Shangqing Cui,Dongqin Feng

DOI: https://doi.org/10.1109/icpeca56706.2023.10076096

2023-01-01

Abstract:With the application of Internet technologies in the industrial field, industrial control systems (ICS) have the possibility of suffering malicious network attacks. Because ICS is widely used in critical infrastructure, designing attack detection algorithms for it can effectively reduce losses. Many papers have built physical models for cyber-attacks against ICS and the corresponding detection algorithms have been proposed. However, the detection performance can be further improved. This paper establishes the simulation attack on the Tennessee Eastman (TE) process and proposes an improved support vector machine (SVM) method to detect integrity attacks. This algorithm uses contribution plots and recursive feature elimination to select features. Compared with the principal component analysis (PCA) feature extraction, the detection accuracy is improved. After adding system dynamics to the algorithm, the time to detect attacks is advanced.

Wu Yang,Xiao-Chun Yun,Jian-Hua Li

DOI: https://doi.org/10.1007/11610496_114

2006-01-01

Abstract:In recent years, with the rapid development of network technique and network bandwidth, the network attacking events for web servers such as DOS/PROBE are becoming more and more frequent. In order to detect these types of intrusions in the new network environment more efficiently, this paper applies new machine learning methods to intrusion detection and proposes an efficient algorithm based on vector quantization and support vector machine for intrusion detection (VQ-SVM). The algorithm firstly reduces the network auditing dataset by using VQ techniques, produces a codebook as the training example set, and then adopts fast training algorithm for SVM to build intrusion detection model on the codebook. The experiment results indicate that the combined algorithm of VQ-SVM can greatly improve the learning and detecting efficiency of the traditional SVM-based intrusion detection model.

ZHAO Dong-ping,ZHENG Wei-bin,ZHANG De-yun

DOI: https://doi.org/10.3321/j.issn:1000-8608.2005.z1.035

2005-01-01

Abstract:To address the problem of application-level web security,an adaptive intrusion detection system is proposed,which is embedded directly in the Web server.In order to define all the valid requests for anomaly detection and misuse detection,the techniques which observe the clients' access behavior relevancy and adjust their personal policies dynamically are employed.The experiments indicate that the proposed system can not only confirm the valid request but also defend the new attack behavior and detect the old attack event.Based on the proposed method,the detecting rate is over 95.8% under common attack scanning.

Dalia Nashat,Xiaohong Jiang,Michitaka Kameyama

DOI: https://doi.org/10.1587/transcom.e93.b.1113

2010-01-01

IEICE Transactions on Communications

Abstract:The Distributed Denial of Service attack (DDoS) is one of the major threats to network security that exhausts network bandwidth and resources. Recently, an efficient approach Live Baiting was proposed for detecting the identities of DDoS attackers in web service using low state overhead without requiring either the models of legitimate requests nor anomalous behavior. However, Live Baiting has two limitations. First, the detection algorithm adopted in Live Baiting starts with a suspects list containing all clients, which leads to a high false positive probability especially for large web service with a huge number of clients. Second, Live Baiting adopts a fixed threshold based on the expected number of requests in each bucket during the detection interval without the consideration of daily and weekly traffic variations. In order to address the above limitations, we first distinguish the clients activities (Active and Non-Active clients during the detection interval) in the detection process and then further propose a new adaptive threshold based on the Change Point Detection method, such that we can improve the false positive probability and avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted on real Web trace to demonstrate the detection efficiency of the proposed scheme in comparison with the Live Baiting detection scheme.

Jiachen Zhu,Futai Zou

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2019.00079

2019-01-01

Abstract:The existing machine learning algorithms are costly when it comes to retraining the detection model. However, domains used in different types of malicious activities vary a lot depending on their complex purposes. In order to detect malicious domains in large scale traffic data in real time, a modified SVM algorithm (F-SVM) is proposed in this paper. F-SVM draws lessons from the idea of feedback learning, and it is able to solve the problem of insufficient labeled samples and high cost of updating models. Experimental results show that F-SVM algorithm is capable to keep a high precision rate through whole detection process while simple SVM model has a detection fall as the detection process goes on. F-SVM model's high efficiency in updating detection model makes it suitable for online detection.

Daoxin Pan,Wei Bai,Siyu Zhang,Futai Zou

DOI: https://doi.org/10.1109/wicom.2012.6478492

2012-01-01

Abstract:Search Engines not only provides internet users with useful information, but also helps hackers find vulnerable websites to exploit. This paper presents an algorithm that detects malicious queries from search engine traffic. To evaluate our algorithm, we take 3000 queries from Google Hacking Database as seed, and detect malicious queries from Google traffic with a detection rate of 98.7% and a false positive rate of 2.9%. Experimental results show that the algorithm is effective on detecting and preventing latest types of attacks.

Jinran Du,Huajun Chen,Weijie Zhong,Zhen Liu,Aidong Xu

DOI: https://doi.org/10.1109/icsai.2018.8599356

2018-01-01

Abstract:With the rapid spread of wireless networks and 4G networks, the application of mobile intelligent terminals has become more and more widespread. At the same time, there are more and more malicious software for mobile terminals, especially for the Android platform. Aiming at the detection problem of Android malicious code, a dynamic and static combined Android malicious code detection model based on SVM was proposed. Firstly, the dynamic and static features of Android program are extracted. Then, these features were vectored, used for the training and testing of SVM (Support vector machine). As shown in the experiments, the correct detection rate of Android malware is as high as 94.38%, recall rate achieving 98.46%, proved the effectiveness of the method.

Sun Haoliang,Wang Dawei,Zhang Ying

DOI: https://doi.org/10.1109/iccsn.2019.8905286

2019-01-01

Abstract:Nowadays, a major challenge to network security is malicious codes. However, manual extraction of features is one of the characteristics of traditional detection techniques, which is inefficient. On the other hand, the features of the content and behavior of the malicious codes are easy to change, resulting in more inefficiency of the traditional techniques. In this paper, a K-Means Clustering Analysis is proposed based on Adaptive Weights (AW-MMKM). Identifying malicious codes in the proposed method is based on four types of network behavior that can be extracted from network traffic, including active, fault, network scanning, and page behaviors. The experimental results indicate that the AW-MMKM can detect malicious codes efficiently with higher accuracy.

ZHOU Yong-lu,WU Hai-yan,JIANG Dong-xing

DOI: https://doi.org/10.3969/j.issn.1671-0428.2012.05.004

2012-01-01

Abstract:As traditional security techniques fail to protect web applications from attacks,more research has focus on intrusion detection for web applications.Access logs are the most important data source for intrusion detection.However,log files usually contain a huge quantity of records.Without effective methods,it is not feasible for administrator to inspect and locate intrusions.Misuse detection and anomaly detection models have been proposed to solve this problem.This paper conducts intrusion detection over a real web application based on statistical anomaly-based models.The result shows these models can effectively detect attacks like SQL injection.

Li Xu,Zhenxin Zhan,Shouhuai Xu,Keyin Ye

DOI: https://doi.org/10.48550/arXiv.1408.1993

2014-08-09

Abstract:Malicious websites are a major cyber attack vector, and effective detection of them is an important cyber defense task. The main defense paradigm in this regard is that the defender uses some kind of machine learning algorithms to train a detection model, which is then used to classify websites in question. Unlike other settings, the following issue is inherent to the problem of malicious websites detection: the attacker essentially has access to the same data that the defender uses to train its detection models. This 'symmetry' can be exploited by the attacker, at least in principle, to evade the defender's detection models. In this paper, we present a framework for characterizing the evasion and counter-evasion interactions between the attacker and the defender, where the attacker attempts to evade the defender's detection models by taking advantage of this symmetry. Within this framework, we show that an adaptive attacker can make malicious websites evade powerful detection models, but proactive training can be an effective counter-evasion defense mechanism. The framework is geared toward the popular detection model of decision tree, but can be adapted to accommodate other classifiers.

Cryptography and Security,Artificial Intelligence

Xinyu Gong,Huidi Zhu,Ruofan Deng,Fu Wang,Jialiang Lu

DOI: https://doi.org/10.1109/smartcloud.2019.00048

2019-01-01

Abstract:Deep learning (DL) techniques have provided state-of-the-art results for many machine learning tasks. In response to the increasing demand for web security, many researchers have been focusing on applying DL to detect web attacks. However, these works just pay attention to the detection accuracy, not the robustness of the detection model itself. In this paper, we proved that it is possible to generate adversarial web requests by modifying only a few characters of them, which can lead the existing DL based model to wrong predictions. The attackers may take this vulnerability to trigger false positive alarms or even disable the whole detection model. As the defensive measure, we propose to use a combined method of kernel density estimation and model uncertainty estimation to detect these adversaries. Through experiment, we report a ROC-AUC of over 95% of detecting these adversarial web requests.

Tieming Chen,Xuebo Qiu,Zhengqiu Weng,Tiantian Zhu,Mingqi Lv,Keda Sun

DOI: https://doi.org/10.1155/2024/6964759

IF: 1.968

2024-11-08

Security and Communication Networks

Abstract:Anomaly detection is essential to ensuring system security and reliability. As one of the basic techniques in the cyberattack, the existing malicious traffic classification method has been facing diverse challenges such as insufficient samples, poor denoising ability, and weak generalization of the classification model. In this paper, we propose a novel method for detecting malicious HTTP traffic based on a framework (HTTPSmell; it refers to the sniffing of some network attacks launched by exploiting the HTTP protocol.)), and XSS dataset obtained from GitHub that automatically applies a deep learning model with high generalization ability even under a small training dataset. With HTTPSmell, we are able to achieve positive results from a semisupervised model that leverages the unsupervised data augmentation (UDA) and the keywords library avoidance (KLA)‐based data augmentation method that holds higher learning generalization, higher scenario coverage rate, and better detection efficiency in the smaller training samples. Finally, we demonstrate through comprehensive experiments in the realistic enterprise environment that HTTPSmell can achieve an accuracy of 96.77% for identifying complex and advanced cyberattacks, while only maintaining a constant 60 MB of memory and sustaining up to 27 k/s throughput.

computer science, information systems,telecommunications

Xinyu Huang,Yuanming Wu

DOI: https://doi.org/10.1109/jsen.2022.3166601

IF: 4.3

2022-01-01

IEEE Sensors Journal

Abstract:Wireless sensor networks (WSNs) are prone to attack due to open work conditions and broadcast communication. The selective forwarding attack, one of the inner attacks in WSNs, is the hardest attack to detect among denial of service (DoS) attacks. The malicious nodes which launch the selective forwarding attack will drop part of or all the data packets they received. Many proposed detection methods against selective forwarding attacks have low accuracy or high algorithm complexity, especially when the attacker works its way in the network along with several attacks, such as blackhole, wormhole, and Distributed Denial of Service (DDoS). Here, an artificial immune system based on the danger model is established to detect network attacks. To promote detection accuracy and reduce computation, we have proposed a screen-confirm scheme. In the screening phase, the scheme first obtains the danger signals from nodes' energy consumption, forwarding rate, connect duration, transmission frequency, and transmission time, then it screens out the suspected selective forwarding attacks from DoS attacks using a support vector machine (SVM). After that, in the confirming phase, we select an optimal danger threshold and calculate the outputs of the suspected ones, then confirm them by comparing outputs and threshold. The simulation results show that our scheme's missing detection rate (MDR) is close to 1.3% and keeps the false detection rate (FDR) lower than 4.3% when the malicious ratio is 10%. Moreover, compared with other related work, our proposed method offers a lower algorithm complexity.

engineering, electrical & electronic,instruments & instrumentation,physics, applied

Xiao-Feng Wang,Jing-Li Zhou,Sheng-Sheng Yu,Long-Zheng Cai

DOI: https://doi.org/10.1007/11540007_39

2006-01-01

Abstract:HTTP request exploitations take substantial portion of network-based attacks. This paper presents a novel anomaly detection framework, which uses data mining technologies to build four independent detection models. In the training phase, these models mine specialty of every web program using web server log files as data source, and in the detection phase, each model takes the HTTP requests upon detection as input and calculates at least one anomalous probability as output. All the four models totally generate eight anomalous probabilities, which are weighted and summed up to produce a final probability, and this probability is used to decide whether the request is malicious or not. Experiments prove that our detection framework achieves close to perfect detection rate under very few false positives.

Zhengqi Wang,Xiaobing Feng,Yukun Niu,Chi Zhang,Jue Su

DOI: https://doi.org/10.1109/nana.2017.58

2017-01-01

Abstract:Nowadays, with the rapid development of the Internet and the growing network business, the amount of the websites is experiencing an explosive growth and the malicious websites threaten is becoming the biggest threaten in the Internet age. As a result, there have been broad interests in developing systems to detect the malicious web pages before the end users visits those websites. In order to make the detection more and more accurate, the analysis process becomes more and more costly, sometimes even requiring several seconds for a single page. Therefore, performing this analysis on a large set of web pages containing hundreds of millions of samples can be impossible. Our paper proposes a two-step detection system based on machine learning algorithm called TSMWD. The first step of TSMWD provides a fast and reliable large-scale detection on the countless unknown web pages. It can quickly discard the vast majority of benign web pages by using the static analysis techniques based on the modified Naïve-Bayesian classifier and forward the unknown samples to the second-step which can make a quite precise final detection. Due to the 99% web pages in the Internet are benign ones, the system's detection speed can be improved greatly.

Zhenqing Qu,Xiang Ling,Ting Wang,Xiang Chen,Shouling Ji,Chunming Wu

DOI: https://doi.org/10.1109/TIFS.2024.3350911

2024-01-09

Abstract:As the first defensive layer that attacks would hit, the web application firewall (WAF) plays an indispensable role in defending against malicious web attacks like SQL injection (SQLi). With the development of cloud computing, WAF-as-a-service, as one kind of Security-as-a-service, has been proposed to facilitate the deployment, configuration, and update of WAFs in the cloud. Despite its tremendous popularity, the security vulnerabilities of WAF-as-a-service are still largely unknown, which is highly concerning given its massive usage. In this paper, we propose a general and extendable attack framework, namely AdvSQLi, in which a minimal series of transformations are performed on the hierarchical tree representation of the original SQLi payload, such that the generated SQLi payloads can not only bypass WAF-as-a-service under black-box settings but also keep the same functionality and maliciousness as the original payload. With AdvSQLi, we make it feasible to inspect and understand the security vulnerabilities of WAFs automatically, helping vendors make products more secure. To evaluate the attack effectiveness and efficiency of AdvSQLi, we first employ two public datasets to generate adversarial SQLi payloads, leading to a maximum attack success rate of 100% against state-of-the-art ML-based SQLi detectors. Furthermore, to demonstrate the immediate security threats caused by AdvSQLi, we evaluate the attack effectiveness against 7 WAF-as-a-service solutions from mainstream vendors and find all of them are vulnerable to AdvSQLi. For instance, AdvSQLi achieves an attack success rate of over 79% against the F5 WAF. Through in-depth analysis of the evaluation results, we further condense out several general yet severe flaws of these vendors that cannot be easily patched.

Cryptography and Security

Biagio Montaruli,Giuseppe Floris,Christian Scano,Luca Demetrio,Andrea Valenza,Luca Compagna,Davide Ariu,Luca Piras,Davide Balzarotti,Battista Biggio

2024-11-30

Abstract:Many Web Application Firewalls (WAFs) leverage the OWASP Core Rule Set (CRS) to block incoming malicious requests. The CRS consists of different sets of rules designed by domain experts to detect well-known web attack patterns. Both the set of rules to be used and the weights used to combine them are manually defined, yielding four different default configurations of the CRS. In this work, we focus on the detection of SQL injection (SQLi) attacks, and show that the manual configurations of the CRS typically yield a suboptimal trade-off between detection and false alarm rates. Furthermore, we show that these configurations are not robust to adversarial SQLi attacks, i.e., carefully-crafted attacks that iteratively refine the malicious SQLi payload by querying the target WAF to bypass detection. To overcome these limitations, we propose (i) using machine learning to automate the selection of the set of rules to be combined along with their weights, i.e., customizing the CRS configuration based on the monitored web services; and (ii) leveraging adversarial training to significantly improve its robustness to adversarial SQLi manipulations. Our experiments, conducted using the well-known open-source ModSecurity WAF equipped with the CRS rules, show that our approach, named ModSec-AdvLearn, can (i) increase the detection rate up to 30%, while retaining negligible false alarm rates and discarding up to 50% of the CRS rules; and (ii) improve robustness against adversarial SQLi attacks up to 85%, marking a significant stride toward designing more effective and robust WAFs. We release our open-source code at <a class="link-external link-https" href="https://github.com/pralab/modsec-advlearn" rel="external noopener nofollow">this https URL</a>.

Machine Learning,Cryptography and Security

Senhao Wen,Zhiyuan Zhao,Hanbing Yan

DOI: https://doi.org/10.1145/3199478.3199500

2018-03-16

Abstract:We are increasingly relying on HTML(Hypertext Markup Language) web-pages, including online shopping, obtaining information and handling official business, whether on a mobile phone or on a computer. But the underground industry or deliberate attacker has also targeted us. They forges misleading URLs(UniformResourceLocators) and web-pages with various tricky skills which are difficult to identify even for the professionals, so as to steal money, manipulate our devices, monitor our lives. Currently, most of the malicious websites detecting technology is based on features of URLs or Web page elements, which make us feel upset, because it is difficult to extract all the features, and its hysteresis quality make it hard to meet the requirement of tracking the rapid changes of malicious web sites, especially the phishing websites. This paper design a thorough associated analysis model of web-pages using the technology of topic tracking, topic abnormal discovery, web-page visual similarity assessment, web-page structure analyzing, URL analyzing, Internet Resources analyzing and so on, to solve the problem of missing detecting malicious websites, especially with unknown features. The detecting model is able to discover the forged payment web-pages, fake web page which damage the reputation of the relevant organization, personal attack web-pages, tampered web page, web-page trojan, etc. In the meantime, it can track the topic of underground industry and sense the topic evolution. According to our experiments, it is effective and has high accuracy.

Luo Jian,Wang Yijun,Xue Zhi

DOI: https://doi.org/10.3969/j.issn.1000-386x.2013.05.001

2013-01-01

Abstract:In this paper,a dynamic malicious web page detection model is designed and implemented,and based on mining the data of Capture-HPC honeypot logs,the high false-alarm rate problem in honeypot system has been solved.The system converts honeypot logs into operation and data mining sequences,from which the attribution feature information can be extracted effectively by cluster analysis,and be the white and black list of differentiation basis after optimisation.In the paper we validate through an experiment the rationality of the model design and the effectiveness of model in false-alarm reduction.