Search Results (6)

Search Parameters:
Keywords = log spoofing

14 pages, 911 KB  
Article
ScriptBlock Smuggling: Uncovering Stealthy Evasion Techniques in PowerShell and .NET Environments
by Anthony J. Rose, Scott R. Graham, Christine M. Schubert Kabban, Jacob J. Krasnov and Wayne C. Henry
J. Cybersecur. Priv. 2024, 4(2), 153-166; https://doi.org/10.3390/jcp4020008 - 25 Mar 2024
Cited by 2 | Viewed by 4501
Abstract
The Antimalware Scan Interface (AMSI) plays a crucial role in detecting malware within Windows operating systems. This paper presents ScriptBlock Smuggling, a novel evasion and log spoofing technique exploiting PowerShell and .NET environments to circumvent the AMSI. By focusing on the manipulation of ScriptBlocks within the Abstract Syntax Tree (AST), this method creates dual AST representations, one for compiler execution and another for antivirus and log analysis, enabling the evasion of AMSI detection and challenging traditional memory patching bypass methods. This research provides a detailed analysis of PowerShell’s ScriptBlock creation and its inherent security features and pinpoints critical limitations in the AMSI’s capabilities to scrutinize ScriptBlocks and the implications of log spoofing as part of this evasion method. The findings highlight potential avenues for attackers to exploit these vulnerabilities, suggesting the possibility of a new class of AMSI bypasses and their use for log spoofing. In response, this paper proposes a synchronization strategy for ASTs, intended to unify the compilation and malware scanning processes to reduce the threat surfaces in PowerShell and .NET environments.
(This article belongs to the Special Issue Intrusion, Malware Detection and Prevention in Networks)

17 pages, 7885 KB  
Article
New Acoustic Features for Synthetic and Replay Spoofing Attack Detection
by Linqiang Wei, Yanhua Long, Haoran Wei and Yijie Li
Symmetry 2022, 14(2), 274; https://doi.org/10.3390/sym14020274 - 29 Jan 2022
Cited by 22 | Viewed by 5063
Abstract
With the rapid development of intelligent speech technologies, automatic speaker verification (ASV) has become one of the most natural and convenient biometric speaker recognition approaches. However, most state-of-the-art ASV systems are vulnerable to spoofing attack techniques, such as speech synthesis, voice conversion, and replay speech. Due to the symmetry distribution characteristic between the genuine (true) speech and spoof (fake) speech pair, the spoofing attack detection is challenging. Many recent research works have been focusing on the ASV anti-spoofing solutions. This work investigates two types of new acoustic features to improve the performance of spoofing attacks. The first features consist of two cepstral coefficients and one LogSpec feature, which are extracted from the linear prediction (LP) residual signals. The second feature is a harmonic and noise subband ratio feature, which can reflect the interaction movement difference of the vocal tract and glottal airflow of the genuine and spoofing speech. The significance of these new features has been investigated in both the t-stochastic neighborhood embedding space and the binary classification modeling space. Experiments on the ASVspoof 2019 database show that the proposed residual features can achieve from 7% to 51.7% relative equal error rate (EER) reduction on the development and evaluation set over the best single system baseline. Furthermore, more than 31.2% relative EER reduction on both the development and evaluation set shows that the proposed new features contain large information complementary to the source acoustic features.
(This article belongs to the Section Computer)

15 pages, 2825 KB  
Article
Near-Real-Time IDS for the U.S. FAA’s NextGen ADS-B
by Dustin M. Mink, Jeffrey McDonald, Sikha Bagui, William B. Glisson, Jordan Shropshire, Ryan Benton and Samuel Russ
Big Data Cogn. Comput. 2021, 5(2), 27; https://doi.org/10.3390/bdcc5020027 - 16 Jun 2021
Cited by 6 | Viewed by 7205
Abstract
Modern-day aircraft are flying computer networks, vulnerable to ground station flooding, ghost aircraft injection or flooding, aircraft disappearance, virtual trajectory modifications or false alarm attacks, and aircraft spoofing. This work lays out a data mining process, in the context of big data, to determine flight patterns, including patterns for possible attacks, in the U.S. National Air Space (NAS). Flights outside the flight patterns are possible attacks. For this study, OpenSky was used as the data source of Automatic Dependent Surveillance-Broadcast (ADS-B) messages, NiFi was used for data management, Elasticsearch was used as the log analyzer, Kibana was used to visualize the data for feature selection, and Support Vector Machine (SVM) was used for classification. This research provides a solution for attack mitigation by packaging a machine learning algorithm, SVM, into an intrusion detection system and calculating the feasibility of processing US ADS-B messages in near real time. Results of this work show that ADS-B network attacks can be detected using network attack signatures, and volume and velocity calculations show that ADS-B messages are processable at the scale of the U.S. Next Generation (NextGen) Air Traffic Systems using commodity hardware, facilitating real time attack detection. Precision and recall close to 80% were obtained using SVM.

20 pages, 11228 KB  
Article
Performance Evaluation of IMU and DVL Integration in Marine Navigation
by Gen Fukuda, Daisuke Hatta, Xiaoliang Guo and Nobuaki Kubo
Sensors 2021, 21(4), 1056; https://doi.org/10.3390/s21041056 - 4 Feb 2021
Cited by 23 | Viewed by 8645
Abstract
Global navigation satellite system (GNSS) spoofing poses a significant threat to maritime logistics. Many maritime electronic devices rely on GNSS time, positioning, and speed for safe vessel operation. In this study, inertial measurement unit (IMU) and Doppler velocity log (DVL) devices, which are important in the event of GNSS spoofing or outage, are considered in conventional navigation. A velocity integration method using IMU and DVL in terms of dead-reckoning is investigated in this study. GNSS has been widely used for ship navigation, but IMU, DVL, or combined IMU and DVL navigation have received little attention. Military-grade sensors are very expensive and generally cannot be utilized in smaller vessels. Therefore, this study focuses on the use of consumer-grade sensors. First, the performance of a micro electromechanical system (MEMS)-based yaw rate angle with DVL was evaluated using 60 min of raw data for a 50 m-long ship located in Tokyo Bay. Second, the performance of an IMU-MEMS using three gyroscopes and three accelerometers with DVL was evaluated using the same dataset. A gyrocompass, which is equipped on the ship, is used as a heading reference. The results proved that both methods could achieve less than 1 km horizontal error in 60 min.
(This article belongs to the Special Issue Sensors and System for Vehicle Navigation)

17 pages, 4887 KB  
Article
A Self-Diagnosis Method for Detecting UAV Cyber Attacks Based on Analysis of Parameter Changes
by Elena Basan, Alexandr Basan, Alexey Nekrasov, Colin Fidge, Ján Gamec and Mária Gamcová
Sensors 2021, 21(2), 509; https://doi.org/10.3390/s21020509 - 13 Jan 2021
Cited by 34 | Viewed by 4632
Abstract
We consider how to protect Unmanned Aerial Vehicles (UAVs) from Global Positioning System (GPS) spoofing attacks to provide safe navigation. The Global Navigation Satellite System (GNSS) is widely used for locating drones and is by far the most popular navigation solution. This is because of the simplicity and relatively low cost of this technology, as well as the accuracy of the transmitted coordinates. Nevertheless, there are many security threats to GPS navigation. These are primarily related to the nature of the GPS signal, as an intruder can jam and spoof the GPS signal. We discuss methods of protection against this type of attack and have developed an experimental stand and conducted scenarios of attacks on a drone’s GPS system. Data from the UAV’s flight log were collected and analyzed in order to see the attack’s impact on sensor readings. From this we identify a new method for detecting UAV anomalies by analyzing changes in internal parameters of the UAV. This self-diagnosis method allows a UAV to independently assess the presence of changes in its own subsystems indicative of cyber attacks.

20 pages, 7718 KB  
Article
Performance Characterization of GNSS/IMU/DVL Integration under Real Maritime Jamming Conditions
by Ralf Ziebold, Daniel Medina, Michailas Romanovas, Christoph Lass and Stefan Gewies
Sensors 2018, 18(9), 2954; https://doi.org/10.3390/s18092954 - 5 Sep 2018
Cited by 33 | Viewed by 6273
Abstract
Currently Global Navigation Satellite Systems (GNSSs) are the primary source for the determination of absolute position, navigation, and time (PNT) for merchant vessel navigation. Nevertheless, the performance of GNSSs can strongly degrade due to space weather events, jamming, and spoofing. Especially the increasing availability and adoption of low cost jammers lead to the question of how a continuous provision of PNT data can be realized in the vicinity of these devices. In general, three possible solutions for that challenge can be seen: (i) a jamming-resistant GNSS receiver; (ii) the usage of a terrestrial backup system; or (iii) the integration of GNSS with other onboard navigation sensors such as a speed log, a gyrocompass, and inertial sensors (inertial measurement unit—IMU). The present paper focuses on the third option by augmenting a classical IMU/GNSS sensor fusion scheme with a Doppler velocity log. Although the benefits of integrated IMU/GNSS navigation system have been already demonstrated for marine applications, a performance evaluation of such a multi-sensor system under real jamming conditions on a vessel seems to be still missing. The paper evaluates both loosely and tightly coupled fusion strategies implemented using an unscented Kalman filter (UKF). The performance of the proposed scheme is evaluated using the civilian maritime jamming testbed in the Baltic Sea.
(This article belongs to the Special Issue GNSS and Fusion with Other Sensors)