Shanglin Dai,Yuehan Chi,Zhongwei Qiao,Xiaoyu Ji

DOI: https://doi.org/10.1109/ei250167.2020.9347116

2020-01-01

Abstract:With the development of computer technology, information technology, big data, artificial intelligence, and industrial automation technology, information technology has been widely used in the field of industrial control. However, microgrid terminals generally work in an open environment and have the computing power and wireless communication functions, making them more vulnerable to attacks and threatening the security of the power grid. This paper proposes a method of using message flow to build a safety monitoring model and evaluates it through experiments. We use the external characteristics of network traffic flow to generate the model, that is, the specific content of network traffic is not considered. We validate that it is feasible to detect attacks with a detection accuracy above 95% by using machine learning methods.

Geng-hong LU,Dong-qin FENG

DOI: https://doi.org/10.13195/j.kzyjc.2016.0551

2017-01-01

Abstract:The attacks against the industrial control network have different types and various attack intensity. Under this circumstance, the traditional detection techniques cannot identify the multiple types of attacks effectively, and can not assess the security situations of the industrial control network comprehensively and accurately. Therefore, the industrial control network security situation awareness model is proposed. Firstly, the rule extraction can be done by applying the improved C-SVC algorithm to the multi-sensor data. Then with the application of decision fusion algorithm, the decision-level fusion is completed and the results of situation awareness are procured. The simulation experiment results show that the proposed model and algorithms can distinguish multiple types of attacks effectively, identify the attacks that are launched against the industrial control system accurately, and generate the results of situation awareness.

Genghong Lu,Dongqin Feng

DOI: https://doi.org/10.23919/icif.2018.8455208

2018-01-01

Abstract:Due to the wide implementation of communication networks, industrial control systems are vulnerable to malicious attacks, which could cause potentially devastating results. Adversaries launch integrity attacks by injecting false data into systems to create fake events or cover up the plan of damaging the systems. In addition, the complexity and nonlinearity of control systems make it more difficult to detect attacks and defense it. Therefore, a novel security situation awareness framework based on particle filtering, which has good ability in estimating state for nonlinear systems, is proposed to provide an accuracy understanding of system situation. First, a system state estimation based on particle filtering is presented to estimate nodes state. Then, a voting scheme is introduced into hazard situation detection to identify the malicious nodes and a local estimator is constructed to estimate the actual system state by removing the identified malicious nodes. Finally, based on the estimated actual state, the actual measurements of the compromised nodes are predicted by using the situation prediction algorithm. At the end of this paper, a simulation of a continuous stirred tank is conducted to verify the efficiency of the proposed framework and algorithms.

Sheng Xu,Yongxiang Xia,Hui-Liang Shen

DOI: https://doi.org/10.1109/jsyst.2022.3150576

IF: 4.802

2022-01-01

IEEE Systems Journal

Abstract:In this article, we study how to resist malware attacks in cyber-physical power systems (CPPSs) through cyber protection. A model that incorporates the power flow analysis, the cyber monitoring and control, and the factor of cyber protection is proposed to simulate malware attacks in CPPSs. Meanwhile, an evaluation method is also developed to estimate the effectiveness of different cyber protection strategies. Through simulations, we conduct case studies in a test CPPS generated by coupling the IEEE 118 Bus System with a scale-free communication network. The protection effects of three heuristic cyber protection strategies, namely, target protection, random protection, and acquaintance protection are compared and analyzed. Simulation results reveal that compared with the other two strategies, target protection can suppress malware propagation and resist malware attacks more effectively. Moreover, we also investigate the optimal cyber protection problem in CPPSs and formulate it as a zero-one integer programming problem. We solve the problem by genetic algorithm and find that some low-degree cyber nodes also play a significant role in resisting malware attacks in CPPSs, especially when the protection budget is tight.

Wei Yang,Chao Liu,Hongwei Yan,Yu Yao,F. Yan,M. Li,X. Hou,Y. Long

DOI: https://doi.org/10.1051/e3sconf/202452201039

2024-05-07

E3S Web of Conferences

Abstract:With the development of digitalization, industrial control network have more connections and open to external network, which breaks their "isolation" from Internet and makes them more vulnerable to be attacked especially by malicious code. To model and analyze the impact of different containment strategies for attacks by malicious code in the industrial control network, the SUIQMR model is established to simulate malicious code propagation. Since the industrial control network is often coupled with Internet, industrial control coupling network is also considered in the SUIQMR model and the containment strategies of quarantine,benign worms and honeypot are added into the model to evaluate their effect against malicious code propagation.The simulation results show the effectiveness of our model.

Chuan Sheng,Yu Yao,Qiang Fu,Wei Yang

DOI: https://doi.org/10.1016/j.comnet.2020.107677

IF: 5.493

2021-02-01

Computer Networks

Abstract:<p>Supervisory Control and Data Acquisition (SCADA) systems are becoming increasingly susceptible to the sophisticated and targeted cyber attacks which are typically carried out by exploiting the vulnerabilities of industrial control devices or protocols. However, most of the existing network intrusion detection methods only focus on detecting and characterizing cyber attacks against the SCADA system, but cannot fully describe their real impact on the system. In this paper, we propose a cyber-physical model for the SCADA system to detect intrusions from the SCADA network and evaluate their risk levels against the industrial process. The model aims at characterizing the network structure and industrial process of the SCADA system through extracting and correlating the communication patterns and states of ICS devices. And any violation of the model is considered abnormal behavior, which can be caused by false operation or network attacks. Through associating network intrusions with the status of the SCADA system, a risk assessment method is proposed to estimate the potential damage degree of the attack on the system, which provides network administrators with richer information about network attacks. Moreover, the comprehensive performance evaluation conducted on public SCADA network data sets shows that the proposed method outperforms the existing methods in detecting and analyzing various cyber attacks against the SCADA system.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Guowen Wu,Yanchun Zhang,Hong Zhang,Shoujian Yu,Shui Yu,Shigen Shen

DOI: https://doi.org/10.1016/j.adhoc.2024.103504

IF: 4.816

2024-04-10

Ad Hoc Networks

Abstract:Industrial Internet of Things (IIoT) is a product of deep integration between Internet of Things (IoT) and industrial control networks. As an important component of IIoT, Programmable Logic Controller (PLC) has become a springboard for many hackers to disrupt industrial networks by spreading viruses. It's known that worm can cause enormous loss. Therefore, revealing the rules of worm spread in PLC networks and exploring methods to inhibit worm spread are increasingly important. To this end, we propose a new worm spread model named SIHQR with time delay. Additionally, we establish a game model between susceptible and infected nodes in order to express the infection rate by several game parameters. Through analysis, we discuss the conditions for the emergence of three scenarios: disease-free equilibrium, endemic equilibrium and Hopf bifurcation. We study the stability at the equilibrium points and obtain an expression for a threshold value which determines whether the system exhibits endemic equilibrium or Hopf bifurcation. In the experimental section, we analyze the impact of initial values of node states and the magnitude of game parameters on worm spread in the three aforementioned scenarios. Finally, we propose a method to mitigate or even eliminate the Hopf bifurcation. The experimental results show that the proposed model has welldone performance.

computer science, information systems,telecommunications

Xiangjun Meng,Zhifeng Zhao,Rongpeng Li,Honggang Zhang

DOI: https://doi.org/10.1109/wcsp.2017.8171066

2017-01-01

Abstract:Honeynet is deployed to trap attackers and learn their behavior patterns and motivations. Conventional honeynet is implemented by dedicated hardware and software. It suffers from inflexibility, high CAPEX and OPEX. There have been several virtualized honeynet architectures to solve those problems. But they lack a standard operating environment and common architecture for dynamic scheduling and adaptive resource allocation. Software Defined Security (SDS) framework has a centralized control mechanism and intelligent decision making ability for different security functions. In this paper, we present a new intelligent honeynet architecture based on SDS framework. It implements security functions over Network Function Virtualization Infrastructure (NFVI). Under uniform and intelligent control, security functional modules can be dynamically deployed and collaborated to complete different tasks. It migrates resources according to the workloads of each honeypot and power off unused modules. Simulation results show that intelligent honeynet has a better performance in conserving resources and reducing energy consumption. The new architecture can fit the needs of future honeynet development and deployment.

Yongkang Huang,Hongxia Chen

Abstract:This paper mainly studies computer virus propagation models in networks based on the stability and control. The method of this study is through the learning of computer virus emergence, infection and transmission characteristics from the essence to proceed with further discussion and exploration. Then from the perspective of the stability and control, qualitative analysis is carried out and corresponding coping strategies are put forward to deal with the current three common types of the infection and spread of computer viruses in networks. Through the theoretical knowledge and the study of infection and transmission correlation mechanism about network virus control in different types of networks, two kinds of computer virus infection and spread models are built. The first is SIS Model, and the second is SIR Model. Then the two models will be deeply analyzed and explored through building mathematical models, and the two kinds of computer virus infection and spread models are compared and analyzed scientifically based on in-depth analysis. And that is very important for coping with computer virus control popular in network at present.

Computer Science,Engineering

Shouhuai Xu,Wenlian Lu,Li Xu,Zhenxin Zhan

DOI: https://doi.org/10.1145/2555613

2014-01-01

ACM Transactions on Autonomous and Adaptive Systems

Abstract:Theoretical modeling of computer virus/worm epidemic dynamics is an important problem that has attracted many studies. However, most existing models are adapted from biological epidemic ones. Although biological epidemic models can certainly be adapted to capture some computer virus spreading scenarios (especially when the so-called homogeneity assumption holds), the problem of computer virus spreading is not well understood because it has many important perspectives that are not necessarily accommodated in the biological epidemic models. In this article, we initiate the study of such a perspective, namely that of adaptive defense against epidemic spreading in arbitrary networks. More specifically, we investigate a nonhomogeneous Susceptible-Infectious-Susceptible (SIS) model where the model parameters may vary with respect to time. In particular, we focus on two scenarios we call semi-adaptive defense and fully adaptive defense, which accommodate implicit and explicit dependency relationships between the model parameters, respectively. In the semi-adaptive defense scenario, the model’s input parameters are given; the defense is semi-adaptive because the adjustment is implicitly dependent upon the outcome of virus spreading. For this scenario, we present a set of sufficient conditions (some are more general or succinct than others) under which the virus spreading will die out; such sufficient conditions are also known as epidemic thresholds in the literature. In the fully adaptive defense scenario, some input parameters are not known (i.e., the aforementioned sufficient conditions are not applicable) but the defender can observe the outcome of virus spreading. For this scenario, we present adaptive control strategies under which the virus spreading will die out or will be contained to a desired level.

Shouhuai Xu,Wenlian Lu,Li Xu,Zhenxin Zhan

DOI: https://doi.org/10.1145/2555613

2014-01-01

Abstract:Theoretical modeling of computer virus/worm epidemic dynamics is an important problem that has attracted many studies. However, most existing models are adapted from biological epidemic ones. Although biological epidemic models can certainly be adapted to capture some computer virus spreading scenarios (especially when the so-called homogeneity assumption holds), the problem of computer virus spreading is not well understood because it has many important perspectives that are not necessarily accommodated in the biological epidemic models. In this article, we initiate the study of such a perspective, namely that of adaptive defense against epidemic spreading in arbitrary networks. More specifically, we investigate a nonhomogeneous Susceptible-Infectious-Susceptible (SIS) model where the model parameters may vary with respect to time. In particular, we focus on two scenarios we call semi-adaptive defense and fully adaptive defense, which accommodate implicit and explicit dependency relationships between the model parameters, respectively. In the semi-adaptive defense scenario, the model’s input parameters are given; the defense is semi-adaptive because the adjustment is implicitly dependent upon the outcome of virus spreading. For this scenario, we present a set of sufficient conditions (some are more general or succinct than others) under which the virus spreading will die out; such sufficient conditions are also known as epidemic thresholds in the literature. In the fully adaptive defense scenario, some input parameters are not known (i.e., the aforementioned sufficient conditions are not applicable) but the defender can observe the outcome of virus spreading. For this scenario, we present adaptive control strategies under which the virus spreading will die out or will be contained to a desired level.

Guowen Wu,Lanlan Xie,Hong Zhang,Jianhua Wang,Shigen Shen,Shigen Shen,Shui Yu

DOI: https://doi.org/10.1016/j.jnca.2023.103608

IF: 7.574

2023-05-01

Journal of Network and Computer Applications

Abstract:Social Internet of Things (SIoT) with deep integration of Internet of Things and social networks has become a target of a large number of hackers who attempt to spread viruses for breaching data confidentiality and service reliability. Therefore, exposing the law of virus spread with social characteristics and addressing historical dependence of infection and recovery rates in an SIoT are urgent problems to be solved at present. To this end, we propose a novel virus spread model (STSIR) based on an epidemic theory's analysis framework and individual-group game theory, which more reasonably describes viruses spread among devices considering people behavior. Aiming at the characteristics of SIoTs including limited social distance and dynamic number variation of people and devices, we adopt and improve the traditional epidemic model SIR to reveal the form of viruses continuously spreading to neighbor nodes. We then introduce an individual-group game to establish the attack and defense model between infected SIoT nodes and susceptible SIoT nodes, in order to not only obtain the mixed Nash equilibrium solution by using a payoff matrix but also solve the dependence of the infection and recovery rates on historical experience. Further, we establish differential equations to represent the model STSIR, which are the basis of proving the existence of model equilibrium points and analyzing stability mathematically. Finally, the effectiveness of the model STSIR in curbing virus spread is verified by simulating two equilibrium points. Under the same conditions in an SIoT, the model STSIR reduce viruses by ∼45% more than the model SIS, and saves stabilization time cost by ∼66.7% compared with the model SIR, which proves that the model STSIR is obviously more effective.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Hui Xia,Li Li,Xiangguo Cheng,Chao Liu,Tie Qiu

DOI: https://doi.org/10.1109/jiot.2020.2990365

IF: 10.6

2020-09-01

IEEE Internet of Things Journal

Abstract:The construction of smart cities is the concentrated embodiment of the application of Internet of Things (IoT), which provides a variety of solutions to various problems faced by urban development and urban management. However, the openness, dynamics, and heterogeneity of city IoT increase the risk of attacks, especially the social attributes contained in such systems accelerate virus propagation. To reduce the risk and harm of virus propagation, it is of great significance to analyze the mode and the characteristics of virus propagation. This article proposes a dynamic virus propagation model [i.e., Ignorant- $D{K_{s}}$ – $HN$ -Exposed- $Pvirus$ -Spread-Recover (IDEPSR)], which focuses on two social attributes (i.e., intelligent device's propagation capability and identification ability). First, this article presents a new algorithm (i.e., $D{K_{s}}$ – $HN$ ) to measure the first attribute based on the evidence theory and an improved K-shell method. The $D{K_{s}}$ – $HN$ merges the direct influence of a particular node and the indirect influence of 1-hop neighbors by utilizing the combination rules of the evidence theory. Second, this article proposes a Pvirus method to measure the second attribute based on the social hierarchy theory and the nonnegative matrix factor method. Every -ntelligent device can identify its trust relationship with other devices by using the Pvirus, and then the probability of virus activation lurking in devices can be predicted. Finally, a real data set is used to simulate a social-aware city IoT environment. Convincing experimental results show that the IDEPSR is more reasonable in design and good in performance. The IDEPSR performs better in controlling the virus propagation than the other five models.

computer science, information systems,telecommunications,engineering, electrical & electronic

Linfeng Wu,Wei Ruan,Keda Sun,Liang Chen,Liu Yang,Tingting Ye

DOI: https://doi.org/10.1109/ICNSC52481.2021.9702185

2021-01-01

Abstract:At present, the security situation in the industrial internet is becoming more and more serious. Various threats such as network attacks, malicious code and vulnerability utilization are gradually increasing. Consequently, it is urgent to study industrial threat detection methods. In order to tackle typical network attacks, system vulnerabilities and malicious operations, a real-time intelligent industrial threat detection method is proposed by analyzing the network data in the industrial control system. Particularly, artificial intelligence technique, adversarial sample generation technique and deep learning model are used in the method. Besides, the proposed method is achieved in the real network, and the corresponding industrial threat detection platform is developed. The results show that the developed threat detection platform can detect a variety of typical network attacks, system vulnerabilities, malicious code, etc. At the same time, the platform has good throughput and compatibility and is suitable for the actual industrial environment.

Jinhuan Hou,Fuqiang Ding

DOI: https://doi.org/10.1155/2022/8587906

2022-01-25

Scientific Programming

Abstract:This study analyzes and designs a network security management system based on the K-means algorithm. Through the investigation of network security managers, this article uses structured modeling technology to derive the system’s logical business functions, which are data acquisition function, data analysis function, and post-processing function. This study uses a three-tier architecture to design the system, describes the system data business processing flow, and gives the key flow of the K-means algorithm application. In addition, the system database is designed to provide support for system data processing. This study proposes a dual-network text matching model based on local interactive components. This model composes two modalities of single-modal short text data: a positional structural modal for describing local interactions and a global semantic understanding modal for extracting global semantic information. Two heterogeneous networks are used to extract two modalities. The principle of complementarity of modalities is realized by constructing the differences of each modal. At the same time, through the attention mechanism, the position information of the position structure modal is transferred to the global semantic understanding modal to obtain consistent comprehensive information so as to realize the principle of modal consistency. On this basis, by designing low-order interaction functions and high-order interaction functions, and using long- and short-term memory networks, we have, respectively, improved the position structure modal and global semantic understanding modal. The theoretical analysis and simulation results of the model show that the propagation characteristics of the network worm are completely determined by the threshold R0 required for its existence. When R0 >1, the network worm will become popular even with a small initial infection number; conversely, even if the initial infection machine is large, the network worm will eventually become extinct. The research results of this article also show that the introduction of mobile devices has an important impact on the defense technology of network worms. To curb network worms that use both the network and mobile devices to spread, and to increase the proportion of machines that have never been infected with the virus, the most effective method is to control the number of mobile devices and reduce the possibility of cross-infection between mobile devices and machines. The simulation results show that, regardless of whether dynamic isolation and antivirus software are considered, the local area network-based choke method given in this study can effectively curb intelligent network worms that have slow scanning rates and clear scanning targets. In addition, the choke method presented in this article can determine the choke threshold without affecting the normal network scanning behavior of users in the local area network.

computer science, software engineering

Wei Tang,Hui Yang,Jinxiu Pi

DOI: https://doi.org/10.1155/2024/3943882

IF: 8.993

2024-05-29

International Journal of Intelligent Systems

Abstract:The proliferation of computer viruses has escalated in recent years, posing threats not only to individuals' safety and property but also to societal well‐being. Consequently, effectively curtailing virus spread has become an urgent imperative. To address this issue, our paper introduces a new virus propagation model and associated control strategy. First, diverging from conventional approaches in network virus literature, we propose a susceptible‐latent‐breaking‐out‐recovered‐susceptible (SLBRS) virus propagation model tailored to the topological characteristics of scale‐free networks, thus comprehensively incorporating network structure's impact on virus propagation. Second, we analyze the model's foundational properties, derive the basic reproduction number, and demonstrate the existence and global asymptotic stability of disease‐free equilibrium. Finally, leveraging global stability of the model at the disease‐free equilibrium, we integrate the target immunization strategy (TIS) and the acquaintance immunization strategy (AIS) to devise an optimal control strategy. The paper's findings offer fresh insights into disease‐free equilibrium existence and stability, furnishing a more dependable approach to curbing network virus dissemination. The simulation results demonstrate the persistent presence of network viruses in the absence of control measures and the instability of the disease‐free equilibrium. However, effective control is achieved after implementing immunization measures.

computer science, artificial intelligence

Zakariya Ammar,Ahmad AlSharif

DOI: https://doi.org/10.1145/3301551.3301586

2018-01-01

Abstract:This paper deals with the developing model of a honeynet that depends on the Internet of things (IoT). Due to significant of industrial services, such model helps enhancement of information security detection in industrial domain, the model is designed to detect adversaries whom attempt to attack industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems. The model consists of hardware and software aspects, designed to focus on ICS services that managed remotely via SCADA systems. In order to prove the work of the model, a few of security tools are used such as Shodan, Nmap and others. These tools have been applied locally inside LAN and globally via internet to get proving results. Ultimately, results contain a list of protocols and ports that represent industry control services. To clarify outputs, it contains tcp/udp ports 623, 102, 1025 and 161 which represent respectively IPMI, S7comm, KAMSTRAP and SNMP services.

Mousa Tayseer Jafar,Lu-Xing Yang,Gang Li,Xiaofan Yang

2024-01-20

Abstract:The rapid proliferation of Internet of Things (IoT) devices in recent years has resulted in a significant surge in the number of cyber-attacks targeting these devices. Recent data indicates that the number of such attacks has increased by over 100 percent, highlighting the urgent need for robust cybersecurity measures to mitigate these threats. In addition, a cyber-attack will begin to spread malware across the network once it has successfully compromised an IoT network. However, to mitigate this attack, a new patch must be applied immediately. In reality, the time required to prepare and apply the new patch can vary significantly depending on the nature of the cyber-attack. In this paper, we address the issue of how to mitigate cyber-attacks before the new patch is applied by formulating an optimal control strategy that reduces the impact of malware propagation and minimise the number of infected devices across IoT networks in the smart home. A novel node-based epidemiological model susceptible, infected high, infected low, recover first, and recover complete(SI_HI_LR_FR_C) is established with immediate response state for the restricted environment. After that, the impact of malware on IoT devices using both high and low infected rates will be analyzed. Finally, to illustrate the main results, several numerical analyses are carried out in addition to simulate the real-world scenario of IoT networks in the smart home, we built a dataset to be used in the experiments.

Cryptography and Security

Yanli Liu,Meng Cui

DOI: https://doi.org/10.1007/978-3-030-51431-0_39

2020-07-24

Abstract:Since the new century, with the gradual popularization of computer networks around the world, network security defense methods have become more sophisticated and comprehensive, but they are still unable to defend against increasingly sophisticated and increasingly globalized virus attacks. In the process of network use and promotion, the influence of viruses on the network and hackers’ attacks have become an important factor threatening network security. Especially when people use the Internet to pay funds, remittances and other online financial activities, network security has become a constant topic. Establishing an efficient network security incident response system is of great significance for the network to better play its role. Based on the research of network security monitoring, network attack defense, network data backup and recovery theory and technology, this paper studies the strategy model of network security incident response, and uses relevant theories and methods of software engineering, combined with programming languages, to achieve Related application modules of this model. This article implements a low-cost, high-performance multi-data backup and recovery system that works in conjunction with other security devices and systems in the network. The overall structure and workflow are analyzed and designed to achieve multi-point backup and Fast recovery, efficient synchronization strategy for remote data, etc. The experimental research found that the network security incident response system can effectively reduce the security risk of the internal network, with a security proportion of more than 92%.

Wei Yang,Yu Yao,Tong Zhao,Yao Shan

DOI: https://doi.org/10.1109/TII.2023.3240739

IF: 12.3

2023-10-01

IEEE Transactions on Industrial Informatics

Abstract:Honeypots have proven to be an effective defense method for industrial control systems (ICSs). However, as attacker skills become more sophisticated, it becomes increasingly difficult to develop honeypots that can effectively recognize and respond to such attacks. In this article, we propose a neural network-based ICS honeypot scheme named NeuPot that improves security from two aspects: 1) honeypot interaction; and 2) cyber threats detection capability. NeuPot can respond to attacker requests depending on a specific industrial scenario without constant communication with the ICS and detect malicious traffic. To create this honeypot scheme, a new seq2seq time-series forecast model guided by Huber loss is designed to simulate the long-term changes in actual ICS physical processes. Second, a Modbus honeypot framework is created to react to changes in these ICS physical processes in their interactions with attackers and to capture various cyber threats against the ICS. Further, a novel loss function for industrial protocol-level malicious traffic detection is devised to identify known and unknown threats. According to our experiments, the proposed honeypot scheme is highly effective and outperforms state-of-the-art schemes in terms of interactivity and in detecting cyber threats.

Computer Science,Engineering