Sheng Xu,Yongxiang Xia,Hui-Liang Shen

DOI: https://doi.org/10.1109/jsyst.2022.3150576

IF: 4.802

2022-01-01

IEEE Systems Journal

Abstract:In this article, we study how to resist malware attacks in cyber-physical power systems (CPPSs) through cyber protection. A model that incorporates the power flow analysis, the cyber monitoring and control, and the factor of cyber protection is proposed to simulate malware attacks in CPPSs. Meanwhile, an evaluation method is also developed to estimate the effectiveness of different cyber protection strategies. Through simulations, we conduct case studies in a test CPPS generated by coupling the IEEE 118 Bus System with a scale-free communication network. The protection effects of three heuristic cyber protection strategies, namely, target protection, random protection, and acquaintance protection are compared and analyzed. Simulation results reveal that compared with the other two strategies, target protection can suppress malware propagation and resist malware attacks more effectively. Moreover, we also investigate the optimal cyber protection problem in CPPSs and formulate it as a zero-one integer programming problem. We solve the problem by genetic algorithm and find that some low-degree cyber nodes also play a significant role in resisting malware attacks in CPPSs, especially when the protection budget is tight.

SUN Xian-jun,LIN Chuang,JIANG Yi-xin,LIU Wei-dong

2011-01-01

Abstract:Intricate malwares can result in the failure of Virtual System,and enable the system to be in an unsafe state and difficult to restore.The existing policies thwarting this extreme attack are ineffective.In this paper,based on cooperative recovery among multiple Virtual Machines and agent-based lightweight intrusion detection,an efficient recovery mechanism is proposed for Virtualization systems against malware attacks.The basic policy is to deploy an Emergency Response/Recovery(ER) agent on Virtual Machine to identify the state of the system,and cooperative security among multiple nodes is carried out so that the infected nodes can be rapidly recovered.Simulation results also demonstrate the practicality and efficiency of the proposed schemes.

Sheng Xu,Yongxiang Xia,Hui-Liang Shen

DOI: https://doi.org/10.1109/tcsii.2020.2999875

2020-01-01

Abstract:In this brief, we analyze the damage caused by malware-induced cyber attacks in Cyber-Physical Power Systems (CPPSs). Incubation period and detection probability of the malware are considered in our analytical framework. From attacker's perspective, the trade-off between attack effectiveness and detection risk is studied to help choose the best attack timing and obtain the maximum payoff. Moreover, we conduct case studies in CPPSs formed by coupling IEEE 118-Bus System with scale-free communication networks. Simulation results reveal that the maximum expected payoff for the attacker is affected by the coupling pattern and the structure of communication network in CPPSs.

Yufeng Chen,Zhengtao Xiang,Yabo Dong,Dongming Lu

DOI: https://doi.org/10.1109/ical.2008.4636301

2008-01-01

Abstract:Worms not only infect vulnerable hosts, but also occupy a large amount of network bandwidth, which affects the normal operation of the network seriously. To achieve the worm detection and automatic quarantine in real time, a cooperation system of worm detection and quarantine is designed and implemented. The worm detection subsystem is implemented based on Bro and can detect worms in real time with our algorithm, which based on the failure probability of FCC and of heavy-tailed property. The worm quarantine subsystem can quarantine worm hosts automatically with ARP-spoofing. The cooperation between detection subsystem, quarantine subsystem and manager is achieved based on SNMP protocol. The system can be deployed easily with little effect on LAN. Experimental results show that the system can detect and quarantine worm hosts effectively.

Chengcheng Zhao,Jianping He,Jiming Chen

DOI: https://doi.org/10.1109/tsipn.2017.2742859

2017-01-01

IEEE Transactions on Signal and Information Processing over Networks

Abstract:This paper investigates the problem of resilient consensus under malicious attacks for multiagent systems. Compared with most of existing works, a more general attack model is considered, where malicious agents can neighbor and collude with each other and the number of tolerable attacks is not limited by the network connectivity, which makes the problem more challenging. To solve this problem, we exploit the mobile agents as the detectors, and design the resilient consensus algorithm with mobile detectors (MRCA). MRCA includes basic average iteration process and the detection algorithms of both static and mobile agents. We prove that under MRCA, malicious agents will be detected by mobile agents and isolated by normal agents in finite time in expectation and thus the convergence can be achieved. We also show that MRCA can tolerate neighboring malicious attacks and the number of tolerable attacks is not limited by the network connectivity. Simulations are conducted to demonstrate the effectiveness of MRCA and validate the correctness of the theoretical results.

Chang-Ting Lin,Chunming Wu,Min Huang,Zhenyu Wen,Qiumei Cheng

DOI: https://doi.org/10.1109/SRDSW.2016.21

2016-01-01

Abstract:IP address mutation is a proactive defense method that is used to reduce the risk of network attacks, especially to deal with the worm propagation attacks. However, previous work did not give much consideration to the negative effects that IP address mutation could bring to network performance. To be specific, there is a trade-off between network performance and security, which implies that when a security mechanism is reinforced, network performance would be impaired and vice versa. Therefore, in order to achieve the optimal balance between performance and security, an optimal solution should be provided. In this paper, we propose an adaptive IP mutation defense method which is based on temporal-dimension, to dynamically control the mutation interval according to real-time measurable metrics, assurance and avoidance. This method leverages a genetic algorithm to achieve the optimization of performance-security trade-off. We then evaluate our method in a simulated computer cluster environment, including 1024 hosts, and demonstrate that our method can successfully find the optimal solution according to the experimental results. For example, it can reduce the worm propagation significantly, while maintaining the network performance in a predefined level.

Alesia Chernikova,Nicolò Gozzi,Simona Boboila,Priyanka Angadi,John Loughner,Matthew Wilden,Nicola Perra,Tina Eliassi-Rad,Alina Oprea

DOI: https://doi.org/10.1007/978-3-031-17140-6_26

2022-10-09

Abstract:Self-propagating malware (SPM) has led to huge financial losses, major data breaches, and widespread service disruptions in recent years. In this paper, we explore the problem of developing cyber resilient systems capable of mitigating the spread of SPM attacks. We begin with an in-depth study of a well-known self-propagating malware, WannaCry, and present a compartmental model called SIIDR that accurately captures the behavior observed in real-world attack traces. Next, we investigate ten cyber defense techniques, including existing edge and node hardening strategies, as well as newly developed methods based on reconfiguring network communication (NodeSplit) and isolating communities. We evaluate all defense strategies in detail using six real-world communication graphs collected from a large retail network and compare their performance across a wide range of attacks and network topologies. We show that several of these defenses are able to efficiently reduce the spread of SPM attacks modeled with SIIDR. For instance, given a strong attack that infects 97% of nodes when no defense is employed, strategically securing a small number of nodes (0.08%) reduces the infection footprint in one of the networks down to 1%.

Cryptography and Security,Dynamical Systems,Spectral Theory,Applications

Yong Li,Pan Hui,Depeng Jin,Li Su,Lieguang Zeng

DOI: https://doi.org/10.1109/SAHCN.2011.5984913

2011-01-01

Abstract:As malware attacks become more frequent in mobile networks, deploying an efficient defense system to protect against infection and to help the infected nodes to recover is important to contain serious spreading and outbreaks. The technical challenges are that mobile devices are heterogeneous in terms of operating systems, and the malware can infect the targeted system in any opportunistic fashion via local and global connectivity, while the to-be-deployed defense system on the other hand would be usually resource limited. In this paper, we investigate the problem of optimal distribution of content-based signatures of malware to minimize the number of infected nodes, which can help to detect the corresponding malware and to disable further propagation. We model the defense system with realistic assumptions addressing all the above challenges, which have not been addressed in previous analytical work. Based on the proposed framework of optimizing the system welfare utility through the signature allocation, we provide an encounter-based distributed algorithm based on Metropolis sampler. Through extensive simulations with both synthetic and real mobility traces, we show that the distributed algorithm achieves the optimal solution, and performs efficiently in realistic environments.

Baihao Peng,Junfeng Liu,Jun Zeng

DOI: https://doi.org/10.1109/tifs.2023.3324386

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The advent of smart terminals and the IOT era has prompted the emergence of the multiplex network system. With the rapid information transmission in multiplex networks, security incidents caused by malicious attackers occur frequently. In light of the foregoing, this paper concentrates on modeling and analyzing the propagation process of multiplex networks. Particularly, this paper proposes an epidemic-based RCMO (Running- Confined- Malfuntioned- Overhauled) model after considering the operating state of equipment and a class of visibility-aware malware. After that, the stability analysis of the equilibria is performed to verify the effectiveness of the propagation threshold obtained in RCMO. Then, we introduce static controls including unique control, target control, acquaintance control, and pulse control, as well as dynamic controls including continuous-time and pulsed forms to the suppression strategies for preventing the spread of malware. Furthermore, the control strategies are cross-combined into $6\times 6$ hybrid maintenance strategies (HMS), and the simulation analysis is performed from three perspectives: evolution of state variables, accumulation of revenue, and change of controls. We discovered through experimental results that the optimal HMS to inhibit the propagation of malware and the HMS with the highest revenue are always different under various network topologies, but they are all hybrid combinations of continuous-time and pulse controls. To some extent, dynamic control can reduce discrepancies between the HMS and generate approximate returns. Finally, we propose a few cyber defense recommendations for network administrators.

computer science, theory & methods,engineering, electrical & electronic

Lin Zhang,Xin Chen,Fanxin Kong,Alvaro A. Cardenas

DOI: https://doi.org/10.1109/rtss49844.2020.00028

2021-01-01

ACM Transactions on Embedded Computing Systems

Abstract:The increasing autonomy and connectivity in cyber-physical systems (CPS) come with new security vulnerabilities that are easily exploitable by malicious attackers to spoof a system to perform dangerous actions. While the vast majority of existing works focus on attack prevention and detection, the key question is "what to do after detecting an attack?". This problem attracts fairly rare attention though its significance is emphasized by the need to mitigate or even eliminate attack impacts on a system. In this article, we study this attack response problem and propose novel real-time recovery for securing CPS. First, this work's core component is a recovery control calculator using a Linear-Quadratic Regulator (LQR) with timing and safety constraints. This component can smoothly steer back a physical system under control to a target state set before a safe deadline and maintain the system state in the set once it is driven to it. We further propose an Alternating Direction Method of Multipliers (ADMM) based algorithm that can fast solve the LQR-based recovery problem. Second, supporting components for the attack recovery computation include a checkpointer, a state reconstructor, and a deadline estimator. To realize these components respectively, we propose (i) a sliding-windowbased checkpointing protocol that governs sufficient trustworthy data, (ii) a state reconstruction approach that uses the checkpointed data to estimate the current system state, and (iii) a reachability-based approach to conservatively estimate a safe deadline. Finally, we implement our approach and demonstrate its effectiveness in dealing with totally 15 experimental scenarios which are designed based on 5 CPS simulators and 3 types of sensor attacks.

Lingfeng Wang,Zhaoxi Liu

DOI: https://doi.org/10.1109/TPWRS.2022.3222309

IF: 7.326

2023-11-01

IEEE Transactions on Power Systems

Abstract:The cybersecurity of electric power grids is emerging as a critical challenge for the power industry in the transformation of modern power systems towards the future smart grid. It is of great importance to enhance the resilience of power systems against potential cyber threats. In this paper, a distributionally robust recovery resource allocation method based on the tri-level defender-attacker-defender (D-A-D) model is proposed to enhance the resilience of power systems in the face of malicious cyberattacks. The proposed recovery resource allocation method is able to optimally distribute the recovery resources among the substations in the grid to mitigate the impacts of successful cyberattacks during the recovery process, and improve the resilience performance of power systems against the attacks. In the proposed model, the recovery resource represents the available resource that can be expended to support the recovery efforts of the cyber-physical power system. It is expected to accelerate the recovery process of the system after successful attacks. The recovery resource may include necessary software, hardware, and labor force. Meanwhile, a distributionally robust optimization (DRO) model is proposed to address the uncertainty of the power system operation conditions, e.g., renewable energy resources (RESs). In order to verify the proposed system defense method, case studies were conducted on the IEEE Reliability Test System RTS-79. The results of the case studies show that the proposed method can provide a robust solution to recovery resource allocation for mitigating the risk of potential cyberattacks.

Computer Science,Environmental Science,Engineering

Cheng-Jie Xiong,Yan-Fu Li,Min Xie,Szu-Hui Ng,Thong-Ngee Goh

DOI: https://doi.org/10.1007/978-3-642-10619-4_38

2009-01-01

Abstract:Distributed systems are widely deployed in industries where high computational capability and low cost are required. Distributed software architecture is very important in the distributed system. However, since most distributed systems are designed based on a network structure, distributed software is very vulnerable to malware attacks. Due to the popularity of distributed system, it is vital to study the effects of malware attack on distributed systems. In this paper, we studied the malware attack behaviors by a Markov process model. The states of the object homogeneous distributed system can be derived by analyzing the Markov model, with which the service reliability and service availability can be further obtained. An illustrative demonstration is also presented.

Yong Li,Pan Hui,Depeng Jin,Li Su,Lieguang Zeng

DOI: https://doi.org/10.1109/TMC.2012.255

IF: 6.075

2014-01-01

IEEE Transactions on Mobile Computing

Abstract:As malware attacks become more frequently in mobile networks, deploying an efficient defense system to protect against infection and to help the infected nodes to recover is important to prevent serious spreading and outbreaks. The technical challenges are that mobile devices are heterogeneous in terms of operating systems, the malware infects the targeted system in any opportunistic fashion via local and global connectivity, while the to-be-deployed defense system on the other hand would be usually resource limited. In this paper, we investigate the problem of how to optimally distribute the content-based signatures of malware, which helps to detect the corresponding malware and disable further propagation, to minimize the number of infected nodes. We model the defense system with realistic assumptions addressing all the above challenges that have not been addressed in previous analytical work. Based on the framework of optimizing the system welfare utility, which is the weighted summation of individual utility depending on the final number of infected nodes through the signature allocation, we propose an encounter-based distributed algorithm based on Metropolis sampler. Through theoretical analysis and simulations with both synthetic and realistic mobility traces, we show that the distributed algorithm achieves the optimal solution, and performs efficiently in realistic environments.

Yanli Liu,Meng Cui

DOI: https://doi.org/10.1007/978-3-030-51431-0_39

2020-07-24

Abstract:Since the new century, with the gradual popularization of computer networks around the world, network security defense methods have become more sophisticated and comprehensive, but they are still unable to defend against increasingly sophisticated and increasingly globalized virus attacks. In the process of network use and promotion, the influence of viruses on the network and hackers’ attacks have become an important factor threatening network security. Especially when people use the Internet to pay funds, remittances and other online financial activities, network security has become a constant topic. Establishing an efficient network security incident response system is of great significance for the network to better play its role. Based on the research of network security monitoring, network attack defense, network data backup and recovery theory and technology, this paper studies the strategy model of network security incident response, and uses relevant theories and methods of software engineering, combined with programming languages, to achieve Related application modules of this model. This article implements a low-cost, high-performance multi-data backup and recovery system that works in conjunction with other security devices and systems in the network. The overall structure and workflow are analyzed and designed to achieve multi-point backup and Fast recovery, efficient synchronization strategy for remote data, etc. The experimental research found that the network security incident response system can effectively reduce the security risk of the internal network, with a security proportion of more than 92%.

Yong Li,Yu Gong,Depeng Jin,Li Su,Lieguang Zeng,Pan Hui

DOI: https://doi.org/10.1145/1942268.1942286

2010-01-01

Abstract:As malware attacks become more popular in mobile handsets formed Delay Tolerant Networks (DTN), deploying an efficient defense system for helping the infected nodes to kill the malwares is important to prevent serious spreading and outbreak. In reality, the handset devices are heterogeneous in terms of operate systems, the malwares infect the targeted system in any opportunistic ways via local and global connectivity, while the to-be-deployed defense system is usually resource-limited. These points makes this problem technically challenging. In this paper, we investigate the problem of optimal malware defense system deployment with realistic assumptions that specific types of malwares can only infect the targeted system and the capacity of the defense system is limited, which are usually ignored in previous analytical work for simplicity reason. Based on the proposed framework of optimizing the anti-malware software allocation for the defense system, we give a greedy algorithm to obtain the optimal solution.

Yixin Jiang,Xuzhu Dong,Aidong Xu,Yunan Zhang,Xiaoyun Kuang,Shiyong Dai,Jinhua Huang

DOI: https://doi.org/10.1109/ei256261.2022.10116819

2022-01-01

Abstract:To tackle the network attack problem, combined with the characteristics of a stealthy attack against a stability control system, a multi-agent wide-area protection scheme for distributed cyber energy systems is proposed. The scheme adopts distributed multi-layer architecture, which is composed of substation stability control devices distributed in different areas and monitoring terminal of control center. By collecting the measurement updates of each station randomly and dynamically, the online real-time detection of the distributed cyber energy system is realized with the specified anomaly detection algorithm. The simulation results show that this method can detect the attack on the distributed cyber energy system in time, and effectively avoid the physical damage of power generator.

Jinshu Su,Xiaofeng Wang,Wei Shi,Indrakshi Ray

DOI: https://doi.org/10.1002/sec.1276

IF: 1.968

2015-01-01

Security and Communication Networks

Abstract:The rapid growth of distributed and networking technologies has made our information system more vulnerable to attack threats, malicious behaviors, and unpredictable failures. As the emergence of botnets and advanced persistent threat attacks, the traditional defense technology cannot cope well with the new large-scale and obfuscated malwares. In distributed and virtualized environments, the trust risk of applications has been increased considerably, which made it vital to propose new trust access control technologies. In addition, the complicated system usually comprises a large number of components that are susceptible to unpredictable failures. We need new designs of resilient infrastructure and dependable services. The papers in this special issue focus on the security, trust, and resilience management for distributed and networking computing paradigms, such as wireless sensor network, P2P network, ad hoc networks, virtualized network, and software-defined network. The contributions of these papers are outlined next. To locate the real source of the Internet attacks, existing work is easy to be evaded by attackers and difficult to justify the stepping stones. Sheng Wen et al. introduce the consistent causality probability to detect the stepping stones. They formulate the ranges of abnormal causality probabilities according to the different network conditions and further implement self-adaptive methods to capture stepping stones. To extract signatures for malwares, most existing string-based signatures extracting methods have the problem of inaccuracy and time consuming. Sun Hao et al. present a system for automatically extracting signatures from large-scale malwares, named AutoMal. The system can extract both byte signatures and hashed signatures from the malware network flows with high accuracy. Multi-interface multi-channel can reduce the channel interference and improve the network capacity for multi-hop wireless ad hoc networks. Tong Zhao et al. design a dynamic channel assignment algorithm that can dynamically switch the channels to the less busy ones by monitoring the channel usages. Moreover, the algorithm is designed in a fully distributed way with low overhead For the task allocation in wireless sensor networks (WSNs), traditional solutions for high-performance computing cannot be directly used in WSNs because of limitations of resource availability and shared communication medium. Wenzhong Guo et al. design a discrete particle swarm optimization to generate a structure of the parallel coalitions, and then introduce the game theory and

Yaoquan Yang,Guiyun Liu,Zhongwei Liang,Hanjie Chen,Linhe Zhu,Xiaojing Zhong

DOI: https://doi.org/10.1016/j.chaos.2023.113703

2023-07-07

Chaos, Solitons and Fractals

Abstract:Rechargeable wireless underground sensor network (WUSN) and wireless aboveground sensor network (WASN) provide information transfer services for acquiring aboveground and underground interactive data. However, due to the limited energy, computation, storage and the open environment, sensors are often attacked by malware and their power supply is usually exhausted earlier. In this paper, a novel model with two-layer structure is proposed to depict the dynamic process of malware cross-propagation between rechargeable WUSN and WASN, which takes into account both infection delay and low energy. To further overcome the problem of malware propagation and battery depletion, three hybrid control strategies including continuous recovery, impulse quarantine with isolation delay and pulse charging are proposed. Then, to suppress malware propagation under the minimum cost, the necessary conditions for the model-based knowledge-driven optimal control (MKOC) are solved by the variational method. Moreover, to improve the practical utilization of MKOC, the novel neural network-based data-driven control (NNDC) is proposed based on feedforward neural network (FNN), gated recurrent unit (GRU) and long short-term memory (LSTM). Finally, through numerical simulations, the effects of various quarantine parameters on the total costs and the influence of each control strategy on state curves and control curves are revealed, respectively; meanwhile, the effectiveness of MKOC and NNDC is evaluated by comparing their control costs.

mathematics, interdisciplinary applications,physics, mathematical, multidisciplinary

Phillip Lee,Andrew Clark,Basel Alomair,Linda Bushnell,Radha Poovendran

DOI: https://doi.org/10.48550/arXiv.1603.04374

2016-09-21

Abstract:Malware propagation poses a growing threat to networked systems such as computer networks and cyber-physical systems. Current approaches to defending against malware propagation are based on patching or filtering susceptible nodes at a fixed rate. When the propagation dynamics are unknown or uncertain, however, the static rate that is chosen may be either insufficient to remove all viruses or too high, incurring additional performance cost. In this paper, we formulate adaptive strategies for mitigating multiple malware epidemics when the propagation rate is unknown, using patching and filtering-based defense mechanisms. In order to identify conditions for ensuring that all viruses are asymptotically removed, we show that the malware propagation, patching, and filtering processes can be modeled as coupled passive dynamical systems. We prove that the patching rate required to remove all viruses is bounded above by the passivity index of the coupled system, and formulate the problem of selecting the minimum-cost mitigation strategy. Our results are evaluated through numerical study.

Systems and Control,Cryptography and Security

Lin Zhang,Kaustubh Sridhar,Mengyu Liu,Pengyuan Lu,Xin Chen,Fanxin Kong,Oleg Sokolsky,Insup Lee

DOI: https://doi.org/10.1109/RTAS58335.2023.00024

2023-01-01

Abstract:Cyber-physical systems (CPSs) leverage computations to operate physical objects in real-world environments, and increasingly more CPS-based applications have been designed for life-critical applications. Therefore, any vulnerability in such a system can lead to severe consequences if exploited by adversaries. In this paper, we present a data predictive recovery system to safeguard the CPS from sensor attacks, assuming that we can identify compromised sensors from data. Our recovery system guarantees that the CPS will never encounter unsafe states and will smoothly recover to a target set within a conservative deadline. It also guarantees that the CPS will remain within the target set for a specified period. Major highlights of our paper include (i) the recovery procedure works on nonlinear systems, (ii) the method leverages uncorrupted sensors to relieve uncertainty accumulation, and (iii) an extensive set of experiments on various nonlinear benchmarks that demonstrate our framework's performance and efficiency.