Shixiong Zhao,Rui Gu,Haoran Qiu,Tsz On Li,Yuexuan Wang,Heming Cui,Junfeng Yang

DOI: https://doi.org/10.1109/DSN.2018.00033

2018-01-01

Abstract:Just like bugs in single-threaded programs can lead to vulnerabilities, bugs in multithreaded programs can also lead to concurrency attacks. We studied 31 real-world concurrency attacks, including privilege escalations, hijacking code executions, and bypassing security checks. We found that compared to concurrency bugs' traditional consequences (e.g., program crashes), concurrency attacks' consequences are often implicit, extremely hard to be observed and diagnosed by program developers. Moreover, in addition to bug-inducing inputs, extra subtle inputs are often needed to trigger the attacks. These subtle features make existing tools ineffective to detect concurrency attacks. To tackle this problem, we present OWL, the first practical tool that models general concurrency attacks' implicit consequences and automatically detects them. We implemented OWL in Linux and successfully detected five new concurrency attacks, including three confirmed and fixed by developers, and two exploited from previously known and well-studied concurrency bugs. OWL has also detected seven known concurrency attacks. Our evaluation shows that OWL eliminates 94.1% of the reports generated by existing concurrency bug detectors as false positive, greatly reducing developers' efforts on diagnosis. All OWL source code, concurrency attack exploit scripts, and results are available on github.com/hku-systems/owl.

Yufeng Chen,Zhengtao Xiang,Yabo Dong,Dongming Lu

DOI: https://doi.org/10.1109/ical.2008.4636301

2008-01-01

Abstract:Worms not only infect vulnerable hosts, but also occupy a large amount of network bandwidth, which affects the normal operation of the network seriously. To achieve the worm detection and automatic quarantine in real time, a cooperation system of worm detection and quarantine is designed and implemented. The worm detection subsystem is implemented based on Bro and can detect worms in real time with our algorithm, which based on the failure probability of FCC and of heavy-tailed property. The worm quarantine subsystem can quarantine worm hosts automatically with ARP-spoofing. The cooperation between detection subsystem, quarantine subsystem and manager is achieved based on SNMP protocol. The system can be deployed easily with little effect on LAN. Experimental results show that the system can detect and quarantine worm hosts effectively.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Nitin Kanaskar,Remzi Seker,Jiang Bian,Vir V. Phoha

DOI: https://doi.org/10.1109/TSMCC.2012.2208187

2012-01-01

Abstract:Code injection is a common approach which is utilized to exploit applications. We introduce some of the well-established techniques and formalisms of dynamical system theory into analysis of program behavior via system calls to detect code injections into an applications execution space. We accept a program as a blackbox dynamical system whose internals are not known, but whose output we can observe. The blackbox system observable in our model is the system calls the program makes. The collected system calls are treated as signals which are used to reconstruct the system’s phase space. Then, by using the well-established techniques from dynamical system theory, we quantify the amount of complexity of the system’s (program’s) behavior. The change in the behavior of a compromised system is detected as anomalous behavior compared with the baseline established from a clean program. We test the proposed approach against DARPA-98 dataset and a real-world exploit and present code injection experiments to show the applicability of our approach.

L. Sujihelen,Rajasekhar Boddu,S. Murugaveni,Ms. Arnika,Anandakumar Haldorai,Pundru Chandra Shaker Reddy,Suili Feng,Jiayin Qin

DOI: https://doi.org/10.1155/2022/7252791

2022-06-01

Wireless Communications and Mobile Computing

Abstract:Wireless sensor network (WSN) is an emerging technology used in emergency scenarios. There are a number of possible threats to WSNs because they use unsupervised IP addresses. Securing networks with unattended sensors is a real challenge nowadays. Sensor nodes lack power and storage, making them incompatible with normal security checks. It will be vital to make advancements in sensor network architecture and protocol design. There will be more vulnerability to attack if there is a lack of security. Especially, one key attack is node replication which induces the sensor node to acts as an original node, collecting data from the network and sending it to the attacker. In dynamic WSN, detecting an assault is difficult to find replica nodes. Therefore, this paper proposes a Strategic Security System (SSS) to discover replica nodes in static and dynamic distributed WSNs. It is mainly focused on enhancing detection accuracy, time delay, and communication overhead. The present system includes Single Stage Memory Random Walk with Network Division (SSRWND) and a Random-walk-based approach to detect clone attacks (RAWL). The proposed system has less memory and better detection accuracy.

computer science, information systems,telecommunications,engineering, electrical & electronic

Tianning Zang,Xiao-chun Yun,Tianyi Zang,Yongzheng Zhang,Chaoguang Men

DOI: https://doi.org/10.1109/icpads.2010.88

2010-01-01

Abstract:On open digital computing infrastructure, various large-scale and complicated malicious behaviors are increasingly threatening the security of digital computing infrastructure. In this paper, a Cooperative Work Model (CRM) is presented by extending the conceptions of the Universal Turing Machine to deal with the threats. Then the Cooperative Work System Framework (CWSF) is derived from the model. Based on the framework, two practical Cooperative Work Systems (CWSs) are developed to track and analyze the Botnet and DDoS on digital computing infrastructure respectively. The systems collectively use and coordinate various monitoring systems distributed in the back-bone network of the infrastructure. The experimental results of analyzing typical security events show that the framework and systems are efficient and effective to collaboratively use diverse related network systems for monitoring and analyzing the large-scale network events. Currently, the systems are running steadily in the monitoring environment of a large-scale back-bone network.

Yawei Zhang,Xiaojun Ye,Feng Xie,Yong Peng

DOI: https://doi.org/10.1109/CIT.2009.69

2009-01-01

Abstract:Security mechanisms within DBMSs are far from effective to detect and prevent anomalous behavior of applications and intrusions from attackers. In fact, intrusions executed by unauthorized users to explore system vulnerabilities, and malicious database transactions executed by authorized users, both cannot be detected and prevented by typical security mechanisms. In this paper we proposed a database intrusion detection system architecture based on the database communication content detection mechanism. Implementation strategies for main components are detailed. Besides, we investigate several critical intrusion detection approaches used in the practice.

Dong Yongle,Qian Jun,Shi Meilin

DOI: https://doi.org/10.1109/CCECE.2003.1226031

2003-01-01

Abstract:Widespread attacks involving multiple hosts/networks happen more frequently as internetworking among computer systems via the Internet becomes more widely and keeps rapid increase. Due to lack of information, it can be quite difficult for conventional intrusion detection systems to identify such attacks in progress. Cooperative intrusion detection, on the basis of information sharing, is proved as a necessary measure to detect widespread attacks by other researcher D. Frincke (2000), Polla, D. et al., (1998). This paper presents a cooperative approach for intrusion detection that provides a method for individual ID components working cooperatively to perform concerted detections. Being constructed on the basis of ID components, CoIDS can adopt both existed (usually more mature) and new ID techniques. This makes CoIDS extensible and scalable. In addition, an ID component is essentially an autonomous agent, which makes CoIDS available with certain loss of functionality even when the intrusion detection manager does not work. Its reliability is also improved because failure of one ID component will not cause any other to stop working. Furthermore, it improved the accuracy of detection for conventional intrusions by validating analysis result with data from different ID components.

Dalin He,Huanyu Wang,Tuo Deng,Jishi Liu,Junnian Wang

DOI: https://doi.org/10.1016/j.cose.2024.104135

IF: 5.105

2024-09-27

Computers & Security

Abstract:The widespread deployment of IIoT edge devices makes them attractive victims for malicious activities. Consequently, how to implement trustworthy operations becomes a realistic topic in embedded systems. While most current physical systems for detecting malicious activities primarily focus on identifying known intrusion codes at the block level, they ignore that even an unnoticeable injected function can result in system-wide loss of security. In this paper, we propose a framework called CNDSW built on deep-learning side-channel analysis for function-level industrial control flow integrity monitoring. By collaboratively utilizing correlation analysis and deep-learning techniques, the dual window sliding monitoring mechanism in the proposed CNDSW framework demonstrates a real-time code intrusion tracking capacity on embedded controllers with a 99% detection accuracy on average. Instead of focusing on known block-level intrusions, we experimentally show that our model is feasible to detect function-level code intrusions without knowing the potential threat type. Besides, we further explore how different configurations of the CNDSW framework can help the monitoring process with different emphases and to which extent the model can concurrently detect multiple code intrusion activities. All our experiments are conducted on 32-bit ARM Cortex-M4 and 8-bit RISC MCUs across five different control flow programs, providing a comprehensive evaluation of the framework's capabilities.

computer science, information systems

Jaydip Sen

DOI: https://doi.org/10.48550/arXiv.1111.0382

2011-11-02

Cryptography and Security

Abstract:The current intrusion detection systems have a number of problems that limit their configurability, scalability and efficiency. There have been some propositions about distributed architectures based on multiple independent agents working collectively for intrusion detection. However, these distributed intrusion detection systems are not fully distributed as most of them centrally analyze data collected from distributed nodes which may lead to a single point of failure. In this paper, a distributed intrusion detection architecture is presented that is based on autonomous and cooperating agents without any centralized analysis components. The agents cooperate by using a hierarchical communication of interests and data, and the analysis of intrusion data is made by the agents at the lowest level of the hierarchy. This architecture provides significant advantages in scalability, flexibility, extensibility, fault tolerance, and resistance to compromise. A proof-of-concept prototype is developed and experiments have been conducted on it. The results show the effectiveness of the system in detecting intrusive activities.

Wenbo Dai,Shengyu Li,Li Lu,Yalan Ye,Fanjun Meng,Dashun Zhang

DOI: https://doi.org/10.1109/iciba52610.2021.9688212

2021-01-01

Abstract:The attacks and defenses in industrial control system(ICS) security has been in an asymmetrical situation. Due to the closeness, specificity and complexity of ICS, it has more vulnerabilities and deeper hidden backdoors. The traditional “remedy” type of defense is difficult to prevent increasingly complex attack methods. Starting from the attack chain model, this paper analyzes shortcomings of traditional ICS defense technology, and proposes an ICS security system structure based on mimic defense. Digital twin technology is used to build executive entities of mimic defense model, and increase the dynamic and heterogeneity of ICS. The system structure based on mimic defense has better protection against unknown vulnerabilities, and reduces the probability of being attacked successfully, improve the ICS's ability to withstand attacks through endogenous security at the system level, and alleviate the passive and lagged situation of ICS defense.

Wenyan Liu,Fucai Chen,Hongchao Hu,Guozhen Cheng,Shumin Huo,Hao Liang

DOI: https://doi.org/10.1109/cyberc.2017.39

2017-10-01

Abstract:In cyberspace, unknown zero-day attacks can bring safety hazards. Traditional defense methods based on signatures are ineffective. Based on the Cyberspace Mimic Defense (CMD) architecture, the paper proposes a framework to detect the attacks and respond to them. Inputs are assigned to all online redundant heterogeneous functionally equivalent modules. Their independent outputs are compared and the outputs in the majority will be the final response. The abnormal outputs can be detected and so can the attack. The damaged executive modules with abnormal outputs will be replaced with new ones from the diverse executive module pool. By analyzing the abnormal outputs, the correspondence between inputs and abnormal outputs can be built and inputs leading to recurrent abnormal outputs will be written into the zero-day attack related database and their reuses cannot work any longer, as the suspicious malicious inputs can be detected and processed. Further responses include IP blacklisting and patching, etc. The framework also uses honeypot like executive module to confuse the attacker. The proposed method can prevent the recurrent attack based on the same exploit.

Ke Chen,Gang Chen,Jinxiang Dong

DOI: https://doi.org/10.1007/11563952_79

2005-01-01

Abstract:Database intrusion detection has been an important research area in database security. It focuses on malicious transaction attacks, which cannot be handled by traditional database security mechanisms, such as authorization, access control, integrity control, and so on. Although there have appeared some intrusion detection systems, current researches on malicious transaction detection are limited in accuracy and efficiency. Inspired by natural immune system, we propose a novel immunity-based intrusion detection solution for database system in this paper. It provides an additional layer of defense against DBMS misuse, especially malicious transactions. The ability to learn and to adapt to the environment dynamically entitles the system to detect both known and unknown malicious transaction intrusions efficiently. Simulations show that the database intrusion detection system based on data immunity can accelerate detection of malicious transaction attacks and improve its accuracy without causing any other performance penalty.

Prabhat Kumar,A.K.M. Najmul Islam

2024-09-05

Abstract:Enterprise industrial networks face threats that risk data and operations. However, designing efficient threat detection system is challenging due to data scarcity, especially where privacy is a concern. The complexity of enterprise industrial network data adds to this challenge, causing high false positives and interpretation issues. Towards this, we use IS computational design science paradigm to develop a two-stage cyber threat detection system for enterprise-level IS that are both secure and capable of adapting to evolving technological and business environments. The first stage generates synthetic industrial network data using a modified generative adversarial network. The second stage develops a novel bidirectional gated recurrent unit and a modified attention mechanism for effective threat detection. We also use shapley additive explanations and a decision tree technique for enhancing interpretability. Our analysis on two public datasets shows the frameworks high precision in threat detection and offers practical cybersecurity solutions and methodological advancements.

Cryptography and Security

Zeyu Yang,Liang He,Hua Yu,Chengcheng Zhao,Peng Cheng,Jiming Chen

DOI: https://doi.org/10.1109/jiot.2022.3164723

IF: 10.6

2022-01-01

IEEE Internet of Things Journal

Abstract:Programmable logic controllers (PLCs), i.e., the core of control systems, are well-known to be vulnerable to a variety of cyber attacks. To mitigate this issue, we design PLC-Sleuth, a novel noninvasive intrusion detection/localization system for PLCs, which is built on a set of control invariants—i.e., the correlations between sensor readings and the concomitantly triggered PLC commands—that exist pervasively in all control systems. Specifically, taking the system's supervisory control and data acquisition log as input, PLC-Sleuth abstracts/identifies the system's control invariants as a control graph using data-driven structure learning, and then monitors the weights of graph edges to detect anomalies thereof, which is in turn, a sign of intrusion. We have implemented and evaluated PLC-Sleuth using both a platform of ethanol distillation system (EDS) and a realistically simulated Tennessee Eastman (TE) process. The results show that PLC-Sleuth can: 1) identify control invariants with 100%/98.11% accuracy for EDS/TE; 2) detect PLC intrusions with 98.33%/0.85 ‰ true/false positives (TPs/FPs) for EDS and 100%/0% TP/FP for TE; and 3) localize intrusions with 93.22%/96.76% accuracy for EDS/TE.

computer science, information systems,telecommunications,engineering, electrical & electronic

Amod Pandit,R Joe Stanley,Bruce McMillin

Abstract:Intrusion detection systems (IDS) attempt to address the vulnerability of computer-based systems for abuse by insiders and to penetration by outsiders. An IDS is required to examine an enormous amount of data generated by computer networks to assist in the abuse detection process. Thus, there is a need to develop automated tools that address these requirements to assist system operators in the detection of violations of existing security policies. In this research, an automated IDS is proposed for insider threats in a distributed system. The proposed IDS functions as an anomaly detector for insider system operations based on the analysis of the system's log files. The approach integrates dynamic programming and adaptive resonance theory (ART1) clustering. The integrated approach aligns sequences of log events with prototypical sequences of events for performing tasks and classifies the aligned sequences for intrusion detection. The system examined for this research is a Boots System for controlling the movement of boots from one place to another under specific security restrictions related to the boot orders. We present the proposed model, the results achieved and the analysis of an implemented prototype.

Mingxi Li,Yan Xiong,Wenchao Huang,Xiancun Zhou,Xuangou Wu

DOI: https://doi.org/10.2991/iccsee.2013.257

2013-01-01

Abstract:Wireless sensor networks (WSNs) consist of a large number of sensor nodes which are deployed without selfdefense capability. The node replication attack is a specific attack mode to WSN and the detection of node replication attacks in WSNs became a fundamental problem. In this paper, we proposed a range-assisted distributed protocol (RADP) to detect node replication attacks in WSNs. The contributions of this work are threefold. First, we showed that the known solutions do not completely meet our requirements. Second, we tried to use wireless ranging information to detect node replication attacks. Third, we proposed a novel protocol for the detection of node replication attacks and Extensive theoretical analysis and experiment verified that it can maintain a high detection probability with low accuracy ranging among nodes. Keywords-wireless sensor networks; replication attacks; detection protocol; range-assisted.

Ruey-Maw Chen,Kuo-Ta Hsieh

DOI: https://doi.org/10.1002/dac.1289

2011-06-01

International Journal of Communication Systems

Abstract:Dependence on the Internet is increasing dramatically. Therefore, many researchers have given great attention to the issue of how to tighten Internet security. This study proposes a new scheme for the distributed intrusion prevention system (DIPS), in which the concept of ‘union’ is presented for satisfying the increasing requirements of Internet security issues. In this proposed design, the network intrusion detection system (NIDS) applies a misuse detection technique to detect well‐known intrusion behavior on the Internet. Meanwhile, for anomaly detection technique, a tool named ‘Scent’ (a network traffic sniffer) is combined with conditional legitimate probability to reveal previously undiscovered intrusion packets that do not match the intrusion signatures in NIDS. Moreover, blocking distributed denial‐of‐service (DDoS) attacks inside the protected allied network is also covered. To increase the detection accuracy, reduction of false positives and false negatives is also accomplished. Experimental results reveal that the suggested network security system scheme is effective and efficient in resolving the intrusion activity problem of real network environments. Copyright © 2011 John Wiley & Sons, Ltd. In this work, a new system scheme of the allied distributed intrusion prevention system was implemented to meet the increasing Internet security issues. A network intrusion detection system (NIDS) applies misuse detection technique to detect well‐known intrusion behaviors on the Internet. Meanwhile, for anomaly detection technique, a designed tool named ‘Scent’ (a network traffic sniffer) is combined with conditional legitimate probability to find out new intrusion packets that do not match the intrusion signatures in NIDS. Moreover, blocking distributed denial‐of‐service attacks inside the protected allied network is also designed. To increase the detection accuracy, reducing false positive and false negative are also accomplished.

telecommunications,engineering, electrical & electronic

Peng Ning,Sushil Jajodia,X. Sean Wang

2013-01-01

Abstract:Intrusion Detection In Distributed Systems: An Abstraction-Based Approach presents research contributions in three areas with respect to intrusion detection in distributed systems. The first contribution is an abstraction-based approach to addressing heterogeneity and autonomy of distributed environments. The second contribution is a formal framework for modeling requests among cooperative IDSs and its application to Common Intrusion Detection Framework (CIDF). The third contribution is a novel approach to coordinating different IDSs for distributed event correlation.

Guangsong Li,Wei Wang,Keke Gai,Yazhe Tang,Benchao Yang,Xueming Si

DOI: https://doi.org/10.1007/s11265-019-01473-6

2020-04-15

Journal of Signal Processing Systems

Abstract:The long-term existence of various vulnerabilities and backdoors in software and hardware makes security threats of the cyberspace more and more serious. Cyberspace mimic defense tries to use uncertain defense to deal with uncertain threat and construct the risk-controlled information system based on components with security flaws. However, mimic defense system is at a preliminary stage of research. It is necessary to pay more attention to the new theory. This paper further expands the ideas from mimic defense system and proposes a typical framework for the system. Then principles of mimic transformation design are explained. This paper also describes concepts of mimic operator and mimic awareness function. Effectiveness of mimic defense system is showed by simulations of mimic defense web server.