Rising cyber risks have compelled organizations to adopt better cyber-protection measures. This study focused on discovering crucial security metrics and assessing the function of red teaming in enhancing cybersecurity defenses against novel cyber hazards. The PRISMA standard considered nine core research works issued between 2014 and 2023. The inclusion of red teaming best practices can significantly enhance cybersecurity architecture. Accurate simulations of cyber threats during red teaming exercises help identify vulnerabilities, and actively embracing red teaming can amplify an organization's capacity to repel future cyber assaults. Researchers and practitioners can utilize the study's insights to pioneer novel security solutions. Combining red teaming methodologies with relevant metrics is essential for enhancing cybersecurity posture. The study's discoveries grant companies a priceless benefit in navigating the rapidly changing cyber threat environment and reinforcing their cyber protection mechanisms.
Authored by Semi Yulianto, Benfano Soewito, Ford Gaol, Aditiya Kurniawan
Cyber attack scenario reconstruction plays a crucial role in understanding and mitigating security breaches. In this paper, we propose a novel framework that leverages Natural Language Processing (NLP), specifically Named Entity Recognition (NER), and semantic similarity techniques to reconstruct cyber attack scenarios. By analyzing Intrusion Detection alerts, our offline approach identifies relevant entities, detects relationships between them, and measures semantic similarity to uncover hidden patterns and connections. We demonstrate the effectiveness of our framework through experimental evaluations using a public dataset. The results highlight the potential of NLP-based approaches in cyber attack scenario reconstruction.
Authored by Mouhamadou Diakhame, Cherif Diallo, Mohamed Mejri
The Internet of Things (IoT) refers to the growing network of connected physical objects embedded with sensors, software and connectivity. While IoT has potential benefits, it also introduces new cyber security risks. This paper provides an overview of IoT security issues, vulnerabilities, threats, and mitigation strategies. The key vulnerabilities arising from IoT's scale, ubiquity and connectivity include inadequate authentication, lack of encryption, poor software security, and privacy concerns. Common attacks against IoT devices and networks include denial of service, ransomware, man-in-the-middle, and spoofing. An analysis of recent literature highlights emerging attack trends like swarm-based DDoS, IoT botnets, and automated large-scale exploits. Recommended techniques to secure IoT include building security into architecture and design, access control, cryptography, regular patching and upgrades, activity monitoring, incident response plans, and end-user education. Future technologies like blockchain, AI-enabled defense, and post-quantum cryptography can help strengthen IoT security. Additional focus areas include shared threat intelligence, security testing, certification programs, international standards and collaboration between industry, government and academia. A robust multilayered defense combining preventive and detective controls is required to combat rising IoT threats. This paper provides a comprehensive overview of the IoT security landscape and identifies areas for continued research and development.
Authored by Luis Cambosuela, Mandeep Kaur, Rani Astya
A three-party evolutionary game model is constructed by combining the cyber deception, the defender (intrusion detection system), and the attacker. The attackers choose attack strategies to gain greater benefits. The cyber deception can induce attackers to attack fake vulnerabilities, so as to capture and analyze the attackers' intentions. The defenders use the captured attacker information to adjust their defense strategies and improve detection of attacks. Using cyber deception to enhance the defender's choice of strategy, reduce the attacker's profit, enable the defender to play their own superior strategy, reduce node resource overhead, and prolong network survival time. Through the capture and feature extraction of the attacker's attack information, the attack feature database of the intrusion detection system is improved, and the detection probability of the attack by the defender is increased. According to the simulation results, the cyber deception can provide the defender with the attacker's attack information in the process of attack and defense, increase the probability of the defender's successful defense, speed up the convergence speed of the optimal defense strategy, and reduce the convergence speed of the attacker's optimal strategy. It is proved that the cyber deception as a third-party participant can effectively help the defender to protect the security of the network.
Authored by Shuai Li, Ting Wang, Ji Ma, Weibo Zhao
Cyber threats have been a major issue in the cyber security domain. Every hacker follows a series of cyber-attack stages known as cyber kill chain stages. Each stage has its norms and limitations to be deployed. For a decade, researchers have focused on detecting these attacks. Merely watcher tools are not optimal solutions anymore. Everything is becoming autonomous in the computer science field. This leads to the idea of an Autonomous Cyber Resilience Defense algorithm design in this work. Resilience has two aspects: Response and Recovery. Response requires some actions to be performed to mitigate attacks. Recovery is patching the flawed code or back door vulnerability. Both aspects were performed by human assistance in the cybersecurity defense field. This work aims to develop an algorithm based on Reinforcement Learning (RL) with a Convoluted Neural Network (CNN), far nearer to the human learning process for malware images. RL learns through a reward mechanism against every performed attack. Every action has some kind of output that can be classified into positive or negative rewards. To enhance its thinking process Markov Decision Process (MDP) will be mitigated with this RL approach. RL impact and induction measures for malware images were measured and performed to get optimal results. Based on the Malimg Image malware dataset, successful automation actions are received. The proposed work has shown 98% accuracy in the classification, detection, and autonomous resilience actions deployment.
Authored by Kainat Rizwan, Mudassar Ahmad, Muhammad Habib
Cybersecurity is an increasingly critical aspect of modern society, with cyber attacks becoming more sophisticated and frequent. Artificial intelligence (AI) and neural network models have emerged as promising tools for improving cyber defense. This paper explores the potential of AI and neural network models in cybersecurity, focusing on their applications in intrusion detection, malware detection, and vulnerability analysis. Intruder detection, or "intrusion detection," is the process of identifying Invasion of Privacy to a computer system. AI-based security systems that can spot intrusions (IDS) use AI-powered packet-level network traffic analysis and intrusion detection patterns to signify an assault. Neural network models can also be used to improve IDS accuracy by modeling the behavior of legitimate users and detecting anomalies. Malware detection involves identifying malicious software on a computer system. AI-based malware machine-learning algorithms are used by detecting systems to assess the behavior of software and recognize patterns that indicate malicious activity. Neural network models can also serve to hone the precision of malware identification by modeling the behavior of known malware and identifying new variants. Vulnerability analysis involves identifying weaknesses in a computer system that could be exploited by attackers. AI-based vulnerability analysis systems use machine learning algorithms to analyze system configurations and identify potential vulnerabilities. Neural network models can also be used to improve the accuracy of vulnerability analysis by modeling the behavior of known vulnerabilities and identifying new ones. Overall, AI and neural network models have significant potential in cybersecurity. By improving intrusion detection, malware detection, and vulnerability analysis, they can help organizations better defend against cyber attacks. 
However, these technologies also present challenges, including a lack of understanding of the importance of data in machine learning and the potential for attackers to use AI themselves. As such, careful consideration is necessary when implementing AI and neural network models in cybersecurity.
Authored by D. Sugumaran, Y. John, Jansi C, Kireet Joshi, G. Manikandan, Geethamanikanta Jakka
In this research, we evaluate the effectiveness of different MTD techniques on the transformer-based cyber anomaly detection models trained on the KDD Cup’99 Dataset, a publicly available dataset commonly used for evaluating intrusion detection systems. We explore the trade-offs between security and performance when using MTD techniques for cyber anomaly detection and investigate how MTD techniques can be combined with other cybersecurity techniques to improve the overall security of the system. We evaluate their performance using standard metrics such as accuracy and F1 score, as well as measures of robustness against adversarial attacks. Our results show that MTD techniques can significantly improve the security of the anomaly detection model, with some techniques being more effective than others depending on the model architecture. We also find that there are trade-offs between security and performance, with some MTD techniques leading to a reduction in model accuracy or an increase in computation time. However, we demonstrate that these trade-offs can be mitigated by optimizing the MTD parameters for the specific model architecture.
Authored by M. Vubangsi, Auwalu Mubarak, Jameel Yayah, Chadi Altrjman, Manika Manwal, Satya Yadav, Fadi Al-Turjman
Mission Impact Assessment (MIA) is a critical endeavor for evaluating the performance of mission systems, encompassing intricate elements such as assets, services, tasks, vulnerability, attacks, and defenses. This study introduces an innovative MIA framework that transcends existing methodologies by intricately modeling the interdependencies among these components. Additionally, we integrate hypergame theory to address the strategic dynamics of attack-defense interactions. To illustrate its practicality, we apply the framework to an Internet-of-Things (IoT)-based mission system tailored for accurate, time-sensitive object detection. Rigorous simulation experiments affirm the framework's robustness across a spectrum of scenarios. Our results prove that the developed MIA framework shows a sufficiently high inference accuracy (e.g., 80%) even with a small portion of the training dataset (e.g., 20–50%).
Authored by Ashrith Thukkaraju, Han Yoon, Shou Matsumoto, Jair Ferrari, Donghwan Lee, Myung Ahn, Paulo Costa, Jin-Hee Cho
The current research focuses on the physical security of UAV, while there are few studies on UAV information security. Moreover, the frequency of various security problems caused by UAV has been increasing in recent years, so research on UAV information security is urgent. In order to solve the high cost of UAV experiments, complex protocol types, and hidden security problems, we design a UAV cyber range and analyze the attack and defense scenarios of three types of honeypot deployment. On this basis, we propose a UAV honeypot active defense strategy based on reinforcement learning. The active defense model of UAV honeypot is described in four dimensions: state, action, reward, and strategy. The simulation results show that the UAV honeypot strategy can maximize the capture of attacker data, which has important theoretical significance for the research of UAV information security.
Authored by Shangting Miao, Yang Li, Quan Pan
AssessJet mainly deals with the vulnerability assessment of websites which are passed as the input. The process of detection and assorting the security threats is known as vulnerability assessment. Security vulnerabilities can be identified by using appropriate security scanning tools on the back-end. This system produces an extensive report that details the various security threats which are likely to be faced by the particular website. The report is to be generated in such a way that the client can understand it easily. Using AssessJet, bugs in websites and web applications, including those under development, can be identified.
Authored by J Periasamy, Dakiniswari V, Tapasya K
The energy revolution is primarily driven by the adoption of advanced communication technologies that allow for the digitization of power grids. With the confluence of Information Technology (IT) and Operational Technology (OT), energy systems are entering the larger world of Cyber-Physical Systems (CPS). Cyber threats are expected to grow as the attack surface expands, posing a significant operational risk to any cyber-physical system, including the power grid. Substations are the electricity transmission systems’ most critical assets. Substation outages caused by cyber-attacks produce widespread power outages impacting thousands of consumers. To plan and prepare for such rare yet high-impact occurrences, this paper proposes an integrated defense-in-depth framework for power transmission systems to reduce the risk of cyber-induced substation failures. The inherent resilience of physical power systems assesses cyber-attacks’ impact on critical substations. The presented approach integrates the physical implications of substation failures with cyber vulnerabilities to analyze cyber-physical risks holistically.
Authored by Kush Khanna, Gelli Ravikumar, Manimaran Govindarasu
Unlike traditional defense concepts, active defense is an asymmetric defense concept. It can not only identify potential threats in advance and nip them in the bud but also increase the attack cost of unknown threats by using change, interference, deception, or other means. Although active defense can reverse the asymmetric situation between attacks and defenses, current active defense technologies have two shortcomings: (i) they mainly aim at detecting attacks and increasing the cost of attacks without addressing the underlying problem; and (ii) they have problems such as high deployment costs and compromised system operational efficiency. This paper proposes an active defense architecture based on trap vulnerability with vulnerability as the core and introduces its design concept and specific implementation scheme. We deploy “traps” in the system to lure and find attackers while combining built-in detection, rejection, and traceback mechanisms to protect the system and trace the source of the attack.
Authored by Quan Hong, Yang Zhao, Jian Chang, Yuxin Du, Jun Li, Lidong Zhai
Anomaly detection is a challenge well-suited to machine learning and in the context of information security, the benefits of unsupervised solutions show significant promise. Recent attention to Graph Neural Networks (GNNs) has provided an innovative approach to learn from attributed graphs. Using a GNN encoder-decoder architecture, anomalous edges between nodes can be detected during the reconstruction phase. The aim of this research is to determine whether an unsupervised GNN model can detect anomalous network connections in a static, attributed network. Network logs were collected from four corporate networks and one artificial network using endpoint monitoring tools. A GNN-based anomaly detection system was designed and employed to score and rank anomalous connections between hosts. The model was validated against four realistic experimental scenarios against the four large corporate networks and the smaller artificial network environment. Although quantitative metrics were affected by factors including the scale of the network, qualitative assessments indicated that anomalies from all scenarios were detected. The false positives across each scenario indicate that this model in its current form is useful as an initial triage, though would require further improvement to become a performant detector. This research serves as a promising step for advancing this methodology in detecting anomalous network connections. Future work to improve results includes narrowing the scope of detection to specific threat types and a further focus on feature engineering and selection.
Authored by Charlie Grimshaw, Brian Lachine, Taylor Perkins, Emilie Coote
The escalating visibility of secure direct object reference (IDOR) vulnerabilities in API security, as indicated in the compilation of OWASP Top 10 API Security Risks, highlights a noteworthy peril to sensitive data. This study explores IDOR vulnerabilities found within Android APIs, intending to clarify their inception while evaluating their implications for application security. This study combined the qualitative and quantitative approaches. Insights were obtained from an actual penetration test on an Android app into the primary reasons for IDOR vulnerabilities, underscoring insufficient input validation and weak authorization methods. We stress the frequent occurrence of IDOR vulnerabilities in the OWASP Top 10 API vulnerability list, highlighting the necessity to prioritize them in security evaluations. There are mitigation recommendations available for developers, which recognize its limitations involving a possibly small and homogeneous selection of tested Android applications, the testing environment that could cause some inaccuracies, and the impact of time constraints. Additionally, the study noted insufficient threat modeling and root cause analysis, affecting its generalizability and real-world relevance. However, comprehending and controlling IDOR dangers can enhance Android API security, protect user data, and bolster application resilience.
Authored by Semi Yulianto, Roni Abdullah, Benfano Soewito
Vendor cybersecurity risk assessment is of critical importance to smart city infrastructure and sustainability of the autonomous mobility ecosystem. Lack of engagement in cybersecurity policies and process implementation by the tier companies providing hardware or services to OEMs within this ecosystem poses a significant risk to not only the individual companies but to the ecosystem overall. The proposed quantitative method of estimating cybersecurity risk allows vendors to have visibility to the financial risk associated with potential threats and to consequently allocate adequate resources to cybersecurity. It facilitates faster implementation of defense measures and provides a useful tool in the vendor selection process. The paper focuses on cybersecurity risk assessment as a critical part of the overall company mission to create a sustainable structure for maintaining cybersecurity health. Compound cybersecurity risk and impact on company operations as outputs of this quantitative analysis present a unique opportunity to strategically plan and make informed decisions towards acquiring a reputable position in a sustainable ecosystem. This method provides attack trees and assigns a risk factor to each vendor thus offering a competitive advantage and an insight into the supply chain risk map. This is an innovative way to look at vendor cybersecurity posture. Through a selection of unique industry specific parameters and a modular approach, this risk assessment model can be employed as a tool to navigate the supply base and prevent significant financial cost. It generates synergies within the connected vehicle ecosystem leading to a safe and sustainable economy.
Authored by Albena Tzoneva, Galina Momcheva, Borislav Stoyanov
An end-to-end cyber risk assessment process is presented that is based on the combination of guidelines from the National Institute of Standards & Technology (NIST), the standard 5×5 risk matrix, and quantitative methods for generating loss exceedance curves. The NIST guidelines provide a framework for cyber risk assessment, and the standard 5×5 matrix is widely used across the industry for the representation of risk across multiple disciplines. Loss exceedance curves are a means of quantitatively assessing the loss that occurs due to a given risk profile. Combining these different techniques enables us to follow the guidelines, adhere to standard 5×5 risk management practices and develop quantitative metrics simultaneously. Our quantification process is based on the consideration of the NASA and JPL Cost Risk assessment modeling techniques as we define the cost associated with the cybersecurity risk profile of a mission as a function of the mission cost.
Authored by Leila Meshkat, Robert Miller
In recent times, the research looks into the measures taken by financial institutions to secure their systems and reduce the likelihood of attacks. The study results indicate that all cultures are undergoing a digital transformation at the present time. The dawn of the Internet ushered in an era of increased sophistication in many fields. There has been a gradual but steady shift in attitude toward digital and networked computers in the business world over the past few years. Financial organizations are increasingly vulnerable to external cyberattacks due to the ease of usage and positive effects. They are also susceptible to attacks from within their own organisation. In this paper, we develop a machine learning based quantitative risk assessment model that effectively assesses and minimises this risk. Quantitative risk calculation is used since it is the best way for calculating network risk. According to the study, a network's vulnerability is proportional to the number of times its threats have been exploited and the amount of damage they have caused. The simulation is used to test the model's efficacy, and the results show that the model detects threats more effectively than the other methods.
Authored by Lavanya M, Mangayarkarasi S
Over the past decade, the number of cyber attack incidents targeting critical infrastructures such as the electrical power system has increased. To assess the risk of cyber attacks on the cyber-physical system, a holistic approach is needed that considers both system layers. However, the existing risk assessment methods are either qualitative in nature or employ probabilistic models to study the impact on only one system layer. Hence, in this work, we propose a quantitative risk assessment method for cyber-physical systems based on probabilistic and deterministic techniques. The former uses attack graphs to evaluate the attack likelihood, while the latter analyzes the potential cyber-physical impact. This is achieved through a dynamic cyber-physical power system model, i.e., digital twin, able to simulate power system cascading failures caused by cyber attacks. Additionally, we propose a domain-specific language to describe the assets of digital substations and thereby model the attack graphs. Using the proposed method, combined risk metrics are calculated that consider the likelihood and impact of cyber threat scenarios. The risk assessment is conducted using the IEEE 39-bus system, consisting of 27 user-defined digital substations. These substations serve as the backbone of the examined cyber system layer and as entry-points for the attackers. Results indicate that cyber attacks on specific substations can cause major cascading failures or even a blackout. Thereby, the proposed method identifies the most critical substations and assets that must be cyber secured.
Authored by Ioannis Semertzis, Vetrivel Rajkumar, Alexandru Ştefanov, Frank Fransen, Peter Palensky
Cybersecurity is largely based on the use of frameworks (ISO27k, NIST, etc.) whose main objective is compliance with the standard. They do not, however, address the quantification of the risk deriving from a threat scenario. This paper proposes a methodology that, having evaluated the overall capability of the controls of an ISO27001 framework, allows one to select those that mitigate a threat scenario and evaluate the risk according to a Cybersecurity Risk Quantification model.
Authored by Glauco Bertocchi, Alberto Piamonte
Cybersecurity risk analysis is crucial for organizations to assess, identify, and prioritize possible threats to their systems and assets. Organizations aim to estimate the loss cost in case cybersecurity risks occur to decide the control actions they should invest in. Quantitative risk analysis aids organizations in making well-informed decisions about risk mitigation strategies and resource allocation. Therefore, organizations must use quantitative risk analysis methods to identify and prioritize risks rather than relying on qualitative methods. This paper proposes a spreadsheet-based quantitative risk analysis method based on verbal likelihoods. Our approach relies on tables constructed by experts that map between linguistic likelihood and possible probability ranges. Using linguistic terms to estimate the probability of risk occurrence will help experts apply quantitative estimation easily by using common language as input, thus eliminating the need to assign precise probabilities. We experimented with real examples to validate our approach's accuracy and reliability and compared our results with those obtained from another method. Also, we conducted tests to measure our model's performance and robustness. Our study showcases the effectiveness of our approach and demonstrates its potential for risk analysts to use it in real-world applications.
Authored by Karim Elhammady, Sebastian Fischmeister
In modern conditions, the relevance of the problem of assessing the information security risks for automated systems is increasing. Risk assessment is defined as a complex multi-stage task. Risk assessment requires prompt decision-making for effective information protection. To solve this problem, a method for automating risk assessment based on fuzzy cognitive maps is proposed. A fuzzy cognitive map is a model that can be represented as a directed graph in which concepts and connections between them have their own weights. The automation process allows evaluating complex relationships between factors and threats, providing a more comprehensive risk assessment. The application of fuzzy cognitive maps proved to be an effective tool for automation, promptness, and quality in risk assessment.
Authored by Andrey Shaburov, Anna Ozhgibesova, Vsevolod Alekseev
Cyber security is a critical problem that causes data breaches, identity theft, and harm to millions of people and businesses. As technology evolves, new security threats emerge as a result of a dearth of cyber security specialists equipped with up-to-date information. It is hard for security firms to prevent cyber-attacks without the cooperation of senior professionals. However, by depending on artificial intelligence to combat cyber-attacks, the strain on specialists can be lessened. As the use of Artificial Intelligence (AI) can improve Machine Learning (ML) approaches that can mine data to detect the sources of cyberattacks or perhaps prevent them as an AI method, it enables and facilitates malware detection by utilizing data from prior cyber-attacks in a variety of methods, including behavior analysis, risk assessment, bot blocking, endpoint protection, and security task automation. However, deploying AI may present new threats; therefore, cyber security experts must establish a balance between risk and benefit. While AI models can aid cybersecurity experts in making decisions and forming conclusions, they will never be able to make all cybersecurity decisions and judgments.
Authored by Safiya Alawadhi, Areej Zowayed, Hamad Abdulla, Moaiad Khder, Basel Ali
Cyberattacks, particularly those that take place in real time, will be able to target an increasing number of networked systems as more and more items connect to the Internet of items. While the system is operational, it is susceptible to intrusions that might have catastrophic consequences, such as the theft of sensitive information, the violation of personal privacy, or perhaps physical injury or even death. These outcomes are all possible while the system is operational. A mixed-methods research approach was required in order to fulfill the requirements for understanding the nature and scope of real-time assaults on IoT-powered cybersecurity infrastructure. The quantitative data that was utilized in this research came from an online survey of IoT security professionals as well as an analysis of publicly available information on IoT security incidents. For the purpose of gathering qualitative data, in-depth interviews with industry experts and specialists in the area of Internet of Things security were conducted. The authors provide a novel method for identifying cybersecurity flaws and breaches in cyber-physical systems, one that makes use of deep learning in conjunction with blockchain technology. This method has the potential to be quite useful. Their proposed technique compares and evaluates unsupervised and deep learning-based discriminative methods, in addition to introducing a generative adversarial network, in order to determine whether cyber threats are present in IICs networks that are powered by IoT. The results indicate an improvement in performance in terms of accuracy, reliability, and efficiency in recognizing all types of attacks. The dropout value was found to be 0.2, and the epoch value was set at 25.
Authored by Varsha Agarwal, Pooja Gupta