-
White paper on cybersecurity in the healthcare sector. The HEIR solution
Authors:
Konstantinos Lampropoulos,
Apostolis Zarras,
Eftychia Lakka,
Polyanthi Barmpaki,
Kostas Drakonakis,
Manos Athanatos,
Herve Debar,
Andreas Alexopoulos,
Aristeidis Sotiropoulos,
George Tsakirakis,
Nikos Dimakopoulos,
Dimitris Tsolovos,
Matthias Pocs,
Michalis Smyrlis,
Ioannis Basdekis,
Georgios Spanoudakis,
Ovidiu Mihaila,
Bogdan Prelipcean,
Eliot Salant,
Sotiris Athanassopoulos,
Petros Papachristou,
Ioannis Ladakis,
John Chang,
Evangelos Floros,
Konstantinos Smyrlis
, et al. (7 additional authors not shown)
Abstract:
The healthcare sector is increasingly vulnerable to cyberattacks due to its growing digitalization. Patient data, including medical records and financial information, are at risk, potentially leading to identity theft and patient safety concerns. The European Union and other organizations identify key areas for healthcare system improvement, yet the industry still grapples with inadequate security…
▽ More
The healthcare sector is increasingly vulnerable to cyberattacks due to its growing digitalization. Patient data, including medical records and financial information, are at risk, potentially leading to identity theft and patient safety concerns. The European Union and other organizations identify key areas for healthcare system improvement, yet the industry still grapples with inadequate security practices. In response, the HEIR project offers a comprehensive cybersecurity approach, promoting security features from various regulatory frameworks and introducing tools such as the Secure Healthcare Framework and Risk Assessment for Medical Applications (RAMA). These measures aim to enhance digital health security and protect sensitive patient data while facilitating secure data access and privacy-aware techniques. In a rapidly evolving threat landscape, HEIR presents a promising framework for healthcare cybersecurity.
△ Less
Submitted 16 October, 2023;
originally announced October 2023.
-
CVSS-BERT: Explainable Natural Language Processing to Determine the Severity of a Computer Security Vulnerability from its Description
Authors:
Mustafizur Shahid,
Hervé Debar
Abstract:
When a new computer security vulnerability is publicly disclosed, only a textual description of it is available. Cybersecurity experts later provide an analysis of the severity of the vulnerability using the Common Vulnerability Scoring System (CVSS). Specifically, the different characteristics of the vulnerability are summarized into a vector (consisting of a set of metrics), from which a severit…
▽ More
When a new computer security vulnerability is publicly disclosed, only a textual description of it is available. Cybersecurity experts later provide an analysis of the severity of the vulnerability using the Common Vulnerability Scoring System (CVSS). Specifically, the different characteristics of the vulnerability are summarized into a vector (consisting of a set of metrics), from which a severity score is computed. However, because of the high number of vulnerabilities disclosed everyday this process requires lot of manpower, and several days may pass before a vulnerability is analyzed. We propose to leverage recent advances in the field of Natural Language Processing (NLP) to determine the CVSS vector and the associated severity score of a vulnerability from its textual description in an explainable manner. To this purpose, we trained multiple BERT classifiers, one for each metric composing the CVSS vector. Experimental results show that our trained classifiers are able to determine the value of the metrics of the CVSS vector with high accuracy. The severity score computed from the predicted CVSS vector is also very close to the real severity score attributed by a human expert. For explainability purpose, gradient-based input saliency method was used to determine the most relevant input words for a given prediction made by our classifiers. Often, the top relevant words include terms in agreement with the rationales of a human cybersecurity expert, making the explanation comprehensible for end-users.
△ Less
Submitted 16 November, 2021;
originally announced November 2021.
-
Anomalous Communications Detection in IoT Networks Using Sparse Autoencoders
Authors:
Mustafizur Rahman Shahid,
Gregory Blanc,
Zonghua Zhang,
Hervé Debar
Abstract:
Nowadays, IoT devices have been widely deployed for enabling various smart services, such as, smart home or e-healthcare. However, security remains as one of the paramount concern as many IoT devices are vulnerable. Moreover, IoT malware are constantly evolving and getting more sophisticated. IoT devices are intended to perform very specific tasks, so their networking behavior is expected to be re…
▽ More
Nowadays, IoT devices have been widely deployed for enabling various smart services, such as, smart home or e-healthcare. However, security remains as one of the paramount concern as many IoT devices are vulnerable. Moreover, IoT malware are constantly evolving and getting more sophisticated. IoT devices are intended to perform very specific tasks, so their networking behavior is expected to be reasonably stable and predictable. Any significant behavioral deviation from the normal patterns would indicate anomalous events. In this paper, we present a method to detect anomalous network communications in IoT networks using a set of sparse autoencoders. The proposed approach allows us to differentiate malicious communications from legitimate ones. So that, if a device is compromised only malicious communications can be dropped while the service provided by the device is not totally interrupted. To characterize network behavior, bidirectional TCP flows are extracted and described using statistics on the size of the first N packets sent and received, along with statistics on the corresponding inter-arrival times between packets. A set of sparse autoencoders is then trained to learn the profile of the legitimate communications generated by an experimental smart home network. Depending on the value of N, the developed model achieves attack detection rates ranging from 86.9% to 91.2%, and false positive rates ranging from 0.1% to 0.5%.
△ Less
Submitted 26 December, 2019;
originally announced December 2019.
-
An n-sided polygonal model to calculate the impact of cyber security events
Authors:
Gustavo Gonzalez-Granadillo,
Joaquin Garcia-Alfaro,
Hervé Debar
Abstract:
This paper presents a model to represent graphically the impact of cyber events (e.g., attacks, countermeasures) in a polygonal systems of n-sides. The approach considers information about all entities composing an information system (e.g., users, IP addresses, communication protocols, physical and logical resources, etc.). Every axis is composed of entities that contribute to the execution of the…
▽ More
This paper presents a model to represent graphically the impact of cyber events (e.g., attacks, countermeasures) in a polygonal systems of n-sides. The approach considers information about all entities composing an information system (e.g., users, IP addresses, communication protocols, physical and logical resources, etc.). Every axis is composed of entities that contribute to the execution of the security event. Each entity has an associated weighting factor that measures its contribution using a multi-criteria methodology named CARVER. The graphical representation of cyber events is depicted as straight lines (one dimension) or polygons (two or more dimensions). Geometrical operations are used to compute the size (i.e, length, perimeter, surface area) and thus the impact of each event. As a result, it is possible to identify and compare the magnitude of cyber events. A case study with multiple security events is presented as an illustration on how the model is built and computed.
△ Less
Submitted 16 November, 2017;
originally announced November 2017.
-
Combining Technical and Financial Impacts for Countermeasure Selection
Authors:
Gustavo Gonzalez-Granadillo,
Christophe Ponchel,
Gregory Blanc,
Hervé Debar
Abstract:
Research in information security has generally focused on providing a comprehensive interpretation of threats, vulnerabilities, and attacks, in particular to evaluate their danger and prioritize responses accordingly. Most of the current approaches propose advanced techniques to detect intrusions and complex attacks but few of these approaches propose well defined methodologies to react against a…
▽ More
Research in information security has generally focused on providing a comprehensive interpretation of threats, vulnerabilities, and attacks, in particular to evaluate their danger and prioritize responses accordingly. Most of the current approaches propose advanced techniques to detect intrusions and complex attacks but few of these approaches propose well defined methodologies to react against a given attack. In this paper, we propose a novel and systematic method to select security countermeasures from a pool of candidates, by ranking them based on the technical and financial impact associated to each alternative. The method includes industrial evaluation and simulations of the impact associated to a given security measure which allows to compute the return on response investment for different candidates. A simple case study is proposed at the end of the paper to show the applicability of the model.
△ Less
Submitted 16 October, 2014;
originally announced November 2014.
-
Formalization of malware through process calculi
Authors:
Gregoire Jacob,
Eric Filiol,
Herve Debar
Abstract:
Since the seminal work from F. Cohen in the eighties, abstract virology has seen the apparition of successive viral models, all based on Turing-equivalent formalisms. But considering recent malware such as rootkits or k-ary codes, these viral models only partially cover these evolved threats. The problem is that Turing-equivalent models do not support interactive computations. New models have th…
▽ More
Since the seminal work from F. Cohen in the eighties, abstract virology has seen the apparition of successive viral models, all based on Turing-equivalent formalisms. But considering recent malware such as rootkits or k-ary codes, these viral models only partially cover these evolved threats. The problem is that Turing-equivalent models do not support interactive computations. New models have thus appeared, offering support for these evolved malware, but loosing the unified approach in the way. This article provides a basis for a unified malware model founded on process algebras and in particular the Join-Calculus. In terms of expressiveness, the new model supports the fundamental definitions based on self-replication and adds support for interactions, concurrency and non-termination allows the definition of more complex behaviors. Evolved malware such as rootkits can now be thoroughly modeled. In terms of detection and prevention, the fundamental results of undecidability and isolation still hold. However the process-based model has permitted to establish new results: identification of fragments from the Join-Calculus where malware detection becomes decidable, formal definition of the non-infection property, approximate solutions to restrict malware propagation.
△ Less
Submitted 20 April, 2009; v1 submitted 3 February, 2009;
originally announced February 2009.
-
Malware Detection using Attribute-Automata to parse Abstract Behavioral Descriptions
Authors:
Gregoire Jacob,
Herve Debar,
Eric Filiol
Abstract:
Most behavioral detectors of malware remain specific to a given language and platform, mostly PE executables for Windows. The objective of this paper is to define a generic approach for behavioral detection based on two layers respectively responsible for abstraction and detection. The first abstraction layer remains specific to a platform and a language. This first layer interprets the collecte…
▽ More
Most behavioral detectors of malware remain specific to a given language and platform, mostly PE executables for Windows. The objective of this paper is to define a generic approach for behavioral detection based on two layers respectively responsible for abstraction and detection. The first abstraction layer remains specific to a platform and a language. This first layer interprets the collected instructions, API calls and arguments and classifies these operations as well as the involved objects according to their purpose in the malware lifecycle. The second detection layer remains generic and is totally interoperable between the different abstraction components. This layer relies on parallel automata parsing attribute-grammars where semantic rules are used for object ty** (object classification) and object binding (data-flow). To feed detection and to experiment with our approach we have developed two different abstraction components: one processing system call traces from native code and one processing the VBScript interpreted language. The different experimentations have provided promising detection rates, in particular for script files (89%), with almost none false positives. In the case of process traces, the detection rate remains significant (51%) but could be increased by more sophisticated collection tools.
△ Less
Submitted 2 February, 2009;
originally announced February 2009.