Exploitability prediction of software vulnerabilities

The number of security failure discovered and disclosed publicly are increasing at a pace like never before. Wherein, a small fraction of vulnerabilities encountered in the operational phase are exploited in the wild. It is difficult to find vulnerabilities during the early stages of software development cycle, as security aspects are often not known adequately. To counter these security implications, firms usually provide patches such that these security flaws are not exploited. It is a daunting task for a security manager to prioritize patches for vulnerabilities that are likely to be exploitable. This paper fills this gap by applying different machine learning techniques to classify the vulnerabilities based on previous exploit-history. Our work indicates that various vulnerability characteristics such as severity, type of vulnerabilities, different software configurations, and vulnerability scoring parameters are important features to be considered in judging an exploit. Using such methods, it is possible to predict exploit-prone vulnerabilities with an accuracy >85%. Finally, with this experiment, we conclude that supervised machine learning approach can be a useful technique in predicting exploit-prone vulnerabilities.     

Blockchain Technology Based Information Classification Management Service

Hyper-connectivity in Industry 4.0 has resulted in not only a rapid increase in the amount of information, but also the expansion of areas and assets to be protected. In terms of information security, it has led to an enormous economic cost due to the various and numerous security solutions used in protecting the increased assets. Also, it has caused difficulties in managing those issues due to reasons such as mutual interference, countless security events and logs’ data, etc. Within this security environment, an organization should identify and classify assets based on the value of data and their security perspective, and then apply appropriate protection measures according to the assets’ security classification for effective security management. But there are still difficulties stemming from the need to manage numerous security solutions in order to protect the classified assets. In this paper, we propose an information classification management service based on blockchain, which presents and uses a model of the value of data and the security perspective. It records transactions of classifying assets and managing assets by each class in a distributed ledger of blockchain. The proposed service reduces assets to be protected and security solutions to be applied, and provides security measures at the platform level rather than individual security solutions, by using blockchain. In the rapidly changing security environment of Industry 4.0, this proposed service enables economic security, provides a new integrated security platform, and demonstrates service value.     

SMINER: Detecting Unrestricted and Misimplemented Behaviors of Software Systems Based on Unit Test Cases

Despite the advances in automated vulnerability detection approaches, security vulnerabilities caused by design flaws in software systems are continuously appearing in real-world systems. Such security design flaws can bring unrestricted and misimplemented behaviors of a system and can lead to fatal vulnerabilities such as remote code execution or sensitive data leakage. Therefore, it is an essential task to discover unrestricted and misimplemented behaviors of a system. However, it is a daunting task for security experts to discover such vulnerabilities in advance because it is time-consuming and error-prone to analyze the whole code in detail. Also, most of the existing vulnerability detection approaches still focus on detecting memory corruption bugs because these bugs are the dominant root cause of software vulnerabilities. This paper proposes SMINER, a novel approach that discovers vulnerabilities caused by unrestricted and misimplemented behaviors. SMINER first collects unit test cases for the target system from the official repository. Next, preprocess the collected code fragments. SMINER uses pre-processed data to show the security policies that can occur on the target system and creates a test case for security policy testing. To demonstrate the effectiveness of SMINER, this paper evaluates SMINER against Robot Operating System (ROS), a real-world system used for intelligent robots in Amazon and controlling satellites in National Aeronautics and Space Administration (NASA). From the evaluation, we discovered two real-world vulnerabilities in ROS.     

The usual suspects? A novel extension to AcciMap using accident causation model tenets

Previous examination of the most widely used systems based accident causation models identified a series of core accident causation tenets. It is believed that these core tenets, referred to as ‘systems thinking tenets’, are the first step to a proactive approach to system safety. The article examines the Kimberly Ultramarathon fire and the extent that the systems thinking tenets can be applied using Rasmussen’s AcciMap technique. The findings suggest that indeed the tenets can be identified and further expose the specific system vulnerabilities that led to the Kimberly Ultramarathon accident. The tenets are a beneficial addition to the AcciMap technique providing the analyst a means to classify system properties leading to accidents. Implications for practice and future research steps are discussed.     

主流操作系统安全弱点的综合量化评估

在前期研究工作的基础上,将基于指数的微观分析和基于风险和的宏观分析相结合,提出了一种综合量化评估主流操作系统安全弱点的方法,并对Windows NT、Redhat Linux和Solaris等3大主流操作系统6个版本的1081个弱点实施了评估.该方法能够有效地分析各操作系统版本的演进对其安全性的影响,以及横向比较操作系统在不同层次、不同方面的安全状况.     

An Asset-Based Approach to Mitigate Zero-Day Ransomware Attacks

This article presents an asset-based security system where security practitioners build their systems based on information they own and not solicited by observing attackers’ behavior. Current security solutions rely on information coming from attackers. Examples are current monitoring and detection security solutions such as intrusion prevention/detection systems and firewalls. This article envisions creating an imbalance between attackers and defenders in favor of defenders. As such, we are proposing to flip the security game such that it will be led by defenders and not attackers. We are proposing a security system that does not observe the behavior of the attack. On the contrary, we draw, plan, and follow up our own protection strategy regardless of the attack behavior. The objective of our security system is to protect assets rather than protect against attacks. Virtual machine introspection is used to intercept, inspect, and analyze system calls. The system call-based approach is utilized to detect zero-day ransomware attacks. The core idea is to take advantage of Xen and DRAKVUF for system call interception, and leverage system calls to detect illegal operations towards identified critical assets. We utilize our vision by proposing an asset-based approach to mitigate zero-day ransomware attacks. The obtained results are promising and indicate that our prototype will achieve its goals.     

Comprehensive Information Security Evaluation Model Based on Multi-Level Decomposition Feedback for IoT

The development of the Internet of Things (IoT) calls for a comprehensive information security evaluation framework to quantitatively measure the safety score and risk (S&R) value of the network urgently. In this paper, we summarize the architecture and vulnerability in IoT and propose a comprehensive information security evaluation model based on multi-level decomposition feedback. The evaluation model provides an idea for information security evaluation of IoT and guides the security decision maker for dynamic protection. Firstly, we establish an overall evaluation indicator system that includes four primary indicators of threat information, asset, vulnerability, and management, respectively. It also includes eleven secondary indicators of system protection rate, attack detection rate, confidentiality, availability, controllability, identifiability, number of vulnerabilities, vulnerability hazard level, staff organization, enterprise grading and service continuity, respectively. Then, we build the core algorithm to enable the evaluation model, wherein a novel weighting technique is developed and a quantitative method is proposed to measure the S&R value. Moreover, in order to better supervise the performance of the proposed evaluation model, we present four novel indicators includes residual risk, continuous conformity of residual risk, head-to-tail consistency and decrease ratio, respectively. Simulation results show the advantages of the proposed model in the evaluation of information security for IoT.     

A Secure Communication Protocol for Unmanned Aerial Vehicles

Mavlink is a lightweight and most widely used open-source communication protocol used for Unmanned Aerial Vehicles. Multiple UAVs and autopilot systems support it, and it provides bi-directional communication between the UAV and Ground Control Station. The communications contain critical information about the UAV status and basic control commands sent from GCS to UAV and UAV to GCS. In order to increase the transfer speed and efficiency, the Mavlink does not encrypt the messages. As a result, the protocol is vulnerable to various security attacks such as Eavesdropping, GPS Spoofing, and DDoS. In this study, we tackle the problem and secure the Mavlink communication protocol. By leveraging the Mavlink packet’s vulnerabilities, this research work introduces an experiment in which, first, the Mavlink packets are compromised in terms of security requirements based on our threat model. The results show that the protocol is insecure and the attacks carried out are successful. To overcome Mavlink security, an additional security layer is added to encrypt and secure the protocol. An encryption technique is proposed that makes the communication between the UAV and GCS secure. The results show that the Mavlink packets are encrypted using our technique without affecting the performance and efficiency. The results are validated in terms of transfer speed, performance, and efficiency compared to the literature solutions such as MAVSec and benchmarked with the original Mavlink protocol. Our achieved results have significant improvement over the literature and Mavlink in terms of security.     

An integrated framework for software vulnerability detection,analysis and mitigation: an autonomic system

Nowadays, the number of software vulnerabilities incidents and the loss due to occurrence of software vulnerabilities are growing exponentially. The current existing security strategies, the vulnerability detection and remediating approaches are not intelligent, automated, self-managed and not competent to combat against the vulnerabilities and security threats, and to provide secured self-managed software environment to the organizations. Hence, there is a strong need to devise an intelligent and automated approach to optimize security and prevent the occurrence of vulnerabilities or mitigate the vulnerabilities. The autonomic computing is a nature-inspired and self-management-based computational model. In this paper, an autonomic-computing-based integrated framework is proposed to detect, fire the trigger of alarm, assess, classify, prioritize, mitigate and manage the software vulnerability automatically. The proposed framework uses a knowledge base and inference engine, which automatically takes the remediating actions on future occurrence of software security vulnerabilities through self-configuration, self-healing, self-prevention and self-optimization as per the needs. The proposed framework is beneficial to industry and society in various aspects because it is an integrated, cross-concern and intelligent framework and provides more secured self-managed environment to the organizations. The proposed framework reduces the security risks and threats, and also monetary and reputational loss. It can be embedded easily in existing software and incorporated or implemented as an inbuilt integral component of the new software during software development.     

An Efficient Internet Traffic Classification System Using Deep Learning for IoT

Internet of Things (IoT) defines a network of devices connected to the internet and sharing a massive amount of data between each other and a central location. These IoT devices are connected to a network therefore prone to attacks. Various management tasks and network operations such as security, intrusion detection, Quality-of-Service provisioning, performance monitoring, resource provisioning, and traffic engineering require traffic classification. Due to the ineffectiveness of traditional classification schemes, such as port-based and payload-based methods, researchers proposed machine learning-based traffic classification systems based on shallow neural networks. Furthermore, machine learning-based models incline to misclassify internet traffic due to improper feature selection. In this research, an efficient multilayer deep learning based classification system is presented to overcome these challenges that can classify internet traffic. To examine the performance of the proposed technique, Moore-dataset is used for training the classifier. The proposed scheme takes the pre-processed data and extracts the flow features using a deep neural network (DNN). In particular, the maximum entropy classifier is used to classify the internet traffic. The experimental results show that the proposed hybrid deep learning algorithm is effective and achieved high accuracy for internet traffic classification, i.e., 99.23%. Furthermore, the proposed algorithm achieved the highest accuracy compared to the support vector machine (SVM) based classification technique and k-nearest neighbours (KNNs) based classification technique.     

Design of an Information Security Service for Medical Artificial Intelligence

The medical convergence industry has gradually adopted ICT devices, which has led to legacy security problems related to ICT devices. However, it has been difficult to solve these problems due to data resource issues. Such problems can cause a lack of reliability in medical artificial intelligence services that utilize medical information. Therefore, to provide reliable services focused on security internalization, it is necessary to establish a medical convergence environment-oriented security management system. This study proposes the use of system identification and countermeasures to secure system reliability when using medical convergence environment information in medical artificial intelligence. We checked the life cycle of medical information and the flow and location of information, analyzed the security threats that may arise during the life cycle, and proposed technical countermeasures to overcome such threats. We verified the proposed countermeasures through a survey of experts. Security requirements were defined based on the information life cycle in the medical convergence environment. We also designed technical countermeasures for use in the security management systems of hospitals of diverse sizes.     

Managing Security-Risks for Improving Security-Durability of Institutional Web-Applications: Design Perspective

The advanced technological need, exacerbated by the flexible time constraints, leads to several more design level unexplored vulnerabilities. Security is an extremely vital component in software development; we must take charge of security and therefore analysis of software security risk assumes utmost significance. In order to handle the cyber-security risk of the web application and protect individuals, information and properties effectively, one must consider what needs to be secured, what are the perceived threats and the protection of assets. Security preparation plans, implements, tracks, updates and consistently develops safety risk management activities. Risk management must be interpreted as the major component for tackling security efficiently. In particular, during application development, security is considered as an add-on but not the main issue. It is important for the researchers to stress on the consideration of protection right from the earlier developmental stages of the software. This approach will help in designing software which can itself combat threats and does not depend on external security programs. Therefore, it is essential to evaluate the impact of security risks during software design. In this paper the researchers have used the hybrid Fuzzy AHP-TOPSIS method to evaluate the risks for improving security durability of different Institutional Web Applications. In addition, the e-component of security risk is measured on software durability, and vice versa. The paper’s findings will prove to be valuable for enhancing the security durability of different web applications.     

Electronics in nuclear power programme of India—An overview

This paper presents an overview of state-of-the art developments in electronics for nuclear power programme of India. Indigenous activities in instrumentation and control (I&C) in the areas of detector development, nuclear instrumentation, monitoring and control electronics and special sensors paved the way to self-reliance in nuclear industry. Notable among the recent I&C systems developed for 540 MWe reactors are Liquid Zone Control System (LZCS), flux mapping system and advance reactor regulating system. In a nuclear plant, apart from ensuring functional requirements, design of electronics needs to meet high level of reliability, safety and security standards. Therefore, a lot of importance is attached to activities such as design review, testing, operation, maintenance and qualifications of I&C systems. Induction of computer based I&C systems mandated a rigorous verification process commensurate with the safety class of the system as specified in Atomic Energy Regulatory Board (AERB) safety guides. Software reliability is assured by following strict development life cycle combined with zero-defect policy and is verified through verification and validation (V&V) process. Development of new techniques in data transmissions with optical fibres as transmission medium and wireless networks in control systems is being pursued. With new I&C systems, efforts were made to utilize the same hardware and software platforms for various plant applications, i.e., for standardization. Thrust was given to use Field Programmable Gate Arrays (FPGA) and Application Specific Integrated Circuits (ASIC) in order to improve the reliability of system by reducing component count. It has become imperative to develop modern contemporary solutions like ASICs, HMCs, System on Chip (SOC) and detector mounted electronics and towards that various ASICs and HMCs have been developed in-house to meet the challenges.     

e-Commerce security — A life cycle approach

The rapid evolution of computing and communication technologies and their standardizations have made the boom in e-commerce possible. Lowering of the cost of operation, increase in the speed of transactions, and easy global reach to customers and vendors have been the reasons for the overwhelming popularity of this new way of commerce. This article examines the issues related to the security of the assets and transactions in the e-commerce components and activities. Since large public money is involved in the transactions, the role of information security and privacy is not exaggerated in this kind of business. After examining the technologies used in e-commerce, the article goes on to identify the security requirement of e-commerce systems from perceived threats and vulnerabilities. Then e-commerce security is viewed as an engineering management problem and a life cycle approach is put forward. How the e-commerce systems can be made secure using the life cycle approach is outlined. The relevant standards and laws are also discussed in the perspective of e-commerce. The article closes with some future research directions and conclusions.     

Benchmarking Approach to Compare Web Applications Static Analysis Tools Detecting OWASP Top Ten Security Vulnerabilities

To detect security vulnerabilities in a web application, the security analyst must choose the best performance Security Analysis Static Tool (SAST) in terms of discovering the greatest number of security vulnerabilities as possible. To compare static analysis tools for web applications, an adapted benchmark to the vulnerability categories included in the known standard Open Web Application Security Project (OWASP) Top Ten project is required. The information of the security effectiveness of a commercial static analysis tool is not usually a publicly accessible research and the state of the art on static security tool analyzers shows that the different design and implementation of those tools has different effectiveness rates in terms of security performance. Given the significant cost of commercial tools, this paper studies the performance of seven static tools using a new methodology proposal and a new benchmark designed for vulnerability categories included in the known standard OWASP Top Ten project. Thus, the practitioners will have more precise information to select the best tool using a benchmark adapted to the last versions of OWASP Top Ten project. The results of this work have been obtaining using widely acceptable metrics to classify them according to three different degree of web application criticality.     

Assessment of information impacts in power system security against malicious attacks in a general framework

In the analysis of power systems security, recently a new concern related to possible malicious attacks caught much attention. Coordination among different transmission system operators (TSO) in an interconnected power system to counteract such attacks has become an important problem. This paper presents a general framework for describing the physical, cyber and decision-making aspects of the problem and their interrelations; within this framework, an analytic tool for the assessment of information impacts in handling on-line security after a malicious attack is proposed and discussed. The model is based on the socially rational multi-agent systems and the equilibrium of a fictitious play is considered to analyze the impacts of various levels of information available to the interconnected system operators on the outcomes of the decision-making process under attack. A 34-buses test system, with 3 systems interconnected by tie-lines, is presented to illustrate the model and compare the impacts of different information scenarios.     

Optical Security System with Fourier Plane encoding

We propose a new technique for security verification of personal documents and other forms of personal identifications such as ID cards, passports, or credit cards. In this technique a primary pattern that might be a phase-encoded image is convolved by a random code. The information is phase encoded on the personal document. Therefore the information cannot be reproduced by an intensity detector such as a CCD camera. An optical processor based on the nonlinear joint transform correlator is used to perform the verification and the validation of documents with this technique. By verification of the biometrics information and the random code simultaneously, the proposed optical system determines whether a card is authentic or is being used by an authorized person. We tested the performance of the optical system for security and validation in the presence of input noise and in the presence of distortion of the information on the card. The performance of the proposed method is evaluated by use of a number of metrics. Statistical analysis of the system is performed to investigate the noise tolerance and the discrimination against false inputs for security verification.     

Security Threats to Business Information Systems Using NFC Read/Write Mode

Radio Frequency IDentification (RFID) and related technologies such as Near Field Communication (NFC) are becoming essential in industrial contexts thanks to their ability to perform contactless data exchange, either device-to-device or tag-to-device. One of the three main operation modes of NFC, called read/write mode, makes use of the latter type of interaction. It is extensively used in business information systems that make use of NFC tags to provide the end-user with augmented information in one of several available NFC data exchange formats, such as plain text, simple URLs or enriched URLs. Using a wide variety of physical form factors, NFC-compatible tags (wireless transponders) are currently available in many locations with applications going from smart posters, contactless tokens, tap-and-go payments or transport ticketing to automated device configuration, patient identification at hospitals or inventory management within supply chains. Most of these applications handle sensitive processes or data. This paper proposes a complete security threat model for the read/write operation mode of NFC used in Next Generation Industrial IoT (Nx-IIoT) contexts. This model, based on a well-known methodology, STRIDE, allows developers and users to identify NFC applications vulnerabilities or weaknesses, analyze potential threats, propose risk management strategies, and design mitigation mechanisms to mention only some significant examples.     

Fast prediction of loadability margins using neural networks to approximate security boundaries of power systems

Determining loadability margins to various security limits is of great importance for the secure operation of a power system, especially in the current deregulated environment. Here, a novel approach is proposed for fast prediction of loadability margins of power systems based on neural networks. Static security boundaries, comprised of static voltage stability limits, oscillatory stability limits and other operating limits such as generator power output limits, are constructed by means of loading the power system until these security limits are reached from a base operating point along various loading directions. Back-propagation neural networks for different contingencies are trained to approximate the security boundaries. A search algorithm is then employed to predict the loadability margins from any stable operating points along arbitrary loading directions through an iterative technique based on the trained neural networks. The simulation results for the IEEE two-area benchmark system and the IEEE 50-machine test system demonstrate the effectiveness of the proposed method for on-line prediction of loadability margins     

Statistical Process Control‐Based Intrusion Detection and Monitoring

Intrusion detection systems have a vital role in protecting computer networks and information systems. In this article, we applied a statistical process control (SPC)–monitoring concept to a certain type of traffic data to detect a network intrusion. We proposed an SPC‐based intrusion detection process and described it and the source and the preparation of data used in this article. We extracted sample data sets that represent various situations, calculated event intensities for each situation, and stored these sample data sets in the data repository for use in future research. This article applies SPC charting methods for intrusion detection. In particular, it uses the basic security module host audit data from the MIT Lincoln Laboratory and applies the Shewhart chart, the cumulative sum chart, and the exponential weighted moving average chart to detect a denial of service intrusion attack. The case study shows that these SPC techniques are useful for detecting and monitoring intrusions. Copyright © 2013 John Wiley & Sons, Ltd.