Search for: All records

Intrusion detection systems (IDSes) are critical building blocks for securing Internet-of-Things (IoT) devices and networks. Advances in AI techniques are contributing to enhancing the efficiency of IDSes, but their performance typically depends on high-quality training datasets. The scarcity of such datasets is a major concern for the effective use of machine learning for IDSes in IoT networks. To address such a need, we present IoTDSCreator - a tool for the automatic generation of labeled datasets able to support various devices, connectivity technologies, and attacks. IoTDSCreator provides a user with DC-API, an API by which the user can describe a target network and an attack scenario against it. Based on the description, the framework configures the network, leveraging virtualization techniques on user-provided physical machines, performs single or multi-step attacks, and finally returns labeled datasets. Thereby, IoTDSCreator dramatically reduces the manual effort for generating labeled and diverse datasets. We release the source code of IoTDSCreator and 16 generated datasets with 193 features based on 26 types of IoT devices, 2 types of communication links, and 15 types of IoT applications. 

In applying deep learning for malware classifica- tion, it is crucial to account for the prevalence of malware evolution, which can cause trained classifiers to fail on drifted malware. Existing solutions to address concept drift use active learning. They select new samples for analysts to label and then retrain the classifier with the new labels. Our key finding is that the current retraining techniques do not achieve optimal results. These techniques overlook that updating the model with scarce drifted samples requires learning features that remain consistent across pre-drift and post-drift data. The model should thus be able to disregard specific features that, while beneficial for the classification of pre-drift data, are absent in post-drift data, thereby preventing prediction degradation. In this paper, we propose a new technique for detecting and classifying drifted malware that learns drift-invariant features in malware control flow graphs by leveraging graph neural networks with adversarial domain adaptation. We compare it with existing model retraining methods in active learning-based malware detection systems and other domain adaptation techniques from the vision domain. Our approach significantly improves drifted malware detection on publicly available benchmarks and real-world malware databases reported daily by security companies in 2024. We also tested our approach in predicting multiple malware families drifted over time. A thorough evaluation shows that our approach outperforms the state-of-the-art approaches. 

Not AvailableDisaggregated computer architectures are an interesting paradigm according to which the components of a traditional monolithic server, such as CPU, memory, storage, and networking, are separated into distinct, often independently managed units that communicate over a network. Disaggregation not only offers benefits such as greater flexibility, scalability, and resource optimization but can also improve security. For example, in the context of enterprise routing, it can offer fine-grained control over the network that allows one to deploy security policies, access control rules, and threat detection mechanisms more precisely, ensuring that only authorized traffic flows through the enterprise environment. It makes patch management easier because its modularity allows different components to be patched independently. The same benefits also apply to cellular networks. Disaggregation is a key feature of the Open Radio Access Network (O-RAN) paradigm, whose goal is to make the radio access network intelligent, virtualized, and fully interoperable. However, disaggregation also introduces several unique security risks, such as increased attack surfaces, increased exposure of sensitive data, increased difficulty in tracing data provenance, insecure isolation among different components, and insecure APIs. In addition, well-known security technologies, such as trusted execution environments, may have to be redesigned in the context of disaggregated architectures. In this paper, after an overview of these benefits and concerns, we focus on the research approaches proposed to address some of these concerns for network fabric, O-RAN, and trusted execution environments. 

The rampant occurrence of cybersecurity breaches imposes substantial limitations on the progress of network infras- tructures, leading to compromised data, financial losses, potential harm to individuals, and disruptions in essential services. The current security landscape demands the urgent development of a holistic security assessment solution that encompasses vul- nerability analysis and investigates the potential exploitation of these vulnerabilities as attack paths. In this paper, we propose GRAPHENE, an advanced system designed to provide a detailed analysis of the security posture of computing infrastructures. Using user-provided information, such as device details and software versions, GRAPHENE performs a comprehensive secu- rity assessment. This assessment includes identifying associated vulnerabilities and constructing potential attack graphs that adversaries can exploit. Furthermore, it evaluates the exploitabil- ity of these attack paths and quantifies the overall security posture through a scoring mechanism. The system takes a holistic approach by analyzing security layers encompassing hardware, system, network, and cryptography. Furthermore, GRAPHENE delves into the interconnections between these layers, exploring how vulnerabilities in one layer can be leveraged to exploit vulnerabilities in others. In this paper, we present the end-to-end pipeline implemented in GRAPHENE, showcasing the systematic approach adopted for conducting this thorough security analysis. 

Internet of Things (IoT) cyber threats, exemplified by jackware and crypto mining, underscore the vulnerability of IoT devices. Due to the multi-step nature of many attacks, early detection is vital for a swift response and preventing malware propagation. However, accurately detecting early-stage attacks is challenging, as attackers employ stealthy, zero-day, or adversarial machine learning to evade detection. To enhance security, we propose ARIoTEDef, an Adversarially Robust IoT Early Defense system, which identifies early-stage infections and evolves autonomously. It models multi-stage attacks based on a cyber kill chain and maintains stage-specific detectors. When anomalies in the later action stage emerge, the system retroactively analyzes event logs using an attention-based sequence-to-sequence model to identify early infections. Then, the infection detector is updated with information about the identified infections. We have evaluated ARIoTEDef against multi-stage attacks, such as the Mirai botnet. Results show that the infection detector’s average F1 score increases from 0.31 to 0.87 after one evolution round. We have also conducted an extensive analysis of ARIoTEDef against adversarial evasion attacks. Our results show that ARIoTEDef is robust and benefits from multiple rounds of evolution.