by Florian Skopik (AIT Austrian Institute of Technology) and Kyriakos Stefanidis  (ISI)

Cybercrime has grown to a profitable multi-billion-dollar business. The number of reported criminal offences is continuously rising every year. The reasons for this development are the ever-increasing dependency on IT technology for almost every business, the opportunity for attackers to operate in the dark, and the continuously growing attack surface. With the adoption of new computing paradigms, such as cloud computing and the Internet of Things, not only new opportunities for legitimate businesses arise, but also new ways for criminals to make profit or to attack and de-stabilise a country’s economy or society. In recent years, we have witnessed the rise of ransomware attacks on a large scale, Distributed Denial of Service (DDoS) attacks with high volumes that have never been observed before, and data leaks that massively harmed global businesses. Besides stealing business-critical data, harming or blackmailing individuals or organisations, large-scale attacks on critical infrastructures of a region or nation-state have become a severe threat. Some examples are the recent attacks on the US-East-Coast Colonial Pipeline, one of the largest US pipeline operators, and the use of cybersecurity attacks on Ukrainian infrastructures. Finally, the ever-growing de-stabilising disinformation campaigns and cyberwar practices in general are increasingly shaping social and political conflicts. Thousands of high-impact attacks have already demonstrated the vulnerability of complex interconnected systems.

by Evangelos Markatos (FORTH and University of Crete), Mary Aiken, Julia Davidson (University of East London), Alexey Kirichenko (F-Secure Corporation) and David Wright (Trilateral Research)

Over the past few years, we have seen cybercrime rising to become a trillion-dollar business world-wide. Although the cost of cybercrime was close to $5.5 trillion in 2020 [1], it is now estimated to double by 2025 [2]. To put this number in perspective, a cost of $10.5 trillion a year is $28 billion per day, or $20 million a minute, or close to $330,000 a second. At such staggering rates, it is imperative to understand the drivers of cybercrime and how they can be mitigated.

by Ross King (AIT Austrian Institute of Technology GmbH), Georgios Kioumourtzis (IANUS Consulting) and Georgios Papadopoulos (FORTH-ICS)

The European Union’s Internal Security Fund (ISF) will contribute to ensuring a high level of security in the Union, by supporting actions that help to prevent and combat terrorism and radicalisation, serious and organised crime, and cybercrime. One such project that has launched in January 2022 is Anti-FinTer: Versatile artificial intelligence investigative technologies for revealing online cross-border financing activities of terrorism.

by George Tsakalidis, (Financial and Economic Crime Unit - S.D.O.E. (Operational Directorate of Macedonia)) and Kostas Vergidis, (University of Macedonia)

A systematised investigation process for copyright-related cybercrime offences has been designed in the Business Process Model and Notation (BPMN) and implemented by financial crime investigators of a Law Enforcement Agency. The proposed approach has increased the efficiency of the performed investigations and the dissemination of knowledge to relevant agencies.

by Sara Ferreira (University of Porto), Mário Antunes (Polytechnic of Leiria) and Manuel E. Correia (University of Porto)

Tampered multimedia content is increasingly being used in a broad range of cybercrime activities. The spread of fake news, misinformation, digital kidnapping, and ransomware-related crimes are among the most recurrent crimes in which manipulated digital photos are being used as an attacking vector. One of the linchpins of accurately detecting manipulated multimedia content is the use of machine learning and deep learning algorithms. This work proposed a dataset of photos and videos suitable for digital forensics, which has been used to benchmark Support Vector Machines (SVM) and Convolution Neural Networks algorithms (CNN). An SVM-based module for the Autopsy digital forensics open-source application has also been developed. This was evaluated as a very capable and useful forensic tool, winning second place on the OSDFCon international Autopsy modules competition.

by Rudolf Mayer (SBA Research)

Anomaly detection is an important part of countering cybercrime, by detecting e.g., fraud or intrusions. Especially with an ever-growing amount of data (such as logs or transactions) being collected, automated analysis of these data for malicious behaviour becomes essential. In several settings, such analysis might be performed by third parties or be collaborative, to learn from more and diverse experiences by different collaborators. Thus, means to access such often confidential data in a privacy-preserving manner are required. Collaborative Learning and synthetic data are two promising approaches to fulfil this purpose.

by Hui Han (Fraunhofer IESE) and Jingyue Li (NTNU)

Tiny machine learning (TinyML) is the intersection of machine learning (ML) algorithms and embedded systems (hardware and software) in terms of low latency, low power, and small size. It allows data to be kept mainly on edge devices and to be processed and have ML tasks run directly in the device. Therefore, the TinyML paradigm is expected to preserve AI security and combat cybercrimes. In this study, we explore how TinyML, the cutting-edge of ML technologies, solves relevant AI security problems (including cybercrimes) from the AI lifecycle aspect: data engineering, model engineering and model deployment. Finally, we discuss the opportunities for future research.

by Levente Buttyán (Budapest University of Technology and Economics) and Rudolf Ferenc (University of Szeged)

Embedded devices are increasingly connected to the Internet to provide new and innovative applications in many domains. However, these IoT devices can also contain security vulnerabilities, which allow attackers to compromise them using malware. We report on our recent work on using machine learning for efficient and effective malware detection on resource-constrained IoT devices.

by Giacomo Iadarola, Fabio Martinelli (IIT-CNR) and Francesco Mercaldo (University of Molise and IIT-CNR)

Cybercriminals can use a device compromised by malware for a plethora of purposes. Malicious intentions include the theft of confidential data, using the victim's computer to perform further criminal acts, or data ciphering to ask a ransom. Recently, deep learning is widely considered for malware detection. The main problem in the real-world adoption of these methods is due to their “black box” working mechanism i.e., the security analyst must trust the prediction without the possibility to understand the reason why an application is detected as malicious. In this article we discuss a malicious family detector, providing a mechanism aimed to assess the prediction trustworthiness and explainability. Real-world case studies are discussed to show the effectiveness of the proposed method.

by Davide Ceolin (CWI)

Predicting the quality of the information online is a key step to contrast the spread of dis- and misinformation. Transparency and explainability of information quality prediction are key elements to increase their trustability and usefulness. We at CWI work on fostering online information quality explainability through transparent AI pipelines that combine argumentation reasoning, crowdsourcing, and logical reasoning.

by Manuel Kern and Florian Skopik

In the last decade there was a clear paradigm shift from focusing only on prevention and protection to also including detection and response. While prevention and protection are indispensable to enable a baseline security, it is presumed that attackers have already compromised systems to some extent (“presumption of compromise”). The fact that professional attackers often operate in the network over a long period of time has long been known in cyber security research. A key pillar of a holistic security approach is therefore the early detection of attackers in the network. But still, the average time to detect attackers remains high. In the course of a study commissioned by IBM Security [L1], the average time it takes to detect a data breach is quantified with a time period of 212 days, five days longer than the year before.

by Max Landauer, Florian Skopik, Markus Wurzenberger and Wolfgang Hotwagner (AIT)

Cyber security leverages intrusion detection systems that analyse log data and network traffic to disclose suspicious activities and protect networks against cyberattacks. Verifying the functionality and measuring the effectiveness of these detection systems is not trivial, since it usually is not desirable to launch actual attacks in an organisation’s productive infrastructure. Therefore, such evaluations are often carried out in isolated testbeds, i.e., simulated networks comprising components and applications that are representative of their real-world counterparts in terms of configuration, scale, and utilisation. However, setting up and maintaining such testbeds is complex and labour-intensive, particularly when experiments are required to be reproducible and adaptable. To alleviate these issues, we developed the Kyoushi Testbed Environment, an open-source simulation framework that enables automatic and parallel testbed instantiation through model-driven design, simulation of normal user activities to generate a baseline workload, injection of attack scenarios with variations, and labelling of collected log data.

by Gianluigi Folino, Francesco Sergio Pisani (ICAR-CNR) and Carla Otranto Godano (HFactor Security)

In the field of cybersecurity, it is of great interest to analyse user logs in order to prevent data breach issues caused by user behaviour (human factor). A scalable framework based on the Elastic Stack (ELK) to process and store log data coming from digital footprints of different users and from applications is proposed. The system exploits the scalable architecture of ELK by running on top of a Kubernetes platform, and adopts ensemble-based machine learning algorithms to classify user behaviour and to eventually detect anomalies in behaviour.

by Robert Luh (University of Vienna and St. Pölten University of Applied Sciences) and Michael Galhuber (St. Pölten University of Applied Sciences)

Timestamps are among the most expressive artefacts in a digital forensic investigation. Our research shows that the distinct patterns caused by the interaction with individual files can yield more insight than previously documented and enables application fingerprinting within a Windows environment through timestamps alone. Furthermore, we classify timestamp forgery tools and present a means to detect their use.

by Patrick Kochberger, Sebastian Schrittwieser (University of Vienna) and Edgar R. Weippl (SBA Research)

In cybercrime, malware plays a weighty role and malware authors heavily rely on different code obfuscation techniques such as packing, virtualisation, or control flow transformations, and other anti-analysis methods to hide malicious functionality in binary code. With thousands of new malware samples emerging every day, efficient analysis is crucial for fighting malware-based cybercrime. We present a novel meta-framework for malware analysis that helps find the optimal analysis strategy for a malware sample. The research for the work was conducted in a joint project together with the University of Gent in Belgium [L1].

by Jan Kohlrausch (DFN-CERT)

At DFN-CERT, we work on augmenting Security Metrics with a family of stochastic models. For a given Security Metric, an Autoregressive Integrated Moving Average (ARIMA) model is selected that encapsulates the sequence of metrics results and provides objective mathematical properties. This additional mathematical layer results in a better understanding of the metrics properties, facilitates decision-making processes, and supports situational awareness in Threat Intelligence.

by Lasse Nitz (Fraunhofer FIT), Martin Zadnik (CESNET), Mehdi Akbari Gurabi (Fraunhofer FIT), Mischa Obrecht (Dreamlab Technologies AG) and Avikarsha Mandal (Fraunhofer FIT)

Effective incident response relies on taking accurate and timely measures in reaction to cybersecurity incidents. The increase in both the number and variety of cyberattacks, however, makes it challenging for incident handlers to keep up with this task. In the H2020 project SAPPAN, we take a practical look at this problem and explore the sharing of incident handling information, the automation of incident response processes, as well as the relationship between these two topics, to assist human operators in their work.

by Christophe Ponsard, Philippe Massonet, Valery Ramon (CETIC)

Coping with cybercrime in the scope of increasingly open and interconnected systems is a difficult challenge. DevSecOps provide an adequate framework to keep in control of this perpetual race. We show here how it can be efficiently supported by an internal model-based analysis and automation approach together with the external threat intelligence sharing.

by Phil Cobley (MSAB), Georgina Humphries (NMPS), Harry Manifavas (FORTH-ICS), Rune Nordvik (NMPS), Matthew Sorell (Univ. of Adelaide)

Mobile devices, especially smartphones, constitute a major source of evidence in criminal activities investigated by law enforcement agencies (LEAs) [1]. Mobile devices present unique challenges; therefore, it is vital to empower all players involved in solving and judging cases where mobile data plays a significant role. FORMOBILE [L1], an EU-funded H2020 project aims to establish a complete end-to-end forensic investigation chain for mobile devices by developing the first standard for mobile forensics, novel tools, and a targeted training programme.

by Christos Alexakos (ISI/ATHENA RC), Kristina Livitckaia (ITI/CERTH), Mike Anastasiadis (ITI/CERTH), Dimitrios Serpanos (University of Patras)

The importance of cybersecurity for Internet of Vehicles (IoV) systems is indisputable as possible attacks can cause the loss of lives. In nIoVe project, a cybersecurity framework has been developed. This framework includes tools for accurate detection of the propagation trends and root cause analysis of the attacks, providing additional knowledge for cyberattacks against lookalike infrastructures.

by Robert Luh and Sebastian Eresheim (University of Vienna & St. Pölten University of Applied Sciences)

PenQuest is a digital multi-player game that allows users to recreate or emulate cyberattacks on a game board representing freely configurable IT infrastructures. The game’s model incorporates a multitude of security concepts and threat vocabularies translated into technical and organisational actions. PenQuest is intended to assist risk assessment, support the reconstruction of adversarial events, and gamify security education.

by Jochen Hense, Simon Tjoa, Peter Kieseberg (St. Pölten University of Applied Sciences, Austria)

Traditional security education often focuses on teaching theoretical concepts but lacks hands-on experience. However, many aspects of modern security, especially in the incident management domain, cannot be taught in the abstract; they must be experienced. Our Cyber Defence Centre (CDC) allows us to train students in a simulated environment where they gain skills in detecting attacks, closing vulnerabilities, and responding to security breaches in a realistic but safe setting.

by Giorgia Bassi, Stefania Fabbri and Anna Vaccarelli (IIT-CNR)

Ludoteca del Registro.it is a project implemented by the Registro.it (the Registry of .it Internet domains) of the Institute of Informatics and Telematics of the CNR (National Research Council) in Pisa, aimed to help students develop more responsible use of the Internet, with a focus on cybersecurity topics.