Main stages of security event correlation

Source publication
Preprint
Information systems need to process a large amount of event monitoring data. The process of finding the relationships between events is called correlation, which creates a context between independent events and previously collected information in real time and normalizes it for subsequent processing. In cybersecurity, events can determine the steps...

Context in source publication

Context 1
... general, the task of event correlation can be defined in the following three stages: (1) calculation of pairwise similarity of events; (2) compilation of sequences of events as steps of a certain process; (3) determining the correspondence of event sequences. Figure 3 shows these stages for security events. Independent events describe system behavior, including anomalies. ...
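The three stages named in the context above can be followed end to end on a handful of synthetic security events. The block below is an added illustration, not the paper's code or method: the similarity measure (a weighted mix of shared-host overlap and time proximity), the linking threshold, the time window, the reference step list and the sample events are all constructed assumptions chosen so that the stages are easy to inspect.

```python
"""Illustrative walk-through of the three correlation stages:
(1) pairwise event similarity, (2) assembling events into sequences,
(3) measuring how well a sequence corresponds to a reference process.
Added example; the measure, weights, threshold and sample data are
constructed assumptions and not taken from the source publication."""
from typing import Dict, List, Tuple

Event = Dict[str, object]

# Constructed sample events (times in seconds). Event 5 is an unrelated login.
EVENTS: List[Event] = [
    {"id": 1, "t": 0,   "src": "10.0.0.5",  "dst": "10.0.0.20", "type": "port_scan"},
    {"id": 2, "t": 30,  "src": "10.0.0.5",  "dst": "10.0.0.20", "type": "auth_failure"},
    {"id": 3, "t": 45,  "src": "10.0.0.5",  "dst": "10.0.0.20", "type": "auth_success"},
    {"id": 4, "t": 200, "src": "10.0.0.20", "dst": "10.0.0.21", "type": "lateral_move"},
    {"id": 5, "t": 60,  "src": "10.0.0.9",  "dst": "10.0.0.30", "type": "auth_success"},
]

# Constructed reference process: the step order a sequence is compared against.
REFERENCE = ["port_scan", "auth_failure", "auth_success", "lateral_move"]
WINDOW = 300       # seconds beyond which time proximity contributes nothing (assumption)
THRESHOLD = 0.35   # minimum similarity for an event to join a sequence (assumption)


def similarity(a: Event, b: Event) -> float:
    """Stage 1: pairwise similarity in [0, 1].
    Host overlap is the Jaccard index of the {src, dst} sets, so a pivot
    (a's destination becoming b's source) still counts as shared context;
    time proximity decays linearly to zero at WINDOW seconds."""
    hosts_a = {a["src"], a["dst"]}
    hosts_b = {b["src"], b["dst"]}
    host_sim = len(hosts_a & hosts_b) / len(hosts_a | hosts_b)
    dt = abs(a["t"] - b["t"])
    time_sim = max(0.0, 1.0 - dt / WINDOW)
    return 0.7 * host_sim + 0.3 * time_sim


def build_sequences(events: List[Event]) -> List[List[Event]]:
    """Stage 2: assemble events into sequences. Each event, taken in time
    order, joins the sequence holding its most similar earlier event if that
    similarity reaches THRESHOLD; otherwise it opens a new sequence."""
    sequences: List[List[Event]] = []
    for ev in sorted(events, key=lambda e: e["t"]):
        best, best_seq = 0.0, None
        for seq in sequences:
            s = max(similarity(ev, prev) for prev in seq)
            if s > best:
                best, best_seq = s, seq
        if best_seq is not None and best >= THRESHOLD:
            best_seq.append(ev)
        else:
            sequences.append([ev])
    return sequences


def lcs_len(a: List[str], b: List[str]) -> int:
    """Length of the longest common subsequence (dynamic programming)."""
    m = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a)):
        for j in range(len(b)):
            if a[i] == b[j]:
                m[i + 1][j + 1] = m[i][j] + 1
            else:
                m[i + 1][j + 1] = max(m[i][j + 1], m[i + 1][j])
    return m[len(a)][len(b)]


def correspondence(seq: List[Event], reference: List[str]) -> float:
    """Stage 3: fraction of the reference steps that appear, in order, in the
    sequence's event types (order-preserving, gaps allowed)."""
    steps = [e["type"] for e in seq]
    return lcs_len(steps, reference) / len(reference)


def correlate(events: List[Event], reference: List[str]) -> List[Tuple[List[int], float]]:
    """Run all three stages; return (event ids, correspondence) per sequence."""
    return [([e["id"] for e in seq], correspondence(seq, reference))
            for seq in build_sequences(events)]


if __name__ == "__main__":
    for ids, score in correlate(EVENTS, REFERENCE):
        print(f"sequence {ids}: correspondence {score:.2f}")
```

With the constructed data, events 1 to 4 chain into one sequence (event 4 joins through the pivot host 10.0.0.20 rather than through the scanning host) and match all four reference steps, while the unrelated login stays in a sequence of its own with a low score. In practice the threshold and window would be tuned on labelled sequences, and the reference list would be one of many process templates rather than a single hard-coded one.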

Similar publications

Article
A plethora of software vulnerabilities are exposed daily, posing a severe threat to the Internet. It is almost impossible for security experts or software developers to deal with all vulnerabilities. Therefore, it is imperative to rapidly assess the severity of the vulnerability to be able to select which one should be given preferential attention....
Article
In the rapidly evolving landscape of cybersecurity, model extraction attacks pose a significant challenge, undermining the integrity of machine learning models by enabling adversaries to replicate proprietary algorithms without direct access. This paper presents a comprehensive study on model extraction attacks towards image classification models,...
Article
Information systems need to process a large amount of event monitoring data. The process of finding the relationships between events is called correlation, which creates a context between independent events and previously collected information in real time and normalizes it for subsequent processing. In cybersecurity, events can determine the steps...

Citations

Article
The digitalization of the modern economy has led to the emergence of information technologies in various areas of human activity. In addition to positive effects, this has enhanced the problem of countering cyber threats. The implementation of cyber threats often has serious consequences, especially when it comes to critical information infrastructure. Malware is an important part of the modern landscape of cyber threats; the most high-profile cybercrimes of recent years are associated with the use of malware. In this regard, the problem area of countering malware is actively developing, and one of the promising areas of research in this area is the creation of methods for detecting malware based on machine learning. However, the weak point of many well-known studies is the construction of reliable data sets for machine learning models, when the authors do not disclose the features of the formation, preprocessing and labeling of data on malware. This fact compromises the reproducibility of a lot of studies. This paper proposes a methodology for collecting data on malware activity based on the MITRE ATT&CK matrix and Sigma rules and designed for Windows OS. The proposed methodology is aimed at improving the quality of datasets containing behavior features of malware and legitimate processes, as well as at reducing the time of data labeling by an expert method. A software stand was prepared and experiments were carried out for testing the methodology. The results of the experiments confirmed the applicability of our methodology.
Article
Artificial Intelligence (AI) has been considered a revolutionary and world-changing science, although it is still a young field and has a long way to go before it can be established as a viable theory. Every day, new knowledge is created at an unthinkable speed, and the Big Data Driven World is already upon us. AI has developed a wide range of theories and software tools that have shown remarkable success in addressing difficult and challenging societal problems. However, the field also faces many challenges and drawbacks that have led some people to view AI with skepticism. One of the main challenges facing AI is the difference between correlation and causation, which plays an important role in AI studies. Additionally, although the term Cybernetics should be a part of AI, it was ignored for many years in AI studies. To address these issues, the Cybernetic Artificial Intelligence (CAI) field has been proposed and analyzed here for the first time. Despite the optimism and enthusiasm surrounding AI, its future may turn out to be a “catastrophic Winter” for the whole world, depending on who controls its development. The only hope for the survival of the planet lies in the quick development of Cybernetic Artificial Intelligence and the Wise Anthropocentric Revolution. The text proposes specific solutions for achieving these two goals. Furthermore, the importance of differentiating between professional/personal ethics and eternal values is highlighted, and their importance in future AI applications is emphasized for solving challenging societal problems. Ultimately, the future of AI heavily depends on accepting certain ethical values.
Article
The unintentional activities of system users can jeopardize the confidentiality, integrity, and assurance of data on information systems. These activities, known as unintentional insider threat activities, account for a significant percentage of data breaches. A method to mitigate or prevent this threat is using smart systems or artificial intelligence (AI). The construction of an AI requires the development of a taxonomy of activities. The literature review focused on data breach threats, mitigation tools, taxonomy usage in cybersecurity, and taxonomy development using Endnote and Google Scholar. This study aims to develop a taxonomy of unintentional insider threat activities based on narrative descriptions of the breach events in public data breach databases. The public databases were from the California Department of Justice, US Health and Human Services, and Verizon, resulting in 1850 examples of human errors. A taxonomy was constructed to specify the dimensions and characteristics of objects. Text mining and hierarchical cluster analysis were used to create the taxonomy, indicating a quantitative approach. Ward’s agglomeration coefficient was used to ensure the cluster was valid. The resulting top-level taxonomy categories are application errors, communication errors, inappropriate data permissions, lost media, and misconfigurations.
Chapter
Security monitoring of cyber-physical systems, in particular in important areas such as industry, energy, medicine and others, should be continuous. Information about the security state of the system is typically logged as security events. Due to the increasing complexity and variability of attacks, security analysts spend a lot of time and effort looking for relationships between individual events. This is especially important when discovering multistep attack paths. This paper proposes an approach to correlation of security events in cyber-physical systems based on graph generation and deep learning. The approach includes the reconstruction of the security event sequence graph and the graph node classification based on neural networks. The proposed approach does not require prior knowledge of attacks and predefined event correlation rules. The experimental evaluation is carried out using an industrial cyber-physical system dataset.
Article
The work process of specialists in protection from information consists of many time-consuming tasks, including data collection, dataset formation, and manual data labelling. In this paper, we attempted to help such specialists with a two-model approach based on the iterative online training of binary classifiers. This approach is used for inappropriate information detection and applied to text posts from the VKontakte social network. The first model is used to detect text posts that correspond to the selected topic and is trained on the data that is labelled positively and negatively by experts as well as random text data. The second model is used to improve the accuracy of the first model and is trained only on the data that is labelled by the experts. The novelty of the approach lies in the constantly growing dataset, while the classifier training process takes place during the operator’s work. The approach works with texts of any size and content and is applicable to Russian social networks. The research contribution lies in the original approach for inappropriate information detection. The practical significance of the approach lies in the automation of routine tasks to reduce the burden on specialists in the area of protection from information. Experimental evaluation of the approach is focused on its iterative retraining part. For the experiment, text posts of different topics from the VKontakte social network were collected and labelled. Those topics include: Aggression, Dangerous conspiracy theories, Radicalism, Gambling, Prostitution, and Sects. After that, we evaluated precision, recall, F-measure and ROC-AUC metrics for classifiers trained on random subsamples of different sizes and different topics. Those metrics were evaluated for both one-model and two-model implementations of the approach, while the following classifiers were used: linear support vector machine, passive–aggressive classifier, multilayer perceptron. Moreover, the advantages and disadvantages of the approach, as well as future work directions, were indicated.