Showing papers presented at "Availability, Reliability and Security in 2018"
Proceedings Article•10.1145/3230833.3232799•
A Meta Language for Threat Modeling and Attack Simulations

Pontus Johnson1, Robert Lagerström1, Mathias Ekstedt1•
Royal Institute of Technology1
27 Aug 2018
TL;DR: The Meta Attack Language (MAL) is presented, which may be used to design domain-specific attack languages such as the aforementioned, and provides a formalism that allows the semi-automated generation as well as the efficient computation of very large attack graphs.
Abstract: Attack simulations may be used to assess the cyber security of systems. In such simulations, the steps taken by an attacker in order to compromise sensitive system assets are traced, and a time estimate may be computed from the initial step to the compromise of assets of interest. Attack graphs constitute a suitable formalism for the modeling of attack steps and their dependencies, allowing the subsequent simulation. To avoid the costly proposition of building new attack graphs for each system of a given type, domain-specific attack languages may be used. These languages codify the generic attack logic of the considered domain, thus facilitating the modeling, or instantiation, of a specific system in the domain. Examples of possible cyber security domains suitable for domain-specific attack languages are generic types such as cloud systems or embedded systems but may also be highly specialized kinds, e.g. Ubuntu installations; the objects of interest as well as the attack logic will differ significantly between such domains. In this paper, we present the Meta Attack Language (MAL), which may be used to design domain-specific attack languages such as the aforementioned. The MAL provides a formalism that allows the semi-automated generation as well as the efficient computation of very large attack graphs. We declare the formal background to MAL, define its syntax and semantics, exemplify its use with a small domain-specific language and instance model, and report on the computational performance.

126 citations

Proceedings Article•10.1145/3230833.3230863•
Modular Convolutional Neural Network for Discriminating between Computer-Generated Images and Photographic Images

Huy H. Nguyen1, T. Ngoc-Dung Tieu1, Hoang-Quoc Nguyen-Son2, Vincent Nozick, Junichi Yamagishi2, Isao Echizen2 •
Graduate University for Advanced Studies1, National Institute of Informatics2
27 Aug 2018
TL;DR: A modular CGI--PI discriminator with a customized VGG-19 network as the feature extractor, statistical convolutional neural networks as the feature transformers, and a discriminator is built that outperformed a state-of-the-art method and achieved accuracy up to 100%.
Abstract: Discriminating between computer-generated images (CGIs) and photographic images (PIs) is not a new problem in digital image forensics. However, with advances in rendering techniques supported by strong hardware and in generative adversarial networks, CGIs are becoming indistinguishable from PIs in both human and computer perception. This means that malicious actors can use CGIs for spoofing facial authentication systems, impersonating other people, and creating fake news to be spread on social networks. The methods developed for discriminating between CGIs and PIs quickly become outdated and must be regularly enhanced to be able to reduce these attack surfaces. Leveraging recent advances in deep convolutional networks, we have built a modular CGI--PI discriminator with a customized VGG-19 network as the feature extractor, statistical convolutional neural networks as the feature transformers, and a discriminator. We also devised a probabilistic patch aggregation strategy to deal with high-resolution images. This proposed method outperformed a state-of-the-art method and achieved accuracy up to 100%.

62 citations

Proceedings Article•10.1145/3230833.3232824•
Toward a Distributed Trust Management scheme for VANET

Amira Kchaou1, Ryma Abassi1, Sihem Guemara1•
Higher School of Communication of Tunis1
27 Aug 2018
TL;DR: This work proposes a distributive trust management scheme for VANET to verify the correctness of the message based on the controlling of the vehicle's behavior by a miner and the credibility of message by a CH.
Abstract: A Vehicular Ad hoc NETwork (VANET) is a self-organized network, formed by vehicles and some fixed equipment on roads called Roads Side Units (RSUs). Vehicular communications are expected to share different kinds of information between vehicles and infrastructure. Because of these specifications, securing VANET constitutes a difficult and challenging task that has attracted the interest of many researchers. In a previous work, we proposed a Clustering Mechanism for VANET (CMV) and its inherit Trust management scheme (TCMV) to ensure security of communication among vehicles. CMV organizes vehicles into clusters and elected Cluster Heads (CHs), and allows the clusters maintenance while dealing with velocity. On the other side, TCMV computes the credibility of the message by CH using the reputation of vehicles. However, we found that the value of credibility of the message by CH is not enough to verify if an exchanged message is correct or not. In order to provide a secured vehicle communication and to build reliance communication among vehicles, we propose a distributive trust management scheme for VANET to verify the correctness of the message based on the controlling of the vehicle's behavior by a miner and the credibility of message by a CH.

60 citations

Proceedings Article•10.1145/3230833.3232818•
Evaluation of Machine Learning-based Anomaly Detection Algorithms on an Industrial Modbus/TCP Data Set

Simon Duque Anton1, Suneetha Kanoor1, Daniel Fraunholz1, Hans D. Schotten1•
German Research Centre for Artificial Intelligence1
27 Aug 2018
TL;DR: In this article, machine learning-based anomaly detection algorithms are employed to find malicious traffic in a synthetically generated data set of Modbus/TCP communication of a fictitious industrial scenario.
Abstract: In the context of the Industrial Internet of Things, communication technology, originally used in home and office environments, is introduced into industrial applications. Commercial off-the-shelf products, as well as unified and well-established communication protocols make this technology easy to integrate and use. Furthermore, productivity is increased in comparison to classic industrial control by making systems easier to manage, set up and configure. Unfortunately, most attack surfaces of home and office environments are introduced into industrial applications as well, which usually have very few security mechanisms in place. Over the last years, several technologies tackling that issue have been researched. In this work, machine learning-based anomaly detection algorithms are employed to find malicious traffic in a synthetically generated data set of Modbus/TCP communication of a fictitious industrial scenario. The applied algorithms are Support Vector Machine (SVM), Random Forest, k-nearest neighbour and k-means clustering. Due to the synthetic data set, supervised learning is possible. Support Vector Machine and k-nearest neighbour perform well with different data sets, while k-nearest neighbour and k-means clustering do not perform satisfactorily.

57 citations

Proceedings Article•10.1145/3230833.3230856•
Discovering software vulnerabilities using data-flow analysis and machine learning

Jorrit Kronjee1, Arjen Hommersom2, Harald Vranken2•
Open University1, Radboud University Nijmegen2
27 Aug 2018
TL;DR: A novel method for static analysis in which data-flow analysis with machine learning is combined to detect SQL injection (SQLi) and Cross-Site Scripting (XSS) vulnerabilities in PHP applications.
Abstract: We present a novel method for static analysis in which we combine data-flow analysis with machine learning to detect SQL injection (SQLi) and Cross-Site Scripting (XSS) vulnerabilities in PHP applications. We assembled a dataset from the National Vulnerability Database and the SAMATE project, containing vulnerable PHP code samples and their patched versions in which the vulnerability is solved. We extracted features from the code samples by applying data-flow analysis techniques, including reaching definitions analysis, taint analysis, and reaching constants analysis. We used these features in machine learning to train various probabilistic classifiers. To demonstrate the effectiveness of our approach, we built a tool called WIRECAML, and compared our tool to other tools for vulnerability detection in PHP code. Our tool performed best for detecting both SQLi and XSS vulnerabilities. We also tried our approach on a number of open-source software applications, and found a previously unknown vulnerability in a photo-sharing web application.

47 citations

Proceedings Article•10.1145/3230833.3234691•
Ransomware's Early Mitigation Mechanisms

Routa Moussaileb, Benjamin Bouget1, Aurélien Palisse1, Hélène Le Bouder, Nora Cuppens, Jean-Louis Lanet1 •
French Institute for Research in Computer Science and Automation1
27 Aug 2018
TL;DR: A graph-based ransomware countermeasure to detect malicious threads is presented, a new mechanism that doesn't rely on previously used metrics in the literature to detect ransomware such as Shannon's entropy or system calls.
Abstract: Ransomware remains a modern trend. Attackers are still using cryptovirology forcing victims to pay. Notable attacks have been spreading since 2012, starting with Reveton's ransomware attack to the more recent 2017 WannaCry, Petya and Bad Rabbit cyberattacks. This Ransomware as a Service (RaaS) can lure criminals into developing tools to perform an attack without previous knowledge of the cryptosystem itself. We present in this paper a graph-based ransomware countermeasure to detect malicious threads. It is a new mechanism that doesn't rely on previously used metrics in the literature to detect ransomware such as Shannon's entropy or system calls. An accurate detection is achieved by our solution. The per-thread file system traversal is sufficient to highlight the malicious behaviors. To the best of our knowledge, no previous study has been conducted in this area. The ransomware collection used in our experiments contains more than 700 active examples of ransomware, that were analyzed in our bare metal sandbox environment.

47 citations

Proceedings Article•10.1145/3230833.3232807•
Adding Salt to Pepper: A Structured Security Assessment over a Humanoid Robot

Alberto Giaretta1, Michele De Donno2, Nicola Dragoni2•
Örebro University1, Technical University of Denmark2
27 Aug 2018
TL;DR: In this paper, a structured security assessment of a commercial humanoid robot, called Pepper, has been performed, composed of an automated and a manual part, pointing out a relevant number of security flaws that can be used to take over and command the robot.
Abstract: The rise of connectivity, digitalization, robotics, and artificial intelligence (AI) is rapidly changing our society and shaping its future development. During this technological and societal revolution, security has been persistently neglected, yet a hacked robot can act as an insider threat in organizations, industries, public spaces, and private homes. In this paper, we perform a structured security assessment of Pepper, a commercial humanoid robot. Our analysis, composed by an automated and a manual part, points out a relevant number of security flaws that can be used to take over and command the robot. Furthermore, we suggest how these issues could be fixed, thus, avoided in the future. The very final aim of this work is to push the rise of the security level of IoT products before they are sold on the public market.

41 citations

Proceedings Article•10.1145/3230833.3232802•
Towards In-Network Security for Smart Homes

Martin Serror1, Martin Henze1, Sacha Hack1, Marko Schuba1, Klaus Wehrle1 •
RWTH Aachen University1
27 Aug 2018
TL;DR: It is shown that in-network security can be easily integrated into smart home networks based on existing approaches and thus provides additional protection for heterogeneous IoT devices and protocols, since it automatically adapts to the connected devices and services.
Abstract: The proliferation of the Internet of Things (IoT) in the context of smart homes entails new security risks threatening the privacy and safety of end users. In this paper, we explore the design space of in-network security for smart home networks, which automatically complements existing security mechanisms with a rule-based approach, i. e., every IoT device provides a specification of the required communication to fulfill the desired services. In our approach, the home router as the central network component then enforces these communication rules with traffic filtering and anomaly detection to dynamically react to threats. We show that in-network security can be easily integrated into smart home networks based on existing approaches and thus provides additional protection for heterogeneous IoT devices and protocols. Furthermore, in-network security relieves users of difficult home network configurations, since it automatically adapts to the connected devices and services.

41 citations

Proceedings Article•10.1145/3230833.3233287•
A review of network vulnerabilities scanning tools: types, capabilities and functioning

Andrea Tundis1, Wojciech Mazurczyk2, Max Mühlhäuser1•
Technische Universität Darmstadt1, Warsaw University of Technology2
27 Aug 2018
TL;DR: An overview of various publicly available network vulnerabilities scanning tools is provided, in particular, the main scanning tools are identified and classified, their main features are described and finally their advantages and disadvantages are highlighted.
Abstract: The rapid growth of the Internet in the last years has brought many advantages in the modern society in terms of communication and information sharing. Beside that, new and complex issues are emerging due to the network flexibility, openness and systems integration. The vulnerabilities of systems are the basis of these issues. Unfortunately, such vulnerabilities in the Internet can affect not only virtual environments in an isolated way but this can have serious repercussions in the real world. That is why, identifying new system vulnerability represents an important information for malicious parties. Currently, several tools (e.g. Shodan or Censys), which automatically scan the Internet, are available. They first scan the whole IPv4 public address range and ports in a distributed and random manner and then the obtained results are published on the publicly accessible websites. Such information can be later used for the benign or malicious purposes. In the latter case the main advantage for the potential attackers is that they gain reconnaissance data without even directly contacting the targeted device. Additionally, a large list of potential victims sharing the same vulnerability can be rapidly acquired. In this context, this paper aims at providing an overview of various publicly available network vulnerabilities scanning tools. In particular, first the main scanning tools are identified and classified. Then their main features are described and finally their advantages and disadvantages are highlighted.

40 citations

Proceedings Article•10.1145/3230833.3233280•
The challenge of detecting sophisticated attacks: Insights from SOC Analysts

Olusola Akinrolabu1, Ioannis Agrafiotis1, Arnau Erola1•
University of Oxford1
27 Aug 2018
TL;DR: A literature review on malware detection tools is conducted, reflect on the features used in these approaches and extend the feature-set with novel ones identified by interviewing experienced SOC analysts, and valuable lessons for developing effective SOCs regarding their structure and processes are identified.
Abstract: The ever-increasing rate of sophisticated cyber-attacks and its subsequent impact on networks has remained a menace to the security community. Existing network security solutions, including those applying machine learning algorithms, often centre their detection on the identification of threats in individual network events, which is proven inadequate in detecting sophisticated multi-stage attacks. Similarly, SOC analysts whose roles involve detecting advanced threats are faced with a significant amount of false-positive alerts from the existing tools. Their ability to detect novel attacks or variants of existing ones is limited by the lack of expert input from SOC analysts in their creation of the tools; and the use of features that are closely linked to the structure of specific malware which detection models aim to identify. In this work, we conduct a literature review on malware detection tools, reflect on the features used in these approaches and extend the feature-set with novel ones identified by interviewing experienced SOC analysts. We conduct thematic analysis to the qualitative data obtained from the interviews, and our results indicate not only the presence of novel generic malware characteristics based on network and application events (web proxy, firewall, DNS), but identify valuable lessons for developing effective SOCs regarding their structure and processes.

37 citations

Proceedings Article•10.1145/3230833.3230843•
ATG: An Attack Traffic Generation Tool for Security Testing of In-vehicle CAN Bus

Tianxiang Huang1, Jianying Zhou2, Andrei Bytes2•
Chongqing University of Posts and Telecommunications1, Singapore University of Technology and Design2
27 Aug 2018
TL;DR: Attack Traffic Generation (ATG) provides a free and functional toolkit to automotive security researchers for easy and effective interaction with real or simulated CAN bus and provides an open-source software package which works with a cheap, widely available hardware configuration.
Abstract: In-vehicle security research is challenging because it is hard for most researchers to get a real vehicle for security evaluation. On the other hand, the existing software solutions are either very expensive or having very limited functionality. There is a high demand for a convenient tool which can generate flexible datasets for in-vehicle attack and defense evaluation. In this work, we design and develop an Attack Traffic Generation (ATG) tool for security testing of in-vehicle CAN bus. It removes the barrier for research in this area by providing an open-source software package which works with a cheap, widely available hardware configuration. ATG provides a free and functional toolkit to automotive security researchers for easy and effective interaction with real or simulated CAN bus. One of the most important features of ATG is automatic generation of attack payloads. The payloads can be preconfigured and used within multiple attack modes. ATG can inject attack packets into CAN bus and record the CAN bus traffic in real time. The replay mode enables effective evaluation of CAN bus security implementations using the pre-classified datasets. In addition, a unified data format for raw re-playable CAN sequences enables different automotive research teams to exchange datasets and perform security testing simultaneously against different vehicles and simulation hardware.

Proceedings Article•10.1145/3230833.3230869•
The Other Side of the Coin: A Framework for Detecting and Analyzing Web-based Cryptocurrency Mining Campaigns

Julian Rauchberger, Sebastian Schrittwieser, Tobias Dam, Robert Luh, Damjan Buhov, Gerhard Pötzelsberger, Hyoungshick Kim1 •
Sungkyunkwan University1
27 Aug 2018
TL;DR: MiningHunter is introduced, a novel web crawling framework which is able to detect mining scripts even if they obfuscate their malicious activities and can be used to provide an in-depth analysis of cryptojacking campaigns.
Abstract: Mining for crypto currencies is usually performed on high-performance single purpose hardware or GPUs. However, mining can be easily parallelized and distributed over many less powerful systems. Cryptojacking is a new threat on the Internet and describes code included in websites that uses a visitor's CPU to mine for crypto currencies without their consent. This paper introduces MiningHunter, a novel web crawling framework which is able to detect mining scripts even if they obfuscate their malicious activities. We scanned the Alexa Top 1 million websites for cryptojacking, collected more than 13,400,000 unique JavaScript files with a total size of 246 GB and found that 3,178 websites perform cryptocurrency mining without their visitors' consent. Furthermore, MiningHunter can be used to provide an in-depth analysis of cryptojacking campaigns. To show the feasibility of the proposed framework, three of such campaigns are examined in detail. Our results provide the most comprehensive analysis to date of the spread of cryptojacking on the Internet.

Proceedings Article•10.1145/3230833.3233255•
Identity and Access Control for micro-services based 5G NFV platforms

Daniel Guija, M.S. Siddiqui
27 Aug 2018
TL;DR: This paper focuses on proposing and showcasing a 5G platform oriented solution among different approaches to integrate authentication and authorization functionalities, an adapted secure and stateless mechanism, providing identity and permissions management to handle not only users, but also system micro-services, in a network functions virtualization management and orchestration (NFV MANO) system, oriented to deploy virtualized services.
Abstract: The intrinsic use of SDN/NFV technologies in 5G infrastructures promise to enable the flexibility and programmability of networks to ensure lower cost of network and service provisioning and operation, however it brings new challenges and requirements due to new architectural changes. In terms of security, authentication and authorization functions need to evolve towards the new and emerging 5G virtualization platforms in order to meet the requirements of service providers and infrastructure operators. Over the years, a lot of authentication techniques have been used. Now, a wide range of options arise allowing to extend existing authentication and authorization mechanisms. This paper focuses on proposing and showcasing a 5G platform oriented solution among different approaches to integrate authentication and authorization functionalities, an adapted secure and stateless mechanism, providing identity and permissions management to handle not only users, but also system micro-services, in a network functions virtualization management and orchestration (NFV MANO) system, oriented to deploy virtualized services. The presented solution uses the NFV-based SONATA Service Platform which offers capabilities for a continuous integration and delivery DevOps methodology that allow high levels of programmability and flexibility to manage the entire life cycle of Virtual Network Functions, and enables the perfect scenario to showcase different approaches for authentication and authorization mechanisms for users and micro-services in a 5G platform.

Proceedings Article•10.1145/3230833.3232823•
Detection of Obfuscation Techniques in Android Applications

Alessandro Bacci1, Alberto Bartoli1, Fabio Martinelli, Eric Medvet1, Francesco Mercaldo •
University of Trieste1
27 Aug 2018
TL;DR: A method, exploiting static analysis and Machine Learning classification algorithms, to identify whether a mobile application is modified by means of one or more morphing techniques, and performs experiments on a real-world dataset of Android applications.
Abstract: Current signature detection mechanisms can be easily evaded by malware writers by applying obfuscation techniques. Employing morphing code techniques, attackers are able to generate several variants of one malicious sample, making the corresponding signature obsolete. Considering that the signature definition is a laborious process manually performed by security analysts, in this paper we propose a method, exploiting static analysis and Machine Learning classification algorithms, to identify whether a mobile application is modified by means of one or more morphing techniques. We perform experiments on a real-world dataset of Android applications (morphed and original), obtaining encouraging results in the obfuscation technique(s) identification.

Proceedings Article•10.1145/3230833.3232805•
On Track of Sigfox Confidentiality with End-to-End Encryption

Radek Fujdiak1, Petr Blazek1, Konstantin Mikhaylov2, Lukas Malina1, Petr Mlynek1, Jiri Misurec1, Vojtech Blazek1 •
Brno University of Technology1, University of Oulu2
27 Aug 2018
TL;DR: This paper compares three selected cryptographic encryption solutions (AES, ChaCha and OTP) in respect to the main IoT triad of performance, security and cost and investigates the encryption solutions and characterize their energy consumption in a real-life implementation.
Abstract: The last years brought many novel challenges for the Internet of Things (IoT). Low capital and operational expenditures, massive deployments of devices, reliability and security are among the most crucial ones. The recently introduced Low-power wide area (LPWA) technologies provide one possible way of addressing these challenges. In the current paper, we focus on one of the most mature LPWA technology, namely Sigfox. We provide a brief security assessment of this technology and highlight the main security imperfections. Notably, we also consider the recent changes introduced in the last revision of the Sigfox specification released in the fourth quarter of 2017. Importantly, this paper discusses the highlighted issues and compares three selected cryptographic encryption solutions (AES, ChaCha and OTP) in respect to the main IoT triad of performance, security and cost. We investigate the encryption solutions and characterize their energy consumption in a real-life implementation. The results herein presented are useful for understanding the cost of enabling security aspects and enable selecting the most efficient encryption protocol.

Proceedings Article•10.1145/3230833.3232813•
Digital Forensics in the Next Five Years

Laoise Luciano1, Ibrahim Baggili1, Mateusz Topor1, Peter Casey1, Frank Breitinger1 •
University of New Haven1
27 Aug 2018
TL;DR: Overall results indicated that a more active and coherent group needs to be formed in the cyber forensics community, with opportunities for continuous reassessment and improvement processes in place.
Abstract: Cyber forensics has encountered major obstacles over the last decade and is at a crossroads. This paper presents data that was obtained during the National Workshop on Redefining Cyber Forensics (NWRCF) on May 23-24, 2017 supported by the National Science Foundation and organized by the University of New Haven. Qualitative and quantitative data were analyzed from twenty-four cyber forensics expert panel members. This work identified important themes that need to be addressed by the community, focusing on (1) where the domain currently is; (2) where it needs to go and; (3) steps needed to improve it. Furthermore, based on the results, we articulate (1) the biggest anticipated challenges the domain will face in the next five years; (2) the most important cyber forensics research opportunities in the next five years and; (3) the most important job-ready skills that need to be addressed by higher education curricula over the next five years. Lastly, we present the key issues and recommendations deliberated by the expert panel. Overall results indicated that a more active and coherent group needs to be formed in the cyber forensics community, with opportunities for continuous reassessment and improvement processes in place.

Proceedings Article•10.1145/3230833.3232854•
A reference architecture for the container ecosystem

Madiha H. Syed1, Eduardo B. Fernandez1•
Florida Atlantic University1
27 Aug 2018
TL;DR: Several models for container ecosystem components are described, which provide a common vocabulary and build holistic and unified views of the systems, and relationships between container, cloud and IoT ecosystems are described.
Abstract: Containers have gained immense popularity as a portable and lightweight virtualization solution. They facilitate application development, deployment and distribution across computing environments. Their success is also attributed to the support they offer for DevOps teams and for applications developed using a microservices architecture style. Containers are not the only components in the environment but work closely with other components for managing and supporting them, forming an ecosystem. Architectural modeling can be used as a powerful tool to represent ecosystems which helps understand, build and secure such complex systems. We describe in this paper several models we have created for container ecosystem components. These models are abstract, and they help generalize the systems to handle complexity and heterogeneity; they provide a common vocabulary and build holistic and unified views of the systems. The use of UML for modeling improves precision. This can lead to better implementations with respect to reliability, security and interoperability compared to ad hoc methods. A reference architecture will not just facilitate the work of developers and security engineers but also of anyone who aims to ensure compliance, privacy, safety, reliability and/or governance for container ecosystems and we show how to build one. We also describe relationships between container, cloud and IoT ecosystems. This paper is part of our work on developing a security reference architecture for container ecosystems.

Proceedings Article•10.1145/3230833.3233257•
IoT Forensic: identification and classification of evidence in criminal investigations

François Bouchaud, Gilles Grimaud1, Thomas Vantroys1•
University of Lille1
27 Aug 2018
TL;DR: The recent concept of "digital footprint" in the crime area based on frequencies and interactions mapping between devices is developed and a generalist classification table is introduced as well as the limits of such an approach.
Abstract: The Internet of Things (IoT) is everywhere around us. Smart communicating objects offer the digitalization of lives. Thus, IoT opens new opportunities in criminal investigations such as a protagonist or a witness to the event. Any investigation process involves four phases: firstly the identification of an incident and its evidence, secondly device collection and preservation, thirdly data examination and extraction and then finally data analysis and formalization. In recent years, the scientific community sought to develop a common digital framework and methodology adapted to IoT-based infrastructure. However, the difficulty of IoT lies in the heterogeneous nature of the device, lack of standards and the complex architecture. Although digital forensics are considered and adopted in IoT investigations, this work only focuses on collection. Indeed the identification phase is relatively unexplored. It addresses challenges of finding the best evidence and locating hidden devices. So, the traditional method of digital forensics does not fully fit the IoT environment. In this paperwork, we investigate the mobility in the context of IoT at the crime scene. This paper discusses the data identification and the classification methodology from IoT to looking for the best evidences. We propose tools and techniques to identify and locate IoT devices. We develop the recent concept of "digital footprint" in the crime area based on frequencies and interactions mapping between devices. We propose technical and data criteria to efficiently select IoT devices. Finally, the paper introduces a generalist classification table as well as the limits of such an approach.
Proceedings Article•10.1145/3230833.3232804•
Denial-of-Service Attacks on LoRaWAN

[...]

Eef van Es1, Harald Vranken2, Arjen Hommersom2•
Open University1, Radboud University Nijmegen2
27 Aug 2018
TL;DR: It is validated that these vulnerabilities can be exploited for DoS attacks by creating and simulating Coloured Petri Net models of relevant parts of the LoRaWAN protocol.
Abstract: LoRaWAN is the dominant protocol for communication in low-power Wide Area Networks in several European countries, and is being used increasingly in other parts of the world. We identified three vulnerabilities in the LoRaWAN protocol specification that can be used for launching Denial-of-Service (DoS) attacks against end-devices in a LoRaWAN network. We validated that these vulnerabilities can be exploited for DoS attacks by creating and simulating Coloured Petri Net models of relevant parts of the LoRaWAN protocol.
Proceedings Article•10.1145/3230833.3233249•
A novel Self-Organizing Network solution towards Crypto-ransomware Mitigation

[...]

Marco Antonio Sotelo Monge1, Jorge Maestre Vidal1, Luis Javier García Villalba1•
Complutense University of Madrid1
27 Aug 2018
TL;DR: A novel defensive approach based on the Self-Organizing Network paradigm and the emergent communication technologies (e.g. Software-Defined Networking, Network Function Virtualization, Cloud Computing, etc.) is proposed to enhance the orchestration of smart defensive deployments that adapt to the status of the monitoring environment and facilitate the adoption of previously defined risk management policies.
Abstract: In the last decade, crypto-ransomware evolved from a family of malicious software with scarce repercussion in the research community, to a sophisticated and highly effective intrusion method positioned in the spotlight of the main organizations for cyberdefense. Its modus operandi is characterized by fetching the assets to be blocked, their encryption, and triggering an extortion process that leads the victim to pay for the key that allows their recovery. This paper reviews the evolution of crypto-ransomware focusing on the implication of the different advances in communication technologies that empowered its popularization. In addition, a novel defensive approach based on the Self-Organizing Network paradigm and the emergent communication technologies (e.g. Software-Defined Networking, Network Function Virtualization, Cloud Computing, etc.) is proposed. They enhance the orchestration of smart defensive deployments that adapt to the status of the monitoring environment and facilitate the adoption of previously defined risk management policies. In this way it is possible to efficiently coordinate the efforts of sensors and actuators distributed throughout the protected environment without supervision by human operators, resulting in greater protection with increased viability.
Proceedings Article•10.1145/3230833.3233251•
Towards a 5G Security Architecture: Articulating Software-Defined Security and Security as a Service

[...]

Gregory Blanc1, Nizar Kheir2, Dhouha Ayed2, Vincent Lefebvre, Edgardo Montes de Oca, Pascal Bisson2 •
Telecom SudParis1, Thales Group2
27 Aug 2018
TL;DR: The proposed security architecture connects the demands specified by the tenants through as-a-service mechanisms with built-in security functions relying on the ability to combine enforcement and monitoring functions within the software-defined network infrastructure.
Abstract: 5G is envisioned as a transformation of the communications architecture towards multi-tenant, scalable and flexible infrastructure, which heavily relies on virtualised network functions and programmable networks. In particular, orchestration will advance one step further in blending both compute and data resources, usually dedicated to virtualisation technologies, and network resources into so-called slices. Although 5G security is being developed in current working groups, slice security is seldom addressed. In this work, we propose to integrate security in the slice life cycle, impacting its management and orchestration that relies on the virtualization/softwarisation infrastructure. The proposed security architecture connects the demands specified by the tenants through as-a-service mechanisms with built-in security functions relying on the ability to combine enforcement and monitoring functions within the software-defined network infrastructure. The architecture exhibits desirable properties such as isolating slices down to the hardware resources or monitoring service-level performance.
Proceedings Article•10.1145/3230833.3233277•
Towards an Automated Recognition System for Chat-based Social Engineering Attacks in Enterprise Environments

[...]

Nikolaos Tsinganos1, Georgios Sakellariou1, Panagiotis Fouliras1, Ioannis Mavridis1•
University of Macedonia1
27 Aug 2018
TL;DR: The current state-of-the-art on SE attack recognition systems is presented, together with a dissection of a SE attack to recognize the different stages, forms, and attributes and isolate the critical enablers that can influence a SE attack to work.
Abstract: Increase in usage of electronic communication tools (email, IM, Skype, etc.) in enterprise environments has created new attack vectors for social engineers. Billions of people are now using electronic equipment in their everyday workflow which means billions of potential victims of Social Engineering (SE) attacks. Human is considered the weakest link in cybersecurity chain and breaking this defense is nowadays the most accessible route for malicious internal and external users. While several methods of protection have already been proposed and applied, none of these focuses on chat-based SE attacks while at the same time automation in the field is still missing. Social engineering is a complex phenomenon that requires interdisciplinary research combining technology, psychology, and linguistics. Attackers treat human personality traits as vulnerabilities and use the language as their weapon to deceive, persuade and finally manipulate the victims as they wish. Hence, a holistic approach is required to build a reliable SE attack recognition system. In this paper we present the current state-of-the-art on SE attack recognition systems, we dissect a SE attack to recognize the different stages, forms, and attributes and isolate the critical enablers that can influence a SE attack to work. Finally, we present our approach for an automated recognition system for chat-based SE attacks that is based on Personality Recognition, Influence Recognition, Deception Recognition, Speech Act and Chat History.
Proceedings Article•10.1145/3230833.3232809•
Breaking down violence: A deep-learning strategy to model and classify violence in videos

[...]

Bruno Malveira Peixoto1, Sandra Avila1, Zanoni Dias1, Anderson Rocha1•
State University of Campinas1
27 Aug 2018
TL;DR: This work explores how to better describe the idea of violence for a convolutional neural network by breaking it into more objective and concrete parts and shows that using more specific concepts is an intuitive and effective solution, besides being complementary to form a more robust definition of violence.
Abstract: Detecting violence in videos through automatic means is significant for law enforcement and analysis of surveillance cameras with the intent of maintaining public safety. Moreover, it may be a great tool for protecting children from accessing inappropriate content and help parents make a better informed decision about what their kids should watch. However, this is a challenging problem since the very definition of violence is broad and highly subjective. Hence, detecting such nuances from videos with no human supervision is not only technical, but also a conceptual problem. With this in mind, we explore how to better describe the idea of violence for a convolutional neural network by breaking it into more objective and concrete parts. Initially, our method uses independent networks to learn features for more specific concepts related to violence, such as fights, explosions, blood, etc. Then we use these features to classify each concept and later fuse them in a meta-classification to describe violence. We also explore how to represent time-based events in still-images as network inputs; since many violent acts are described in terms of movement. We show that using more specific concepts is an intuitive and effective solution, besides being complementary to form a more robust definition of violence. When compared to other methods for violence detection, this approach holds better classification quality while using only automatic features.
Proceedings Article•10.1145/3230833.3230835•
An investigation of a deep learning based malware detection system

[...]

Mohit Sewak1, Sanjay K. Sahay1, Hemant Rathore1•
Birla Institute of Technology and Science1
27 Aug 2018
TL;DR: Since it is good in automatically extracting higher conceptual features from the data, Deep Learning based systems could provide an effective, general and scalable mechanism for detection of existing and unknown malware.
Abstract: We investigate a Deep Learning based system for malware detection. In the investigation, we experiment with different combinations of Deep Learning architectures including Auto-Encoders, and Deep Neural Networks with varying layers over Malicia malware dataset on which earlier studies have obtained an accuracy of (98%) with an acceptable False Positive Rates (1.07%). But these results were done using extensive man-made custom domain features and investing corresponding feature engineering and design efforts. In our proposed approach, besides improving the previous best results (99.21% accuracy and a False Positive Rate of 0.19%) indicates that Deep Learning based systems could deliver an effective defense against malware. Since it is good in automatically extracting higher conceptual features from the data, Deep Learning based systems could provide an effective, general and scalable mechanism for detection of existing and unknown malware.
Proceedings Article•10.1145/3230833.3233248•
SDN-based Mitigation of Scanning Attacks for the 5G Internet of Radio Light System

[...]

Krzysztof Cabaj1, Marcin Gregorczyk1, Wojciech Mazurczyk1, Piotr Nowakowski1, Piotr Żórawski1 •
Warsaw University of Technology1
27 Aug 2018
TL;DR: A dedicated SDN-based integrated security framework for the Internet of Radio Light (IoRL) system that is following 5G architecture design is introduced and enclosed experimental results prove that the proposed security framework has potential to become an effective defensive solution.
Abstract: Currently 5G communication networks are gaining on importance among industry, academia, and governments worldwide as they are envisioned to offer wide range of high-quality services and unfaltering user experiences. However, certain security, privacy and trust challenges need to be addressed in order for the 5G networks to be widely welcomed and accepted. That is why in this paper, we take a step towards these requirements and we introduce a dedicated SDN-based integrated security framework for the Internet of Radio Light (IoRL) system that is following 5G architecture design. In particular, we present how TCP SYN-based scanning activities which typically comprise the first phase of the attack chain can be detected and mitigated using such an approach. Enclosed experimental results prove that the proposed security framework has potential to become an effective defensive solution.
Proceedings Article•10.1145/3230833.3234689•
A New Classification of Attacks against the Cyber-Physical Security of Smart Grids

[...]

Ghada Elbez1, Hubert B. Keller1, Veit Hagenmeyer1•
Karlsruhe Institute of Technology1
27 Aug 2018
TL;DR: The specific differences between SGs with respect to both Information Technology (IT) systems and conventional energy grids are discussed and a new classification of cyber attacks, based on the architecture of the SG, is proposed and details for each category are provided.
Abstract: Modern critical infrastructures such as Smart Grids (SGs) rely heavily on Information and Communication Technology (ICT) systems to monitor and control operations and states within large-scale facilities. The potential offered by SGs includes an effective integration of renewables, a demand-response action and a dynamic pricing system. The increasing use of ICT for the communication infrastructure of modern power systems offers advantages but can give rise to cyber attacks that compromise the security of the SG. To deal efficiently with the security concerns of SGs, a survey of the different attacks that consider the physical as well as the cyber characteristics of modern power grids is required. In the present paper, first the specific differences between SGs with respect to both Information Technology (IT) systems and conventional energy grids are discussed. Thereafter, the specific security requirements of SGs are presented in order to raise awareness of the new security challenges. Finally, a new classification of cyber attacks, based on the architecture of the SG, is proposed and details for each category are provided. The new classification is distinguished by its focus on the cyber-physical security of the SG in particular, which gives a comprehensive overview of the different threats. Thus, this new classification forms the necessary knowledge-basis for the design of respective countermeasures.
Proceedings Article•10.1145/3230833.3232798•
CRUSOE: Data Model for Cyber Situational Awareness

[...]

Jana Komárková1, Martin Husák1, Martin Lastovicka1, Daniel Tovarňák1•
Masaryk University1
27 Aug 2018
TL;DR: The CRUSOE data model keeps track of missions, systems, networks, hosts, threats, detection and response capabilities, and access control in a network of an organisation and is designed to be filled primarily with the data that can be obtained in a semi- or fully-automated fashion in today's common network environments.
Abstract: Attaining and keeping cyber situational awareness is crucial for the proper incident response, especially in critical infrastructures. Incident handlers need to process heterogeneous data, such as network topology and organisation's missions and objectives, to effectively mitigate the threats. The development of tools for attaining cyber situational awareness often faces the problem of effectively obtaining, correlating, and storing such heterogeneous data. In this paper, we present CRUSOE, an extensible layered data model for attaining and keeping information on cyber situational awareness. We conducted interviews with incident handlers from several security teams and evaluated existing requirements on cyber situational awareness to formalise the requirements on the proposed data model so that can be used in today's common network settings. The CRUSOE data model keeps track of missions, systems, networks, hosts, threats, detection and response capabilities, and access control in a network of an organisation. It is also designed to be filled primarily with the data that can be obtained in a semi- or fully-automated fashion in today's common network environments.
Proceedings Article•10.1145/3230833.3233281•
Mission-Centric Risk Assessment to Improve Cyber Situational Awareness

[...]

F. R. L. Silva1, Paul Jacob1•
Athlone Institute of Technology1
27 Aug 2018
TL;DR: This paper describes ongoing efforts within the H2020 PROTECTIVE project to define a practical mission-centric risk assessment methodology for use across diverse organisation types.
Abstract: Cyber situational awareness has become increasingly important for proactive risk management to help detect and mitigate cyber attacks. Being aware of the importance of individual information system assets to the goal or mission of the organisation is critical to help minimise enterprise risk. However current risk assessment methodologies do not give explicit support to assess mission related asset criticality. This paper describes ongoing efforts within the H2020 PROTECTIVE project to define a practical mission-centric risk assessment methodology for use across diverse organisation types.
Proceedings Article•10.1145/3230833.3230859•
Finally Johnny Can Encrypt: But Does This Make Him Feel More Secure?

[...]

Nina Gerber1, Verena Zimmermann2, Birgit Henhapl2, Sinem Emeröz2, Melanie Volkamer1 •
Karlsruhe Institute of Technology1, Technische Universität Darmstadt2
27 Aug 2018
TL;DR: It was found that about half of the participants perceived that even with E2E encryption, their messages could still be eavesdropped, for example by hackers and other criminals, governmental institutions, or WhatsApp's employees and cooperation partners, and how their communication behavior changed.
Abstract: End-to-end (E2E) encryption is an effective measure against privacy infringement. In 2016, it was introduced by WhatsApp for all users (of the latest app version) quasi overnight. However, it is unclear how non-expert users perceived this change, whether they trust WhatsApp as a provider of E2E encryption, and how their communication behavior changed. We conducted semi-structured interviews with twenty WhatsApp users to answer these questions. We found that about half of the participants perceived that even with E2E encryption, their messages could still be eavesdropped, for example by hackers and other criminals, governmental institutions, or WhatsApp's employees and cooperation partners. Many participants correctly identified sender and recipient as weakest points after the introduction of E2E encryption, but misconceptions were still present. For instance, users thought that messages were transmitted directly between two devices without being forwarded or stored on a server, or interpreted 'end-to-end' as a temporally end of communication. The majority of users stated to mistrust WhatsApp and its E2E encryption and presumed image-related reasons for the cost-free implementation. While most participants did not change their communication behavior, they reported to use protection strategies such as sending sensitive content via alternative channels even after the introduction of E2E encryption.
Proceedings Article•10.1145/3230833.3232803•
Towards Wireless Secret key Agreement with LoRa Physical Layer

[...]

Henri Ruotsalainen1, Stepan Grebeniuk•
St. Pölten University of Applied Sciences1
27 Aug 2018
TL;DR: The first insights on how to establish LoRa based secret key agreement for low-power wide area networks (LPWAN) are given and it is indicated that the instantaneous RSSI measurement capability leads in most cases to lower key disagreement and higher key entropy.
Abstract: The wireless secret key agreement offers information theoretic secrecy with potential for low energy implementations. However, the presented works have concentrated mainly on wireless technologies such as 802.11 or 802.15.4, which are suitable for small scale local networks. This paper gives the first insights on how to establish LoRa based secret key agreement for low-power wide area networks (LPWAN). In particular: 1) characterization of LoRa parameter influence on the key agreement 2) comparison between available channel probing methods and 3) evaluation of several wireless scenarios with off-the-shelf LoRa devices, have been conducted to reveal the optimal hardware settings and the key generation performance. The main results indicate that the instantaneous RSSI measurement capability leads in most cases to lower key disagreement and higher key entropy. A further outcome shows that strong secret keys can be extracted from LoRa node-gateway communication, even when the devices are stationary.
...
