When detecting cyberattacks in Industrial settings, it is not sufficient to determine whether the system is suffering a cyberattack. It is also fundamental to explain why the system is under a cyberattack and which are the assets affected. In this context, the Anomaly Detection based on Machine Learning (ML) and Deep Learning (DL) techniques showed great performance when detecting cyberattacks in industrial scenarios. However, two main limitations hinder using them in a real environment. Firstly, most solutions are trained using a supervised approach, which is impractical in the real industrial world. Secondly, the use of black‐box ML and DL techniques makes it impossible to interpret the decision made by the model. This article proposes an interpretable and semi‐supervised system to detect cyberattacks in Industrial settings. Besides, our proposal was validated using data collected from the Tennessee Eastman Process. To the best of our knowledge, this system is the only one that offers interpretability together with a semi‐supervised approach in an industrial setting. Our system discriminates between causes and effects of anomalies and also achieved the best performance for 11 types of anomalies out of 20 with an overall recall of 0.9577, a precision of 0.9977, and a F1‐score of 0.9711.

In this manuscript, we propose a system to detect cyberattacks in an industrial scenario following a semi‐supervised Anomaly Detection approach. Furthermore, the system is also capable of interpreting the output of the system to determine the root causes of the cyberattacks, allowing to concentrate effort where the cyberattacks is happening to mitigate it more efficiently.image

Identity‐based Matchmaking Encryption (IB‐ME) is an extension notion of matchmaking encryption (CRYPTO 2019), where a sender and a receiver can specify an access policy for the other party. In IB‐ME, data encryption is performed by not only a receiver identity but also a sender's encryption key. Nevertheless, previous IB‐ME schemes have not considered the problem of efficient revocation. Hence, the authors introduce a new notion of revocable IB‐ME (RIB‐ME) and formalise the syntax and security model of RIB‐ME. In particular, the authors give an effective and simple construction of RIB‐ME in the standard model, whose security is reduced to the hardness of decisional bilinear Diffie—Hellman problem and computational Diffie—Hellman problem. In addition, the authors show two extensions of our RIB‐ME scheme to consider chosen‐ciphertext security and forward privacy.

RIB‐ME provides the features of data confidentiality, sender authenticity and efficient revocation, where the security can be reduced to static assumptions in the standard model.image

The misunderstanding and incorrect configurations of cryptographic primitives have exposed severe security vulnerabilities to attackers. Due to the pervasiveness and diversity of cryptographic misuses, a comprehensive and accurate understanding of how cryptographic misuses can undermine the security of an Android app is critical to the subsequent mitigation strategies but also challenging. Although various approaches have been proposed to detect cryptographic misuse in Android apps, studies have yet to focus on estimating the security risks of cryptographic misuse. To address this problem, the authors present an extensible framework for deciding the threat level of cryptographic misuse in Android apps. Firstly, the authors propose a general and unified specification for representing cryptographic misuses to make our framework extensible and develop adapters to unify the detection results of the state‐of‐the‐art cryptographic misuse detectors, resulting in an adapter‐based detection tool chain for a more comprehensive list of cryptographic misuses. Secondly, the authors employ a misuse‐originating data‐flow analysis to connect each cryptographic misuse to a set of data‐flow sinks in an app, based on which the authors propose a quantitative data‐flow‐driven metric for assessing the overall risk of the app introduced by cryptographic misuses. To make the per‐app assessment more useful for app vetting at the app‐store level, the authors apply unsupervised learning to predict and classify the top risky threats to guide more efficient subsequent mitigation. In the experiments on an instantiated implementation of the framework, the authors evaluate the accuracy of our detection and the effect of data‐flow‐driven risk assessment of our framework. Our empirical study on over 40,000 apps, and the analysis of popular apps reveal important security observations on the real threats of cryptographic misuse in Android apps.

1. A new scheme assembling multiple crypto‐misuse detectors as a toolchain to detect a more comprehensive list of cryptographic vulnerabilities of Android apps. 2. A risk assessment of cryptographic misuses based on misuse‐originating data‐flow analysis indicating important risk patterns with an empirical study.image

Tor traffic tracking is valuable for combating cybercrime as it provides insights into the traffic active on the Tor network. Tor‐based application traffic classification is one of the tracking methods, which can effectively classify Tor application services. However, it is not effective in classifying specific applications due to more complicated traffic patterns in the spatial and temporal dimensions. As a solution, the authors propose FlowMFD, a novel Tor‐based application traffic classification approach using amount‐frequency‐direction (MFD) chromatographic features and spatial‐temporal modelling. Expressly, FlowMFD mines the interaction pattern between Tor applications and servers by analysing the time series features (TSFs) of different size packets. Then MFD chromatographic features (MFDCF) are designed to represent the pattern. Those features integrate multiple low‐dimensional TSFs into a single plane and retain most pattern information. In addition, FlowMFD utilises a cascaded model with a two‐dimensional convolutional neural network (2D‐CNN) and a bidirectional gated recurrent unit to capture spatial‐temporal dependencies between MFDCF. The authors evaluate FlowMFD under the public ISCXTor2016 dataset and the self‐collected dataset, where we achieve an accuracy of 92.1% (4.2%↑) and 88.3% (4.5%↑), respectively, outperforming state‐of‐the‐art comparison methods.

To address the problem that existing Tor traffic classification methods are less efficient at classifying specific applications in the Tor network, the authors propose FlowMFD, a novel traffic classification approach using amount‐frequency‐direction (MFD) chromatographic features and spatial‐temporal modelling. FlowMFD improves classification accuracy by mining the interaction patterns between the Tor applications and servers.image

In the field of symmetric key cryptography, the security against distinguishing attacks is one of the crucial security requirements. With advancements in computing capabilities and cryptanalysis techniques in recent years, more efficient methods have been proposed for exploring distinguishers using Mixed‐Integer Linear Programing (MILP) or satisfiability problem (SAT), thereby updating the security bounds of various ciphers. Piccolo is a lightweight block cipher proposed at CHES in 2011, with support 80‐bit and 128‐bit keys. Designers have undergone a rough security evaluation against differential, impossible differential, and related‐key differential attacks, based on nibble‐wise estimations due to the limitation of computational resource. Here, the authors perform bit‐level evaluations on Piccolo block cipher against differential, integral and impossible differential attacks by leveraging SAT‐based approaches. For the first time, the authors succeed in identifying optimal differential distinguisher on 6 rounds in the single key setting, and on 10/12 rounds in the related‐key setting for 80‐bit and 128‐bit keys, respectively. For integral attacks, the authors find integral distinguisher up to 7 rounds. Although the number of attacked rounds is the same as that of the previous attack, the authors find the 56th ordered integral distinguisher, which enable reducing the data complexity for attacks from 2⁶³ to 2⁵⁶. As a result, the authors find the 7‐round impossible differentials which is the same number of rounds as the previous nibble‐wise evaluation.

The authors conducted bit‐level evaluations of the Piccolo block cipher against differential, integral, and impossible differential attacks using SAT‐based approaches. Authors’ work successfully identified the optimal differential distinguisher against differential and related‐key differential attacks. Additionally, the authors discovered the 56th ordered integral distinguisher and obtained rigorous results against impossible attacks.image