International Journal of Information Security
Volume:14 Issue: 2, Jul 2022

Today, intrusion detection systems are used in the networks as one of the essential methods to detect new attacks. Usually, these systems deal with a broad set of data and many features. Therefore, selecting proper features and benefitting from previously learned knowledge is suitable for efficiently detecting new attacks. A new graph-based method for online feature selection is proposed in this article to increase the accuracy in detecting attacks. In the proposed method, irrelevant features are first removed by inputting a limited number of instances. Then, features are clustered based on graph theory to reduce the search space. After the arrival of new instances at each stage, new clusters of features are created that may differ from the clusters created in the previous step. Therefore, to find the appropriate clusters, these two clusters are combined to select some relevant features with minimum redundancy. The evaluation results show that the proposed method has better performance, for instance classification with a lesser run time than similar online feature selection methods. The proposed method is also faster with a suitable accuracy in instances classification compared to some offline methods.

Web application firewalls (WAFs) are used for protecting web applications from attacks such as SQL injection, cross-site request forgery, and cross-site scripting. As a result of the growing complexity of web attacks, WAFs need to be tested and updated on a regular basis. There are various tools and techniques to verify the correct performance of WAFs but most of them are manual or use brute-force attacks, so suffer from poor efficacy. In this work, we propose a solution based on Reinforcement Learning (RL) to discover malicious payloads, which can bypass WAFs. We provide an RL framework with an environment compatible with OpenAI gym toolset standards. This environment is employed for training agents to implement WAF circumvention tasks. The agent mutates a malicious payload syntax using a set of modification operators as actions, without changes to its semantic. Then, upon WAF's reaction to the payload, the environment ascertains a reward for the agent. Eventually, based on the rewards, the agent learns a suitable sequence of mutations for any malicious payload. The payloads, which bypass the WAF can determine rules defects, which can be further used in rule tuning for rule-based WAFs. Also, it can enrich the machine learning-based datasets for retraining. We use Q-learning, advantage actor-critic (A2C), and proximal policy optimization (PPO) algorithms with the deep neural network. Our solution is successful in evading signature-based and machine learning-based WAFs. While we focus on SQL injection in this work, the method can be simply extended to use for any string-based injection attacks.

Fragile watermarking is a technique of authenticating the originality of the media (e.g., image). Although the watermark is destroyed with any small modification (tamper), it may be used to recover the original image. There is no method yet, based on our knowledge, to guarantee the perfect recovery of small tampers. Although data-bits are embedded in Least Significant Bits of some other pixel(s), a tamper may destroy both data and authentication sets which makes recovery impossible. In this paper, a novel fragile watermarking scheme is proposed for both tamper detection and tampered image recovery. Here, all bits are reorganized in virtual pixels distributed in the image called as Distributed Pixels (DP). Distance of each pair of bits in a DP is sufficiently large. This is why; tampers smaller than a threshold, cannot destroy more than one bit of a DP. Hamming code guarantees that changing at most one bit can be perfectly detected and recovered. Then, Hamming (7,4) is extended to (8,5) to support embedding in eight-bits pixels. According to the experimental results, the proposed method could perfectly detect and recover the tampered parts not greater than a quarter of image in diameter. It also achieved acceptable performance in other conditions, compared to state-of-the-art methods.

This paper analyses the security and efficiency of some notable privacy preserving data aggregation schemes, SP2DAS, 3PDA, and EPPA. For SP2DAS and 3PDA schemes, We show that despite the designers’ claims, there are efficient forgery attacks on the signature scheme used. We present aselective forgery attack on the signature scheme of SP2DAS in the key-only attack model and a selective forgery attack on the 3PDA’s signature scheme in the known-message attack model,requiring only two pairs of message-signature. These attacks enable the attacker to inject any arbitrary faulty data into the data aggregated by the network, without being detected, which is a serious threat to the performance of the whole network. We also present an improved version of the broadcast encryption scheme used in EPPA scheme, in which the decryption key is half, the decryption complexity is half, and the ciphertext size is 3=4 of the original one. The semantic security of the proposed scheme is proved under the same assumption as the original scheme.

A steganography system must embed the message in an unseen and unrecognizable manner in the cover signal. Embedding information in transform coefficients, especially Discrete Wavelet Transform (DWT), is one of the most successful approaches in this field. The proposed method in this paper has two main steps. In the first step, the XOR logical function was used to embed two bits of data in the adjacent DWT coefficient pair. No change in the coefficients will occur if the XOR result of the two bits of low-value data of the two adjacent coefficients is identical to the two bits of secret data. Otherwise, one or both of the coefficient(s) will need a one-unit increase or decrease. In the second step, the genetic algorithm was used to select, between the two possible solutions, a new value for the adjacent coefficient pair that needs to be changed. Using the genetic algorithm, the selections were made such that the generated stego image experienced the least change relative to the cover image. The results of comparing this method with the existing methods in low- and high-level embedding showed that the proposed method was successful in producing stego images with high-quality criteria. In addition, the SPAM steganalysis method did not show high accuracy in its detection. One of the benefits of the proposed method is the need for a short key to embed and extract the secret message. This issue increases the security and feasibility of the proposed method.

With the spread of information technology in human life, data protection is a critical task. On the other hand, malicious programs are developed, which can manipulate sensitive and critical data and restrict access to this data. Ransomware is an example of such a malicious program that encrypts data, restricts users' access to the system or their data, and then request a ransom payment. Many types of research have been proposed for ransomware detection. Most of these methods attempt to identify ransomware by relying on program behavior during execution. The main weakness of these methods is that it is not explicit how long the program should be monitored to show its real behavior. Therefore, sometimes, these researches cannot detect ransomware early. In this paper, a new method for ransomware detection is proposed that does not need executing the program and uses the PE header of the executable file. To extract effective features from the PE header file, an image is constructed based on PE header. Then, according to the advantages of Convolutional Neural Networks in extracting features from images and classifying them, CNN is used. The proposed method achieves high detection rates. Our results indicate the usefulness and practicality of our method for ransomware detection.

The certificateless public key cryptography (CL-PKC) setting, makes it possible to overcome the problems of the conventional public key infrastructure and the ID-Based public key cryptography, concurrently. A certificateless signcryption (CL-SC) scheme is an important cryptographic primitive which provides the goals of a signature scheme and an encryption scheme both at once, in a certificateless setting. In addition to the basic security requirements of a CL-SC scheme (i. e. the unforgeability and the confidentiality), a new security notion called as the known session specific temporary information security (KSSTIS) has been proposed in the literature, recently. This security notion guarantees the confidentiality of the message even if the temporary information, used for creating the signcryption on the message, reveals. However, as discussed in the literature, there are not any secure CL-SC schemes in the standard model (i. e. without the assumption of random oracles) which guarantees the KSSTIS. In this paper, three recently proposed CL-SC schemes (Caixue, Shan and Ullah et al.'s schemes) are analyzed and it is shown that these schemes not only do not satisfy the KSSTIS, but also they do not even provide the basic security requirements of a CL-SC scheme. Furthermore, an enhanced secure CL-SC scheme is proposed in the standard model which satisfies the KSSTIS.

Since their introduction, cognitive radio networks, as a new solution to the problem of spectrum scarcity, have received great attention from the research society. An important field in database driven cognitive radio network studies is pivoted on their security issues. A critical issue in this context is user's location privacy, which is potentially under serious threat. The query process by secondary users from the database is one of the points where the problem rises. In this paper, we propose a Privacy Preserving Query Process (PPQP), accordingly. PPQP is a cryptography-based protocol, which takes advantage of properties of some well-known cryptosystems. This method lets secondary users deal in the process of spectrum query without sacrificing their location information. Analytical assessment of PPQP's privacy preservation capability shows that it preserves location privacy for secondary users against different adversaries, with very high probability. Relatively low communicational cost is a significant property of our novel protocol.