Article

Securing the Industrial Internet of Things against ransomware attacks: A comprehensive analysis of the emerging threat landscape and detection mechanisms


Abstract

Due to the complexity and diversity of Industrial Internet of Things (IIoT) systems, which include heterogeneous devices, legacy and new connectivity protocols and systems, and distributed networks, sophisticated attacks like ransomware will likely target these systems in the near future. Researchers have focused on studying and addressing ransomware attacks against various platforms in recent years. However, to the best of our knowledge, no existing study investigates the new trends of ransomware tactics and techniques and provides a comprehensive analysis of ransomware attacks and their detection techniques for IIoT systems. Therefore, this paper investigates this attack and its associated detection techniques in IIoT systems in various aspects, including recent ransomware tactics, types, infected operating systems, and platforms. Specifically, we initially discuss the evolution of the IIoT system and its common architecture. Then, we provide an in-depth examination of the development of ransomware attacks and their constituent blocks, outline recent tactics and types of ransomware, and provide an extensive overview of the latest research on detection models. We also summarize numerous significant issues that have yet to be addressed and require further research. We conclude that offensive and defensive research is urgently needed to protect IIoT against ransomware attacks.


... Extensive investigations have illustrated that machine learning and deep learning techniques have been effectively employed to detect ransomware activities, demonstrating significant improvements over traditional signature-based detection systems. Studies revealed that dynamic analysis methods, leveraging behavioral patterns and system interactions, offered promising results in identifying ransomware with high accuracy [10], [15], [16], [17]. Research on static analysis, focusing on examining the code without execution, also contributed to early detection capabilities but faced limitations due to obfuscation techniques used by malware authors [18], [19], [20], [21]. ...
... Hybrid approaches, combining both static and dynamic analysis, were identified as comprehensive solutions, enhancing detection rates and reducing false positives [17], [22], [23]. The application of anomaly detection models based on system call sequences and network traffic analysis emerged as a crucial method for identifying suspicious activities indicative of ransomware [20], [15], [24], [25]. Furthermore, sandboxing environments were extensively studied for their effectiveness in isolating and analyzing ransomware behavior, although their evasion by advanced ransomware poses significant challenges [26], [27]. ...
... The literature consistently documents the rapid evolution of ransomware, with variations becoming increasingly sophisticated in terms of evasion, encryption, and attack vectors [16], [15]. Analysis of ransomware campaigns revealed a shift towards targeting specific industries and organizations, indicating a move from opportunistic to strategic attacks [46], [47]. ...
Preprint
This study introduces an innovative approach to ransomware detection on Windows operating systems by leveraging Generative Adversarial Networks (GANs) to analyze file system I/O Request Packet (IRP) operations. The proposed method demonstrates a significant improvement in identifying ransomware activities through the dynamic monitoring of IRP operations, distinguishing between benign and malicious behaviors with high accuracy. The research highlights the application of GANs as a powerful tool in cybersecurity, capable of adapting to evolving ransomware tactics without the need for predefined threat signatures. Through rigorous testing, the model showcased notable advancements over traditional detection methods, indicating its potential to enhance real-world cybersecurity defenses. The findings suggest a shift towards more adaptive, machine learning-based solutions for combating the increasing complexity of cyber threats.
... The use of 6G networks to improve M2M communication in Industry 4.0 is associated with certain limitations and challenges, which are presented in Table 5. Table 5. Limitations of 6G in M2M communication [22][23][24][25][26][27][28][29][30][31][32][33]. ...
... • Real-world implementation studies and use cases: Conduct empirical research and field trials to evaluate the performance, reliability, and scalability of 6G M2M communications in real-world industrial environments, identifying practical challenges and opportunities for optimization and improvement. • Human-machine interaction and collaboration: Explore the role of 6G in enabling advanced human-machine interaction and collaboration paradigms, such as augmented reality (AR), VR, and teleoperation, to enhance productivity, safety, and efficiency in workflow within Industry 4.0 [29][30][31][32][33][34][35][36][37][38][39][40]. ...
Article
The sixth generation of mobile networks (6G) has the potential to revolutionize the way we communicate, interact, and use information for machine-to-machine (M2M) communication in Industry 4.0 and Industry 5.0, while also improving coverage in places that were previously considered difficult to access and/or digitally excluded, and supporting more devices and users. The 6G network will have an impact through a combination of many technologies: the Internet of Things (IoT), artificial intelligence/machine learning, virtual and augmented reality, cloud computing, and cyber security. New solutions and architectures and concepts for their use need to be developed to take full advantage of this. This article provides an overview of the challenges in this area and the proposed solutions, taking into account the disruptive technologies that are yet to be developed.
... Vulnerabilities such as unpatched software, default credentials, and insecure communication protocols make IoT devices prime targets for ransomware actors. The encryption of data and disruption of operations can have severe consequences for organizations relying on IoT technologies [20]. • Ransomware Recovery Strategies for IoT Environments: ...
Article
This paper explores the criticality of cybersecurity measures within the realms of IoT and IT systems, emphasizing the integration of resilient architectures to combat the sophisticated array of cyber threats that jeopardize the integrity, confidentiality, and availability of information. It dissects the vulnerabilities inherent in contemporary IoT and IT ecosystems, proposing a layered security approach that marries state-of-the-art encryption, anomaly detection, and security-by-design principles. This research underscores the importance of adaptability, proactive defense mechanisms, and the implementation of comprehensive security policies tailored to the unique challenges posed by the IoT landscape. The findings aim to guide stakeholders in fortifying their networks against escalating cyber threats, ensuring the sustainable and secure expansion of IoT technologies across critical infrastructures.
... Ransomware has evolved from simple malware that locked screens to sophisticated software that encrypts files, exfiltrates data, and threatens public exposure to coerce victims into paying ransoms [14]. Initially targeting individual computers, ransomware attacks have grown in complexity, targeting entire networks and critical infrastructure with tailored approaches [15,16]. Early incidents like the 1989 AIDS Trojan, considered one of the first ransomware attacks, pale in comparison to recent, highly coordinated attacks like WannaCry and NotPetya, which have demonstrated the potential for massive disruption [17,18,19]. ...
... The integration of cloud-based solutions offered real-time data analysis and threat intelligence sharing, yet dependence on internet connectivity and concerns over data sovereignty were noted as drawbacks [4]. Sandbox environments were utilized to safely execute and analyze ransomware, though sophisticated variants capable of detecting and evading these environments were quickly developed [34,35]. Collectively, these viewpoints underscore the dynamic nature of ransomware detection and prevention, highlighting the ongoing arms race between cybersecurity professionals and cybercriminals. ...
Preprint
Ransomware has emerged as a pervasive threat in the cybersecurity landscape, characterized by its ability to encrypt critical data and demand ransom for its release. Traditional cybersecurity defenses often fall short against sophisticated ransomware attacks due to their reliance on signature-based detection mechanisms and inadequate preventive measures. This paper introduces RanAway, an innovative solution designed to enhance ransomware resilience by leveraging the advanced features of the Microsoft Resilient File System (ReFS). Unlike conventional file systems, ReFS offers enhanced data integrity, automatic error correction, and robust resistance to data degradation—features that are crucial for mitigating the impact of ransomware attacks. RanAway integrates with ReFS to provide real-time monitoring of file system operations, employing heuristic and behavior-based algorithms to detect and prevent ransomware activities effectively. Our findings demonstrate RanAway's significant potential in reducing the risk of ransomware attacks, highlighting its contributions to the field of cybersecurity through innovative use of file system technologies for threat resilience. The deployment of RanAway represents a paradigm shift towards a more integrated and system-level approach in combating ransomware, offering a blueprint for future developments in cybersecurity defenses.
Article
The TCP/IP protocol suite, a cornerstone of modern networking, faces escalating threats from evolving attack vectors targeting its headers. This survey explores emerging trends in TCP/IP header attacks, assessing their potential impact and outlining future directions for defense strategies. By scrutinizing recent research and real-world incidents, the paper aims to offer insights into the evolving threat landscape and provide recommendations for enhancing network security. Key areas of investigation include the historical evolution of TCP/IP header vulnerabilities, the adaptation of attackers' techniques over time, and the development of novel defense mechanisms to counteract these threats. The survey underscores the critical importance of understanding TCP/IP header attacks in contemporary cybersecurity and highlights the necessity for proactive measures to safeguard network infrastructures. By addressing the challenges posed by evolving TCP/IP header attacks and identifying areas for further research and development, this survey contributes to the ongoing efforts to strengthen network defenses and mitigate the risks associated with cyber threats targeting TCP/IP protocols.
Chapter
The exponential growth of digital connectivity in the logistics landscape has heightened the significance of cybersecurity. This chapter delves into the intricate fabric of securing supply chains against evolving cyber threats, aiming to equip logistics professionals with actionable strategies for resilience. Beginning with analysing the prevailing cyber threat landscape, it illuminates common vulnerabilities and highlights recent impactful attacks targeting supply chains. Understanding the nexus between cybersecurity and logistics resilience becomes pivotal, emphasizing the need for continuous operations amidst adversities. To fortify this resilience, the chapter meticulously navigates through risk assessment methodologies, mitigation strategies, and the imperative role of supply chain visibility. It elaborates on vendor and partner management protocols, advocating for stringent cybersecurity considerations within contractual agreements. Moreover, it outlines robust incident response plans and recovery strategies essential for mitigating cyber incidents' ramifications.
Conference Paper
Ransomware on vehicles has the potential to become a real threat to vehicles for the same reason that it has become a significant and persistent menace to IT infrastructure in institutions and businesses: there is a compelling business model behind it. Victims of ransomware on vehicles will also have compelling reasons to pay the ransom demanded to regain access to their vehicles, or to restore their vehicles to a properly functioning state. We assume this would be particularly relevant for commercial vehicles, public vehicles, and for large vehicle fleet owners, since they often serve critical and urgent tasks with high damage potentials and since they have the financial power to pay even high ransoms. With this article, we will explain how ransomware might be used to attack vehicles and extort drivers and vehicle owners. We will demonstrate that vehicle ransomware can be readily created and deployed, showing that the threat of ransomware on vehicles is real and present. In fact, we believe that with the growth and importance of interconnected information technology in vehicles together with its continuous standardization, the security threat through ransomware will become even larger. Hence, we will also give several practical recommendations for preparing ahead against the ransomware threat with holistic multilayered protections, but also for extending vehicles and vehicle organizations with the ability to react to potential ransomware attacks with updated defenses and responses.
Article
A variety of data-based services such as cloud services and big data-based services have emerged in recent times. These services store data and derive the value of the data. The reliability and integrity of the data must be ensured. Unfortunately, attackers have taken valuable data as hostage for money in attacks called ransomware. It is difficult to recover original data from files in systems infected by ransomware because they are encrypted and cannot be accessed without keys. There are cloud services to backup data; however, encrypted files are synchronized with the cloud service. Therefore, the original file cannot be restored even from the cloud when the victim systems are infected. Therefore, in this paper, we propose a method to effectively detect ransomware for cloud services. The proposed method detects infected files by estimating the entropy to synchronize files based on uniformity, one of the characteristics of encrypted files. For the experiment, files containing sensitive user information and system files for system operation were selected. In this study, we detected 100% of the infected files in all file formats, with no false positives or false negatives. We demonstrate that our proposed ransomware detection method was very effective compared to other existing methods. Based on the results of this paper, we expect that this detection method will not synchronize with a cloud server by detecting infected files even if the victim systems are infected with ransomware. In addition, we expect to restore the original files by backing up the files stored on the cloud server.
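The uniformity-based check the abstract above describes, as an added example (not the paper's own code): it scores a file's byte distribution with Shannon entropy and a chi-square statistic and withholds suspected ciphertext from cloud synchronization. The 7.5 bits-per-byte threshold, the magic-byte allowlist for compressed formats, and the sample files are assumptions constructed for this example.

```python
import gzip
import hashlib
import math
from collections import Counter

# Bits per byte above which a file is treated as ciphertext. Assumed value for
# this example; the paper's own threshold is not given on this page.
ENTROPY_THRESHOLD = 7.5

# Magic prefixes of formats that are legitimately high-entropy (compressed).
# Such files would otherwise be false positives of a plain entropy test.
KNOWN_COMPRESSED_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpeg",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, at most 8.0)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniformity(data: bytes) -> float:
    """Chi-square statistic against a uniform byte distribution (255 degrees of
    freedom). Ciphertext scores near 255; natural text scores far higher."""
    n = len(data)
    if n == 0:
        return float("inf")
    expected = n / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def known_compressed_format(data: bytes):
    """Return the format name if the file starts with a known compressed-format magic."""
    for magic, name in KNOWN_COMPRESSED_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def classify_file(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> str:
    """'sync' if the file may go to the cloud, 'quarantine' if it looks encrypted."""
    if known_compressed_format(data) is not None:
        # Entropy is uninformative here; a real gate would parse the container
        # (e.g. check that the archive decompresses) before trusting the magic.
        return "sync"
    if shannon_entropy(data) >= threshold:
        return "quarantine"
    return "sync"


# --- constructed sample inputs (not from the paper) ---
# Plaintext document: repetitive English, entropy around 4 bits per byte.
SAMPLE_TEXT = (b"Quarterly report: revenue grew while costs stayed flat. "
               b"Action items are listed in the appendix.\n") * 20
# Stand-in for ransomware output: a SHA-256 counter stream has the near-uniform
# byte distribution of real ciphertext and is deterministic for testing.
SAMPLE_CIPHERTEXT = b"".join(
    hashlib.sha256(b"constructed-seed-%d" % i).digest() for i in range(512))
# Legitimate compressed file that a naive entropy test could flag.
SAMPLE_GZIP = gzip.compress(SAMPLE_TEXT)


def evaluate_samples() -> dict:
    """Run the sync gate over the constructed samples."""
    return {
        "report.txt": classify_file(SAMPLE_TEXT),
        "report.txt.locked": classify_file(SAMPLE_CIPHERTEXT),
        "report.txt.gz": classify_file(SAMPLE_GZIP),
    }


if __name__ == "__main__":
    for name, data in (("report.txt", SAMPLE_TEXT),
                       ("report.txt.locked", SAMPLE_CIPHERTEXT),
                       ("report.txt.gz", SAMPLE_GZIP)):
        print(f"{name:20s} entropy={shannon_entropy(data):.3f} "
              f"chi2={chi_square_uniformity(data):9.1f} -> {classify_file(data)}")
```

Compressed and already-encrypted formats (archives, images, encrypted databases) are the main source of false positives for this kind of gate, so the magic-byte allowlist should be paired with a per-file baseline rather than used alone.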
Article
The increase of cybersecurity threats poses a significant risk to the healthcare industry, specifically, healthcare organizations, pharmaceutical companies, and clinics. The increase in the development of smart medical equipment and mobile devices has made the healthcare industry increasingly vulnerable to ransomware, one of the most dangerous types of adaptable malware, intended to prevent entry to the system of an entity or establishment. These cybersecurity breaches consist of illegally obtaining healthcare data and ransomware events involving healthcare organizations. The healthcare industry has taken advantage of the rise of the digital revolution, resulting in unparalleled volumes of data. The healthcare industry is one of the most vital in the world, and thus, CEOs of healthcare organizations should adhere to proposed best practices to establish a strong cyberhygiene that facilitates the efficient distribution of confidential information in the face of these threats. This systematic review of the literature explores how healthcare organizations in the United States protect themselves from cyber-attack. EBook Collection (EBSCO), Google Scholar, MEDLINE, PsycINFO, PubMed, SocINDEX with Full Text, and ScienceDirect databases were sourced to answer this question. Identified themes include employee training, the need for a response plan, and strong data infrastructure.
Conference Paper
Traditionally, data centers have been the preferred target for ransomware attacks. However, the increasing number of IoT (Internet-of-Things) devices managing valuable data is attracting the attention of cybercriminals and ransomware towards resource-constrained devices. So far, literature has demonstrated the suitability of monitoring the behavior of devices to detect some malware infections. However, most of these existing solutions have been designed and validated in Windows-based systems without computational restrictions. Thus, this work presents a lightweight policy-based framework that uses behavioral fingerprinting to detect anomalies and classify ransomware affecting resource-constrained and Linux-based sensors. The framework detection capabilities have been validated in a resource-constrained spectrum sensor belonging to ElectroSense, a real crowdsensing platform. In particular, three policies, created as a proof-of-concept, resulted in promising findings in terms of detection performance and time, when identifying anomalies by classifying two recent ransomware samples affecting a Raspberry Pi acting as sensor.
Article
In recent years, ransomware has been one of the most notorious malware targeting end-users, governments, and business organizations. It has become a very profitable business for cybercriminals with revenues of millions of dollars, and a very serious threat to organizations with financial loss of billions of dollars. Numerous studies were proposed to address the ransomware threat, including surveys that cover certain aspects of ransomware research. However, no study exists in the literature that gives the complete picture on ransomware and ransomware defense research with respect to the diversity of targeted platforms. Since ransomware is already prevalent in PCs/workstations/desktops/laptops, is becoming more prevalent in mobile devices, and has already hit IoT/CPS recently, and will likely grow further in the IoT/CPS domain very soon, understanding ransomware and analyzing defense mechanisms with respect to target platforms is becoming more imperative. In order to fill this gap and motivate further research, in this paper, we present a comprehensive survey on ransomware and ransomware defense research with respect to PCs/workstations, mobile devices, and IoT/CPS platforms. Specifically, covering 137 studies over the period of 1990-2020, we give a detailed overview of ransomware evolution, comprehensively analyze the key building blocks of ransomware, present a taxonomy of notable ransomware families, and provide an extensive overview of ransomware defense research (i.e., analysis, detection, and recovery) with respect to platforms of PCs/workstations, mobile devices, and IoT/CPS. Moreover, we derive an extensive list of open issues for future ransomware research. We believe this survey will motivate further research by giving a complete picture on state-of-the-art ransomware research.
Article
Smart vehicles-enabled intelligent transportation system (ITS) supports a wide range of applications, such as, but not limited to, traffic planning and management, collision avoidance alert system, automated road speed enforcement, electronic toll collection, and real-time parking management, to name a few. However, it suffers from various types of security and privacy issues due to insecure communication among the entities over public channels. Therefore, an efficient and lightweight security mechanism is essential to protect the data that is both at rest as well as in transit. To this direction, we propose a public blockchain-envisioned secure communication framework for ITS (PBSCF-ITS). The proposed PBSCF-ITS guarantees access control and key management among the vehicle to vehicle, vehicle to roadside unit, and roadside unit to cloud server. We analyze the security of PBSCF-ITS to prove its resilience against various types of possible attacks. Furthermore, the performance of PBSCF-ITS with other related competing schemes has been compared. The obtained results illustrate that PBSCF-ITS outperforms the existing ones. Additionally, the pragmatic study of PBSCF-ITS is conducted to check its influence on various network-related performance parameters, like the number of mined blocks and transactions per block.
Article
The industrial control systems (ICSs) that manage our critical infrastructure are increasingly converging with corporate networks and the Internet as technology and businesses prioritize digital connectivity. These connections make them more vulnerable and available to malicious cyber actors who traditionally targeted the companies’ more public-facing information technology (IT) networks. This paper will review select publicly reported cyber incidents to highlight the continued and growing threat to ICS devices and operational technology (OT) environments. It will summarize each incident and, when available, provide information on the cyber actors, the vulnerabilities they exploited, and any publications the U.S. Government (USG) provided in response. Data belonging to the Department of Homeland Security (DHS) will be used to highlight quantitative trends concerning ICS incidents. This paper builds on “History of Industrial Control System Cyber Incidents” (Hemsley & Fisher 2018), a paper that highlighted select noteworthy threats and incidents to ICS systems up to 2017. This paper will similarly review select incidents occurring after the last previously reviewed incident, Triton/HatMan, December 2017, and will note ICS incident trends including IT/OT convergence and advances in cyber-threat actors’ capabilities observed in the examined incidents.
Article
The development of cryptocurrency has led to an increase in a type of malware called ransomware. Ransomware is a family of malware that uses malicious techniques to prevent users from accessing their systems or data. Ransomware threatens all industries, from health and hospitals to banks, training centers, and manufacturers of goods. Therefore, early ransomware detection is critical. Most researchers try to identify ransomware by examining the behavior of the software at runtime. Therefore, these approaches are costly and require resources to run every software. In this paper, ransomware detection is conducted without running the software and without any special pre-processing, only using the headers of the executable file. In the proposed approach, a graph is created using the headers of executable files (specifically portable executable files) and then the graph is mapped in an eigenspace using the “Power Iteration” method. This mapping converts an executable file to a feature vector, which is eventually used to train a Random Forest classifier. Acceptable computational complexity in large datasets compared to previous methods and high detection rates are the main advantages of the proposed method.
Article
Ransomware is an ill-famed malware that has received recognition because of its lethal and irrevocable effects on its victims. The irreparable loss caused due to ransomware requires the timely detection of these attacks. Several studies including surveys and reviews are conducted on the evolution, taxonomy, trends, threats, and countermeasures of ransomware. Some of these studies were specifically dedicated to IoT and android platforms. However, there is not a single study in the available literature that addresses the significance of dynamic analysis for the ransomware detection studies for all the targeted platforms. This study also provides the information about the datasets collection from its sources, which were utilized in the ransomware detection studies of the diverse platforms. This study is also distinct in terms of providing a survey about the ransomware detection studies utilizing machine learning, deep learning, and blend of both techniques while capitalizing on the advantages of dynamic analysis for the ransomware detection. The presented work considers the ransomware detection studies conducted from 2019 to 2021. This study provides an ample list of future directions which will pave the way for future research.
Article
Ransomware attacks have emerged as a major cyber-security threat wherein user data is encrypted upon system infection. The latest Ransomware strains, using advanced obfuscation techniques along with offline C2 Server capabilities, are hitting individual users and big corporations alike. This problem has caused business disruption and, of course, financial loss. Since there is no such consolidated framework that can classify, detect and mitigate Ransomware attacks in one go, we are motivated to present Detection Avoidance Mitigation (DAM), a theoretical framework to review and classify techniques, tools, and strategies to detect, avoid and mitigate Ransomware. We have thoroughly investigated different scenarios and compared the already existing state-of-the-art review research against ours. The case study of the infamous Djvu Ransomware is incorporated to illustrate the modus operandi of the latest Ransomware strains, including some suggestions to contain its spread.
Article
Industrial Internet of Things (IIoT) systems are considered attractive ransomware targets because they operate critical services that affect human lives and have substantial operational costs. The major concern is with brownfield IIoT systems since they have legacy edge systems that are not fully prepared to integrate with IoT technologies. Various existing security solutions can detect and mitigate such attacks but are often ineffective due to the heterogeneous and distributed nature of the IIoT systems and their interoperability demands. Consequently, developing new detection solutions is essential. Therefore, this paper proposes a novel targeted ransomware detection model tailored for IIoT edge systems. It uses Asynchronous Peer-to-Peer Federated Learning (AP2PFL) and Deep Learning (DL) techniques as a targeted ransomware detection algorithm. The proposed model consists of two modules: 1) the Data Purifying Module (DPM) aims to refine and reconstruct a valuable and robust representation of data based on a Contractive Denoising Auto-Encoder (CDAE), and 2) the Diagnostic and Decision Module (DDM) is used to identify targeted ransomware and its stages based on a Deep Neural Network (DNN) and Batch Normalization (BN). The main strengths of this proposed model include: 1) each edge gateway’s modules work cooperatively with its neighbors in an asynchronous manner and without a third party, 2) it deals with both homogeneous and heterogeneous data, and 3) it is robust against evasion attacks. An exhaustive set of experiments on three datasets proves the high effectiveness of the proposed model in detecting targeted ransomware (known and unknown attacks) in brownfield IIoT and its superiority over the state-of-the-art models.
Article
The world is transitioning from the conventional grid to the smart grid at a rapid pace. Innovation always comes with some flaws; such is the case with a smart grid. One of the major challenges in the smart grid is to protect it from potential cyberattacks. There are millions of sensors continuously sending and receiving data packets over the network, so managing such a gigantic network is the biggest challenge. Any cyberattack can damage the key elements, confidentiality, integrity, and availability of the smart grid. The overall smart grid network is comprised of customers accessing the network, communication network of the smart devices and sensors, and the people managing the network (decision makers); all three of these levels are vulnerable to cyberattacks. In this survey, we explore various threats and vulnerabilities that can affect the key elements of cybersecurity in the smart grid network and then present the security measures to avert those threats and vulnerabilities at three different levels. In addition to that, we suggest techniques to minimize the chances of cyberattack at all three levels.
Article
Human-to-machine (H2M) communication is an important evolution in the industrial internet of health things (IIoHT), where many H2M interfaces are remotely interacting with industrial and medical assets. Lightweight protocols, such as the constrained application protocol (CoAP), have been widely utilised in transferring sensing data of medical devices to end-users in smart satellite-based healthcare IIoT networks (SmartSat-IIoHT). However, such protocols are extensively deployed without appropriate security configurations, making it easier for attackers to abuse these protocols to launch advanced cyber threats. This paper, therefore, presents a new threat intelligence framework to examine and model attacks on the CoAP protocol in these systems. We present ransom denial of service (RDoS) as a new threat that would exploit this protocol’s vulnerabilities. We propose many RDoS attack techniques to understand the attack indicators and analyse their behaviour on systems. Moreover, we present a real-time discovery of attacks’ network behaviours using deep learning. The experiment results demonstrate that this proposed discovery model obtains a better performance in revealing RDoS than other conventional machine learning algorithms and accomplishes high fidelity in protecting SmartSat-IIoHT networks.
Article
Although ransomware has been around since the early days of personal computers, its sophistication and aggression have increased substantially over the years. Ransomware, as a type of malware to extort ransom payments from victims, has evolved to deliver payloads in different attack vectors and on multiple platforms, and creating repeated disruptions and financial loss to many victims. Many studies have performed ransomware analysis and/or presented detection, defense or prevention techniques for ransomware. However, because the ransomware landscape has evolved aggressively, many of those studies have become less relevant or even outdated. Previous surveys on anti-ransomware studies have compared the methods and results of the studies they surveyed, but none of those surveys has attempted to critique on the internal or external validity of those studies. In this survey, we first examined the up-to-date concept of ransomware, and listed the inadequacies in current ransomware research. We then proposed a set of unified metrics to evaluate published studies on ransomware mitigation, and applied the metrics to 118 such studies to comprehensively compare and contrast their pros and cons, with the attempt to evaluate their relative strengths and weaknesses. Finally, we forecast the future trends of ransomware evolution, and proposed future research directions.
Conference Paper
Healthcare is one of the sectors most vulnerable to cyber-attacks. As it continues to expand exponentially and moves to digitally-enabled healthcare services, cyber-criminals are trying to take advantage of the weaknesses and security vulnerabilities correlated with these shifts. As a result of technical developments, a multitude of highly powerful risks, such as ransomware, face the healthcare sector. Ransomware is a cyber-attack targeting companies and household users and has increased lately due to its productive results. Its conflicts have increased significantly over the last few years. The study presents an exhaustive survey of ransomware attacks and fixes for these attacks. The main aim of this study is to classify the solution strategies for ransomware attacks in healthcare that are used to prevent ransomware, such as blockchain technology, software-defined network technology, machine learning, and other tools, as well as to highlight many issues faced by researchers during the process of discovering a way to solve ransomware attacks in healthcare systems. In addition, the study will provide scientific benefits to researchers in the field of information security, health institutions, and security companies.
Article
Industrial Internet of Things (IIoTs) are high-value cyber targets due to the nature of the devices and connectivity protocols they deploy. They are easy to compromise and, as they are connected on a large scale with high-value data content, the compromise of any single device can extend to the whole system and disrupt critical functions. There are various security solutions that detect and mitigate intrusions. However, as they lack the capability to deal with an IIoT’s co-existing heterogeneity and interoperability, developing new universal security solutions to fit its requirements is critical. This is challenging due to the scarcity of accurate data about IIoT systems’ activities, connectivities and attack behaviors. In addition, owing to their multi-platform connectivity protocols and multi-vendor devices, collecting and creating such data is also challenging. To tackle these issues, we propose a holistic approach for generating an appropriate intrusion dataset for an IIoT called X-IIoTID, a connectivity- and device-agnostic intrusion dataset for fitting the heterogeneity and interoperability of IIoT systems. It includes the behaviors of new IIoT connectivity protocols, activities of recent devices, diverse attack types and scenarios, and various attack protocols. It defines an attack taxonomy and consists of multi-view features, such as network traffic, host resources, logs and alerts. X-IIoTID is evaluated using popular machine and deep learning algorithms and compared with eighteen intrusion datasets to verify its novelty.
Article
Background: Data breaches are an inevitable risk to hospitals operating with information technology. The financial costs associated with data breaches are also growing. The costs associated with a data breach may divert resources away from patient care, thus negatively affecting hospital productivity.
Objective: After a data breach, the resulting regulatory enforcement and remediation are a shock to a hospital’s patient care delivery. Exploiting this shock, this study aimed to investigate the association between hospital data breaches and productivity by using a generalized difference-in-differences model with multiple prebreach and postbreach periods.
Methods: The study analyzed the hospital financial data of the California Office of Statewide Health Planning and Development from 2012 to 2016. The study sample was an unbalanced panel of hospitals with 2610 unique hospital-year observations, including general acute care hospitals. California hospital data were merged with breach data published by the US Department of Health and Human Services. The dependent variable was hospital productivity measured as value added. The difference-in-differences model was estimated using fixed effects regression.
Results: Hospital productivity did not significantly differ from the baseline for 3 years after a breach. Data breaches were not significantly associated with a reduction in hospital productivity. Before a breach, the productivity of hospitals that experienced a data breach maintained a parallel trend with control hospitals.
Conclusions: Hospital productivity was resilient against the shocks from a data breach. Nonetheless, data breaches continue to threaten hospitals; therefore, health care workers should be trained in cybersecurity to mitigate disruptions.
Article
The threat from ransomware continues to grow both in the number of affected victims and in the cost incurred by the people and organisations impacted by a successful attack. In the majority of cases, once a victim has been attacked there remain only two courses of action open to them: either pay the ransom or lose their data. One common behaviour shared between all crypto ransomware strains is that at some point during their execution they will attempt to encrypt the users’ files. This paper demonstrates a technique that can identify when these encrypted files are being generated and is independent of the strain of the ransomware. An enhanced mixed file ransomware data set of more than 130,000 files was developed based on the govdocs1 (Garfinkel, 2020) corpus. This data set was enriched to contain examples of files that reflect the more modern Microsoft file formats, as well as examples of high entropy file formats such as compressed files and archives. The data set also contained eight different sets of files that were generated as the result of different real-world high profile ransomware attacks such as WannaCry, Ryuk, Phobos, Sodinokibi and NetWalker. Previous research (Penrose et al., 2013; Zhao et al., 2011) has highlighted the difficulty in differentiating between compressed and encrypted files using Shannon entropy, as both file types exhibit similar values. One of the experiments described in this paper shows a unique characteristic of the Shannon entropy of encrypted file header fragments. This characteristic was used to differentiate between encrypted files and other high entropy files such as archives. This discovery was leveraged in the development of a file classification model that used the differential area between the entropy curve of a file under analysis and one generated from random data.
When comparing the entropy plot values of a file under analysis against one generated by a file containing purely random numbers, the greater the correlation of the plots is, the higher the confidence that the file under analysis contains encrypted data. The experiments demonstrate a high degree of confidence in the accuracy of the model achieving a success rate of more than 99.96% when examining only the first 192 bytes of a file, using a mixed data set of more than 80,000 files. This technique successfully addresses the problem of using file entropy to differentiate compressed and archived files from files encrypted by ransomware in a timely manner.
Research
Industrial IoT (IIoT) is a novel concept of a fully connected, transparent, automated, and intelligent factory setup improving manufacturing processes and efficiency. To achieve this, existing hierarchical models must transition to a fully connected vertical model. Since IIoT is a novel approach, the environment is susceptible to cyber threat vectors, standardization, and interoperability issues, bridging the gaps at the IT/OT ICS (industrial control systems) level. IIoT M2M communication relies on new communication models (5G, TSN Ethernet, self-driving networks, etc.) and technologies which require challenging approaches to achieve the desired levels of data security. Currently, there are no methods to assess the vulnerabilities/risk impact which may be exploited by malicious actors through system gaps left due to improper implementation of security standards. The authors are currently working on an Industry 4.0 cybersecurity project and the insights provided in this paper are derived from the project. This research enables an understanding of converged/hybrid cybersecurity standards, reviews the best practices, and provides a roadmap for identifying, aligning, mapping, converging, and implementing the right cybersecurity standards and strategies for securing M2M communications in the IIoT.
Article
The rapid convergence of legacy industrial infrastructures with intelligent networking and computing technologies (e.g., 5G, software-defined networking, and artificial intelligence) has dramatically increased the attack surface of industrial cyber-physical systems (CPSs). However, withstanding cyber threats to such large-scale, complex, and heterogeneous industrial CPSs has been extremely challenging, due to the insufficiency of high-quality attack examples. In this article, we propose a novel federated deep learning scheme, named DeepFed, to detect cyber threats against industrial CPSs. Specifically, we first design a new deep learning-based intrusion detection model for industrial CPSs, by making use of a convolutional neural network and a gated recurrent unit. Second, we develop a federated learning framework, allowing multiple industrial CPSs to collectively build a comprehensive intrusion detection model in a privacy-preserving way. Further, a Paillier cryptosystem-based secure communication protocol is crafted to preserve the security and privacy of model parameters throughout the training process. Extensive experiments on a real industrial CPS dataset demonstrate the high effectiveness of the proposed DeepFed scheme in detecting various types of cyber threats to industrial CPSs and its superiority over state-of-the-art schemes. Index Terms: Data privacy, deep learning, federated learning, industrial cyber-physical system (CPS), intrusion detection.
Article
In recent years, ransomware has been a critical threat that attacks smartphones. Ransomware is a kind of malware that blocks the mobile’s system and prevents the user of the infected device from accessing their data until a ransom is paid. Worldwide, ransomware attacks have led to serious losses for individuals and stakeholders. However, the dramatic increase in ransomware families makes the process of identifying them more challenging due to their continuously evolving characteristics. Traditional malware detection methods (e.g., statistical-based prevention methods) fail to combat evolving ransomware since they result in a high percentage of false positives. Indeed, developing a non-classical, intelligent technique for safeguarding against ransomware is of significant importance. This paper introduces a new methodology for the detection of ransomware that depends on an evolutionary-based machine learning approach. The binary particle swarm optimization algorithm is utilized for tuning the hyperparameters of the classification algorithm, as well as for performing feature selection. The support vector machines (SVM) algorithm is used alongside the synthetic minority oversampling technique (SMOTE) for classification. The utilized dataset is collected from various sources and consists of 10,153 Android applications, of which 500 are ransomware. The performance of the proposed approach, SMOTE-tBPSO-SVM, achieved merits over traditional machine learning algorithms by having the highest scores in terms of sensitivity, specificity, and g-mean.
Article
A crypto-ransomware encrypts the victim’s files. Afterward, the crypto-ransomware requests a ransom from victims for the password to the encrypted files. In this paper, we present a novel approach to prevent crypto-ransomware by detecting block cipher algorithms for Internet of Things (IoT) platforms. We extract the sequence and frequency characteristics from the opcodes of binary files for the 8-bit Alf and Vegard’s RISC (AVR) processor microcontroller. In other words, the late fusion method is used to extract two features from one source of data, learn through each network, and integrate them. We classify crypto-ransomware or harmless software through the proposed method. The general software from AVR packages and block cipher implementations written in C from a lightweight block cipher library (i.e., Fair Evaluation of Lightweight Cryptographic Systems (FELICS)) are trained through the deep learning network and evaluated. The general software and block cipher algorithms are successfully classified by training on functions in binary files. Furthermore, we detect binary code that encrypts a file using block ciphers. The detection rate is evaluated in terms of F-measure, which is the harmonic mean of precision and recall. The proposed method not only achieved a 97% detection success rate for crypto-ransomware but also achieved an 80% success rate in classification for each lightweight cryptographic algorithm and benign firmware. In addition, the success rate in classification for the Substitution-Permutation-Network (SPN) structure, the Addition-Rotation-eXclusive-or (ARX) structure, and benign firmware is 95%.
Article
Federated Learning is a machine learning scheme in which a shared prediction model can be collaboratively learned by a number of distributed nodes using their locally stored data. It can provide better data privacy because training data are not transmitted to a central server. Federated learning is well suited for edge computing applications and can leverage the computation power of edge servers and the data collected on widely dispersed edge devices. To build such an edge federated learning system, we need to tackle a number of technical challenges. In this survey, we provide a new perspective on the applications, development tools, communication efficiency, security & privacy, migration and scheduling in edge federated learning.
Article
In today's Industrial Internet of Things (IIoT) environment, where different systems interact with the physical world, the state proposed by the Industry 4.0 standards can lead to escalating vulnerabilities, especially when these systems receive data streams from multiple intermediaries, requiring multilevel security approaches in addition to link encryption. At the same time, taking into account the heterogeneity of the systems included in the IIoT ecosystem and the non-institutionalized interoperability in terms of hardware and software, serious issues arise as to how to secure these systems. In this framework, given that the protection of industrial equipment is a requirement inextricably linked to technological developments and the use of the IoT, it is important to identify the major vulnerabilities and the associated risks and threats and to suggest the most appropriate countermeasures. In this context, this study provides a description of the attacks against IIoT systems, as well as a thorough analysis of the solutions for these attacks, as they have been proposed in the most recent literature.
Chapter
The frequent use of basic statistical techniques to detect ransomware is a popular and intuitive strategy; statistical tests can be used to identify randomness, which in turn can indicate the presence of encryption and, by extension, a ransomware attack. However, common file formats such as images and compressed data can look random from the perspective of some of these tests. In this work, we investigate the current frequent use of statistical tests in the context of ransomware detection, primarily focusing on false positive rates. The main aim of our work is to show that the current over-dependence on simple statistical tests within anti-ransomware tools can cause serious issues with the reliability and consistency of ransomware detection in the form of frequent false classifications. We determined thresholds for five key statistics frequently used in detecting randomness, namely Shannon entropy, chi-square, arithmetic mean, Monte Carlo estimation for Pi and serial correlation coefficient. We obtained a large dataset of 84,327 files comprising images, compressed data and encrypted data. We then tested these thresholds (taken from a variety of previous publications in the literature where possible) against our dataset, showing that the rate of false positives is far beyond what could be considered acceptable. False positive rates were often above 50% and even above 90% on several occasions. False negative rates were also generally between 5% and 20%, numbers which are also far too high. As a direct result of these experiments, we determine that relying on these simple statistical approaches is not good enough to detect ransomware attacks consistently. We instead recommend the exploration of higher-order statistics such as skewness and kurtosis for future ransomware detection techniques.
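The five statistics named in this abstract, and the entropy comparison between compressed and encrypted data discussed in the file-entropy abstract further up, can be run over constructed samples to see the false-positive problem directly. This is an added example and not code from any of the cited papers; the thresholds, the majority-vote rule and the three samples are constructed for illustration, and uniformly random bytes stand in for ciphertext:

```python
"""Five randomness statistics commonly used by entropy-based ransomware
detectors, evaluated over constructed samples to show why high-entropy
but benign data (here, a zlib stream) produces false positives.
Added example; thresholds, samples and the voting rule are constructed."""
import math
import random
import zlib
from collections import Counter

# Constructed pass thresholds (illustrative; published thresholds vary).
ENTROPY_MIN = 7.8        # bits per byte, 8.0 is the maximum
CHI_SQUARE_MAX = 330.0   # 255 degrees of freedom, about 3 sigma above 255
MEAN_TOLERANCE = 3.0     # allowed distance from the uniform mean 127.5
PI_TOLERANCE = 0.10      # allowed distance of the Monte Carlo estimate from pi
SCC_MAX = 0.05           # allowed absolute serial correlation coefficient


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chi_square(data: bytes) -> float:
    """Chi-square of the byte histogram against a uniform distribution."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def arithmetic_mean(data: bytes) -> float:
    """Mean byte value; uniformly random data averages 127.5."""
    return sum(data) / len(data)


def monte_carlo_pi(data: bytes) -> float:
    """Use consecutive byte pairs as points in the unit square and estimate pi
    from the fraction inside the quarter circle (a simplified ent-style test)."""
    pairs = len(data) // 2
    inside = sum(1 for i in range(0, 2 * pairs, 2)
                 if (data[i] / 255) ** 2 + (data[i + 1] / 255) ** 2 <= 1.0)
    return 4.0 * inside / pairs


def serial_correlation(data: bytes) -> float:
    """Pearson correlation between each byte and the byte that follows it."""
    xs, ys = data[:-1], data[1:]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    var_x = sum((x - mx) ** 2 for x in xs)
    var_y = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(var_x * var_y) if var_x and var_y else 0.0


def randomness_tests(data: bytes) -> dict:
    """Per-statistic verdicts; True means 'indistinguishable from ciphertext'."""
    return {
        "entropy": shannon_entropy(data) >= ENTROPY_MIN,
        "chi_square": chi_square(data) <= CHI_SQUARE_MAX,
        "mean": abs(arithmetic_mean(data) - 127.5) <= MEAN_TOLERANCE,
        "monte_carlo_pi": abs(monte_carlo_pi(data) - math.pi) <= PI_TOLERANCE,
        "serial_correlation": abs(serial_correlation(data)) <= SCC_MAX,
    }


def flagged_as_encrypted(data: bytes, min_passes: int = 3) -> bool:
    """Naive detector rule (constructed): a majority of the five tests pass."""
    return sum(randomness_tests(data).values()) >= min_passes


def constructed_samples(seed: int = 1234) -> dict:
    """Constructed inputs: word-salad plain text, its zlib stream (benign but
    high entropy), and uniformly random bytes standing in for ciphertext."""
    rng = random.Random(seed)
    words = ["pump", "valve", "sensor", "relay", "motor", "boiler", "turbine",
             "pressure", "flow", "level", "setpoint", "alarm", "batch", "line",
             "plc", "hmi", "historian", "gateway", "modbus", "opcua", "mqtt",
             "coap", "telemetry", "firmware", "backup", "restore", "shift", "log"]
    text = " ".join(rng.choice(words) for _ in range(20000)).encode()
    random_bytes = bytes(rng.getrandbits(8) for _ in range(20000))
    return {"plain_text": text, "compressed": zlib.compress(text, 9),
            "random": random_bytes}


if __name__ == "__main__":
    for name, sample in constructed_samples().items():
        tests = randomness_tests(sample)
        print(f"{name:>10}: entropy={shannon_entropy(sample):.3f} "
              f"passes={sum(tests.values())}/5 "
              f"flagged={'yes' if flagged_as_encrypted(sample) else 'no'}")
```

The compressed sample is flagged just like the random one, which is the false positive the abstract measures at scale; only the plain text is rejected.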
Article
Nowadays, ransomware has become a serious threat challenging the computing world, one that requires immediate consideration to avoid financial and moral blackmail. So, there is a real need for a new method that can detect and stop this type of attack. Most of the previous detection methods followed a dynamic analysis technique, which involves a complicated process. The present study proposes a novel method based on static analysis to detect ransomware. The significant characteristic of the proposed method is dispensing with the disassembly process by directly extracting features from raw bytes with the use of frequent pattern mining, which remarkably increases the detection speed. The Gain Ratio technique was used for feature selection, which showed that 1000 features were the optimal number for the detection process. The current study involved using a random forest classifier with a comprehensive analysis of the effect of both tree and seed numbers on ransomware detection. The results showed that a tree number of 100 with a seed number of 1 achieved the best results in terms of time consumption and accuracy. The experimental evaluation revealed that the proposed method could achieve a high accuracy of 97.74% for detecting ransomware.
Conference Paper
Ransomware attacks are taking advantage of the ongoing pandemic and attacking vulnerable systems in the business, health, education, insurance, banking, and government sectors. Various approaches have been proposed to combat ransomware, but the dynamic nature of malware writers often bypasses the security checkpoints. There are commercial tools available in the market for ransomware analysis and detection, but their performance is questionable. This paper aims at proposing an AI-based ransomware detection framework and designing a detection tool (AIRaD) using a combination of both static and dynamic malware analysis techniques. Dynamic binary instrumentation is done using the PIN tool, and the function call trace is analyzed leveraging Cuckoo sandbox and Ghidra. Features extracted at DLL, function call, and assembly level are processed with NLP and association rule mining techniques and fed to different machine learning classifiers. Support vector machine and Adaboost with J48 algorithms achieved the highest accuracy of 99.54% with a 0.005 false-positive rate for a multi-level combined term frequency approach.
Article
In recent times, ransomware has become the most significant cyber-attack targeting individuals, enterprises, healthcare industries, and the Internet of Things (IoT). Existing security systems like Intrusion Detection and Prevention Systems (IDPS) and Anti-virus (AV), used as a single monitoring agent, are complicated and time-consuming, and thus fail in ransomware detection. A robust Intrusion Detection Honeypot (IDH) is proposed to address the issues mentioned above. IDH consists of i) Honeyfolder, ii) AuditWatch, and iii) Complex Event Processing (CEP). Honeyfolder is a decoy folder modeled using the Social Leopard Algorithm (SoLA), built especially to get attacked and to act as an early warning system that alerts the user during suspicious file activities. AuditWatch is an entropy module that verifies the entropy of files and folders. The CEP engine is used to aggregate data from different security systems to confirm the ransomware behavior and attack pattern, and to respond to them promptly. The proposed IDH is experimentally tested in a secured testbed using more than 20 variants of recent ransomware of all types. The experimental results confirm that the proposed IDH significantly improves the ransomware detection time, rate, and accuracy compared with existing state-of-the-art ransomware detection models.
Article
While achieving security for Industrial Internet of Things (IIoT) is a critical and non-trivial task, more attention is required for brownfield IIoT systems. This is a consequence of long life cycles of their legacy devices which were initially designed without considering security and IoT connectivity, but they are now becoming more connected and integrated with emerging IoT technologies and messaging communication protocols. Deploying today’s methodologies and solutions in brownfield IIoT systems is not viable, as security solutions must co-exist and fit these systems’ requirements. This necessitates a realistic standardized IIoT testbed that can be used as an optimal format to measure the credibility of security solutions of IIoT networks, analyze IIoT attack landscapes and extract threat intelligence. Developing a testbed for brownfield IIoT systems is considered a significant challenge as these systems are comprised of legacy, heterogeneous devices, communication layers and applications that need to be implemented holistically to achieve high fidelity. In this paper, we propose a new generic end-to-end IIoT security testbed, with a particular focus on the brownfield system and provide details of the testbed’s architectural design and the implementation process. The proposed testbed can be easily reproduced and reconfigured to support the testing activities of new processes and various security scenarios. The proposed testbed operation is demonstrated on different connected devices, communication protocols and applications. The experiments demonstrate that this testbed is effective in terms of its operation and security testing. A comparison with existing testbeds, including a table of features is provided.
Article
Driven by privacy concerns and the visions of Deep Learning, the last four years have witnessed a paradigm shift in the applicability mechanism of Machine Learning (ML). An emerging model, called Federated Learning (FL), is rising above both centralized systems and on-site analysis, to be a new fashioned design for ML implementation. It is a privacy preserving decentralized approach, which keeps raw data on devices and involves local ML training while eliminating data communication overhead. A federation of the learned and shared models is then performed on a central server to aggregate and share the built knowledge among participants. This paper starts by examining and comparing different ML-based deployment architectures, followed by in-depth and in-breadth investigation on FL. Compared to the existing reviews in the field, we provide in this survey a new classification of FL topics and research fields based on thorough analysis of the main technical challenges and current related work. In this context, we elaborate comprehensive taxonomies covering various challenging aspects, contributions and trends in the literature including core system models and designs, application areas, privacy and security and resource management. Further, we discuss important challenges and open research directions towards more robust FL systems.
Article
Today's world is highly interconnected owing to the pervasiveness of small personal devices (e.g., smartphones) as well as large computing devices or services (e.g., cloud computing or online banking), and thereby each passing minute millions of data bytes are being generated, processed, exchanged, shared, and utilized to yield outcomes in specific applications. Thus, securing the data, machines (devices), and users' privacy in cyberspace has become an utmost concern for individuals, business organizations, and national governments. In recent years, machine learning (ML) has been widely employed in cybersecurity, for example, for intrusion or malware detection and biometric-based user authentication. However, ML algorithms are vulnerable to attacks in both the training and testing phases, which usually leads to remarkable performance decreases and security breaches. Comparatively, limited studies have been conducted to understand the essence and degree of the vulnerabilities of ML techniques against security threats and their defensive mechanisms. It is imperative to systematize recent works related to cybersecurity using ML to seek the attention of researchers, scientists, and engineers. Therefore, in this paper, we provide a comprehensive survey of the works that have been carried out most recently (from 2013 to 2018) on ML in cybersecurity, describing the basics of cyber-attacks and corresponding defenses, the basics of the most commonly used ML algorithms, and proposed ML and data mining schemes for cybersecurity in terms of features, dimensionality reduction, and classification/detection techniques. In this context, this article also provides an overview of adversarial ML, including the security characteristics of deep learning methods. Finally, open issues and challenges in cybersecurity are highlighted and potential future research directions are discussed.
Conference Paper
Internet of Things (IoT) devices are used in many facets of modern life, from smart homes to smart cities, including Internet-enabled healthcare systems and industrial control systems. The prevalence and ubiquity of IoT devices makes them extremely attractive targets for malicious actors, in particular for taking control of vulnerable devices and demanding ransom from their owners. The aim of this paper is twofold: to investigate the viability of a ransomware-type attack being carried out on IoT devices; and to explore what damage can be inflicted upon devices after they have been compromised. To test whether ransomware is a viable method for attacking IoT devices, we developed our own proof of concept malware for Linux-based IoT devices dubbed "PaperW8". We looked at feasible ways of infecting IoT devices, as well as potential methods for gaining control and applying persistent changes to the target device. We successfully created a proof of concept ransomware, which we tested against six vulnerable IoT devices of various brands and functions, some of which are known to have been targeted in the past but are still widely in use today. Developing this proof of concept tool allowed us to identify the main requirements for a successful ransomware attack against IoT devices. We also determined some limitations of IoT devices that may discourage attackers from developing IoT-specific ransomware, while highlighting workarounds that more determined attackers may use to overcome these obstacles. This paper has demonstrated that IoT ransomware is a credible threat. We implemented a proof of concept tool that can compromise many IoT devices of varying types. We envisage that this work can be used to assist current and future IoT developers to improve the security of their devices, and also to help security researchers in implementing more effective ransomware countermeasures, including for IoT devices.
Article
This paper provides a comprehensive study of Federated Learning (FL) with an emphasis on enabling software and hardware platforms, protocols, real-life applications and use-cases. FL can be applicable to multiple domains but applying it to different industries has its own set of obstacles. FL is known as collaborative learning, where algorithm(s) get trained across multiple devices or servers with decentralized data samples without having to exchange the actual data. This approach is radically different from other more established techniques such as getting the data samples uploaded to servers or having data in some form of distributed infrastructure. FL on the other hand generates more robust models without sharing data, leading to privacy-preserved solutions with higher security and access privileges to data. This paper starts by providing an overview of FL. Then, it gives an overview of technical details that pertain to FL enabling technologies, protocols, and applications. Compared to other survey papers in the field, our objective is to provide a more thorough summary of the most relevant protocols, platforms, and real-life use-cases of FL to enable data scientists to build better privacy-preserving solutions for industries in critical need of FL. We also provide an overview of key challenges presented in the recent literature and provide a summary of related research work. Moreover, we explore both the challenges and advantages of FL and present detailed service use-cases to illustrate how different architectures and protocols that use FL can fit together to deliver desired results.
Article
Ransomware is malware that encrypts the victim’s data and demands a ransom for a decryption key. The increasing number of ransomware families and their variants renders the existing signature-based anti-ransomware techniques useless; thus, behavior-based detection techniques have gained popularity. A difficulty in behavior-based ransomware detection is that hundreds of thousands of system calls are obtained as analysis output, making the manual investigation and selection of ransomware-specific features infeasible. Moreover, manual investigation of the analysis output requires domain experts, who are expensive to hire and unavailable in some cases. Machine learning methods have shown success in a wide range of scientific domains in automating and addressing the problem of feature selection and extraction from noisy and high-dimensional data. However, automated feature selection is under-explored in malware detection. This study proposes an automated feature selection method that utilizes particle swarm optimization for behavior-based ransomware detection and classification. The proposed method considers the significance of various feature groups of the data in ransomware detection and classification and performs feature selection based on the groups’ significance. The experimental results show that, in most cases, the proposed method achieves comparable or significantly better performance than other state-of-the-art methods used in this study for benchmarking. In addition, this article presents an in-depth analysis of the significance of various feature groups and the features selected by the proposed method in ransomware detection and classification.
Chapter
The security of cyber-physical systems (CPSs) forms the heart of critical infrastructure, yet CPSs are often prone to cyber attacks. In the proposed work, the authors take a particular approach to CPS attack investigation wherein dark web data is considered a potential source for cyber attack investigation. The scope of the presented work is confined to offering evidence from dark web crawling that the tremor of cyber attacks on CPSs of critical infrastructure occurs on the dark web. A dark web crawling mechanism is designed to run with entered keywords and harvest the hidden services to create a word cloud visualization. The extended scope of the proposed work is to develop an analytic engine to investigate each hidden service from the pool of common harvested links to gather attack-specific insights.
Article
Many emerging communication applications transmit packets with small payloads, yet require rich metadata context for the proper functioning of the various protocol layers involved. Packet header compression becomes vital to efficiently support these emerging communication applications in resource-constrained environments, such as the Internet of Things (IoT). As a basis for the survey of existing packet header compression standards and recent packet header compression research studies, we first introduce a novel set of five principles of packet header compression, namely the principles of identification, definition, placement, compression, and control. Based on these five principles, we survey the major header compression standards, spanning from the Thinwire protocol of 1984, via Robust Header Compression (RoHC) version 1 (2001) and version 2 (2008), to Static Context Header Compression (SCHC, 2020) and QPACK, currently in draft status. We also comprehensively survey the recent header compression research studies of the past six years (2016-2021), using the five principles as a taxonomy. The survey of header compression research includes novel compression concepts and evaluations in various modern environments, such as wireless mesh networks. We conclude the survey by outlining major open packet header compression research challenges along the five principles.
Conference Paper
An integrated clinical environment (ICE) enables the connection and coordination of the internet of medical things around the care of patients in hospitals. However, ransomware attacks and their spread across hospital infrastructures, including ICE, are rising, and adversaries often target multiple hospitals with the same ransomware. These attacks can be detected with machine learning algorithms. The challenge is devising anti-ransomware learning mechanisms and services under the following conditions: (1) other hospitals gain immunity once one of them has been attacked, (2) hospitals are usually distributed over geographical locations, and (3) direct data sharing is avoided due to privacy concerns. To this end, this paper presents a federated distributed integrated clinical environment, FedDICE. FedDICE integrates federated learning (FL), a privacy-preserving form of learning, into an SDN-oriented security architecture to enable collaborative learning, detection, and mitigation of ransomware attacks. We demonstrate the value of FedDICE in a collaborative environment with up to 4 hospitals and 4 ransomware families, namely WannaCry, Petya, BadRabbit and PowerGhost. Our results show that in both IID and non-IID data setups, FedDICE matches the performance of a centralized baseline that requires direct data sharing for detection. However, as a trade-off for data privacy, FedDICE incurs overhead in anti-ransomware model training, e.g., 28× for the logistic regression model. In addition, FedDICE uses SDN’s dynamic network programmability to remove infected devices from the ICE.
Article
Ransomware is malware that represents a serious threat to a user’s information privacy. By investigating how ransomware works, we may be able to recognise its atomic behaviour and, in return, detect the ransomware at an earlier stage with better accuracy. In this paper, we propose the Control Flow Graph (CFG) as an opcode behaviour extraction technique, combined with 4-grams (sequences of 4 “words”) for extracting opcode sequences, to be incorporated into a Trojan ransomware detection method based on the K-Nearest Neighbors (K-NN) algorithm. The opcode CFG 4-gram can fully represent the detailed behavioural characteristics of Trojan ransomware. The proposed ransomware detection method considers the closest distance to a previously identified ransomware pattern. Experimental results show that the proposed technique using K-NN obtains the best accuracy of 98.86% with 1-gram opcodes and a 1-NN classifier.
Article
To maintain the availability of industrial control systems (ICS), it is important to robustly detect malware infections that spread within the ICS network. In an ICS, a host usually communicates with a fixed set of hosts; for instance, a supervisory control host routinely observes and controls the same devices over the network. Therefore, a communication request to the unused internet protocol (IP) address space, i.e., the darknet, within the ICS network is likely to be caused by malware on a compromised host in the network. That is, darknet monitoring may enable us to detect malware that tries to spread indiscriminately within the network. On the other hand, clever malware, such as malware that chooses its infection targets from host lists found on the network, infects only those listed hosts and consequently evades detection by security sensors or honeypots. In this paper, we propose novel deception techniques that lure such malware to our sensor by continuously embedding the sensor’s information in the host lists of the ICS network. In addition, the feasibility of the proposed deception techniques is shown through a simplified implementation using actual malware samples: WannaCry and Conficker.
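The darknet-monitoring idea above, as an added example that is not the paper's own code: connection attempts to addresses that lie inside the ICS range but are not in the deployed-host inventory are counted per source, and a source that repeatedly hits such addresses is reported. The subnet, the inventory, the threshold and the flow records are constructed sample data.

```python
"""Added example (not from the paper above): darknet monitoring for an ICS
subnet. Connection attempts to addresses inside the network range that are
not in the host inventory are treated as a scanning/spreading indicator.
The subnet, inventory, threshold and flow records are constructed samples."""
import ipaddress
from collections import Counter

# Constructed ICS subnet and the inventory of hosts actually deployed in it.
ICS_NETWORK = ipaddress.ip_network("10.20.0.0/24")
INVENTORY = {"10.20.0.1", "10.20.0.10", "10.20.0.11", "10.20.0.50"}

# Constructed flow records in the form "<src> -> <dst>:<port>".
SAMPLE_FLOWS = """\
10.20.0.10 -> 10.20.0.50:502
10.20.0.11 -> 10.20.0.50:502
10.20.0.10 -> 10.20.0.77:445
10.20.0.10 -> 10.20.0.78:445
10.20.0.10 -> 10.20.0.79:445
10.20.0.11 -> 10.20.0.1:102
10.20.0.10 -> 192.168.5.5:445
"""


def is_darknet(dst: str) -> bool:
    """True if dst lies in the ICS range but no deployed host owns it."""
    addr = ipaddress.ip_address(dst)
    return addr in ICS_NETWORK and dst not in INVENTORY


def darknet_hits(flows: str) -> Counter:
    """Count, per source host, connection attempts to unused addresses."""
    hits = Counter()
    for line in flows.splitlines():
        src, rest = line.split(" -> ")
        dst, _port = rest.rsplit(":", 1)
        if is_darknet(dst):
            hits[src] += 1
    return hits


def suspected_hosts(flows: str, threshold: int = 2) -> list:
    """Sources with at least `threshold` darknet hits, most active first."""
    return [src for src, n in darknet_hits(flows).most_common() if n >= threshold]


if __name__ == "__main__":
    print(darknet_hits(SAMPLE_FLOWS))      # Counter({'10.20.0.10': 3})
    print(suspected_hosts(SAMPLE_FLOWS))   # ['10.20.0.10']
```

Traffic to addresses outside the ICS range (the 192.168.5.5 line) is deliberately ignored, since the darknet signal only applies to the monitored network's own unused space.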
Chapter
Industry 4.0 will provide increased automation, self-monitoring and improved communication in most industrial sectors in the near future. This can be achieved through a variety of sensors and cloud platforms controlled through the Internet of Things (IoT). The Industry 4.0 era has given water service providers innovative solutions for distribution, monitoring, leakage detection and water metering. The existing method of managing water in municipalities requires manual attention. Further, water wastage, infrequent water cleaning and, at times, contaminated water are the main drawbacks of the conventional municipal water management system. The quality of drinking water is one of the key elements of a healthy life. Therefore, the concept of Industry 4.0 can be employed to convert manual municipal water management into an automated system. Hence, this paper surveys several research works on automated water management systems. Based on this extensive survey, we propose a Smart Municipality Water Management System (SMWMS) to ensure good public health free of water-borne diseases. SMWMS assists the municipality in water conservation and in safeguarding public health; it can be widely employed in applications such as the residential, agricultural and industrial sectors, to name a few.
Article
Ransomware remains an alarming threat in the 21st century. It has evolved from a simple scare tactic into complex malware capable of evasion. Formerly, end-users were targeted via mass infection campaigns. In recent years, however, attackers have focused on targeted attacks, since these are profitable and can cause severe damage. A vast number of detection mechanisms have been proposed in the literature. We provide a systematic review of ransomware countermeasures, from deployment on the victim machine to ransom payment via cryptocurrency. We define four stages of this malware attack: Delivery, Deployment, Destruction, and Dealing. We then assign the corresponding countermeasures to each phase of the attack and cluster them by the techniques used. Finally, we propose a roadmap for researchers to fill the gaps found in the literature on the battle against ransomware.
Article
Ransomware has established itself as one of the most critical computer threats of the past few years. As the amount of user data on portable devices has grown, ransomware has also vastly targeted smartphones. In this paper, we present RansomCare, a data-centric detection and mitigation method against smartphone crypto-ransomware. RansomCare can detect and neutralize crypto-ransomware in real time on smartphones using dynamic and lightweight static analysis. It can recover the user’s lost files while preserving data privacy, thanks to a backup taken before modification or deletion. Our solution relies mainly on the structure of the user’s data and on data entropy to detect crypto-ransomware. We assessed RansomCare on two datasets of recent smartphone crypto-ransomware and performed experiments to evaluate its detection time, accuracy, and performance overhead. We also compared our work with several state-of-the-art commercial and academic solutions. The results show that RansomCare detects crypto-ransomware on smartphones quickly, with high accuracy and zero data loss.
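A data-centric check in the spirit of the abstract above, added here as an example and not RansomCare's own code: a file write is flagged when the new content no longer carries the structure expected for its file type (the leading magic bytes) and its byte entropy approaches that of encrypted data. The signature table, the entropy threshold and the sample buffers are constructed assumptions.

```python
"""Added example (not RansomCare's code): flag a write that both breaks the
file's expected structure (magic bytes) and looks encrypted (high entropy).
The signature table, threshold and sample buffers are constructed."""
import hashlib
import math
from collections import Counter

# Leading signatures of a few common document/image/archive types.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".jpg": b"\xff\xd8\xff",
    ".zip": b"PK\x03\x04",
}
ENTROPY_THRESHOLD = 7.2   # bits per byte; assumed cut-off, plain files sit lower


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def structure_ok(name: str, data: bytes) -> bool:
    """True if data starts with the signature expected for name's extension.
    Unknown extensions carry no structural evidence and are accepted."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    sig = MAGIC.get(ext)
    return sig is None or data.startswith(sig)


def suspicious_write(name: str, new_content: bytes) -> bool:
    """Both conditions must hold: structure lost AND content looks encrypted.
    Requiring both keeps legitimately high-entropy files (e.g. a valid zip)
    from being flagged."""
    return (not structure_ok(name, new_content)
            and shannon_entropy(new_content) >= ENTROPY_THRESHOLD)


# Constructed samples: a PNG-like file and a 4096-byte pseudo-random blob
# standing in for the same file after encryption.
BENIGN_PNG = MAGIC[".png"] + b"\x00" * 2048 + b"IEND"
ENCRYPTED_BLOB = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))

if __name__ == "__main__":
    print(suspicious_write("photo.png", BENIGN_PNG))       # False
    print(suspicious_write("photo.png", ENCRYPTED_BLOB))   # True
```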
Chapter
In the previous chapters we discussed analyzing malware samples both statically and dynamically. Most of the time, the analysis techniques covered let us determine whether a sample file is malware or not. But sometimes malware may not execute in the analysis environment, owing to the various armoring mechanisms built into the sample to frustrate analysis and even detection. To defeat these armoring mechanisms, you need to understand the internals of the malware code so that you can devise ways to bypass them.
Article
Crypto-ransomware is a type of malware whose effect is irreversible even after its detection and removal. Thus, early detection is crucial to protect user files from being encrypted and held to ransom. Several studies have proposed early detection solutions based on the data acquired during the pre-encryption phase of the attacks. However, the lack of sufficient data in the early phases of the attack adversely affects the ability of feature selection techniques in these models to perceive the common characteristics of the attack features, which makes it challenging to reduce the redundant features, consequently decreasing the detection accuracy. Therefore, this study proposes a novel Redundancy Coefficient Gradual Upweighting (RCGU) technique that makes better redundancy-relevancy trade-offs during feature selection. Unlike existing feature significance estimation techniques that rely on the comparison between the candidate feature and the common characteristics of the already-selected features, RCGU compares the mutual information between the candidate feature and each feature in the selected set individually. Therefore, RCGU increases the weight of the redundancy term proportional to the number of already selected features. By integrating the RCGU into the Mutual Information Feature Selection (MIFS) technique, the Enhanced MIFS (EMIFS) was developed. Further improvement was achieved by proposing MM-EMIFS which incorporates the MaxMin approximation with EMIFS to prevent the redundancy overestimation that RCGU could cause when the number of features in the already-selected set increases. The experimental evaluation shows that the proposed techniques achieved accuracy higher than that in related works, which confirms the ability of RCGU to make better redundancy-relevancy trade-offs and select more discriminative pre-encryption attack features compared to existing solutions.