system calls
Recently Published Documents


TOTAL DOCUMENTS: 252 (five years: 81)
H-INDEX: 16 (five years: 3)

2022, pp. 911-923
Author(s): Richa Singh, Arunendra Singh, Pronaya Bhattacharya

The rapid industrial growth in cyber-physical systems has led to the traditional power grid being upgraded into a networked communication infrastructure. The benefits of integrating smart components have brought security issues with them, since the attack perimeter has increased. In this chapter, the authors first train the network on the results generated by the uncompromised grid network dataset and then extract valuable features from the various system calls made to the kernel on the grid devices and from the internal operations performed afterwards. They analyze the metrics and predict how the call lists of the two systems differ in call types, parameters passed to the OS, size of the system calls, and return values of the calls, and thereby separate benign devices from compromised ones in the test bed. Device behavior in the smart grid can then be predicted accurately; the rate of correct detection vs. false detection is calculated from the confusion matrix, and finally accuracy and F-score are computed for successful anomaly detection.
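
The feature extraction and confusion-matrix scoring described above, as an added example that is not the chapter's code or data. The trace lines are constructed strace-style records ("device call(args) = ret [ERRNO]"), the baseline is a profile of the devices labelled uncompromised, and the deviation score with its 0.2 threshold is an assumption standing in for the trained model; one benign device (rtu4) is deliberately given a call type the baseline never saw so that the confusion matrix shows a false detection as well as a correct one.

```python
"""Per-device syscall features and confusion-matrix scoring for a grid test bed.

Added example, not the chapter's code or data. The trace lines are constructed
strace-style records ("<device> <call>(<args>) = <ret> [ERRNO]"). The baseline
is a profile of the devices labelled uncompromised; the deviation score and
its threshold are assumptions standing in for the trained model.
"""
import re
from collections import Counter

# Constructed trace: rtu1/rtu2/rtu4 behave normally, rtu3 spawns a shell and probes.
TRACE = """\
rtu1 read(3, "...", 256) = 256
rtu1 write(4, "...", 64) = 64
rtu1 read(3, "...", 256) = 256
rtu1 select(5, ...) = 1
rtu2 read(3, "...", 256) = 256
rtu2 write(4, "...", 64) = 64
rtu2 select(5, ...) = 1
rtu2 read(3, "...", 256) = 200
rtu3 execve("/bin/sh", ...) = 0
rtu3 connect(7, ...) = -1 ECONNREFUSED
rtu3 connect(7, ...) = -1 ECONNREFUSED
rtu3 write(7, "...", 4096) = 4096
rtu3 ptrace(PTRACE_ATTACH, ...) = -1 EPERM
rtu4 read(3, "...", 256) = 256
rtu4 stat("/etc/cfg", ...) = 0
rtu4 write(4, "...", 64) = 64
rtu4 select(5, ...) = 1
"""
# Ground truth for the constructed test bed: only rtu3 is compromised.
TRUTH = {"rtu1": False, "rtu2": False, "rtu3": True, "rtu4": False}

LINE = re.compile(r'^(\S+)\s+(\w+)\((.*)\)\s*=\s*(-?\d+)(?:\s+(E\w+))?$')

def parse(trace):
    """Group calls per device as (name, nargs, size_arg, return_value, errno)."""
    per_dev = {}
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:                      # skip anything that is not a call record
            continue
        dev, name, args, ret, err = m.groups()
        size = re.search(r'(\d+)\s*$', args)   # trailing numeric arg: buffer length for read/write
        per_dev.setdefault(dev, []).append(
            (name, len(args.split(',')), int(size.group(1)) if size else 0, int(ret), err))
    return per_dev

def features(calls):
    """Call-type frequencies, mean transfer size and error rate for one device."""
    n = len(calls)
    return {
        "type_freq": {k: v / n for k, v in Counter(c[0] for c in calls).items()},
        "mean_size": sum(c[2] for c in calls) / n,
        "err_rate": sum(1 for c in calls if c[3] < 0) / n,
    }

def baseline(per_dev, benign):
    """Profile learned from uncompromised devices: known call types and worst error rate."""
    seen, max_err = set(), 0.0
    for dev in benign:
        f = features(per_dev[dev])
        seen |= set(f["type_freq"])
        max_err = max(max_err, f["err_rate"])
    return seen, max_err

def score(calls, base):
    """Share of calls whose type was never seen on benign devices, plus any excess error rate."""
    seen, max_err = base
    f = features(calls)
    novel = sum(p for t, p in f["type_freq"].items() if t not in seen)
    return novel + max(0.0, f["err_rate"] - max_err)

def confusion(pred, truth):
    """Confusion matrix, accuracy and F-score (positive class = compromised)."""
    tp = sum(pred[d] and truth[d] for d in truth)
    fp = sum(pred[d] and not truth[d] for d in truth)
    tn = sum(not pred[d] and not truth[d] for d in truth)
    fn = sum(not pred[d] and truth[d] for d in truth)
    prec = tp / (tp + fp) if tp + fp else 0.0
    rec = tp / (tp + fn) if tp + fn else 0.0
    return {"tp": tp, "fp": fp, "tn": tn, "fn": fn,
            "accuracy": (tp + tn) / len(truth),
            "f_score": 2 * prec * rec / (prec + rec) if prec + rec else 0.0}

def evaluate(trace=TRACE, benign=("rtu1",), truth=TRUTH, threshold=0.2):
    """Train the baseline on the benign devices, flag every device, and score the result."""
    per_dev = parse(trace)
    base = baseline(per_dev, benign)
    pred = {d: score(calls, base) > threshold for d, calls in per_dev.items()}
    return confusion(pred, truth)

if __name__ == "__main__":
    print(evaluate())
```

On this input rtu3 is caught (execve, connect and ptrace are novel and three of five calls fail), but rtu4 is also flagged because one stat call out of four already exceeds the threshold, which is the false-detection case the confusion matrix is meant to expose: accuracy comes out at 0.75 and the F-score at 0.67.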


2021, Vol 2021, pp. 1-14
Author(s): Chaoxian Wei, Qiang Li, Dong Guo, Xiangyu Meng

APT attackers usually launch their attacks with self-developed malware, so understanding the behavior of APT malware improves the understanding and recognition of APT attacks. Unfortunately, current research does not effectively explain the relationship between recognizing, detecting, and defending against APTs, and the models of similar studies also lack such an explanation. To defend against APT attacks and to inquire into the similarity of different APT attacks, this study proposes an APT malware classification method based on a combination of multiple deep learning algorithms and transfer learning, using publicly collected malware from several well-known APT groups. By extracting the application programming interface (API) system calls and representing them as feature vectors with a dynamic LSTM combined with an attention mechanism, the contribution of each API call to the classification of the different APT families is learned during training. Transfer learning is then used to perform multi-class classification of the APT family. The study aims to reduce the burden on network security staff of reviewing a large number of suspicious files when defending against APT attacks; combined with public threat intelligence, it can also intercept APT malware in the initial intrusion stage and perform targeted defense against specific APT attacks. The experimental results show that the proposed method achieves 99.2% in distinguishing common malware from APT malware and assigns APT malware to the different APT families with an accuracy of 95.5%.


2021, Vol 2021, pp. 1-13
Author(s): Zhichao Hu, Likun Liu, Haining Yu, Xiangzhan Yu

Cybersecurity has become an important part of our daily lives, and much recent research addresses intrusion detection based on host system calls. Compared to sentences, a sequence of system calls has unique characteristics: it contains implicit pattern relationships that are less sensitive to the order of occurrence, and slight variations in the frequency of system calls have little effect on the classification results. System calls also carry properties such as resource consumption, execution time, predefined rules, and empirical weights. Commonly used embedding methods, such as BoW, TF-IDF, N-gram, and Word2Vec, neither fully exploit such relationships in sequences nor conveniently support attribute expansion. To solve these problems, we introduce Graph Representation based Intrusion Detection (GRID), an intrusion detection framework based on graph representation learning. It captures the potential relationships between system calls to learn better features, and it is applicable to a wide range of back-end classifiers. GRID uses a new sequence embedding method, Graph Random State Embedding (GRSE), which models a finite number of sequence items as a graph structure and represents the structural associations between them. A more efficient sequence embedding is generated by random walks, word embeddings, and graph pooling, and the method extends easily to sequences with attributes. Our experimental results on the ADFA-LD dataset show that GRID with the GRSE embedding method improves by 2% on average over the other embeddings.
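
The graph-then-walk-then-pool pipeline sketched in the abstract, as an added example that is not the GRID/GRSE implementation. Each distinct syscall becomes a node, consecutive calls form a weighted directed edge, node vectors are co-occurrence counts collected on seeded random walks (a stand-in for the word-embedding step, chosen so the block runs offline), and frequency-weighted mean pooling gives the sequence embedding. The three traces are constructed, not taken from ADFA-LD, and the attribute extension the abstract mentions is not shown.

```python
"""Graph representation of a syscall sequence: transition graph, random walks, pooling.

Added example, not the GRID/GRSE implementation. Node vectors are co-occurrence
counts over seeded random walks (standing in for the word-embedding step) and
the sequence embedding is a frequency-weighted mean of node vectors. The three
traces are constructed, not taken from ADFA-LD.
"""
import random
from collections import Counter, defaultdict
from math import sqrt

BENIGN_A = "open read read close open read close write".split()
BENIGN_B = "open read close write open read read close".split()
ATTACK = "open read mmap mprotect execve socket connect write".split()

def build_graph(seq):
    """Edge (a, b) -> number of times call b directly followed call a."""
    return dict(Counter(zip(seq, seq[1:])))

def random_walks(graph, length=5, walks_per_node=3, seed=0):
    """Weighted random walks from every node; a walk stops early at a node with no successors."""
    rng = random.Random(seed)
    out = defaultdict(list)
    for (src, dst), w in graph.items():
        out[src].append((dst, w))
    walks = []
    for start in sorted({n for edge in graph for n in edge}):
        for _ in range(walks_per_node):
            walk = [start]
            while len(walk) < length and out[walk[-1]]:
                succ, weights = zip(*out[walk[-1]])
                walk.append(rng.choices(succ, weights=weights)[0])
            walks.append(walk)
    return walks

def node_vectors(walks, vocab, window=2):
    """Node vector = counts of each vocabulary item seen within `window` steps on the walks."""
    idx = {s: i for i, s in enumerate(vocab)}
    vecs = defaultdict(lambda: [0.0] * len(vocab))
    for walk in walks:
        for i, s in enumerate(walk):
            for j in range(max(0, i - window), min(len(walk), i + window + 1)):
                if j != i:
                    vecs[s][idx[walk[j]]] += 1.0
    return vecs

def embed(seq, vocab, **walk_kw):
    """Graph pooling: mean of node vectors weighted by how often each call occurs in the sequence."""
    vecs = node_vectors(random_walks(build_graph(seq), **walk_kw), vocab)
    emb = [0.0] * len(vocab)
    for call, count in Counter(seq).items():
        for k, v in enumerate(vecs[call]):
            emb[k] += v * count / len(seq)
    return emb

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = sqrt(sum(x * x for x in a)), sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0   # a single-call sequence has no edges: zero vector

def build_vocab(sequences):
    """Shared index so embeddings of different sequences are comparable."""
    return sorted({c for seq in sequences for c in seq})

if __name__ == "__main__":
    vocab = build_vocab([BENIGN_A, BENIGN_B, ATTACK])
    a, b, x = (embed(s, vocab, seed=7) for s in (BENIGN_A, BENIGN_B, ATTACK))
    print("benign/benign", round(cosine(a, b), 3), "benign/attack", round(cosine(a, x), 3))
```

The point the abstract makes is visible in the output: the two benign traces share the same open/read/close/write neighbourhood structure even though their call order and frequencies differ, so their embeddings stay close, while the attack trace's walks mostly visit mmap, mprotect, execve and socket nodes the benign graph never contains.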


2021
Author(s): Fatema Maasmi, Martina Morcos, Hussam al Hamadi, Ernesto Damiani

2021, Vol 2096 (1), pp. 012048
Author(s): V K Fedorov, E G Balenko, N V Gololobov, K E Izrailov

Abstract This paper investigates software attacks based on shellcode injection into Windows applications. The attack uses platform invoke (P/Invoke) to inject binary code by means of system calls, creating a separate thread that carries the payload. The paper overviews protections against shellcode injection and, in doing so, analyzes the injection methods as well. The analysis models the injection of malicious code into a Windows application process, and as a result the paper proposes a step-by-step injection method. Experimental injection of user code in PowerShell is performed to test the method. The paper further shows the assembly code of a system call as an example of finding system call IDs in the global system call table, and part of the source code for the injection of binary executable code. Various counterattacks are proposed in the form of driver-based software control modules. The paper also analyzes the feasibility of using dynamic invoke, which the authors plan to pursue later.
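
The step the abstract mentions, locating a system call ID from the call's assembly, as an added example that is not the paper's code. It assumes the well-known x64 ntdll stub layout (`mov r10, rcx` is 4C 8B D1, followed by `mov eax, imm32` as B8 xx xx xx xx, where imm32 is the index into the kernel's system service table). The export names are real ntdll exports, but the stub bytes and the SSN values are constructed placeholders, not numbers for any real Windows build; the IDs change between builds, which is why they are read from the loaded stub rather than hard-coded. The third stub has a `jmp rel32` written over its prologue, the shape a user-mode hook installed by a protection product leaves behind, and the parser refuses to read an ID from it instead of returning garbage.

```python
"""Reading a system call ID out of an x64 ntdll-style stub.

Added example, not the paper's code. Assumes the x64 stub prologue
mov r10, rcx (4C 8B D1); mov eax, imm32 (B8 xx xx xx xx). The stubs and
SSN values below are constructed placeholders, not real build numbers.
"""
import struct

MOV_R10_RCX = b"\x4c\x8b\xd1"
MOV_EAX_IMM32 = 0xB8
JMP_REL32 = 0xE9
SYSCALL_RET = b"\x0f\x05\xc3"          # syscall; ret (filler for the rest of the stub)

def syscall_id_from_stub(stub):
    """SSN from an unhooked stub, or None when the prologue is not the expected one."""
    if len(stub) < 8 or not stub.startswith(MOV_R10_RCX) or stub[3] != MOV_EAX_IMM32:
        return None
    return struct.unpack_from("<I", stub, 4)[0]

def is_inline_hooked(stub):
    """A stub beginning with jmp rel32 has had its prologue overwritten (typical of user-mode hooks)."""
    return len(stub) >= 5 and stub[0] == JMP_REL32

def build_table(exports):
    """Map export name -> SSN; stubs that cannot be parsed are reported with a reason."""
    table, skipped = {}, []
    for name, stub in exports.items():
        ssn = syscall_id_from_stub(stub)
        if ssn is None:
            skipped.append((name, "hooked" if is_inline_hooked(stub) else "unrecognised"))
        else:
            table[name] = ssn
    return table, skipped

def make_stub(ssn):
    """Constructed unhooked stub carrying the given placeholder SSN."""
    return MOV_R10_RCX + bytes([MOV_EAX_IMM32]) + struct.pack("<I", ssn) + SYSCALL_RET

# Constructed exports (real names, placeholder bytes); the third has a 5-byte jmp over its prologue.
CONSTRUCTED_EXPORTS = {
    "NtAllocateVirtualMemory": make_stub(0x11),
    "NtWriteVirtualMemory": make_stub(0x22),
    "NtCreateThreadEx": b"\xe9\x10\x20\x30\x40" + make_stub(0x33)[5:],
}

if __name__ == "__main__":
    print(build_table(CONSTRUCTED_EXPORTS))
```

On a live system the bytes would come from the export's address in the loaded ntdll image, and a hooked entry is exactly the case a practitioner has to notice: the ID is then not at offset 4, and reading it blindly yields the low bytes of the jump displacement rather than a service number.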


2021
Author(s): K. Uma Maheswari, G. Shobana, S. Nikkath Bushra, Nalini Subramanian

2021
Author(s): Gabriel R. Castanhel, Tiago Heinrich, Fabricio Ceschin, Carlos Maziero

2021, Vol 122, pp. 117-129
Author(s): Jesper Simonsson, Long Zhang, Brice Morin, Benoit Baudry, Martin Monperrus

2021, Vol 2021 (9)
Author(s): Charlotte Kristjansen, Dennis Müller, Konstantin Zarembo

Abstract The encoding of all possible sets of Bethe equations for a spin chain with SU(N|M) symmetry into a QQ-system calls for an expression of spin chain overlaps entirely in terms of Q-functions. We take a significant step towards deriving such a universal formula in the case of overlaps between Bethe eigenstates and integrable boundary states, of relevance for AdS/dCFT, by determining the transformation properties of the overlaps under fermionic as well as bosonic dualities which allows us to move between any two descriptions of the spin chain encoded in the QQ-system. An important part of our analysis involves introducing a suitable regularization for singular Bethe root configurations.

