WUChunming

DOI: https://doi.org/10.3969/j.issn.1009-6868.2016.01.009

2016-01-01

Abstract:Dynamic network proactive security defence is an effective method for solving the unknown vulnerabilities and back door attacks in the information system. In this paper, the evolution defense mechanism (EDM) is proposed. According to the security status, network system security needs, EDM can select the best network configuration change elements to deal with potential attacks and ensure the safety requirements of a specific level. Dynamic reconfiguration and changes of the network need to be considered in accordance with the security situation of the system and the possible network attacks. The key is how to detect and the security situation and network attacks. It proposes that study on dynamic network proactive security defense in China is in the initial stage, and there is stil much work to do.

Xie Yi,Yu Shunzheng

DOI: https://doi.org/10.3969/j.issn.1000-0801.2007.01.023

2007-01-01

Abstract:Distributed denial of service (DDoS) attacks bring a very serious threat to the stability of Internet. DDoS attack methods and tools are becoming more sophisticated, effective and also more difficult to be traced. New forms of DDoS attacks on application layer cause current defense technologies working on TCP or IP level unable to withstand them, which makes a new challenge to the traditional anomaly detection techniques. In this paper, we discuss the rationale of application layer DDoS attacks and the disadvantages of current DDoS detection schemes in dealing with such attacks. At last, a new detection scheme focusing on application layer DDoS attacks defense based on user behavior is proposed. Filtering and blocking are also carried out for the malicious HTTP requests over the application level and TCP level.

Xifeng AN,Weihua LI,Zun LIU

DOI: https://doi.org/10.3321/j.issn:0253-987X.2008.12.013

2008-01-01

Abstract:A novel network security cooperative defense technology is studied and a cooperative control framework based on agent mechanism is proposed to solve the lack of cooperative control and whole effect in traditional defense systems. The technology supports both IPv4 and IPv6 protocols and security modules in the framework are associated with each other to accomplish communication and work together. Furthermore, a network security cooperative defense system is composed and the key functions that support the early-alert, audit, accident recovery, network camouflage and so on are also achieved. The pivotal research is emphasized on the key technologies of system call sequences audit model based on machine learning and cooperative accident recovery. Under the condition of 100 M Data flow speed, the NSCDS software's false negative is less than 6% and its false positive is less than 8%. Besides, all module functions work normally and the system can be used to carry out cooperative defense capability.

XIE Yi,TANG Cheng-hua,HUANG Xiang-nong

DOI: https://doi.org/10.3969/j.issn.1000-1220.2013.09.027

2013-01-01

Abstract:Application-layer DDoS attack is a main threat to most of modern network service providers.The main drawback of conventional detection methods is that they are hard to describe the non-stationary and time-varying user behavior and cannot automatically adjust the model parameters according to the evolution of normal user behavior.In this paper,a new dynamic application-layer DDoS detection approach is proposed.The proposed scheme utilizes semi-Markov chain to describe the profile of normal behavior.A new dynamic recursive algorithm is introduced to adjust the model's parameters.The model is applied to detect the Application-layer DDoS attacks.Experiments based on a real trace are implemented to validate the proposal.

Chengrong WU,Ming YAN,Haolin Jin,Wei LIU,Shiyong ZHANG,Jianping ZENG

DOI: https://doi.org/10.19363/j.cnki.cn10-1380/tn.2016.04.002

2016-01-01

Abstract:Traditional information security defense techniques have the feature of static and passive. Systems and security mechanisms are relatively fixed in a period of time. So attackers can continuously study the static target, and try to find the vulnerability of it. In order to improve the proactivity of security defense, some research programs that tried to“change the rules of the game”had been initialized throughout the world. MTD (moving target defense) and the Mimic-Defense are the emerging ideas of proactive defense. However, to achieve the purpose of proactive defense, in addition to the separate uses of techniques on key points, we also need a framework. Deferent defense mechanisms can be effectively cooperate in the framework to form a general “moving” and controlled proactive defense system. Traditional information system which does not have the build-in proactive defense mechanism can also run in this framework, and be benefited from the proac-tive defense mechanism to enhance the ability of defense. This paper presents a kind of framework that can effectively integrate different levels of proactive defense techniques and mechanisms, and is compatible with the traditional applica-tions. We call it self-transforming proactive defense network framework. This framework can archive the integration of build-in with bolt-on proactive defense techniques, the integration of multi-level and multi-granularity proactive defense techniques. It is compatible with traditional applications which do not have the build-in proactive defense mechanism, and provides ideas.to form a new generation of build-in proactive defense network architecture in the future.

ZHU Yong,LUO Jun-zhou,LI Wei,WANG Peng,QU Yan-sheng

DOI: https://doi.org/10.3969/j.issn.1009-3443.2012.01.007

2012-01-01

Abstract:The varied kinds of services are facing a complicated and unsafe survival environment.The application layer DoS attack is one of the most serious factors that threaten the service survivability.In the research on defense against it,some defects have been found,such as false positive,the need to extra hardware devices,and shortage of defense against the low-rate attack.A novel probability-based sliding window model(PBSWM) was proposed to defend against the application layer DoS attack.PBSWM,deployed in the application layer,uses the sliding window to limit the client request rate and service load,probabilistic transmission control to prevent the high-workload request attack,and the admission control to mitigate occupation of much of the service queue by minority of users.Finally,the experiment results show that PBSWM can mitigate the attacks and improve service survivability.

Di Li,Yikun Hu,Guoqing Xiao,Mingxing Duan,Kenli Li

DOI: https://doi.org/10.1002/cpe.7577

2023-01-01

Concurrency and Computation Practice and Experience

Abstract:SummaryWith the rapid development of the internet, cyberspace security issues have become increasingly prominent. The importance of constructing a cyberspace security system is self‐evident, but compared with attackers, defenders in cyberspace are in a castle‐like passive defense state in most cases. Therefore, building a reliable, accurate, timely, and active defense system is challenging. The key is to accurately focus on defense priorities, the anticipation of attackers who will likely succeed, and blocking attacks in a timely manner. In this article, we propose an active defense model based on the interaction of situational awareness and firewalls. First, by biasing the integrity, confidentiality, and availability of assets to get the score of assets, and using the Common Vulnerability Scoring System to assess the threat level of assets, we combine the two to determine the maximum system damage that the asset will suffer if it is lost, and then focus on defense. Meanwhile, log analysis of the network situational awareness platform can predict successful attackers, and then the linked firewall strategy can block these attacks in time before the attackers obtain attack gains. After that, we force the attackers to give up their attacks on the target by increasing the attack cost. We compared our model with iptables auto‐blocking and nginx auto‐blocking, and our model excelled them across the board in terms of comprehensiveness and false positive rate. The experimental results verify thar our active defense model proposed in this article can better reduce the defense cost and increase the attack cost, thus achieving the relatively defense goal.

Jie Yu,Zhoujun Li,Huowang Chen,Xiaoming Chen

DOI: https://doi.org/10.1109/icns.2007.5

2007-01-01

Abstract:Application layer DDoS attacks, which are legitimate in packets and protocols, gradually become a pressing problem for commerce, politics and military. We build an attack model and characterize layer-7 attacks into three classes: session flooding attacks, request flooding attacks and asymmetric attacks. We proposed a mechanism named as DOW (defense and offense wall), which defends against layer-7 attacks using combination of detection technology and currency technology. An anomaly dete-ction method based on K-means clustering is introduced to detect and filter request flooding attacks and asymmetric attacks. To defend against session-flooding attacks, we propose an encouragement model that uses client's session rate as currency. Detection model drops suspicious sessions, while currency model encourages more legitimate sessions. By collaboration of these two models, normal clients could gain higher service rate and lower delay of response time.

CHEN Yulai,SHAN Rongsheng,BAI Yingcai

DOI: https://doi.org/10.3969/j.issn.1009-8054.2007.02.062

2007-01-01

Abstract:This paper presents a dynamic defense model of network security, based on which a prototype system is implemented. The system integrates the mechanisms of detection and access control, and has close loop response to the results of attack detection. The system obtains some changes of the service port by network service discrimination and active scan technologies, and then dynamically adjusts and loads the detection module according to these changes, so that the accuracy and efficiency of detection are improved. The experimental results show that the system has a closed-loop dynamic protection mechanism.

Yi Xie,Shun-Zheng Yu

DOI: https://doi.org/10.1109/IMSCCS.2006.159

2006-01-01

Abstract:Countering Distributed Denial of Service (DDoS) attacks is becoming ever more challenging with the vast resources and techniques increasingly available to attackers. DDoS attacks are typically carried out at the network layer. However, there is evidence to suggest that application layer DDoS attacks can be more effective than the traditional ones. In this paper, we consider sophisticated attacks that utilize legitimate application layer HTTP requests from legitimately connected network machines to overwhelm Web server. Since the attack signature of each application layer DDoS is represented in abnormal user behavior, we propose a countermechanism based on Web user browsing behavior to protect the servers from these attacks. In contrast to prior works, we explore Hidden semi-Markov Model to describe the browsing behaviors of Web users and apply it to implement the anomaly detection for the application layer DDoS attacks which simulate the Web request behaviors of browser and use HTTP requests to launch attacks. By conducting an experiment with a real traffic data, the model shows that it is effective in measuring the user behaviors and detecting the application layer DDoS attacks.

Qi Liu,Hongwei Ruan,Hua Li,Xiaodi Li,Xianrong Wang

DOI: https://doi.org/10.1145/3444370.3444612

2020-01-01

Abstract:Software Defined Network (SDN) is a new networking technology with the advantages of separating data forwarding plane from the control plane, and a growing number of traditional network attacks are left to this new network architecture. However, current solutions only concentrate on several special attacks in SDN and bring out a variety of overhead. In this paper, we consider two levels detection in data forwarding plane: packet level and flow level. We proposed an efficient, effective, real-time and machine learning based mechanism, called REAL-GUARD, to detect and defend network security threats with decision tree methods and without any extra devices. The experiments prove that our mechanism can defend scanning attacks and detect flooding attacks effectively with low additional performance overhead.

Xiaofan Zhou,Simon Yusuf Enoch,Dong Seong Kim

DOI: https://doi.org/10.48550/arXiv.2207.05436

2022-07-12

Cryptography and Security

Abstract:It is challenging for a security analyst to detect or defend against cyber-attacks. Moreover, traditional defense deployment methods require the security analyst to manually enforce the defenses in the presence of uncertainties about the defense to deploy. As a result, it is essential to develop an automated and resilient defense deployment mechanism to thwart the new generation of attacks. In this paper, we propose a framework based on Markov Decision Process (MDP) and Q-learning to automatically generate optimal defense solutions for networked system states. The framework consists of four phases namely; the model initialization phase, model generation phase, Q-learning phase, and the conclusion phase. The proposed model collects real network information as inputs and then builds them into structural data. We implement a Q-learning process in the model to learn the quality of a defense action in a particular state. To investigate the feasibility of the proposed model, we perform simulation experiments and the result reveals that the model can reduce the risk of network systems from cyber attacks. Furthermore, the experiment shows that the model has shown a certain level of flexibility when different parameters are used for Q-learning.

肖军,云晓春,张永铮

DOI: https://doi.org/10.3724/sp.j.1016.2010.01713

2010-01-01

Chinese Journal of Computers

Abstract:Mitigating Distributed Denial-of-Service(DDoS)attacks becomes more challenging with increasing available resources and techniques for attackers.Current network-layer security devices fail to counter application-layer DDoS(App-DDoS)attacks for the normal traffic feature on the network layer.In this paper,to handle App-DDoS attacks,a novel defense model is proposed.App-DDoS attack is divided into 5 types based on the attack URL generating way.Based on the differences between normal sessions and attack sessions,the paper proposes the session behavior suspicion parameters and the session suspicion model,which can be used to differentiate normal sessions from App-DDoS sessions accurately.The model is combined with 3 forwarding policies,including First-Come First-Serve(FCFS),Low Suspicion First(LSF)and Round Robin respectively to defend against 5 types of App-DDoS attacks.Simulation result with real Web trace shows that these forwarding policies perform well when the forwarding rate equals to the maximum normal request arrival rate,and FCFS and Round Robin perform better than LSF on the normal request response delay.

Kun Lv,Yun Chen,Changzhen Hu

DOI: https://doi.org/10.1016/j.inffus.2019.01.001

IF: 18.6

2019-01-01

Information Fusion

Abstract:Advanced persistent threats (APTs) pose a grave threat in cyberspace because of their long latency and concealment. In this paper, we propose a hybrid strategy game-based dynamic defense model to optimally allocate constrained secure resources for the target network. In addition, values of profits of players in this game are computed by a novel data-fusion method called NetF. Based on network protocols and log documents, the NetF deciphers data packets collected from different networks to natural language to make them comparable. Using this algorithm, data observed from the Internet and wireless sensor networks (WSNs) can be fused to calculate the comprehensive payoff of every node precisely. The Nash equilibrium can be computed using the value to detect the possibility of a node being a malicious node. Using this method, the dynamic optimal defense strategy can be allocated to every node at different times, which enhances the security of the target network obviously. In experiments, we illustrate the obtained results via case studies of a cluster of heterogeneous networks. The results guide planning of optimal defense strategies for different kinds of nodes at different times.

Huo Chengyi,Wu Zhenqiang,Jian Xiaochun,Zhang Jie

DOI: https://doi.org/10.3969/j.issn.1009-8054.2006.12.051

2006-01-01

Abstract:Depending on the PPDR dynamic defense model, synthesize the firewall, intrusion detection system and honeypot, this paper proposed a network security of dynamic defense model. It focused on discovering attackers early, study attackers and product new rules, so that always make network defense instrusion to be placed in the active position.

XIE Yi,YU Shun-Zheng

DOI: https://doi.org/10.3969/j.issn.1002-137X.2007.08.029

2007-01-01

Computer Science

Abstract:Distributed Denial of Service(DDoS)attacks are typically carried out at the network layer.However,there is evidence to suggest that application layer DDoS attacks can be more effective than the traditional ones.A sophisticated attack using legitimate application layer HTTP requests from legitimately connected network machines to overwhelm Web server is discussed.A counter-mechanism based on Web user browsing behavior is proposed to protect the servers from these attacks.In contrast to prior works,Hidden semi-Markov Model is explored to describe the browsing behaviors of Web users and to implement the anomaly detection for the application layer flooding attacks.By conducting an experiment with a real traffic data,the model shows that it is effective in measuring the user behaviors and detecting the application layer flooding attacks.

A. Abirami,S. Palanikumar

DOI: https://doi.org/10.24996/ijs.2023.64.11.35

2023-11-30

Iraqi Journal of Science

Abstract:is at an all-time high in the modern period, and the majority of the population uses the Internet for all types of communication. It is great to be able to improvise like this. As a result of this trend, hackers have become increasingly focused on attacking the system/network in numerous ways. When a hacker commits a digital crime, it is examined in a reactive manner, which aids in the identification of the perpetrators. However, in the modern period, it is not expected to wait for an attack to occur. The user anticipates being able to predict a cyberattack before it causes damage to the system. This can be accomplished with the assistance of the proactive forensic framework presented in this study. The proposed system combines a reactive and proactive framework. The proactive part will use machine learning-based classification algorithms to forecast the attack. Once the assault has been predicted, the reactive element of the proposed framework is used to investigate who is attempting to initiate the attack. The suggested system further emphasizes integrity and confidentiality by proposing an encryption method that encrypts the proactive module's report before decrypting it in the reactive module. The suggested elliptical curve cryptography-based security model was compared to several existing security methods in this paper.A comparison of multiple machine learning-based categorization algorithms is also performed in order to determine which is the most suitable for the proposed Network Forensic Framework. Accuracy, recall, precision, and F1 value are the performance metrics used to evaluate the various machine learning-based algorithms. According to the analysis, the suggested Network Forensic Framework is best implemented using the Extreme Gradient Boosting (XGB) technique.

Yue Li,Teng Zhang,Xue Li,Ting Li

DOI: https://doi.org/10.1007/978-981-13-6621-5_10

2019-01-01

Abstract:AbstractThe targets of Advanced Persistent Threat (APT) are mainly concentrate on national key information infrastructure, key research institutes, and large commercial companies, for the purpose of stealing sensitive information, trade secrets or destroying important infrastructure. Traditional protection system is difficult to detect the APT attack, due to the method of the APT attack is unknown and uncertain. And the persisted evolution ability destroyed the traditional protection methods based on feature detection. Therefore, this paper based on the theory of red-blue confrontation, to construct the game model of attack and defense. And then combined the APT offense and defense experience, presents a model based on cyber threat detection to deal with APT attacks.

Hongjun He,Li Luo,Yang Wang,Zhipeng Duan,Zhihe Fang,Wenzheng Zhang

DOI: https://doi.org/10.4028/www.scientific.net/amr.255-260.2197

2011-01-01

Advanced Materials Research

Abstract:With the development of computer technology and network application, the safety of application has become one of the most important research problems in the field of information security. Firstly, the paper analyzes malicious attack approaches for applications. Secondly, this article proposes an application anti-attack model (AAM), and further presents the formal description of the model. Finally, this paper represents its good security properties and proves them.

Kai Xing,Aiping Li,Rong Jiang,Yan Jia

DOI: https://doi.org/10.1109/dsc50466.2020.00018

2020-01-01

Abstract:Cyberspace has been threatened by attacks ever since its birth. With the development of the Internet and artificial intelligence, forms of cyberattacks are emerging in endlessly, and technical means are constantly being renovated. In particular, advanced persistent threats are intensifying. How to effectively prevent this type of attack has become the focus, and attack detection and defense technology has made great progress. This article mainly discusses the research progress of APT attack detection and defense strategies at home and abroad, and focuses on the practice of using machine learning to perform attack detection while elaborating on traditional attack detection methods. Defense strategy is about how to use game theory to find the best defense strategy in limited resources, dynamic information flow tracking and cloud platform.