HU Liang,XIE Nan-nan,LIU Zhi-yu,CHAI Sheng

DOI: https://doi.org/10.3969/j.issn.0372-2112.2013.09.013

2013-01-01

Abstract:Multi-stage attacks recognize process have similar relationship with solving intelligent planning problems.Intelligent planning is used in multi-stage attacks recognition, in order to achieve the attack scenarios recognition.A multi-stage attack recognition model based on intelligent planning is proposed, and based on this, a multi-stage attack scenario recognition algorithm is realized.Experiments on DARPA datasets shows this algorithm have acceptable accuracy and completeness rate in multi-stage recognition.

Jorge Lucangeli Obes,Carlos Sarraute,Gerardo Richarte

DOI: https://doi.org/10.48550/arXiv.1306.4044

2013-06-20

Abstract:Assessing network security is a complex and difficult task. Attack graphs have been proposed as a tool to help network administrators understand the potential weaknesses of their network. However, a problem has not yet been addressed by previous work on this subject; namely, how to actually execute and validate the attack paths resulting from the analysis of the attack graph. In this paper we present a complete PDDL representation of an attack model, and an implementation that integrates a planner into a penetration testing tool. This allows to automatically generate attack paths for penetration testing scenarios, and to validate these attacks by executing the corresponding actions -including exploits- against the real target network. We present an algorithm for transforming the information present in the penetration testing tool to the planning domain, and show how the scalability issues of attack graphs can be solved using current planners. We include an analysis of the performance of our solution, showing how our model scales to medium-sized networks and the number of actions available in current penetration testing tools.

Cryptography and Security,Artificial Intelligence

Qiumei Cheng,Chunming Wu,Bin Hu,Dezhang Kong,Boyang Zhou

DOI: https://doi.org/10.1109/globecom38437.2019.9013291

2019-01-01

Abstract:The intrusion response system is dedicated to automatically respond to sophisticated network intrusions, which is a sequential decision-making problem for autonomous agents. The current Markov decision process (MDP) or stochastic games based solutions suffer from several weaknesses: (i) The MDPbased approach is unable to explicitly model the opponents; (ii) The Nash equilibrium approach of stochastic games cannot handle the condition with multi equilibria. Existing studies have not considered the cognitive ability of the agent and lack of explicit opponent modeling. Inspired by recursive reasoning, this paper introduces a theory of mind (ToM)-based stochastic game-theoretic approach to reason about the beliefs and behaviors of the attackers. Each agent maintains different order ToM beliefs concerning his opponent with explicit opponent modeling. In order to accurately predict the attacker's action with nested beliefs, we utilize the Bayesian attack graph (BAG) to model multi-step attacks scenarios. In addition, the agent is allowed to learn from new information to adjust his beliefs and learning speed. Simulation results validate that ToM modeling performs well in the intrusion response system than random defense actions. Besides, a defender with first-order ToM beliefs always wins an attacker with zero-order ToM beliefs.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Lingzhi Wang,Zhenyuan Li,Zonghan Guo,Yi Jiang,Kyle Jung,Kedar Thiagarajan,Jiahui Wang,Zhengkai Wang,Emily Wei,Xiangmin Shen,Yan Chen

2025-01-01

Abstract:Adversarial dynamics are intrinsic to the nature of offense and defense in cyberspace, with both attackers and defenders continuously evolving their technologies. Given the wide array of security products available, users often face challenges in selecting the most effective solutions. Furthermore, traditional benchmarks based on single-point attacks are increasingly inadequate, failing to accurately reflect the full range of attacker capabilities and falling short in properly evaluating the effectiveness of defense products. Automated multi-stage attack simulations offer a promising approach to enhance system evaluation efficiency and aid in analyzing the effectiveness of detection systems. However, simulating a full attack chain is complex and requires significant time and expertise from security professionals, facing several challenges, including limited coverage of attack techniques, a high level of required expertise, and a lack of execution detail. In this paper, we model automatic attack simulation as a planning problem. By using the Planning Domain Definition Language (PDDL) to formally describe the attack simulation problem, and combining domain knowledge of both the problem and the domain space, we enable the planning of attack paths through standardized, domain-independent planning algorithms. We explore the potential of Large Language Models (LLMs) to summarize and analyze knowledge from existing attack documentation and reports, facilitating automated attack planning. We introduce Aurora, a system that autonomously simulates full attack chains based on external attack tools and threat intelligence reports.

Cryptography and Security

Jian-Wei ZHUGE,Xin-Hui HAN,Zhi-Yuan YE,Wei ZOU

DOI: https://doi.org/10.3321/j.issn:0254-4164.2006.08.013

2006-01-01

Jisuanji Xuebao/Chinese Journal of Computers

Abstract:Based on the classical plan recognition methods in the domain of artificial intelligence, and considering the characteristics of attack plan recognition problem in the domain of network security operation, this paper extends the goal graph model, introducing the observation node to distinguish the planner’s actions and the recognizer’s observations against the actions, replacing the unitary action nodes using the hierarchy composed with detail actions and abstract actions, maintaining the precondition and effect conditions between the actions and security states in the abstract action level according to the abstract attack patterns, therefore, proposes the Extended Goal Graph(EGG) model. Furthermore, this paper proposes an attack plan recognition algorithm based on the Extended Goal Graph, the algorithm can recognize the hidden attack intention and plan from the large volume of low level intrusion detection system alerts correctly and effectively. Through the experiments using DARPA 2000 intrusion scenario correlation benchmark dataset and in-the-wild botnet scenarios data captured in the honeynet, the results show the completeness and soundness of the algorithm, as well as its advantage beyond the alert correlation systems such as TIAA [5] .

Carlos Sarraute

DOI: https://doi.org/10.48550/arXiv.1307.7808

2013-07-30

Abstract:Penetration Testing is a methodology for assessing network security, by generating and executing possible attacks. Doing so automatically allows for regular and systematic testing. A key question then is how to automatically generate the attacks. A natural way to address this issue is as an attack planning problem. In this thesis, we are concerned with the specific context of regular automated pentesting, and use the term "attack planning" in that sense. The following three research directions are investigated. First, we introduce a conceptual model of computer network attacks, based on an analysis of the penetration testing practices. We study how this attack model can be represented in the PDDL language. Then we describe an implementation that integrates a classical planner with a penetration testing tool. This allows us to automatically generate attack paths for real world pentesting scenarios, and to validate these attacks by executing them. Secondly, we present efficient probabilistic planning algorithms, specifically designed for this problem, that achieve industrial-scale runtime performance (able to solve scenarios with several hundred hosts and exploits). These algorithms take into account the probability of success of the actions and their expected cost (for example in terms of execution time, or network traffic generated). Finally, we take a different direction: instead of trying to improve the efficiency of the solutions developed, we focus on improving the model of the attacker. We model the attack planning problem in terms of partially observable Markov decision processes (POMDP). This grounds penetration testing in a well-researched formalism. POMDPs allow the modelling of information gathering as an integral part of the problem, thus providing for the first time a means to intelligently mix scanning actions with actual exploits.

Artificial Intelligence,Cryptography and Security

YU Zhong,YU Hui,LI Wei-hua

DOI: https://doi.org/10.3969/j.issn.1001-3695.2007.06.035

2007-01-01

Abstract:Through analyzing and studying the characteristics of large-scale network intrusion detection,a system structure which based on multi-agents alliance was proposed.In which,we use the plan knowledge chart to describe the intruder's attack attention,and through analyzing its strategy,proposed a method of work division and coordination amongst the multi-agents alliance.

Li Zhang,Zhao Li,Huali Ren,Xiao Yu,Yuxi Ma,Quanxin Zhang

DOI: https://doi.org/10.1002/int.22874

IF: 8.993

2022-01-01

International Journal of Intelligent Systems

Abstract:The broad application of artificial intelligence (AI) shows more and more vulnerabilities. Adversaries have more opportunities to attack AI systems. For example, unmanned vehicles may be interfered with by adversaries in path planning, resulting in unmanned vehicles being unable to move according to the planned route, and even serious safety problems. On the other side, the portrait technology can extract highly refined characteristics of different attack strategies, so that unmanned vehicles can defend themselves based on the characteristics of each attack. Existing research lacks intelligent attack research on path planning in the field of unmanned vehicles, and lacks portraits of attack behaviors in this scenario. This paper combines multiagent reinforcement learning technology, time-series segmentation clustering technology, and knowledge graph technology to study the portrait technology of adversary intelligent attack behavior in the field of unmanned vehicle path planning. First, the simulation results of unmanned vehicle path planning are obtained, and the steps of adversary attack behavior are extracted by using Toeplitz inverse covariance-based clustering time-series segmentation cluster technology. Second, the knowledge graph is used to save the attack strategy, so as to form the attack behavior portrait of unmanned vehicle path planning. The test on the Neo4j platform shows that our method is universal, can effectively describe the attack steps for unmanned vehicle path planning, and provides the basis for attack detection to establish the defense system of unmanned vehicles.

Zhang Hengwei,Yang Haopu,Wang Jindong,Li Tao

DOI: https://doi.org/10.14257/ijsia.2017.11.1.17

2017-01-01

International Journal of Security and Its Applications

Abstract:In order to correctly analyze the multi-step attack and comprehensively assess the network security situation, a multistep attack-oriented assessing method of network security situation is proposed. The security events are clustered into different attack scenarios for identifying attackers. Based on the causal correlation between every attack scenario, the attack traces and attack phase can be distinguished. Finally, the quantitative criterion is established to realize the assessment of network security situation. Two network attack and defense experiments are used to verify the correctness and effectiveness, and the result shows the proposed method can truly depict the actual attack.

Safaa O. Al-Mamory,Zhai Jianhong,Zhang Hongli

2008-01-01

Abstract:Building attack scenario is one of the most important aspects in network security. This paper proposed a system which collects intrusion alerts, clusters them as sub-attacks using alerts abstraction, aggregates the similar sub-attacks, and then correlates and generates correlation graphs. The scenarios were represented by alert classes instead of alerts themselves so as to reduce the required rules and have the ability of detecting new variations of attacks. The proposed system is capable of passing some of the missed attacks. To evaluate system effectiveness, it was tested with different datasets which contain multi-step attacks. Compressed and easily understandable correlation graphs which reflect attack scenarios were generated. The proposed system can correlate related alerts, uncover the attack strategies, and detect new variations of attacks.

Kartik Talamadupula,Octavian Udrea,Anton Riabov,Anand Ranganathan

DOI: https://doi.org/10.48550/arXiv.1305.2561

2013-05-12

Abstract:As network traffic monitoring software for cybersecurity, malware detection, and other critical tasks becomes increasingly automated, the rate of alerts and supporting data gathered, as well as the complexity of the underlying model, regularly exceed human processing capabilities. Many of these applications require complex models and constituent rules in order to come up with decisions that influence the operation of entire systems. In this paper, we motivate the novel "strategic planning" problem -- one of gathering data from the world and applying the underlying model of the domain in order to come up with decisions that will monitor the system in an automated manner. We describe our use of automated planning methods to this problem, including the technique that we used to solve it in a manner that would scale to the demands of a real-time, real world scenario. We then present a PDDL model of one such application scenario related to network administration and monitoring, followed by a description of a novel integrated system that was built to accept generated plans and to continue the execution process. Finally, we present evaluations of two different automated planners and their different capabilities with our integrated system, both on a six-month window of network data, and using a simulator.

Artificial Intelligence

Zhang Lianhua,Zhang Renlong,Bai Yingcai

DOI: https://doi.org/10.3969/j.issn.1000-386X.2007.10.074

2007-01-01

Abstract:Attack scenario modeling and recognizing technology can provide the security system operator(SSO) with the high-level attack views and precise decision information for response,and it has been a hot research direction in network and information security domain.In order to succeed in attacking,attackers often use different steps and various skills such as mutation,re-sequencing,substitution,distribution,looping etc.to construct almost infinite attack scenarios.The variation in attack steps and diversity in scenario constructions lead to difficulties in attack scenario modeling and recognizing.On the basis of researches of the present attack scenario modeling technologies,a new attack scenario modeling using Requires/Provides relation represented by Capability is proposed,which can take both the various attack steps and diverse scenario constructions into consideration simultaneously.

Aaron Zimba,Hongsong Chen,Zhaoshun Wang,Mumbi Chishimba

DOI: https://doi.org/10.1016/j.future.2020.01.032

IF: 7.307

2020-01-01

Future Generation Computer Systems

Abstract:Advanced Persistent Threats (APT) present the most sophisticated types of attacks to modern networks which have proved to be very challenging to address. Using sophisticated attack techniques, attackers remotely control infected machines and exfiltrate sensitive information from organizations and governments. Security products deployed by enterprise networks based on traditional defenses often fail at detecting APT infections because of the dynamic nature of the APT attack process. To overcome the current limitations of attack network dynamics faced in APT studies, an innovative APT attack detection model based on a semi-supervised learning approach and complex networks characteristics is proposed in this paper. The entire targeted network is modeled as a small-world network and the evolving APT-Attack Network (APT-AN) as a scale-free network. Finite state machines are employed to model the state transitions of the nodes in the time domain in order to characterize the state changes during the APT attack process. The effectiveness of the model is demonstrated by applying it to real-world data from a large-scale enterprise network consisting of 17,684 hosts from the Los Alamos security lab. The proposed approach analyzes efficiently the large-scale dataset to reveal APT attack characteristics between the command and control center and the victim hosts. The final result is a ranked list of suspicious hosts participating in APT attack activities. The average detection precision of three APT stage is 90.5% in our proposed APT detection framework. The results show that the model can effectively detect the suspicious hosts at different stages of the APT attack process.

Peng Zeng,Ling-da Wu,Wen-wei Chen

2006-01-01

Abstract:Recent applications of plan recognition require observing agents whose behavior is reactive, in that the observed agent may be so intelligent as to coordinate their plans. With the analysis of these domain characteristics in military plan recognition, we propose that the multi- agent tactical plan recognition is essentially a problem about abduction, and detail the knowledge organization and logical description by extend the discussion of real military tactical problem which forms the foundation of the logical links between the elements in tactical plan recognition process, finally a recognition algorithm is introduced with the basis of former abduction framework.

Shunhong Song,Yuliang Lu,Weiwei Cheng,Huan Yuan

DOI: https://doi.org/10.1109/icsps.2010.5555265

2010-01-01

Abstract:Most network attack models have the problem of lacking ablility to describe all types of attack patterns in deltail, with no consideration of attacker's skill and policy. To address the problem, this paper proposes a well-structured model that abstracts the relation between attacker capability and victim vulnerability, the relation between knowledge, resource and capability of attacker. Both these two relations can be used to support automatic correlating of vulnerability exploits to build all the attack paths from the attacker to the target. The basic block of the model is a logical formula called capability, which is used to abstract consistently and precisely all levels of accesses obtained by the attacker in each step of a multistage attack. A flexible extensible language based on Pyke is developed to specify the model and derive inference rules to define logical relations between different capabilities, and a demonstration is given to show how it can be used in security applications such as vulnerability analysis and attack generation.

Zhijie Liu,Chongjun Wang,Shifu Chen

DOI: https://doi.org/10.1109/ISA.2008.11

2008-01-01

Abstract:Most cyber-attacks are not single attack actions. They are multi-step attacks composed by a set of attack actions. Although techniques used by attackers can be diverse, attack patterns are generally finite. So we need to find attack steps that are correlated in an attack scenario. By studying the patterns of multi-step cyber attacks, an algorithm is presented for correlating multi-step cyber attacks and constructing attack scenario system based on modeling multi-step cyber attacks. When alerts appear, the algorithm turns them into corresponding attack models based on the knowledge base and correlates them, whether alert or not is based on the weighted cost in the attack path graph and the attack degree of the corresponding host. And attack scenarios can be constructed by correlating the attack path graphs. Moreover, the model can detect intrusion alerts in real time and revise the attack scenarios. Experiments on the DARPA IDS test dataset show the validity of the algorithm.

Zhuo Ning,Jian Gong

DOI: https://doi.org/10.1007/978-3-540-72590-9_122

2007-01-01

Abstract:Intrusion plan prediction and recognition is a critical and challenging task for NIDS. Among several approaches proposed so far, probability inference using causal network seems to be one of the most promising mechanisms. Our analysis shows that the polytree is limited in its expressiveness, and belief updating in max-k-connected networks is hard for all k >= 2 [12]. To find a tradeoff between expressive power and inference efficiency, this paper extends the structure of causal network from polytree to max-1-connected Bayesian network, and proposes a new intrusion plan prediction algorithm IPR on it. We evaluate the approach using LLOS1.0, and the results demonstrate that IPR can predict the occurrence probability of DDOS when Sandmind attack occurs to gain root privilege, and then confirm the prediction in the beginning of Syn flooding.

Jianyi Liu,Bowen Liu,Ru Zhang,Cong Wang

DOI: https://doi.org/10.1007/978-3-030-24265-7_6

2019-01-01

Abstract:In order to find attack patterns from a large number of redundant alert logs, build multi-step attack scenarios, and eliminate the false alerts of the alert logs, this paper proposes a new multi-step attack scenario construction model, which is divided into two parts: offline mode and online mode. In the offline mode, the known real attack alert log is used to train the neural network for removing error alerts, and eventually to generate a Bayesian network attack graph by alert aggregation processing and causal association attack sequence. In the online mode, a large number of online alert logs are used to update the neural network and the Bayesian network attack graph generated by the previous offline mode, so that the iterative attack graph is more complete and accurate. In the end, we extract a variety of multi-step attack scenarios from the Bayesian network attack graph to achieve the purpose of eliminating false alerts in the redundant IDS alert logs. In order to verify the validity of the algorithm, we use the DARPA 2000 dataset to test, and the results show that the algorithm has higher accuracy.

TIAN Zhi-hong,ZHANG Wei-zhe,ZHANG Yong-zheng,ZHANG Hong-li,LI Yang,JIANG Wei

DOI: https://doi.org/10.3321/j.issn:1000-436x.2007.12.013

2007-01-01

Abstract:To construct attack scenarios and predict intrusion intents automatically,a real-time alert correlation approach based on capability transition model was proposed.By highly abstracting the reasoning evidences,the process complexity is effectively reduced.Experiment results on the DARPA2000 IDS test dataset indicate that the method is effective and efficient.