Digital Threats: Research and Practice

Network services are processes running on a system with network exposure. A key activity for any network defender, penetration tester, or red team is network attack surface mapping, the act of detecting and categorizing those services through which a threat actor could attempt malicious activity. Many tools have arisen over the years to probe, identify, and classify these services for information and vulnerabilities. In this article, we survey network attack surface mapping by reviewing several prominent tools and their features and then discussing recent works reflecting unique research using those tools. We conclude by covering several promising directions for future research.

Douglas Everson

Long Cheng

Digital Threats Research and Practice

A Survey on Network Attack Surface Mapping

网络攻击面映射综述

Gaining reliable arbitrary code execution through the exploitation of memory corruption vulnerabilities is becoming increasingly more difficult in the face of modern exploit mitigations. Facing this challenge, adversaries have started shifting their attention to data leakage attacks, which can lead to equally damaging outcomes, such as the disclosure of private keys or other sensitive data. In this work, we present a compiler-level defense against data leakage attacks for user-space applications. Our approach strikes a balance between the manual effort required to protect sensitive application data, and the performance overhead of achieving strong data confidentiality. To that end, we require developers to simply annotate those variables holding sensitive data, after which our framework automatically transforms only the fraction of the entire program code that is related to sensitive data operations. We implemented this approach by extending the LLVM compiler, and used it to protect memory-resident private keys in the MbedTLS server, ssh-agent, and a Libsodium-based file signing program, as well as user passwords for Lighttpd and Memcached. Our results demonstrate the feasibility and practicality of our technique: a modest runtime overhead (e.g., 13% throughput reduction for MbedTLS) that is on par with, or better than, existing state-of-the-art memory safety approaches for selective data protection.

Tapti Palit

Fabian Monrose

Michalis Polychronakis

Mitigating Data-only Attacks by Protecting Memory-resident Sensitive Data

The incremental diffusion of machine learning algorithms in supporting cybersecurity is creating novel defensive opportunities but also new types of risks. Multiple researches have shown that machine learning methods are vulnerable to adversarial attacks that create tiny perturbations aimed at decreasing the effectiveness of detecting threats. We observe that existing literature assumes threat models that are inappropriate for realistic cybersecurity scenarios, because they consider opponents with complete knowledge about the cyber detector or that can freely interact with the target systems. By focusing on Network Intrusion Detection Systems based on machine learning, we identify and model the real capabilities and circumstances required by attackers to carry out feasible and successful adversarial attacks. We then apply our model to several adversarial attacks proposed in literature and highlight the limits and merits that can result in actual adversarial attacks. The contributions of this article can help hardening defensive systems by letting cyber defenders address the most critical and real issues and can benefit researchers by allowing them to devise novel forms of adversarial attacks based on realistic threat models.

Giovanni Apruzzese

Mauro Andreolini

Luca Ferretti

Mirco Marchetti

Michele Colajanni

Modeling Realistic Adversarial Attacks against Network Intrusion Detection Systems

建模针对网络入侵检测系统的现实对抗攻击

Organizations and their security operation centers often struggle to detect and respond effectively to an extensive quantity of ever-evolving cyberattacks. While collaboration, such as threat intelligence sharing between security teams, and response automation are often discussed in the cybersecurity community, issues like data sensitivity and confidence in detection may hinder their adoption. This work investigates the potentials and challenges of collaboration and automation to enhance incident response processes. We propose a reference architecture for data sharing in threat detection and response, aiming to boost collaborative and automated efforts across organizations while also considering privacy-preserving features. To address these challenges and potentials, we discuss how such a framework could enhance current response processes within and between organizations, validated with results in local attack detection, incident response, and data sharing.

Lasse Nitz

Mehdi Akbari Gurabi

Milan Cermak

Martin Zadnik

David Karpuk

Arthur Drichel

Sebastian Schäfer

Benedikt Holmes

Avikarsha Mandal

On Collaboration and Automation in the Context of Threat Detection and Response with Privacy-Preserving Features

关于威胁检测与响应中隐私保护特性的协作与自动化研究

The phenomenon of the non-consensual distribution of intimate or sexually explicit digital images of adults, a.k.a. non-consensual pornography (NCP) or revenge pornography, is under the spotlight for the toll it is taking on society. Law enforcement statistics confirm a dramatic global rise in abuses. For this reason, the research community is investigating different strategies to fight and mitigate the abuses and their effects. Since the phenomenon involves different aspects of personal and social interaction among users of social media and content sharing platforms, in the literature it is addressed under different academic disciplines. However, while most of the literature reviews focus on non-consensual pornography either from a social science or psychological perspective, to the best of our knowledge a systematic review of the research on the technical aspects of the problem is still missing. In this work, we present a Systematic Mapping Study (SMS) of the literature, looking at this interdisciplinary phenomenon through a technical lens. Therefore, we focus on the cyber side of the crime of non-consensual pornography with the aim of describing the state-of-the-art and the future lines of research from a technical and quantitative perspective.

Mattia Falduti

Sergio Tessaris

Mapping the Interdisciplinary Research on Non-consensual Pornography: Technical and Quantitative Perspectives

非同意色情内容的跨学科研究图谱：技术与定量视角

With the significant advances in deep generative models for image and video synthesis, Deepfakes and manipulated media have raised severe societal concerns. Conventional machine learning classifiers for deepfake detection often fail to cope with evolving deepfake generation technology and are susceptible to adversarial attacks. Alternatively, invisible image watermarking is being researched as a proactive defense technique that allows media authentication by verifying an invisible secret message embedded in the image pixels. A handful of invisible image watermarking techniques introduced for media authentication have proven vulnerable to basic image processing operations and watermark removal attacks. In response, we have proposed a semi-fragile image watermarking technique that embeds an invisible secret message into real images for media authentication. Our proposed watermarking framework is designed to be fragile to facial manipulations or tampering while being robust to benign image-processing operations and watermark removal attacks. This is facilitated through a unique architecture of our proposed technique consisting of critic and adversarial networks that enforce high image quality and resiliency to watermark removal efforts, respectively, along with the backbone encoder-decoder and the discriminator networks. This allows images shared over the Internet to retain the verifiable watermark as long as facial manipulations or any other Deepfake modification technique is not applied. Thorough experimental investigations on SOTA facial Deepfake datasets demonstrate that our proposed model can embed a \(64\) -bit secret as an imperceptible image watermark that can be recovered with a high-bit recovery accuracy when benign image processing operations are applied while being non-recoverable when unseen Deepfake manipulations are applied. In addition, our proposed watermarking technique demonstrates high resilience to several white-box and black-box watermark removal attacks. Thus, obtaining state-of-the-art performance.

Aakash Varma Nadimpalli

Ajita Rattani

Social Media Authentication and Combating Deepfakes using Semi-fragile Invisible Image Watermarking

社交媒体认证与利用半脆弱不可见图像水印技术对抗深度伪造

In real life, distinct runs of the same artifact lead to the exploration of different paths, due to either system's natural randomness or malicious constructions. These variations might completely change execution outcomes (extreme case). Thus, to analyze malware beyond theoretical models, we must consider the execution of multiple paths. The academic literature presents many approaches for multipath analysis (e.g., fuzzing, symbolic, and concolic executions), but it still fails to answer What's the current state of multipath malware tracing? This work aims to answer this question and also to point out What developments are still required to make them practical? Thus, we present a literature survey and perform experiments to bridge theory and practice. Our results show that (i) natural variation is frequent; (ii) fuzzing helps to discover more paths; (iii) fuzzing can be guided to increase coverage; (iv) forced execution maximizes path discovery rates; (v) pure symbolic execution is impractical, and (vi) concolic execution is promising but still requires further developments.

Marcus Botacin

Fuzzing and Symbolic Execution for Multipath Malware Tracing: Bridging Theory and Practice via Survey and Experiments

模糊测试与符号执行在多路径恶意软件追踪中的应用：通过调查与实验连接理论与实践

Understanding the modus operandi of adversaries aids organizations to employ efficient defensive strategies and share intelligence in the community. This knowledge is often present in unstructured natural language text within threat analysis reports. A translation tool is needed to interpret the modus operandi explained in the sentences of the threat report and convert it into a structured format. This research introduces a methodology named TTPXHunter for automated extraction of threat intelligence in terms of Tactics, Techniques, and Procedures (TTPs) from finished cyber threat reports. It leverages cyber domain-specific state-of-the-art natural language model to augment sentences for minority class TTPs and refine pinpointing the TTPs in threat analysis reports significantly. We create two datasets: an augmented sentence-TTP dataset of \(39,296\) sentence samples and a \(149\) real-world cyber threat intelligence report-to-TTP dataset. Further, we evaluate TTPXHunter on the augmented sentence and report datasets. The TTPXHunter achieves the highest performance of \(92.42\%\) f1-score on the augmented dataset, and it also outperforms existing state-of-the-art TTP extraction method by achieving an f1-score of \(97.09\%\) when evaluated over the report dataset. TTPXHunter significantly improves cybersecurity threat intelligence by offering quick, actionable insights into attacker behaviors. This advancement automates threat intelligence analysis and provides a crucial tool for cybersecurity professionals to combat cyber threats.

Nanda Rani

Bikash Saha

Vikas Maurya

Sandeep Kumar Shukla

TTPXHunter: Actionable Threat Intelligence Extraction as TTPs from Finished Cyber Threat Reports

TTPXHunter：从已完成网络威胁报告中提取可操作威胁情报作为TTPs

Advanced persistent threat (APT) attacks present a significant challenge for any organization, as they are difficult to detect due to their elusive nature and characteristics. In this paper, we conduct a comprehensive literature review to investigate the various APT attack detection systems and approaches and classify them based on their threat model and detection method. Our findings reveal common obstacles in APT attack detection, such as correctly attributing anomalous behavior to APT attack activities, limited availability of public datasets and inadequate evaluation methods, challenges with detection procedures, and misinterpretation of requirements. Based on our findings, we propose a reference architecture to enhance the comparability of existing systems and provide a framework for classifying detection systems. In addition, we look in detail at the problems encountered in current evaluations and other scientific gaps, such as a neglected consideration of integrating the systems into existing security architectures and their adaptability and durability. While no one-size-fits-all solution exists for APT attack detection, this review shows that graph-based approaches hold promising potential. However, further research is required for real-world usability, considering the systems’ adaptability and explainability.

Robin Buchta

George Gkoktsis

Felix Heine

Carsten Kleiner

Advanced Persistent Threat Attack Detection Systems: A Review of Approaches, Challenges, and Trends

高级持续性威胁攻击检测系统：方法、挑战与趋势综述

ISSN	2576-5337, 2692-1626
h-index	10

Publication Information	Publisher: Association for Computing Machinery (ACM)，Publishing cycle: ，Journal Type: journal，Open Access Journals: No
Basic data	Year of publication: 2020，Proportion of original research papers: ，Self Citation Rate:， Gold OA Rate:

Digital Threats: Research and Practice

Journal Citation Format

A journal article with 1 author

A journal article with 2 authors

A journal article with 3 authors

A journal article with 5 or more authors

Books Citation Format

Thesis Citation Format

Web sites Citation Format

Patent Citation Format

Staying up late manually editing references? ivySCI automatically matches journals and helps you generate references with a single click.

Share Submission Experience

A Survey on Network Attack Surface Mapping

Mitigating Data-only Attacks by Protecting Memory-resident Sensitive Data

Modeling Realistic Adversarial Attacks against Network Intrusion Detection Systems

On Collaboration and Automation in the Context of Threat Detection and Response with Privacy-Preserving Features

Mapping the Interdisciplinary Research on Non-consensual Pornography: Technical and Quantitative Perspectives

On Collaboration and Automation in the Context of Threat Detection and Response with Privacy-Preserving Features

Social Media Authentication and Combating Deepfakes using Semi-fragile Invisible Image Watermarking

Fuzzing and Symbolic Execution for Multipath Malware Tracing: Bridging Theory and Practice via Survey and Experiments

TTPXHunter: Actionable Threat Intelligence Extraction as TTPs from Finished Cyber Threat Reports

Advanced Persistent Threat Attack Detection Systems: A Review of Approaches, Challenges, and Trends