Cyber Operations, Defense, and Forensics
Recent Submissions
sysBERT: Improved Behavioral Malware Detection using BERT Trained on sys2vec Embeddings (2025-01-07)
Carter, John; Mancoridis, Spiros; Protopapas, Pavlos
As malware becomes increasingly stealthy and more difficult to detect, behavioral malware detection has become the preferred method of detection, which uses representative run-time data from the device to determine if an infection has occurred. In this work, we collected kernel-level system calls from a router serving IoT devices during periods of benign behavior and periods of known malware infection. The system calls were processed using our custom-trained sys2vec model, which created contextual embeddings for each system call observed. We then subjected the data to a classifier using a Gated Recurrent Unit (GRU) with an Attention layer. Although this pipeline performed well for noisy, easy-to-detect malware, it struggled with stealthier malware. To combat this, we trained a classifier that uses a custom-trained BERT encoder in place of the GRU/Attention layers, which results in much better detection at a usable false positive rate (FPR) ≤ 1 × 10^-5.

Image Domain Distinct Native Attribute Fingerprinting for Image Forgery Classification (2025-01-07)
Mcquagge, Jessica; Rondeau, Christopher; Temple, Michael
Image forgery is becoming more difficult to detect due to advances in AI image generation. As such, the usefulness — and even requirement — for detection techniques that are affordable (computationally and monetarily) as well as intuitive and simple are equally increasing. This work demonstrates the first adoption of Distinct Native Attribute (DNA) Fingerprinting to image and forgery detection to achieve similar results while mitigating the cost of implementation. General image classification results with accuracy of %C = 98.8% support the overall utility, while the ability to detect within-category image forgeries produces an average of %C = 81.8%. Using an intuitive and small set of features, preliminary results show an approximate average classification accuracy difference of only %CΔ = −9% from more complex solutions. This work demonstrates the ability to adopt DNA Fingerprinting for image classification and image forgery detection using Image Domain DNA (ID-DNA) that is holistically less resource intensive while requiring less time, money, and expert knowledge.

A Zero Trust Architecture for Critical Operational Technology Systems (2025-01-07)
Song, Meng Wee; Nguyen, Thuy; Irvine, Cynthia
Evolving business demands increasingly expose modern operational technology (OT) systems to external networks. Their vulnerability to contemporary cybersecurity threats due to legacy software and hardware requires proactive measures. While the Zero Trust (ZT) paradigm has been embraced for IT systems, its use in OT systems is largely uncharted. We present a ZT architectural model to modernize and secure critical OT systems. Using a water treatment OT system, we evaluated the ZT-OT architecture against real-world remote-access and bring-your-own-device (BYOD) use cases. Our results show the ZT-OT architecture can help mitigate vulnerabilities associated with threats in specific cases, and we identified limitations concerning legacy components and normal operation. Our approach offers insights into the potential and challenges of ZT in protecting OT systems.

Development of a Neuromorphic-Friendly Spiking Neural Network for RF Event-based Classification (2025-01-07)
Smith, Michael; Temple, Michael; Dean, James
This paper provides details for the most recent step taken in the RndF-to-CNN-to-SNN classifier transition activity supporting an envisioned RF "event radio" concept. Successful results here include the transition from CNNs to neuromorphic-friendly CNN-derived SNNs and pique sufficient interest for pursuing next-step hardware demonstrations. Consistent with earlier RndF and CNN works that used the same experimentally collected WirelessHART signals, SNN results here show that two-dimensional event-based fingerprinting is best overall using events detected in burst Gabor transform responses. The approximate %CΔ ≈ −2% decrease in average percent correct classification performance resulting from RF eventization encoding is effectively offset by a complementary %CΔ ≈ +2% to +3% increase that occurs with the CNN-to-SNN transition. This level of neuromorphic-friendly SNN performance is promising when considering the potential 10X-100X energy efficiencies that remain to be demonstrated.

Introduction to the Minitrack on Cyber Operations, Defense, and Forensics (2025-01-07)
Glisson, William Bradley; Mcdonald, Jeffrey