Qiumei Cheng,Chunming Wu,Bin Hu,Dezhang Kong,Boyang Zhou

DOI: https://doi.org/10.1109/globecom38437.2019.9013291

2019-01-01

Abstract:The intrusion response system is dedicated to automatically respond to sophisticated network intrusions, which is a sequential decision-making problem for autonomous agents. The current Markov decision process (MDP) or stochastic games based solutions suffer from several weaknesses: (i) The MDPbased approach is unable to explicitly model the opponents; (ii) The Nash equilibrium approach of stochastic games cannot handle the condition with multi equilibria. Existing studies have not considered the cognitive ability of the agent and lack of explicit opponent modeling. Inspired by recursive reasoning, this paper introduces a theory of mind (ToM)-based stochastic game-theoretic approach to reason about the beliefs and behaviors of the attackers. Each agent maintains different order ToM beliefs concerning his opponent with explicit opponent modeling. In order to accurately predict the attacker's action with nested beliefs, we utilize the Bayesian attack graph (BAG) to model multi-step attacks scenarios. In addition, the agent is allowed to learn from new information to adjust his beliefs and learning speed. Simulation results validate that ToM modeling performs well in the intrusion response system than random defense actions. Besides, a defender with first-order ToM beliefs always wins an attacker with zero-order ToM beliefs.

Wu Tao,Wang Chong-Jun,Xie Jun-Yuan

2010-01-01

Abstract:Intrusion detection,as an active measure to assure information security,has been receiving intensive attention and has recently become the focus of the computer security especially the network security research communities.In order to avoid being detected,however,intrusion events have evolved to become intelligent and distributive,making them good at concealing their purposes and so penetrating the intrusion detection system.To deal with this problem,as this paper does,techniques involving artificial intelligence and machine learning are brought in.This paper models intrusion and its detection as two multi-agent systems that have conflict interests,and holds the opinion that to intrude is just to device and execut attacking plans aiming to achieve certain objectives,the key of intrusion detection then is to analyze the observed opopnent's actions perceived as abnormal and reveal their intentions,which is then a classical intention recognition problem.Be is justifiable,we noticed that the traditional KEY-HOLE observing method for intention recognition is not suitable to be used here,because the environment for intrusion detection usually has an attack-defense nature thus is dynamic and can be extremely complex,making it expectable that failures to report intrusions and false reports of intrusions do happen,as a result acquiring a complete and true action sequence of the intruder is impossible.Under this circumstance,to design a strategy so robust that can recognize the intruder's intention using just an action sequence which not only contains only part of the intruder's complete action squence and also unknownly includs some misclassified actions is desperated needed,and this is exactly what this paper may contribute.Further than proposing the two multi-agent systems model,this paper sees the intrusion process as a Partially Observable Markov Decision Process(POMDP),and then estimates the intruder's intention as the output of the process.In this cae intention of the intruder can be recognized through an incomplete and defective action sequence it has just taken.The effectiveness of the proposed method is proved by experiments on data set contributed by DARPA.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

Xin Zan,Feng Gao,Jiuqiang Han,Yu Sun

DOI: https://doi.org/10.1109/mines.2009.277

2009-01-01

Abstract:Recently, several approaches for intrusion correlation and attack scenario analysis have been proposed. However, these approaches all focus on the flooding alert reduction or high-level alert correlation. In this paper, we study the problem of tracking and predicting of attack intentions. We use hidden markov models to represent the typical attack scenarios and design a complete framework named HMM-AIP composed of online tracking and prediction module and offline model training module. A novel and effective tracking and predicting attack intention algorithm is presented. We perform experiments to validate our algorithm and the results show that our approach can identify false alert and give the creditable prediction result when the alert observation sequence fits the typical attack scenarios nicely.

Yan Li,Jingtai Liu,Haifeng Li,Xiang Lu,Lei Sun

DOI: https://doi.org/10.1109/mfi.2012.6343001

2012-01-01

Abstract:As the competitive networked robot system has the characteristics of strong interaction and high real-time request, the present control methods which are mostly used for the collaborative networked robot system may not be directly applied to the competitive one. Thus the hierarchical control architecture for the competitive networked robot system is proposed in this paper in order to adapt to its two characteristics above. To deal with the system observation uncertainty caused by noise and time delay, and the system action uncertainty caused by the opponent in the meantime, the control architecture based on Partially Observable Markov Decision Processes (POMDP) has been adopted by the executive layer to select the action of the maximum expected reward, thus fulfilling the intention of the strategy layer effectively. In addition, the introduction of the executive layer has successfully freed the strategic layer from the tasks that should have been completed by its bottom layer alone, thus enabling the strategic layer to focus more on its strategic design. In this paper, the networked robot system named Tele-LightSaber with a high degree of confrontation is designed and implemented, and the experiment results show the validity and efficiency of the proposed method on TLS platform.

Carlos Sarraute,Olivier Buffet,Joerg Hoffmann

DOI: https://doi.org/10.48550/arXiv.1307.8182

2013-07-31

Abstract:Penetration Testing is a methodology for assessing network security, by generating and executing possible hacking attacks. Doing so automatically allows for regular and systematic testing. A key question is how to generate the attacks. This is naturally formulated as planning under uncertainty, i.e., under incomplete knowledge about the network configuration. Previous work uses classical planning, and requires costly pre-processes reducing this uncertainty by extensive application of scanning methods. By contrast, we herein model the attack planning problem in terms of partially observable Markov decision processes (POMDP). This allows to reason about the knowledge available, and to intelligently employ scanning actions as part of the attack. As one would expect, this accurate solution does not scale. We devise a method that relies on POMDPs to find good attacks on individual machines, which are then composed into an attack on the network as a whole. This decomposition exploits network structure to the extent possible, making targeted approximations (only) where needed. Evaluating this method on a suitably adapted industrial test suite, we demonstrate its effectiveness in both runtime and solution quality.

Artificial Intelligence,Cryptography and Security

Xin Zan,Feng Gao,Jiuqiang Han,Xiaoyong Liu

DOI: https://doi.org/10.1109/icinfa.2010.5512396

2010-01-01

Abstract:In recent years, automated intrusion response has become a promising research problem in network security. Several approaches have been proposed to perform an effective automated response policy. However, these approaches have some limitations, i.e., heavily depending on attack alerts and not taking in account uncertainty of system runtime state. In this paper, we present a comprehensive sequential decision-making based automated intrusion response approach. We utilize different decision approaches and models to respectively represent and reason about attack activities and system runtime state in view of their different dynamic nature. We perform some experiments to validate proposed approach and the results show that our approach has good performance in response accuracy to different attack scenarios and robustness against false alerts.

LI Hui,ZHENG Qing-hua,HAN Chong-zhao,GUAN Xiao-hong

DOI: https://doi.org/10.3321/j.issn:1000-436x.2005.04.013

2005-01-01

Abstract:A fuzzy multiple hypothesis intrusion scenarios building algorithm was proposed based on multiple hypothesis tracking(MHT)theory which originated from information fusion. The algorithm could automatically analyze and organize alarms produced by intrusion detection systems to form credible attack segments and finally generate intrusion scenarios. The whole process can be divided into three steps, which were hypothesis generation, fuzzy hypothesis assessment and hypothesis management. Experiments on the DARPA2000 IDS test dataset show that the algorithm is effective and efficient.

Kuo Zhang,Zheng-Guang Wu

DOI: https://doi.org/10.1109/iccss53909.2021.9722027

2021-01-01

Abstract:False data injection attack(FDIA) is a traditional attack for the smart grid. There are many methods for the detection of the FDIA, but few of them can send the attack alarm successfully without an attack model. In this paper, we propose a reinforcement learning-based FDIA detection method for the distributed smart grid. The detection problem is formulated as a partially observable Markov decision process(POMDP) problem, and the observation of the POMDP can be obtained from the estimation of state and attack which come from the Kalman filter. By using the Sarsa algorithm, we can get a Q-table through online training. Finally, we use the IEEE-118 bus power system to evaluate the performance of our detector, and numerical results show the accurate response for the FDIA.

Xiaoxue Ma,Yun Li,Yan Gao

DOI: https://doi.org/10.1007/s11276-023-03382-w

IF: 2.701

2023-06-14

Wireless Networks

Abstract:For the current problems of complex network state, difficulty in fast response to intrusion and poor adaptation of response decision in fog computing environment, in this paper, we propose an intrusion response decision method based on a combination of deep learning and reinforcement learning based on game theory (Minimax-DQN). First, a Markov game is used as the standard to construct the intrusion response decision model in the fog computing environment. Second, two different sets of random variables are defined considering the possible behavioral choices taken by the attacker and the fog computing intrusion detection systems (FC-IDS), and the continuous state space formed by the game between the attacker and the FC-IDS is processed using a deep Q-network. Finally, the Minimax algorithm is used to solve the optimal value function in a specific state, and the best intrusion response strategy is obtained according to the training output after the training is completed. Three sets of experiments are conducted to compare the results of the Minimax-DQN algorithm, the DQN algorithm and the random strategy. The experimental results data prove that the model and the proposed algorithm can greatly improve the probability of IDS winning in the game process with the attacker, and thus effectively solve the problem of intrusion response decision in fog environment.

computer science, information systems,telecommunications,engineering, electrical & electronic

Wenrui Zhao,Weidong Chen

DOI: https://doi.org/10.1016/j.robot.2021.103736

IF: 3.7

2021-01-01

Robotics and Autonomous Systems

Abstract:Object manipulation planning in clutter suffers from perception uncertainties due to occlusion, as well as action constraints required by collision avoidance. Partially observable Markov decision process (POMDP) provides a general model for planning under uncertainties. But a manipulation task usually have a large action space, which not only makes task planning intractable but also brings significant motion planning effort to check action feasibility. In this work, a new kind of hierarchical POMDP is presented for object manipulation tasks, in which a brief abstract POMDP is extracted and utilized together with the original POMDP. And a hierarchical belief tree search algorithm is proposed for efficient online planning, which constructs fewer belief nodes by building part of the tree with the abstract POMDP and invokes motion planning fewer times by determining action feasibility with observation function of the abstract POMDP. A learning mechanism is also designed in case there are unknown probabilities in transition and observation functions. This planning framework is demonstrated with an object fetching task and the performance is empirically validated by simulations and experiments.

Huikang Liu,Wolfram Wiesemann,Man-Chung Yue

2024-04-02

Abstract:Factored Markov decision processes (MDPs) are a prominent paradigm within the artificial intelligence community for modeling and solving large-scale MDPs whose rewards and dynamics decompose into smaller, loosely interacting components. Through the use of dynamic Bayesian networks and context-specific independence, factored MDPs can achieve an exponential reduction in the state space of an MDP and thus scale to problem sizes that are beyond the reach of classical MDP algorithms. However, factored MDPs are typically solved using custom-designed algorithms that can require meticulous implementations and considerable fine-tuning. In this paper, we propose a mathematical programming approach to solving factored MDPs. In contrast to existing solution schemes, our approach leverages off-the-shelf solvers, which allows for a streamlined implementation and maintenance; it effectively capitalizes on the factored structure present in both state and action spaces; and it readily extends to the largely unexplored class of robust factored MDPs, whose transition kernels are only known to reside in a pre-specified ambiguity set. Our numerical experiments demonstrate the potential of our approach.

Optimization and Control

Aditya Shinde,Prashant Doshi,Omid Setayeshfar

DOI: https://doi.org/10.48550/arXiv.2007.09512

2020-07-19

Abstract:This paper presents an intelligent and adaptive agent that employs deception to recognize a cyber adversary's intent. Unlike previous approaches to cyber deception, which mainly focus on delaying or confusing the attackers, we focus on engaging with them to learn their intent. We model cyber deception as a sequential decision-making problem in a two-agent context. We introduce factored finitely nested interactive POMDPs (I-POMDPx) and use this framework to model the problem with multiple attacker types. Our approach models cyber attacks on a single honeypot host across multiple phases from the attacker's initial entry to reaching its adversarial objective. The defending I-POMDPx-based agent uses decoys to engage with the attacker at multiple phases to form increasingly accurate predictions of the attacker's behavior and intent. The use of I-POMDPs also enables us to model the adversary's mental state and investigate how deception affects their beliefs. Our experiments in both simulation and on a real host show that the I-POMDPx-based agent performs significantly better at intent recognition than commonly used deception strategies on honeypots.

Multiagent Systems,Cryptography and Security

Megha Bose,Praveen Paruchuri,Akshat Kumar

2024-08-16

Abstract:Moving Target Defense (MTD) has emerged as a proactive and dynamic framework to counteract evolving cyber threats. Traditional MTD approaches often rely on assumptions about the attackers knowledge and behavior. However, real-world scenarios are inherently more complex, with adaptive attackers and limited prior knowledge of their payoffs and intentions. This paper introduces a novel approach to MTD using a Markov Decision Process (MDP) model that does not rely on predefined attacker payoffs. Our framework integrates the attackers real-time responses into the defenders MDP using a dynamic Bayesian Network. By employing a factored MDP model, we provide a comprehensive and realistic system representation. We also incorporate incremental updates to an attack response predictor as new data emerges. This ensures an adaptive and robust defense mechanism. Additionally, we consider the costs of switching configurations in MTD, integrating them into the reward structure to balance execution and defense costs. We first highlight the challenges of the problem through a theoretical negative result on regret. However, empirical evaluations demonstrate the frameworks effectiveness in scenarios marked by high uncertainty and dynamically changing attack landscapes.

Cryptography and Security,Artificial Intelligence,Machine Learning

Wenrui Zhao,Weidong Chen

DOI: https://doi.org/10.1109/robio54168.2021.9739277

2021-01-01

Abstract:Searching for a target object in clutter by a robot needs to solve perception uncertainty due to occlusion among objects, the robot has to move objects to gather information about where the target may locate. Meanwhile, we hope that the robot could execute as few actions as possible to get the target. Partially observable Markov decision process (POMDP) is proper to model this task, but it is hard to solve for large scale problems. And action feasibility of robotic manipulation must be identified by motion planning, which is time-consuming. We adopt hierarchical POMDP to reduce the complexity of POMDP planning. Besides, we propose methods to reduce the times of motion planning, the key idea is assigning reward to actions related to feasibility probability, instead of identifying action feasibility at the beginning. Simulations under various scenes show that our methods are effective and efficient.

Zongzhang Zhang,Xiaoping Chen

2012-01-01

Abstract:Planning in partially observable Markov decision processes (POMDPs) remains a challenging topic in the artificial intelligence community, in spite of recent impressive progress in approximation techniques. Previous research has indicated that online planning approaches are promising in handling large-scale POMDP domains efficiently as they make decisions on demand instead of proactively for the entire state space. We present a Factored Hybrid Heuristic Online Planning (FHHOP) algorithm for large POMDPs. FHHOP gets its power by combining a novel hybrid heuristic search strategy with a recently developed factored state representation. On several benchmark problems, FHHOP substantially outperformed state-of-the-art online heuristic search approaches in terms of both scalability and quality.

Xiaofan Zhou,Simon Yusuf Enoch,Dong Seong Kim

DOI: https://doi.org/10.48550/arXiv.2207.05436

2022-07-12

Cryptography and Security

Abstract:It is challenging for a security analyst to detect or defend against cyber-attacks. Moreover, traditional defense deployment methods require the security analyst to manually enforce the defenses in the presence of uncertainties about the defense to deploy. As a result, it is essential to develop an automated and resilient defense deployment mechanism to thwart the new generation of attacks. In this paper, we propose a framework based on Markov Decision Process (MDP) and Q-learning to automatically generate optimal defense solutions for networked system states. The framework consists of four phases namely; the model initialization phase, model generation phase, Q-learning phase, and the conclusion phase. The proposed model collects real network information as inputs and then builds them into structural data. We implement a Q-learning process in the model to learn the quality of a defense action in a particular state. To investigate the feasibility of the proposed model, we perform simulation experiments and the result reveals that the model can reduce the risk of network systems from cyber attacks. Furthermore, the experiment shows that the model has shown a certain level of flexibility when different parameters are used for Q-learning.

Lu Yu,Richard R. Brooks

DOI: https://doi.org/10.1007/978-3-319-75683-7_15

2017-09-22

Abstract:With the rapid development of Internet and the sharp increase of network crime, network security has become very important and received a lot of attention. We model security issues as stochastic systems. This allows us to find weaknesses in existing security systems and propose new solutions. Exploring the vulnerabilities of existing security tools can prevent cyber-attacks from taking advantages of the system weaknesses. We propose a hybrid network security scheme including intrusion detection systems (IDSs) and honeypots scattered throughout the network. This combines the advantages of two security technologies. A honeypot is an activity-based network security system, which could be the logical supplement of the passive detection policies used by IDSs. This integration forces us to balance security performance versus cost by scheduling device activities for the proposed system. By formulating the scheduling problem as a decentralized partially observable Markov decision process (DEC-POMDP), decisions are made in a distributed manner at each device without requiring centralized control. The partially observable Markov decision process (POMDP) is a useful choice for controlling stochastic systems. As a combination of two Markov models, POMDPs combine the strength of hidden Markov Model (HMM) (capturing dynamics that depend on unobserved states) and that of Markov decision process (MDP) (taking the decision aspect into account). Decision making under uncertainty is used in many parts of business and <a class="link-external link-http" href="http://science.We" rel="external noopener nofollow">this http URL</a> use here for security <a class="link-external link-http" href="http://tools.We" rel="external noopener nofollow">this http URL</a> adopt a high-quality approximation solution for finite-space POMDPs with the average cost criterion, and their extension to DEC-POMDPs. We show how this tool could be used to design a network security framework.

Cryptography and Security

Jingmin Zhou

2008-01-01

Abstract:Despite years of research and development efforts, intrusion detection is still facing significant challenges. A particular intriguing problem is that existing network intrusion detection systems report an excessive number of alerts, of which few are "interesting" from the point of view of security officers. Moreover, these alerts do not provide adequate details about the intrusions that can assist security officers to efficiently assess the security risks. In this dissertation, we propose methods to reduce the number of alerts and improve their quality. In our approach, we first identify and extract additional information from the intrusion alerts such as the result of an attack. Using this information, we are able to quickly filter out a majority of alerts that are generally not helpful in intrusion analysis. We also create a systematic approach to consistently and unambiguously model the extracted information, in particular the relations between different alerts. We demonstrate the scalability of this model by applying it to almost one thousand different network intrusion detection signatures. Using the model, we successfully construct high-level description of multi-stage intrusion strategies from low-level alerts, as well as compute the possible variations of multi-stage intrusions from a single intrusion instance. This not only reduces the number of total alerts, but also improves the alert quality. We conducted experiments with several real-world intrusion detection datasets, and the results showed the effectiveness of our approach.

Ping Liu,Bo Xu,Fang Hu,Haifeng Yu,Li Jin

DOI: https://doi.org/10.4028/www.scientific.net/amm.241-244.1133

2012-01-01

Applied Mechanics and Materials

Abstract:Taking the botnet incident response plan decision-making as an example, we construct a new model by using action decomposition. In this model we introduce action layer, relation between sub-actions and decompose the complex incident response plan into many layers. This model provides a graphic representation of the complex plan. By analyzing the decomposing method and the action node structure, we prove that the store space size of this graphic representation is not increased exponentially when the action node added.