking process Markov Decision Process (MDP) will be mitigated with this RL approach. RL impact and induction measures for malware images were measured and performed to get optimal results. Based on the Malimg Image malware, dataset successful automation actions are received. The proposed work has shown 98\% accuracy in the classification, detection, and autonomous resilience actions deployment.

Cybersecurity is an increasingly critical aspect of modern society, with cyber attacks becoming more sophisticated and frequent. Artificial intelligence (AI) and neural network models have emerged as promising tools for improving cyber defense. This paper explores the potential of AI and neural network models in cybersecurity, focusing on their applications in intrusion detection, malware detection, and vulnerability analysis. Intruder detection, or "intrusion detection," is the process of identifying Invasion of Privacy to a computer system. AI-based security systems that can spot intrusions (IDS) use AI-powered packet-level network traffic analysis and intrusion detection patterns to signify an assault. Neural network models can also be used to improve IDS accuracy by modeling the behavior of legitimate users and detecting anomalies. Malware detection involves identifying malicious software on a computer system. AI-based malware machine-learning algorithms are used by detecting systems to assess the behavior of software and recognize patterns that indicate malicious activity. Neural network models can also serve to hone the precision of malware identification by modeling the behavior of known malware and identifying new variants. Vulnerability analysis involves identifying weaknesses in a computer system that could be exploited by attackers. AI-based vulnerability analysis systems use machine learning algorithms to analyze system configurations and identify potential vulnerabilities. Neural network models can also be used to improve the accuracy of vulnerability analysis by modeling the behavior of known vulnerabilities and identifying new ones. Overall, AI and neural network models have significant potential in cybersecurity. By improving intrusion detection, malware detection, and vulnerability analysis, they can help organizations better defend against cyber attacks. However, these technologies also present challenges, including a lack of understanding of the importance of data in machine learning and the potential for attackers to use AI themselves. As such, careful consideration is necessary when implementing AI and neural network models in cybersecurity.

In this research, we evaluate the effectiveness of different MTD techniques on the transformer-based cyber anomaly detection models trained on the KDD Cup’99 Dataset, a publicly available dataset commonly used for evaluating intrusion detection systems. We explore the trade-offs between security and performance when using MTD techniques for cyber anomaly detection and investigate how MTD techniques can be combined with other cybersecurity techniques to improve the overall security of the system. We evaluate their performance using standard metrics such as accuracy and FI score, as well as measures of robustness against adversarial attacks. Our results show that MTD techniques can significantly improve the security of the anomaly detection model, with some techniques being more effective than others depending on the model architecture. We also find that there are trade-offs between security and performance, with some MTD techniques leading to a reduction in model accuracy or an increase in computation time. However, we demonstrate that these tradeoffs can be mitigated by optimizing the MTD parameters for the specific model architecture.

Mission Impact Assessment (MIA) is a critical endeavor for evaluating the performance of mission systems, encompassing intricate elements such as assets, services, tasks, vulnerability, attacks, and defenses. This study introduces an innovative MIA framework that transcends existing methodologies by intricately modeling the interdependencies among these components. Additionally, we integrate hypergame theory to address the strategic dynamics of attack-defense interactions. To illustrate its practicality, we apply the framework to an Internet-of-Things (IoT)-based mission system tailored for accurate, time-sensitive object detection. Rigorous simulation experiments affirm the framework s robustness across a spectrum of scenarios. Our results prove that the developed MIA framework shows a sufficiently high inference accuracy (e.g., 80 \%) even with a small portion of the training dataset (e.g., 20–50 \%).

The current research focuses on the physical security of UAV, while there are few studies on UAV information security. Moreover, the frequency of various security problems caused by UAV has been increasing in recent years, so research on UAV information security is urgent. In order to solve the high cost of UAV experiments, complex protocol types, and hidden security problems, we designe a UAV cyber range and analyze the attack and defense scenarios of three types of honeypot deployment. On this basis, we propose a UAV honeypot active defense strategy based on reinforcement learning. The active defense model of UAV honeypot is described of four dimensions: state, action, reward, and strategy. The simulation results show that the UAV honeypot strategy can maximize the capture of attacker data, which has important theoretical significance for the research of UAV information security.

AssessJet mainly deals with the vulnerability assessment of websites which is passed as the input. The process of detection and assorting the security threats is known as Vulnerability assessment. Security vulnerabilities can be identified by using appropriate security scanning tools on the back-end. This system produces an extensive report that includes various security threats a website in detail which are likely to be faced by the particular website. Report is to be generated in such a way that the client can understand it easily. Using AssessJet, bugs in websites and web applications, including those under development can be identified.

The energy revolution is primarily driven by the adoption of advanced communication technologies that allow for the digitization of power grids. With the confluence of Information Technology (IT) and Operational Technology (OT), energy systems are entering the larger world of Cyber-Physical Systems (CPS). Cyber threats are expected to grow as the attack surface expands, posing a significant operational risk to any cyber-physical system, including the power grid. Substations are the electricity transmission systems’ most critical assets. Substation outages caused by cyber-attacks produce widespread power outages impacting thousands of consumers. To plan and prepare for such rare yet high-impact occurrences, this paper proposes an integrated defense-in-depth framework for power transmission systems to reduce the risk of cyber-induced substation failures. The inherent resilience of physical power systems assesses cyber-attacks’ impact on critical substations. The presented approach integrates the physical implications of substation failures with cyber vulnerabilities to analyze cyber-physical risks holistically.

Unlike traditional defense concepts, active defense is an asymmetric defense concept. It can not only identify potential threats in advance and nip them in the bud but also increase the attack cost of unknown threats by using change, interference, deception, or other means. Although active defense can reverse the asymmetric situation between attacks and defenses, current active defense technologies have two shortcomings: (i) they mainly aim at detecting attacks and increasing the cost of attacks without addressing the underlying problem; and (ii) they have problems such as high deployment costs and compromised system operational efficiency. This paper proposes an active defense architecture based on trap vulnerability with vulnerability as the core and introduces its design concept and specific implementation scheme. We deploy “traps” in the system to lure and find attackers while combining built-in detection, rejection, and traceback mechanisms to protect the system and trace the source of the attack.

Anomaly detection is a challenge well-suited to machine learning and in the context of information security, the benefits of unsupervised solutions show significant promise. Recent attention to Graph Neural Networks (GNNs) has provided an innovative approach to learn from attributed graphs. Using a GNN encoder-decoder architecture, anomalous edges between nodes can be detected during the reconstruction phase. The aim of this research is to determine whether an unsupervised GNN model can detect anomalous network connections in a static, attributed network. Network logs were collected from four corporate networks and one artificial network using endpoint monitoring tools. A GNN-based anomaly detection system was designed and employed to score and rank anomalous connections between hosts. The model was validated against four realistic experimental scenarios against the four large corporate networks and the smaller artificial network environment. Although quantitative metrics were affected by factors including the scale of the network, qualitative assessments indicated that anomalies from all scenarios were detected. The false positives across each scenario indicate that this model in its current form is useful as an initial triage, though would require further improvement to become a performant detector. This research serves as a promising step for advancing this methodology in detecting anomalous network connections. Future work to improve results includes narrowing the scope of detection to specific threat types and a further focus on feature engineering and selection.

The escalating visibility of secure direct object reference (IDOR) vulnerabilities in API security, as indicated in the compilation of OWASP Top 10 API Security Risks, highlights a noteworthy peril to sensitive data. This study explores IDOR vulnerabilities found within Android APIs, intending to clarify their inception while evaluating their implications for application security. This study combined the qualitative and quantitative approaches. Insights were obtained from an actual penetration test on an Android app into the primary reasons for IDOR vulnerabilities, underscoring insufficient input validation and weak authorization methods. We stress the frequent occurrence of IDOR vulnerabilities in the OWASP Top 10 API vulnerability list, highlighting the necessity to prioritize them in security evaluations. There are mitigation recommendations available for developers, which recognize its limitations involving a possibly small and homogeneous selection of tested Android applications, the testing environment that could cause some inaccuracies, and the impact of time constraints. Additionally, the study noted insufficient threat modeling and root cause analysis, affecting its generalizability and real-world relevance. However, comprehending and controlling IDOR dangers can enhance Android API security, protect user data, and bolster application resilience.

Vendor cybersecurity risk assessment is of critical importance to smart city infrastructure and sustainability of the autonomous mobility ecosystem. Lack of engagement in cybersecurity policies and process implementation by the tier companies providing hardware or services to OEMs within this ecosystem poses a significant risk to not only the individual companies but to the ecosystem overall. The proposed quantitative method of estimating cybersecurity risk allows vendors to have visibility to the financial risk associated with potential threats and to consequently allocate adequate resources to cybersecurity. It facilitates faster implementation of defense measures and provides a useful tool in the vendor selection process. The paper focuses on cybersecurity risk assessment as a critical part of the overall company mission to create a sustainable structure for maintaining cybersecurity health. Compound cybersecurity risk and impact on company operations as outputs of this quantitative analysis present a unique opportunity to strategically plan and make informed decisions towards acquiring a reputable position in a sustainable ecosystem. This method provides attack trees and assigns a risk factor to each vendor thus offering a competitive advantage and an insight into the supply chain risk map. This is an innovative way to look at vendor cybersecurity posture. Through a selection of unique industry specific parameters and a modular approach, this risk assessment model can be employed as a tool to navigate the supply base and prevent significant financial cost. It generates synergies within the connected vehicle ecosystem leading to a safe and sustainable economy.

An end-to-end cyber risk assessment process is presented that is based on the combination of guidelines from the National Institute of Standards \& Technology (NIST), the standard 5\times 5 risk matrix, and quantitative methods for generating loss exceedance curves.The NIST guidelines provide a framework for cyber risk assessment, and the standard 5\times 5 matrix is widely used across the industry for the representation of risk across multiple disciplines. Loss exceedance curves are a means of quantitatively assessing the loss that occurs due to a given risk profile. Combining these different techniques enables us to follow the guidelines, adhere to standard 5\times 5 risk management practices and develop quantitative metrics simultaneously. Our quantification process is based on the consideration of the NASA and JPL Cost Risk assessment modeling techniques as we define the cost associated with the cybersecurity risk profile of a mission as a function of the mission cost.

In recent times, the research looks into the measures taken by financial institutions to secure their systems and reduce the likelihood of attacks. The study results indicate that all cultures are undergoing a digital transformation at the present time. The dawn of the Internet ushered in an era of increased sophistication in many fields. There has been a gradual but steady shift in attitude toward digital and networked computers in the business world over the past few years. Financial organizations are increasingly vulnerable to external cyberattacks due to the ease of usage and positive effects. They are also susceptible to attacks from within their own organisation. In this paper, we develop a machine learning based quantitative risk assessment model that effectively assess and minimises this risk. Quantitative risk calculation is used since it is the best way for calculating network risk. According to the study, a network s vulnerability is proportional to the number of times its threats have been exploited and the amount of damage they have caused. The simulation is used to test the model s efficacy, and the results show that the model detects threats more effectively than the other methods.