Search Results (104)

Search Parameters:
Keywords = MITR

38 pages, 701 KB  
Article
A National Maritime Cyber Security Operations Center (M-SOC) Concept
by Aybars Oruc, Sanja Bauk and Jianying Zhou
J. Mar. Sci. Eng. 2026, 14(1), 17; https://doi.org/10.3390/jmse14010017 - 22 Dec 2025
Viewed by 152
Abstract
Digitalization has resulted in ships being equipped with more computerized systems. Even though this transformation has improved navigational safety and operational efficiency, it has also raised cyber security concerns significantly. To address such concerns, this study proposes a national Maritime Cyber Security Operations Center (M-SOC) concept, aiming at protecting vessels against cyber-attacks. The proposed concept was developed by following a SOC-related guideline published by MITRE. Subsequently, the initial draft was evaluated through the Focus Group technique. Thematic Data Analysis was employed to analyze feedback from domain experts. By considering expert input, the draft concept was improved. Consequently, the 11-element recommendation presented in the study contributes to the development of a center capable of detecting and responding to cyber threats targeting ships within a designated sea zone. The operation of M-SOCs is expected to enhance the cyber resilience of the maritime ecosystem at the national level. Full article
(This article belongs to the Section Ocean Engineering)

40 pages, 5920 KB  
Article
A Framework for Budget-Constrained Zero-Day Cyber Threat Mitigation: A Knowledge-Guided Reinforcement Learning Approach
by Mainak Basak and Geon-Yun Shin
Sensors 2026, 26(1), 21; https://doi.org/10.3390/s26010021 - 19 Dec 2025
Viewed by 208
Abstract
Conventional machine-learning-based defenses are unable to generalize well to novel chains of ATT&CK actions. Being inefficient with low telemetry budgets, they are also unable to provide causal explainability and auditing. We propose a knowledge-based cyber-defense framework that integrates ATT&CK constrained model generation, budget-constrained reinforcement learning, and graph-based causal explanation into a single auditable pipeline. The framework formalizes the synthesis of zero-day chains of attacks using a grammar-formalized ATT&CK database and compiles them into the Zeek-aligned witness telemetry. This allows for efficient training of detection using the generated data within limited sensor budgets. The Cyber-Threat Knowledge Graph (CTKG) stores dynamically updated inter-relational semantics between tactics, techniques, hosts, and vulnerabilities. This enhances the decision state using causal relations. The sensor budget policy selects the sensoring and containment decisions within explicit bounds of costs and latency. The inherent defense-provenance features enable a traceable explanation of each generated alarm. Extensive evaluations of the framework using the TTP holdouts of the zero-day instances show remarkable improvements over conventional techniques in terms of low-FPR accuracy, TTD, and calibration. Full article
(This article belongs to the Special Issue Cyber Security and AI—2nd Edition)

24 pages, 3662 KB  
Article
Maritime Industry Cybersecurity Threats in 2025: Advanced Persistent Threats (APTs), Hacktivism and Vulnerabilities
by Minodora Badea, Olga Bucovețchi, Adrian V. Gheorghe, Mihaela Hnatiuc and Gabriel Raicu
Logistics 2025, 9(4), 178; https://doi.org/10.3390/logistics9040178 - 18 Dec 2025
Viewed by 487
Abstract
Background: The maritime industry, vital for global trade, faces escalating cyber threats in 2025. Critical port infrastructures are increasingly vulnerable due to rapid digitalization and the integration of IT and operational technology (OT) systems. Methods: Using 112 incidents from the Maritime Cyber Attack Database (MCAD, 2020–2025), we developed a novel quantitative risk assessment model based on a Threat-Vulnerability-Impact (T-V-I) framework, calibrated with MITRE ATT&CK techniques and validated against historical incidents. Results: Our analysis reveals a 150% rise in incidents, with OT compromise identified as the paramount threat (98/100 risk score). Ports in Poland and Taiwan face the highest immediate risk (95/100), while the Panama Canal is assessed as the most probable next target (90/100). State-sponsored actors from Russia, China, and Iran are responsible for most high-impact attacks. Conclusions: This research provides a validated, data-driven framework for prioritizing defensive resources. Our findings underscore the urgent need for engineering-grade solutions, including network segmentation, zero-trust architectures, and proactive threat intelligence integration to enhance maritime cyber resilience against evolving threats. Full article

34 pages, 9590 KB  
Article
Selecting Feature Subsets in Continuous Flow Network Attack Traffic Big Data Using Incremental Frequent Pattern Mining
by Sikha S. Bagui, Andrew Benyacko, Dustin Mink, Subhash C. Bagui and Arijit Bagchi
Algorithms 2025, 18(12), 795; https://doi.org/10.3390/a18120795 - 16 Dec 2025
Viewed by 144
Abstract
This work focuses on finding frequent patterns in continuous flow network traffic Big Data using incremental frequent pattern mining. A newly created Zeek Conn Log MITRE ATT&CK framework labeled dataset, UWF-ZeekData24, generated using the Cyber Range at The University of West Florida, was used for this study. While FP-Growth is effective for static datasets, its standard implementation does not support incremental mining, which poses challenges for applications involving continuously growing data streams, such as network traffic logs. To overcome this limitation, a staged incremental FP-Growth approach is adopted for this work. The novelty of this work is in showing how incremental FP-Growth can be used efficiently on continuous flow network traffic, or streaming network traffic data, where no rebuild is necessary when new transactions are scanned and integrated. Incremental frequent pattern mining also generates feature subsets that are useful for understanding the nature of the individual attack tactics. Hence, a detailed understanding of the features or feature subsets of the seven different MITRE ATT&CK tactics is also presented. For example, the results indicate that core behavioral rules, such as those involving TCP protocols and service associations, emerge early and remain stable throughout later increments. The incremental FP-Growth framework provides a structured lens through which network behaviors can be observed and compared over time, supporting not only classification but also investigative use cases such as anomaly tracking and technique attribution. And finally, the results of this work, the frequent itemsets, will be useful for intrusion detection machine learning/artificial intelligence algorithms. Full article

64 pages, 12541 KB  
Article
A Game-Theoretic Approach for Quantification of Strategic Behaviors in Digital Forensic Readiness
by Mehrnoush Vaseghipanah, Sam Jabbehdari and Hamidreza Navidi
J. Cybersecur. Priv. 2025, 5(4), 105; https://doi.org/10.3390/jcp5040105 - 26 Nov 2025
Viewed by 646
Abstract
Small and Medium-sized Enterprises (SMEs) face disproportionately high risks from Advanced Persistent Threats (APTs), which often evade traditional cybersecurity measures. Existing frameworks catalogue adversary tactics and defensive solutions but provide limited quantitative guidance for allocating limited resources under uncertainty, a challenge amplified by the growing use of AI in both offensive operations and digital forensics. This paper proposes a game-theoretic model for improving digital forensic readiness (DFR) in SMEs. The approach integrates the MITRE ATT&CK and D3FEND frameworks to map APT behaviors to defensive countermeasures and defines 32 custom DFR metrics, weighted using the Analytic Hierarchy Process (AHP), to derive utility functions for both attackers and defenders. The main analysis considers a non-zero-sum attacker–defender bimatrix game and yields a single Nash equilibrium in which the attacker concentrates on Impact-oriented tactics and the defender on Detect-focused controls. In a synthetic calibration across ten organizational profiles, the framework achieves a median readiness improvement of 18.0% (95% confidence interval: 16.3% to 19.7%) relative to pre-framework baselines, with targeted improvements in logging and forensic preservation typically reducing key attacker utility components by around 15–30%. A zero-sum variant of the game is also analyzed as a robustness check and exhibits consistent tactical themes, but all policy conclusions are drawn from the empirical non-zero-sum model. Despite relying on expert-driven AHP weights and synthetic profiles, the framework offers SMEs actionable, equilibrium-informed guidance for strengthening forensic preparedness against advanced cyber threats. Full article
(This article belongs to the Special Issue Cyber Security and Digital Forensics—2nd Edition)

17 pages, 1615 KB  
Article
APT Attribution Using Heterogeneous Graph Neural Networks with Contextual Threat Intelligence
by Abdirahman Jibril Mead and Abdullahi Arabo
Electronics 2025, 14(23), 4597; https://doi.org/10.3390/electronics14234597 - 24 Nov 2025
Viewed by 565
Abstract
This research proposes a heterogeneous graph neural network (GNN) framework to attribute advanced persistent threat (APT) activity using enriched cyber threat intelligence (CTI). We construct a tripartite graph linking APT groups, contextualised Tactics, Techniques, and Procedures (TTPs), and their Cyber Kill Chain (CKC) stages. TTP nodes are embedded with Sentence-BERT (SBERT) vectors for semantic similarity, while CKC stages provide procedural context. This design captures both behavioural semantics and attack-stage relationships, enabling robust and interpretable attribution. Empirical evaluation on the APTNotes corpus achieves a Macro-F1 score of 0.84 and 85% accuracy, addressing limitations in baselines such as DeepOP (technique prediction without CKC integration) and APT-MMF (no procedural or temporal TTP modelling). The framework is suitable for Security Operations Centres (SOCs), enabling faster and more accurate decision-making during incident response. Overall, the study advances automated and explainable APT attribution for practical SOC deployment. Full article
(This article belongs to the Special Issue AI in Cybersecurity, 2nd Edition)

26 pages, 566 KB  
Article
Relational Framework of Cyberattacks: Empirical Evidence from Multistage Incidents
by Mikel Ferrer-Oliva, José-Amelio Medina-Merodio, José-Javier Martínez-Herraiz and Carlos Cilleruelo-Rodríguez
Sensors 2025, 25(23), 7124; https://doi.org/10.3390/s25237124 - 21 Nov 2025
Viewed by 706
Abstract
The increasing scale and operational complexity of cyberattacks have exposed the limitations of static taxonomies for representing multistage threat scenarios. This study addresses the need for more flexible classification models by proposing a relational taxonomy of cyberattacks grounded in documented incidents. Therefore, the main objective is to propose a relational taxonomy that encodes direct transitions across eight groups in a dependency matrix and a directed graph while preserving traceability to MITRE ATT&CK. The taxonomy was validated by an independent panel of experts who assessed methodological clarity and operational utility. The results reveal consistent transition patterns across groups, delineate reproducible escalation routes, and pinpoint cut-off points linked to specific detection and control activities, providing an operational map of progression and intervention. The conclusions show that the taxonomy clarifies escalation paths, strengthens alignment across security monitoring and incident response functions, threat intelligence workflows and training, and provides an operational structure to manage interdependencies, anticipate escalation and focus monitoring on critical points. Full article

31 pages, 3690 KB  
Article
A Study on Improving the Automatic Classification Performance of Cybersecurity MITRE ATT&CK Tactics Using NLP-Based ModernBERT and BERTopic Models
by Jaehwan Baek, Jeonghoon O, Seungwoo Jeong and Wooju Kim
Electronics 2025, 14(22), 4434; https://doi.org/10.3390/electronics14224434 - 13 Nov 2025
Viewed by 672
Abstract
Cyber Threat Intelligence (CTI) reports are essential resources for identifying the Tactics, Techniques, and Procedures (TTPs) of hackers and cyber threat actors. However, these reports are often lengthy and unstructured, which limits their suitability for automatic mapping to the MITRE ATT&CK framework. This study designs and compares five hybrid classification models that combine statistical features (TF-IDF), transformer-based contextual embeddings (BERT and ModernBERT), and topic-level representations (BERTopic) to automatically classify CTI reports into 12 ATT&CK tactic categories. Experiments using the rcATT dataset, consisting of 1490 public threat reports, show that the model integrating TF-IDF and ModernBERT achieved a micro-precision of 72.25%, reflecting a 10.07-percentage-point improvement in detection precision compared with the baseline. The model combining TF-IDF and BERTopic achieved a micro F0.5 of 67.14% and a macro F0.5 of 63.20%, demonstrating balanced performance across both frequent and rare tactic classes. These findings indicate that integrating statistical, contextual, and semantic representations can improve the balance between precision and recall while enabling clearer interpretation of model outputs in multi-label CTI classification. Furthermore, the proposed model shows potential applicability for improving detection efficiency and reducing analyst workload in Security Operations Center (SOC) environments. Full article

31 pages, 4999 KB  
Article
TrustFed-CTI: A Trust-Aware Federated Learning Framework for Privacy-Preserving Cyber Threat Intelligence Sharing Across Distributed Organizations
by Manel Mrabet
Future Internet 2025, 17(11), 512; https://doi.org/10.3390/fi17110512 - 10 Nov 2025
Viewed by 878
Abstract
The rapid evolution of cyber threats requires intelligence sharing between organizations while ensuring data privacy and contributor credibility. Existing centralized cyber threat intelligence (CTI) systems suffer from single points of failure, privacy concerns, and vulnerability to adversarial manipulation. This paper introduces TrustFed-CTI, a novel trust-aware federated learning framework designed for privacy-preserving CTI collaboration across distributed organizations. The framework integrates a dynamic reputation-based trust scoring system to evaluate member reliability, along with differential privacy and secure multi-party computation to safeguard sensitive information. A trust-weighted model aggregation mechanism further mitigates the impact of adversarial participants. A context-aware trust engine continuously monitors the consistency of threat patterns, authenticity of data sources, and contribution quality to dynamically adjust trust scores. Extensive experiments on practical datasets including APT campaign reports, MITRE ATT&CK indicators, and honeypot logs demonstrate a 22.6% improvement in detection accuracy, 28% faster convergence, and robust resistance to up to 35% malicious participants. The proposed framework effectively addresses critical vulnerabilities in decentralized CTI collaboration, offering a scalable and privacy-preserving mechanism for secure intelligence sharing without compromising organizational autonomy. Full article
(This article belongs to the Special Issue Distributed Machine Learning and Federated Edge Computing for IoT)

66 pages, 4100 KB  
Systematic Review
The Role of Graph Neural Networks, Transformers, and Reinforcement Learning in Network Threat Detection: A Systematic Literature Review
by Thilina Prasanga Doremure Gamage, Jairo A. Gutierrez and Sayan K. Ray
Electronics 2025, 14(21), 4163; https://doi.org/10.3390/electronics14214163 - 24 Oct 2025
Cited by 1 | Viewed by 2433
Abstract
Traditional network threat detection based on signatures is becoming increasingly inadequate as network threats and attacks continue to grow in their novelty and sophistication. Such advanced network threats are better handled by anomaly detection based on Machine Learning (ML) models. However, conventional anomaly-based network threat detection with traditional ML and Deep Learning (DL) faces fundamental limitations. Graph Neural Networks (GNNs) and Transformers are recent deep learning models with innovative architectures, capable of addressing these challenges. Reinforcement learning (RL) can facilitate adaptive learning strategies for GNN- and Transformer-based Intrusion Detection Systems (IDS). However, no systematic literature review (SLR) has jointly analyzed and synthesized these three powerful modeling algorithms in network threat detection. To address this gap, this SLR analyzed 36 peer-reviewed studies published between 2017 and 2025, collectively identifying 56 distinct network threats via the proposed threat classification framework by systematically mapping them to Enterprise MITRE ATT&CK tactics and their corresponding Cyber Kill Chain stages. The reviewed literature consists of 23 GNN-based studies implementing 19 GNN model types, 9 Transformer-based studies implementing 13 Transformer architectures, and 4 RL-based studies with 5 different RL algorithms, evaluated across 50 distinct datasets, demonstrating their overall effectiveness in network threat detection. Full article
(This article belongs to the Special Issue AI-Enhanced Security: Advancing Threat Detection and Defense)

19 pages, 1018 KB  
Article
Fractality and Percolation Sensitivity in Software Vulnerability Networks: A Study of CWE–CVE–CPE Relations
by Iulian Tiță, Mihai Cătălin Cujbă and Nicolae Țăpuș
Appl. Sci. 2025, 15(21), 11336; https://doi.org/10.3390/app152111336 - 22 Oct 2025
Viewed by 438
Abstract
Public CVE feeds add tens of thousands of entries each year, overwhelming patch-management capacity. We model the CWE–CVE–CPE triad and, for each CWE, build count-weighted product co-exposure graphs by projecting CVE–CPE links. Because native graphs are highly fragmented, we estimate graph-distance box-counting dimensions component-wise on the fragmented graphs using greedy box covering on unweighted shortest paths, then assess significance on the largest component of reconnected graphs. Significance is evaluated against degree-preserving nulls, reporting null percentiles, a z-score–based p-value, and complementary KS checks. We further characterise meso-scale organisation via normalized rich-club coefficients and k-core structure. Additionally, we quantify percolation sensitivity on the reconnected graphs by contrasting targeted removals with random failures for budgets of 1%, 5%, 10%, and 20%. This quantification involves tracking changes in largest-component size, average shortest-path length on the LCC, and global efficiency, and an amplification factor at 10%. Our corpus covers the MITRE CWE Top 25; we report high-level summaries for all 25 and perform the deepest null-model and sensitivity analyses on a subset of 12 CWEs selected on the basis of CVE volume. This links self-similar topology on native fragments with rich-club/core organisation and disruption sensitivity on reconnections, yielding actionable, vendor/software-type-aware mitigation cues. Structural indices are used descriptively to surface topological hotspots within CWE-conditioned product networks and are interpreted alongside, not in place of, EPSS/KEV/CVSS severity metrics. Full article
(This article belongs to the Special Issue Novel Approaches for Cybersecurity and Cyber Defense)

15 pages, 848 KB  
Article
Intelligent Detection of Cyber Attack Patterns in Industrial IoT Using Pretrained Language Models
by Yifan Liu, Shancang Li and Sarah Bin Hulayyil
Electronics 2025, 14(20), 4094; https://doi.org/10.3390/electronics14204094 - 18 Oct 2025
Viewed by 732
Abstract
Industrial Internet of Things (IIoT) systems are increasingly exposed to sophisticated and rapidly evolving cyber threats. In response, this work proposes a proactive threat detection framework that leverages pretrained transformer-based language models to identify emerging attack patterns within IIoT ecosystems. This work introduces a transformer-based framework that fine-tunes domain-specific pretrained models (SecBERT, SecRoBERTa, CyBERT), derives potential attack-path patterns from vulnerability–tactic mappings, and incorporates a retrieval-based fallback mechanism. The fallback not only improves robustness under uncertainty, but also provides a practical solution to the absence of labeled datasets linking ICS-specific MITRE ATT&CK tactics with vulnerabilities, thereby filling a key research gap. Experiments show that the fine-tuned models substantially outperform traditional machine learning baselines; SecBERT achieves the best balance while maintaining high inference efficiency. Overall, the framework advances vulnerability-driven threat modeling in IIoT and offers a foundation for the proactive identification of attack patterns. Full article

27 pages, 6866 KB  
Article
Evaluation of Cyberattack Detection Models in Power Grids: Automated Generation of Attack Processes
by Davide Cerotti, Daniele Codetta Raiteri, Giovanna Dondossola, Lavinia Egidi, Giuliana Franceschinis, Luigi Portinale, Davide Savarro and Roberta Terruggia
Appl. Sci. 2025, 15(19), 10677; https://doi.org/10.3390/app151910677 - 2 Oct 2025
Viewed by 642
Abstract
The recent growing adversarial activity against critical systems, such as the power grid, has raised attention on the necessity of appropriate measures to manage the related risks. In this setting, our research focuses on developing tools for early detection of adversarial activities, taking into account the specificities of the energy sector. We developed a framework to design and deploy AI-based detection models, and since one cannot risk disrupting regular operation with on-site tests, we also included a testbed for evaluation and fine-tuning. In the test environment, adversarial activity that produces realistic artifacts can be injected and monitored, and evidence analyzed by the detection models. In this paper we concentrate on the emulation of attacks inside our framework: A tool called SecuriDN is used to define, through a graphical interface, the network in terms of devices, applications, and protection mechanisms. Using this information, SecuriDN produces sequences of attack steps (based on the MITRE ATT&CK project) that are interpreted and executed by software called Netsploit. A case study related to Distributed Energy Resources is presented in order to show the process stages, highlight the possibilities given by our framework, and discuss possible limitations and future improvements. Full article
(This article belongs to the Special Issue Advanced Smart Grid Technologies, Applications and Challenges)

38 pages, 4628 KB  
Article
Towards Optimal Sensor Placement for Cybersecurity: An Extensible Model for Defensive Cybersecurity Sensor Placement Evaluation
by Neal Wagner, Suresh K. Damodaran and Michael Reavey
Sensors 2025, 25(19), 6022; https://doi.org/10.3390/s25196022 - 1 Oct 2025
Viewed by 755
Abstract
Optimal sensor placement (OSP) is concerned with determining a configuration for a collection of sensors, including sensor type, number, and location, that yields the best evaluation according to a predefined measure of efficacy. Central to the OSP problem is the need for a method to evaluate candidate sensor configurations. Despite the wide use of cybersecurity sensors for the protection of network systems against cyber attacks, there is limited research focused on OSP for defensive cybersecurity, and limited research on evaluation methods for cybersecurity sensor configurations that consider both the sensor data source locations and the sensor analytics/rules used. This paper seeks to address these gaps by providing an extensible mathematical model for the evaluation of cybersecurity sensor configurations, including sensor data source locations and analytics, meant to defend against cyber attacks. We demonstrate model usage via a case study on a representative network system subject to multi-step attacks that employ real cyber attack techniques recorded in the MITRE ATT&CK knowledge base and protected by a configuration of defensive cybersecurity sensors. The proposed model supports the potential for adaptation of techniques and methods developed for OSP in other problem domains than the cybersecurity domain. Full article
(This article belongs to the Section Sensor Networks)

21 pages, 12810 KB  
Article
Integrating Multi-Temporal Satellite Data and Machine Learning Approaches for Crop Rotation Pattern Mapping in Thailand
by Jaturong Som-ard, Mohammad D. Hossain, Surasak Keawsomsee, Savittri Ratanopad Suwanlee, Vorraveerukorn Veerachitt, Phattamon Heawchaiyaphum, Akkawat Puntura, Emma Izquierdo-Verdiguier, Markus Immitzer and Clement Atzberger
Remote Sens. 2025, 17(18), 3156; https://doi.org/10.3390/rs17183156 - 11 Sep 2025
Cited by 1 | Viewed by 1629
Abstract
Accurate and timely information regarding the locations and types of crops cultivated is essential for sustainable agriculture and ensuring food security. However, accurately mapping season-specific crop types in tropical and subtropical regions is challenging due to smallholder farms, fragmented fields, predominant clouds, and limited seasonal reference data. To address these limitations, this study employed optical and radar satellite data in conjunction with machine learning algorithms, including Random Forest (RF), Support Vector Machine (SVM), and Gradient Tree Boosting (GBoost), utilizing a large number of reference datasets across crop seasons. To validate the results, extensive field visits were undertaken throughout the year. Our focus centered on two regions in Thailand recognized for their small fields and frequent overcast conditions. Utilizing over 8000 reference points, we mapped 12 crop types in Chaiyaphum province and 13 crop types in Suphan Buri province for three cropping seasons in 2023. The RF algorithm proved to be the most effective, demonstrating superior performance across all seasons in comparison to the other models, achieving an overall accuracy exceeding 85%, with classifications for sugarcane and rice exceeding 90%. The resultant maps identified sugarcane, rice, and cassava as the principal crops in the region. This research exemplifies a methodology for producing highly accurate seasonal crop maps, providing valuable tools for making informed decisions for crop sustainable management, thereby supporting sustainable agriculture practices. Our findings underscore the potential of Earth observation satellites and machine learning algorithms in addressing significant agricultural challenges and facilitating the development of more resilient strategies for food security. Full article