Nowadays, companies, critical infrastructure and governments face cyber attacks every day ranging from simple denial-of-service and password guessing attacks to complex nation-state attack campaigns, so-called advanced persistent threats (APTs). Defenders employ intrusion detection systems (IDSs) among other tools to detect malicious activity and protect network assets. With the evolution of threats, detection techniques have followed with modern systems usually relying on some form of artificial intelligence (AI) or anomaly detection as part of their defense portfolio. While these systems are able to achieve higher accuracy in detecting APT activity, they cannot provide much context about the attack, as the underlying models are often too complex to interpret. This paper presents an approach to explain single predictions (i.e., detected attacks) of any graph-based anomaly detection system. By systematically modifying the input graph of an anomaly and observing the output, we leverage a variation of permutation importance to identify parts of the graph that are likely responsible for the detected anomaly. Our approach treats the anomaly detection function as a black box and is thus applicable to any whole-graph explanation problem. Our results on two established datasets for APT detection (StreamSpot & DARPA TC Engagement Three) indicate that our approach can identify nodes that are likely part of the anomaly. We quantify this through our area under baseline (AuB) metric and show how the AuB is higher for anomalous graphs. Further analysis via the Wilcoxon rank-sum test confirms that these results are statistically significant with a p-value of 0.0041%.
Authored by Felix Welter, Florian Wilkens, Mathias Fischer
This study explores the pressing need for more effective IT governance and cybersecurity resilience within enterprises by strategically integrating red teaming exercises. Our research approach involved a comprehensive investigation encompassing literature review, surveys, interviews, and robust data analysis. We leveraged established frameworks like ISO 27001:2022, NIST CSF, and COBIT 2019 for model development. The results demonstrate a significant correlation between the frequency of red teaming exercises and higher IT governance maturity, highlighting the positive impact of increased engagement. The study emphasizes the value of incorporating red teaming insights to enhance IT governance maturity and bolster cybersecurity resilience, accounting for organizational size and industry sector variables. It underscores the critical importance of seamlessly integrating red teaming outcomes into governance procedures to fortify cybersecurity defenses and enable organizations to adapt swiftly to evolving threats, thus enhancing their overall security posture. Our model provides a practical roadmap for organizations dedicated to strengthening cybersecurity resilience in today's fast-changing digital landscape.
Authored by Semi Yulianto, Ford Gaol, Suhono Supangkat, Benny Ranti
The ever-evolving and intricate nature of cyber environments, coupled with the escalating risk of cyber-attacks, necessitates robust solutions in the realm of cybersecurity. Knowledge graphs have emerged as a promising avenue for consolidating, representing, managing, and reasoning over cyber threat intelligence. However, applying knowledge graphs to tackle real-world challenges in cyber-attack and defense scenarios remains an area requiring further exploration. This paper aims to address this gap by providing a comprehensive overview of the fundamental concepts, schema design, and construction methodologies for the cybersecurity knowledge graph. To facilitate future research endeavors, we have carefully curated datasets and open-source libraries tailored for knowledge construction and information extraction tasks. Furthermore, we present a detailed comparative review of recent advancements in the application scenarios of cybersecurity knowledge graphs. To provide clarity and organization, we introduce a novel classification framework that categorizes interconnected works into distinct primary categories and subcategories. The paper concludes by outlining potential research directions in the cybersecurity knowledge graph domain, paving the way for further advancements and innovations in the field.
Authored by Subhash Chandra, Ch. Mounika, Iddum Kumar, P. Dhanivarma, Machineni Mounika
As computing ability continues to rapidly develop, neural networks have found widespread use in various fields. However, in the realm of visible watermarking for image copyright protection, neural networks have made image protection through watermarking less effective. Some research has even shown that watermarks can be removed without damaging the original image, posing a significant threat to digital copyright protection. In response, the community has introduced adversarial perturbations for watermark protection, but these are sample-specific and time-consuming in real-world scenarios. To address this issue, we propose a new universal adversarial perturbation for watermark removal networks that offers two options. The first option involves adding perturbations to the entire host image, bringing the output of the watermark removal network closer to the original image and providing protection. The second option involves adding perturbations only to the watermark position, reducing the impact of the perturbation on the image and enhancing stealthiness. Our experiments demonstrate that our method effectively resists watermark removal networks and has good generalizability across different images.
Authored by Jianbo Chen, Xinwei Liu, Siyuan Liang, Xiaojun Jia, Yuan Xun
As the network security landscape changes with time and market, organizations seek different and innovative approaches to strengthen their security defenses. This paper gives a theoretical explanation, highlighting the combination of honeypots and network monitoring tools as a dynamic strategy for enhancing security within networking environments. By using honeypots along with network monitoring tools, we bring out a multilayered defense strategy aimed at identifying and examining potential attack patterns. Our research dives into the theory of honeypots, their role in diverting malicious attacks, and their relationship with network monitoring tools. This combined framework helps organizations to detect, analyze, and ultimately reduce security threats. Through theoretical inputs and suggestions, this paper presents a framework for organizations seeking to enhance their cybersecurity defenses by exploring the complications of attacks through advanced network monitoring, along with honeypot security mechanisms.
Authored by Tejas Shivaprasad, A Moulya, N Guruprasad
The design and evaluation of cyber-physical systems are complex as they include mechanical, electrical, and software components leading to a high dimensional space for architectural search and parametric tuning. For each new design, engineers need to define performance objectives, capture data from previous designs, make a model-based design, and then develop and enhance each system in each iteration. To address this problem, we present a combinatorial and parametric design space exploration and optimization technique for automatic design creation. We leverage gradient-free methods to jointly optimize the multiple domains of the cyber-physical systems. Finally, we apply this method in a DARPA design challenge where the goal is to create new designs for unmanned aerial vehicles. We evaluate the new designs on performance benchmarks and demonstrate the effectiveness of gradient-free optimization techniques in automatic design creation.
Authored by Hongrui Zheng, Johannes Betz, Arun Ramamurthy, Hyunjee Jin, Rahul Mangharam
As cyberattacks are rising, Moving Target Defense (MTD) can be a countermeasure to proactively protect a networked system against cyber-attacks. Despite the fact that MTD systems demonstrate security effectiveness against the reconnaissance of Cyber Kill Chain (CKC), a time-based MTD has a limitation when it comes to protecting a system against the next phases of CKC. In this work, we propose a novel hybrid MTD technique, its implementation and evaluation. Our hybrid MTD system is designed on a real SDN testbed and it uses an intrusion detection system (IDS) to provide an additional MTD triggering condition. This in itself presents an extra layer of system protection. Our hybrid MTD technique can enhance security in the response to multi-phased cyber-attacks. The use of the reactive MTD triggering from intrusion detection alert shows that it is effective to thwart the further phase of detected cyber-attacks. We also investigate the performance degradation due to more frequent MTD triggers. This work contributes to (1) proposing an ML-based rule classification model for predicting identified attacks which helps a decision-making process for security enhancement; (2) developing a hybrid-based MTD integrated with a Network Intrusion Detection System (NIDS) with the consideration of performance and security; and (3) assessment of the performance degradation and security effectiveness against potential real attacks (i.e., scanning, dictionary, and SQL injection attack) in a physical testbed.
Authored by Minjune Kim, Jin-Hee Cho, Hyuk Lim, Terrence Moore, Frederica Nelson, Ryan Ko, Dan Kim
Cybercrime continues to pose a significant threat to modern society, requiring a solid emphasis on cyber-attack prevention, detection and response by civilian and military organisations aimed at brand protection. This study applies a novel framework to identify, detect and mitigate phishing attacks, leveraging the power of computer vision technology and artificial intelligence. The primary objective is to automate the classification process, reducing the dwell time between detection and executing courses of action to respond to phishing attacks. When applied to a real-world curated dataset, the proposed classifier achieved relevant results with an F1-Score of 95.76% and an MCC value of 91.57%. These metrics highlight the classifier’s effectiveness in identifying phishing domains with minimal false classifications, affirming its suitability for the intended purpose. Future enhancements include considering a fuzzy logic model that accounts for the classification probability in conjunction with the domain creation date and the uniqueness of downloaded resources when accessing the website or domain.
Authored by Carlos Pires, José Borges
Rising cyber risks have compelled organizations to adopt better cyber-protection measures. This study focused on discovering crucial security metrics and assessing the function of red teaming in enhancing cybersecurity defenses against novel cyber hazards. The PRISMA standard considered nine core research works issued between 2014 and 2023. The inclusion of red teaming best practices can significantly enhance cybersecurity architecture. Accurate simulations of cyber threats during red teaming exercises help identify vulnerabilities, and actively embracing red teaming can amplify an organization's capacity to repel future cyber assaults. Researchers and practitioners can utilize the study's insights to pioneer novel security solutions. Combining red teaming methodologies with relevant metrics is essential for enhancing cybersecurity posture. The study's discoveries grant companies a priceless benefit in navigating the rapidly changing cyber threat environment and reinforcing their cyber protection mechanisms.
Authored by Semi Yulianto, Benfano Soewito, Ford Gaol, Aditiya Kurniawan
Cyber attack scenario reconstruction plays a crucial role in understanding and mitigating security breaches. In this paper, we propose a novel framework that leverages Natural Language Processing (NLP), specifically Named Entity Recognition (NER), and semantic similarity techniques to reconstruct cyber attack scenarios. By analyzing Intrusion Detection alerts, our offline approach identifies relevant entities, detects relationships between them, and measures semantic similarity to uncover hidden patterns and connections. We demonstrate the effectiveness of our framework through experimental evaluations using a public dataset. The results highlight the potential of NLP-based approaches in cyber attack scenario reconstruction.
Authored by Mouhamadou Diakhame, Cherif Diallo, Mohamed Mejri
Advanced persistent threats (APTs) have novel features such as multi-stage penetration, highly-tailored intention, and evasive tactics. APTs defense requires fusing multi-dimensional Cyber threat intelligence data to identify attack intentions and conducts efficient knowledge discovery strategies by data-driven machine learning to recognize entity relationships. However, data-driven machine learning lacks generalization ability on fresh or unknown samples, reducing the accuracy and practicality of the defense model. Besides, the private deployment of these APT defense models on heterogeneous environments and various network devices requires significant investment in context awareness (such as known attack entities, continuous network states, and current security strategies). In this paper, we propose a few-shot multi-domain knowledge rearming (FMKR) scheme for context-aware defense against APTs. By completing multiple small tasks that are generated from different network domains with meta-learning, the FMKR firstly trains a model with good discrimination and generalization ability for fresh and unknown APT attacks. In each FMKR task, both threat intelligence and local entities are fused into the support/query sets in meta-learning to identify possible attack stages. Secondly, to rearm current security strategies, a finetuning-based deployment mechanism is proposed to transfer learned knowledge into the student model, while minimizing the defense cost. Compared to multiple model replacement strategies, the FMKR provides a faster response to attack behaviors while consuming less scheduling cost. Based on the feedback from multiple real users of the Industrial Internet of Things (IIoT) over 2 months, we demonstrate that the proposed scheme can improve the defense satisfaction rate.
Authored by Gaolei Li, Yuanyuan Zhao, Wenqi Wei, Yuchen Liu
Moving Target Defense - In the modern era, much of worldwide critical operations from a variety of different sectors are managed by industrial control systems (ICS). A typical ICS includes an extensive range of computerized devices, control systems, and networking appliances used to manage efficiently an industrial process across large geographical areas. ICS underpin sensitive and critical national infrastructures such as water treatment and energy production and transportation. The consequences of a successful attack against them can lead to shutting the infrastructure down which has major impacts such as production stoppages or safety implications for people, the environment, and assets. At the same time, running a process while the infrastructure is under attack or compromised also has safety implications, potentially catastrophic. This work-in-progress focuses on an adaptive approach, able to alter the defensive posture while providing assurances about operational capacity (or downgrading it) and safety. Our approach involves transforming policies from simply a means to enforce security requirements defined a priori, to adaptive objects that are capable to evolve in response to unfolding attacks. We use a case study of reconnaissance attacks and moving target defense as a means to realize such adaptive security policies.
Authored by Emmanouil Samanis, Joseph Gardiner, Awais Rashid