Shunhong Song,Yuliang Lu,Weiwei Cheng,Huan Yuan

DOI: https://doi.org/10.1109/icsps.2010.5555265

2010-01-01

Abstract:Most network attack models have the problem of lacking ablility to describe all types of attack patterns in deltail, with no consideration of attacker's skill and policy. To address the problem, this paper proposes a well-structured model that abstracts the relation between attacker capability and victim vulnerability, the relation between knowledge, resource and capability of attacker. Both these two relations can be used to support automatic correlating of vulnerability exploits to build all the attack paths from the attacker to the target. The basic block of the model is a logical formula called capability, which is used to abstract consistently and precisely all levels of accesses obtained by the attacker in each step of a multistage attack. A flexible extensible language based on Pyke is developed to specify the model and derive inference rules to define logical relations between different capabilities, and a demonstration is given to show how it can be used in security applications such as vulnerability analysis and attack generation.

QIN Junning,HAN Jiajia,ZHOU Sheng,WU Chunming,CHEN Shuangxi,ZHAO Ruoyan,ZHANG Jiangyu

DOI: https://doi.org/10.11959/j.issn.1000-0801.2020143

2020-01-01

Abstract:The unbalanced development status of network security was introduced.The main hazards and the mechanism model of penetration testing were described,and the inherent shortcomings of many existing traditional defense methods were analyzed.However,new method of the mimic defense model makes the attack information obtained invalid by dynamically selecting the executive set and adaptively changing the system composition.The same attack mode is difficult to be maintained or reproduced.Based on the attack chain model,the traditional defensetechnology and mimic defense technology were analyzed and compared,and it was demonstrated that it had a protective role in multiple stages of the attack chain.Finally,the effectiveness and superiority of the mimic defense was verified by experiments,and the model was summarized and prospected.

TIAN Zhi-hong,ZHANG Wei-zhe,ZHANG Yong-zheng,ZHANG Hong-li,LI Yang,JIANG Wei

DOI: https://doi.org/10.3321/j.issn:1000-436x.2007.12.013

2007-01-01

Abstract:To construct attack scenarios and predict intrusion intents automatically,a real-time alert correlation approach based on capability transition model was proposed.By highly abstracting the reasoning evidences,the process complexity is effectively reduced.Experiment results on the DARPA2000 IDS test dataset indicate that the method is effective and efficient.

Daojing He,Sammy Chan,Yan Zhang,Chunming Wu,Bing Wang

DOI: https://doi.org/10.1109/mis.2013.105

IF: 6.744

2014-01-01

IEEE Intelligent Systems

Abstract:Attack-defense models play an important role in the design of cybersecurity systems. Here, the authors review some traditional and prevailing attack-defense models along with their weaknesses. Then, they survey some recently proposed paradigm shifts to these models based on which more effective security strategies can be designed. Further, they provide some suggestions on how to adopt the new models, and present challenges that need to be addressed in this field.

Song XIONG,Jun ZHOU,Wei-jun HU

DOI: https://doi.org/10.3969/j.issn.1002-0640.2014.06.038

2014-01-01

Abstract:With complexity and diversity of the attack and defense simulation entities,higher level modeling method is requested for the current distributed simulation system. The conceptual model is selected as the interaction tool for different personnel and platforms. The definition of Conceptual Model of Attack and Defense (CMAD)is proposed based on the analysis of countermeasure simulation demand,and the CMAD based simulation framework and incorporate modeling process are studied. For being applied to HLA simulation,the design and key methods of CMAD assistant development tools are researched. The application value is proved with an instance of air-surface countermeasure simulation.

Sung -Do Chi,Jong Sou Park,Ki -Chan Jung,Jang -Se Lee

DOI: https://doi.org/10.1007/3-540-47719-5_26

2001-01-01

Abstract:The major objective of this paper is to develop the network security modeling and cyber attack simulation that is able to classify threats, specify attack mechanisms, verify protection mechanisms, and evaluate consequences. To do this, we have employed the advanced modeling and simulation concepts such as System Entity Structure / Model Base framework, DEVS (Discrete Event System Specification) formalism, and experimental frame concept underlying the object-oriented S/W environment. Our approach is to show the difference from others in that (i) it supports a hierarchical and modular modeling environment, (ii) it generates the command-level behavior of cyber attack scenario, (iii) it provides an efficient model building environment based on the experimental frame concept, and (iv) it supports the vulnerability analysis of given node on the network. Simulation test performed on sample network system will illustrate our techniques.

CHEN Chun-xia,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1001-3695.2005.07.040

2005-01-01

Abstract:It needs to further investigate t echnology of network attack to protect the network security. Attack models can help in describing and analyzing the course of attack structurely and effectively, further more, they can help in sharing the security knowledge and improving the efficiency of attack detectio n and security prediction. This article analyzes and compares several attack mod els in common use at present,and then prospects the future directions of attack model research in the end.

Zhijie Liu,Chongjun Wang,Shifu Chen

DOI: https://doi.org/10.1109/ISA.2008.11

2008-01-01

Abstract:Most cyber-attacks are not single attack actions. They are multi-step attacks composed by a set of attack actions. Although techniques used by attackers can be diverse, attack patterns are generally finite. So we need to find attack steps that are correlated in an attack scenario. By studying the patterns of multi-step cyber attacks, an algorithm is presented for correlating multi-step cyber attacks and constructing attack scenario system based on modeling multi-step cyber attacks. When alerts appear, the algorithm turns them into corresponding attack models based on the knowledge base and correlates them, whether alert or not is based on the weighted cost in the attack path graph and the attack degree of the corresponding host. And attack scenarios can be constructed by correlating the attack path graphs. Moreover, the model can detect intrusion alerts in real time and revise the attack scenarios. Experiments on the DARPA IDS test dataset show the validity of the algorithm.

Safaa O. Al-mamory,Hongli Zhang,Ayad R. Abbas

DOI: https://doi.org/10.1109/IJCNN.2008.4633994

2008-01-01

Abstract:The Intrusion detection system (IDS) is a security technology that attempts to identify network intrusions. Defending against multistep intrusions which prepare for each other is a challenging task. In this paper, the Context-Free Grammar (CFG) was used to describe the multistep attacks using alerts classes. Based on the CFGs, the modified LR parser was employed to generate the parse trees of the scenarios presented in the alerts. Instead of searching all the received alerts for those that prepare for a new alert, we only search for the latest alertpsilas type of each scenario. Consequently, the proposed system has an attractive time complexity. The experiments were performed on two different sets of network traffic traces, using different open-source and commercial IDSs. The detected scenarios are represented by Correlation Graphs (CGs). The experimental results show that the CFG can describe multistep attacks explicitly and the modified LR parser, based on the CFG, can construct scenarios successfully.

Zhang Lianhua,Zhang Jie,Bai Yingcai

DOI: https://doi.org/10.3969/j.issn.1000-386X.2006.08.047

2006-01-01

Abstract:Security model need the feature attributes of the protected information system.For example,alert correlation analysis can evaluate whether the alert is false or not by comparing the attack prerequisite with the configuration information of attacked destination information system.A new information system model from the security view is proposed in this paper,which include both the static structure and dynamic activity.The model incorporates the present related information model such as NERD,Netmap etc.and,more inportantly,it provides a bridge between the security theory research and engineering practice.

Zhang Hengwei,Yang Haopu,Wang Jindong,Li Tao

DOI: https://doi.org/10.14257/ijsia.2017.11.1.17

2017-01-01

International Journal of Security and Its Applications

Abstract:In order to correctly analyze the multi-step attack and comprehensively assess the network security situation, a multistep attack-oriented assessing method of network security situation is proposed. The security events are clustered into different attack scenarios for identifying attackers. Based on the causal correlation between every attack scenario, the attack traces and attack phase can be distinguished. Finally, the quantitative criterion is established to realize the assessment of network security situation. Two network attack and defense experiments are used to verify the correctness and effectiveness, and the result shows the proposed method can truly depict the actual attack.

Nurbol,XIE Nan-nan,LIU Zhi-yu,HU Liang,CHAI Sheng

DOI: https://doi.org/10.3969/j.issn.0372-2112.2013.06.010

2013-01-01

Abstract:In network intrusion detection ,the modes of attack are more and more complex and diversified .Network multi-stage attack has been the main form of current attack .Intelligent planning was used in artificial intelligence ,makes the fields knowl-edge as planning domain ,and the issues to be solved as planning problems .In this paper ,intelligent planning was used in recognition of multi-stage attack ,and based on this ,a multi-stage planning problem recognize model was proposed ,in order to provide an useful exploration of network attack data formal description .The model is described in PDDL ,and evaluation shows the proposed model have well availability .

Sipei Zhou,Yiliang Tang,Yiwen Wu,Yunkai Wei,Supeng Leng

DOI: https://doi.org/10.1109/icct46805.2019.8947089

2019-01-01

Abstract:In confronting communication environments, the attackers can tamper with messages and consequently deceive the receivers as long as the malicious actions are not recognized. Although numerous works have been done to alleviate the damage of such threat, no special model has been formed to demonstrate the accurate capability bounds of the attackers and defenders in such confrontations so far. Inspired by this problem as well as the Shannon channel capacity model, this paper converts the confronting capability problems into channel capacity issues, and forms the capability models for both the attackers in information deceiving and the receivers in information achieving. The models, which are rigorously proved, reveal the capability upper bounds of the attackers and the receivers in message tampering confrontations, no matter any specific measures the confronting peers taking. Extensive simulations are implemented and the results verify the effectiveness of the proposed models, which simultaneously indicate the optimal strategies of both the attackers and the receivers.

Xiaohu Li,Shouhuai Xu

2007-01-01

Abstract:Traditional security analyses are often geared towards cryptographic primitives or protocols. Although such analyses are absolutely necessary, they cannot address a defender’s need for insight into which aspects of a networked system have a significant impact on its security, and how to tune its configurations or parameters so as to improve security, against coordinated internal and external attacks. Such insights may only be offered by appropriate theoretic security models, which have long been sought but not much progress has been made. This paper reports our first step towards modeling coordinated internal and external attacks against networked systems.

Weina Niu,Xiaosong Zhang,Guowu Yang,Ruidong Chen,Dong Wang

DOI: https://doi.org/10.1587/transinf.2016inp0007

2017-01-01

IEICE Transactions on Information and Systems

Abstract:Advanced Persistent Threat (APT) is one of the most serious network attacks that occurred in cyberspace due to sophisticated techniques and deep concealment. Modeling APT attack process can facilitate APT analysis, detection, and prediction. However, current techniques focus on modeling known attacks, which neither reflect APT attack dynamically nor take human factors into considerations. In order to overcome this limitation, we propose a Targeted Complex Attack Network (TCAN) model for APT attack process based on dynamic attack graph and network evolution. Compared with current models, our model addresses human factors by conducting a two-layer network structure. Meanwhile, we present a stochastic model based on states change in the target network to specify nodes involved in the procedure of this APT. Besides, our model adopts time domain to expand the traditional attack graph into dynamic attack network. Our model is featured by flexibility, which is proven through changing the related parameters. In addition, we propose dynamic evolution rules based on complex network theory and characteristics of the actual attack scenarios. Finally, we elaborate a procedure to add nodes by a matrix operation. The simulation results show that our model can model the process of attack effectively. key words: attack process modeling, APT, TCAN, complex network theory

Taqwa Ahmed Alhaj,Maheyzah Md Siraj,Anazida Zainal,Inshirah Idris,Anjum Nazir,Fatin Elhaj,Tasneem Darwish

DOI: https://doi.org/10.48550/arXiv.2110.08662

2021-10-17

Abstract:A Network Intrusion Detection System (NIDS) is a network security technology for detecting intruder attacks. However, it produces a great amount of low-level alerts which makes the analysis difficult, especially to construct the attack scenarios. Attack scenario construction (ASC) via Alert Correlation (AC) is important to reveal the strategy of attack in terms of steps and stages that need to be launched to make the attack successful. In most of the existing works, alerts are correlated by classifying the alerts based on the cause-effect relationship. However, the drawback of these works is the identification of false and incomplete correlations due to the infiltration of raw alerts. To address this problem, this work proposes an effective ASC model to discover the complete relationship among alerts. The model is successfully experimented using two types of datasets, which are DARPA 2000, and ISCX2012. The Completeness and Soundness of the proposed model are measured to evaluate the overall correlation effectiveness.

Cryptography and Security

hasan cam,pierre mouallem,yilin mo,bruno sinopoli,benjamin nkrumah

DOI: https://doi.org/10.1109/CogSIMA.2014.6816560

2014-01-01

Abstract:A distributed cyber control system comprises various types of assets, including sensors, intrusion detection systems, scanners, controllers, and actuators. The modeling and analysis of these components usually require multi-disciplinary approaches. This paper presents a modeling and dynamic analysis of a distributed cyber control system for situational awareness by taking advantage of control theory and time Petri net. Linear time-invariant systems are used to model the target system, attacks, assets influences, and an anomaly-based intrusion detection system. Time Petri nets are used to model the impact and timing relationships of attacks, vulnerability, and recovery at every node. To characterize those distributed control systems that are perfectly attackable, algebraic and topological attackability conditions are derived. Numerical evaluation is performed to determine the impact of attacks on distributed control system.

HU Liang,XIE Nan-nan,LIU Zhi-yu,CHAI Sheng

DOI: https://doi.org/10.3969/j.issn.0372-2112.2013.09.013

2013-01-01

Abstract:Multi-stage attacks recognize process have similar relationship with solving intelligent planning problems.Intelligent planning is used in multi-stage attacks recognition, in order to achieve the attack scenarios recognition.A multi-stage attack recognition model based on intelligent planning is proposed, and based on this, a multi-stage attack scenario recognition algorithm is realized.Experiments on DARPA datasets shows this algorithm have acceptable accuracy and completeness rate in multi-stage recognition.

Xin YANG,Hui LI,Jiangxing WU,Peng YI

DOI: https://doi.org/10.1360/ssi-2019-0224

2020-01-01

Abstract:Cyber mimic defenses have recently emerged as a dynamic heterogeneity redundancy architecture, which adjust the asymmetry between defenders and attackers by reconfiguring the system according to the network scenario. Some studies have investigated the effectiveness of security models, however, there is still a lack of convincing and practical methods to assess CMD networks quantitatively. Thus, in this paper, we propose a two-dimension model that calculates those details as a digital result to compare different CMD networks. In addition, the proposed method demonstrates good scalability in different networks. Specifically, in the first dimension, i.e., attacking a single node, we elaborate on system configurations and employ the Generalized Stochastic Petri net model to capture the effectiveness of different behaviors from gamers. To quantify the impacts of those behaviors, we parameterized them using a Poisson process, common vulnerabilities and exposures, and the common vulnerability scoring system. In the second dimension, we adopt Markov chains and the Martingale theory to analyze the attack process along the attack chain. Finally, security metrics and countermeasures under different scenarios are presented to verify the effectiveness of CMD, which provides some guidance for designing future systems with acceptable cost.

Xiaodong Zang,Jian Gong,Xinchang Zhang,Guiqing Li

DOI: https://doi.org/10.1016/j.cose.2023.103420

IF: 5.105

2023-01-01

Computers & Security

Abstract:Nowadays, new-generation threats often use multiple means or perform several steps to intrude into networks and ultimately reach their objective. These new threats have multi-staged, and we can understand their intrusion pattern from the kill-chain defensive model. This paper focuses on fusing heterogeneous threat intelligence collected from security information and event management systems to reconstruct multi-step attack scenarios and discover critical attack paths. However, the need for an agreed-upon vocabulary to represent the heterogeneous threat intelligence makes it difficult to model the attack scenarios accurately and efficiently. Therefore, we devise a heterogeneous threat intelligence fusing approach for real-time reconstruction of the attack scenarios. Firstly, we use structured threat information expression (STIX) to format heterogeneous threat intelligence (TI). We analyze the causal relationship of each heterogeneous threat intelligence and piece them together. Then, we model the multi-stage attack scenario reconstruction as a community discovery problem. We mine the attack scenarios with semantic correlation weight and a community detection algorithm. We finally use the open-source benchmark datasets (DARPA 2000, CICIDS 2017) and the real Internet traffic captured from the China Education Research Network backbone (CERNET) to evaluate our work. Extensive results demonstrate that our proposal can accurately reconstruct multi-step attack scenarios and discover covert C&C channels.