Chunming Zhang,Fengji Luo,Mingyang Sun,Gianluca Ranzi

DOI: https://doi.org/10.1109/tnse.2020.3015220

IF: 6.6

2021-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Advanced Metering Infrastructure (AMI) is a critical and fundamental component of smart grids. Cyber security of AMI thus has direct implications to smart grid's secure and reliable operations. This paper establishes analytical models for studying AMI system's robustness with presence of Distributed Denial-of-Service (DDoS) attacks. This paper firstly proposes a state transition model for individual smart meter nodes and data collector nodes in an AMI communication network; based on this, a dynamic differential system is formulated to describe the network's state evolution. We analyze the dynamic differential system's stability under DDoS attacks and propose a defending strategy, which optimally allocate defending resources in the AMI network, aiming at mitigating the DDoS's threaten with minimum defending loss and cost. Extensive simulations are conducted to validate the proposed method under different AMI network topologies.

Qiang Liu,Jian-ping Yin,Zhi-ping Cai,Ming Zhu

DOI: https://doi.org/10.1109/NSS.2010.52

2010-01-01

Abstract:Distributed Denial of Service (DDoS) attack is one of main threats to Internet security. Due to the spatio-temporal properties of the attack, it is possible to detect the attack at its early stage. In this paper, we propose a novel method of DDoS threat assessment based on network vulnerability analysis. Both the multi-phase character in the temporal dimension and the impacts in the spatial dimension are concerned in our method. We use three metrics to assess threat, namely the ratio of progress, botnet size, and bots distribution. Experimental results show that our method is sensitive to the changes of attack states, and is easy to be implemented in an early warning system because of its simplicity.

Quan-zhen SONG,Xiu-zhen CHEN,Jin MA

DOI: https://doi.org/10.3969/j.issn.1002-0802.2017.01.019

2017-01-01

Abstract:DDoS attack, with easy launch and hard defence, is always a matter of concern in network security. Aiming at common in-flood DDoS attacks (cc attack), the security assessment method based on rough set algorithms is proposed, thus to achieve real-time quantitative assessment of security threats. By measuring changes in related indices of network and system performance before and after attack, a series of indices for evaluating DDoS attacks, are determined, then further with rough set algorithm the sample decision table of DDoS attacks, is analyzed, the normalized importance of each index calculated,and the weight of each index acguired. Finally the security situation value is obtained by weighted summation of the chosen indices. Experiments show that this method can effectively quantify the changes of system security state before and after attack. Compared with the existing security assessment methods, the security evaluation method based on rough set theory can determine the weight of indices without any reliance on prior knowledge, and objectively evaluate and predict the DDoS attack.

Han Qin,Jiaming Weng,Dong Liu,Donglian Qi,Yufei Wang

DOI: https://doi.org/10.17775/cseejpes.2020.04550

IF: 6.014

2024-01-01

CSEE Journal of Power and Energy Systems

Abstract:With the help of advanced information technology, real-time monitoring and control levels of cyber-physical distribution systems (CPDS) have been significantly improved. However due to the deep integration of cyber and physical systems, attackers could still threaten the stable operation of CPDS by launching cyber-attacks, such as denial-of-service (DoS) attacks. Thus, it is necessary to study the CPDS risk assessment and defense resource allocation methods under DoS attacks. This paper analyzes the impact of DoS attacks on the physical system based on the CPDS fault self-healing control. Then, considering attacker and defender strategies and attack damage, a CPDS risk assessment framework is established. Furthermore, risk assessment and defense resource allocation methods, based on the Stackelberg dynamic game model, are proposed under conditions in which the cyber and physical systems are launched simultaneously. Finally, a simulation based on an actual CPDS is performed, and the calculation results verify the effectiveness of the algorithm.

Zhen Cao,Zhi Guan,Zhong Chen,Jian-Bin Hu,Li-Yong Tang

DOI: https://doi.org/10.1007/s11390-010-9330-4

2010-01-01

Abstract:Denial-of-Service (DoS) attacks are virulent to both computer and networked systems. Modeling and evaluating DoS attacks are very important issues to networked systems; they provide both mathematical foundations and theoretic guidelines to security system design. As defense against DoS has been built more and more into security protocols, this paper studies how to evaluate the risk of DoS in security protocols. First, we build a formal framework to model protocol operations and attacker capabilities. Then we propose an economic model for the risk evaluation. By characterizing the intruder capability with a probability model, our risk evaluation model specifies the “Value-at-Risk” (VaR) for the security protocols. The “Value-at-Risk” represents how much computing resources are expected to lose with a given level of confidence. The proposed model can help users to have a better understanding of the protocols they are using, and in the meantime help designers to examine their designs and get clues of improvement. Finally we apply the proposed model to analyze a key agreement protocol used in sensor networks and identify a DoS flaw there, and we also validate the applicability and effectiveness of our risk evaluation model by applying it to analyze and compare two public key authentication protocols.

Xiu-Zhen Chen,Qing-Hua Zheng,Xiao-Hong Guan,Chen-Guang Lin,Jie Sun

DOI: https://doi.org/10.1016/j.cose.2004.08.009

IF: 5.105

2005-01-01

Computers & Security

Abstract:How to evaluate network security threat quantitatively is one of key issues in the field of network security, which is vital for administrators to make decision on the security of computer networks. A novel model of security threat evaluation with a series of quantitative indices is proposed on the analysis of prevalent network intrusions. This model is based on multiple behavior information fusion and two indices of privilege validity and service availability that are proposed to evaluate the impact of prevalent network intrusions on system security, so as to provide security evolution over time, i.e., monitor security changes with respect to modification of security factors. The Markov model and the algorithm of D-S evidence reasoning are proposed to measure these two indices, respectively. Compared with other methods, this method mitigates the impact of unsuccessful intrusions on threat evaluation. It evaluates the impact of important intrusions on system security comprehensively and helps administrators to insight into intrusion steps, determine security state and identify dangerous intrusion traces. Testing in a real network environment shows that this method is reasonable and feasible in alleviating the tremendous task of data analysis and facilitating the understanding of the security evolution of the system for its administrators.

Adam Bargteil,David Bindel,Yan Chen

2000-01-01

Abstract:Denial of Service (DoS) attacks are increasing in fre- quency, severity and sophistication. Most previous work has focused on DoS attacks which take advan- tage of a protocol to launch the attack. We take the view that DoS attack is any malicious action which reduces the availability of some resource to some users. We set as a goal a general methodol- ogy for measuring the resilience of a system to broad classes of attacks. As a first step toward this ambi- tious goal, we have studied the effect of a variety of attacks on directory services in a network setting.

Yan Chen,Adam Bargteil,David Bindel,Randy H. Katz,John Kubiatowicz

DOI: https://doi.org/10.1007/3-540-45600-7_37

2001-01-01

Abstract:Network Denial of Service (DoS) attacks are increasing in frequency, severity and sophistication, making it desirable to measure the resilience of systems to DoS attacks. In this paper, we propose a simulation-based methodology and apply it to attacks on object location services such as DNS. Our results allow us to contrast the DoS resilience of three distinct architectures for object location.

WANG Hui-ying,ZHOU Ning,CHEN Xiu-zhen,LI Jian-hua

DOI: https://doi.org/10.3778/j.issn.1002-8331.2008.14.036

2008-01-01

Computer Engineering and Applications Journal

Abstract:The increasing use of the Internet and attacks make it necessary to develop techniques that analyze network and service availability.Monitoring and quantifying network component behavior is key to make network reliable and robust.By using situation analysis,this paper proposes an approach to network service availability evaluation which is aimed at certain systems.The contribution of this paper is two-fold:First,key-factors and secondly,the system.This approach can provide a direct situation analysis to the certain services and can also analyze the system resource usage,thus havs a concrete and whole scope of the system situation.The effectiveness of this approach is approved by the large amounts of experiments in both normal and DDOS attacked network.

QINGtao WU,Zhiqing SHAO,Xiyuan QIAN

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.10.049

2006-01-01

Abstract:Distributed denial of service (DDoS) attacks are major threats to availability of computer network. A detection model for early DDoS attacks is presented, which involves with probability distributions of normal behavior on computer network and DDoS attacks detection threshold. The model employs statistical analysis of data from network connections to find the probability distributions of normal behavior. Based on the probability distributions, the threshold is set for detecting attacks. Also, the feasibility of the scheme is validated through the simulated test. The experimental results show the effectiveness of the model in detecting DDoS attacks. Furthermore, this model provides some directed sense for other network security detection research.

Bin Yuan,Fan Zhang,Jun Wan,Huan Zhao,Shui Yu,Deqing Zou,Qiangsheng Hua,Hai Jin

DOI: https://doi.org/10.1007/s11432-022-3593-7

2023-01-01

Science China Information Sciences

Abstract:Software-defined networks (SDNs) present a novel network architecture that is widely used in various datacenters. However, SDNs also suffer from many types of security threats, among which a distributed denial of service (DDoS) attack, which aims to drain the resources of SDN switches and controllers, is one of the most common. Once the switch or controller is damaged, the network services can be affected. Many defense schemes against DDoS attacks have been proposed from the perspective of attack detection; however, such defense schemes are known to suffer from a time consuming and unpromising accuracy, which could result in an unavailable network service before specific countermeasures are taken. To address this issue through a systematic investigation, we propose an elaborate resource-management mechanism against DDoS attacks in an SDN. Specifically, by considering the SDN topology, we leverage the M/M/c queuing model to measure the resistance of an SDN to DDoS attacks. Network administrators can therefore invest a reasonable number of resources into SDN switches and SDN controllers to defend against DDoS attacks while guaranteeing the quality of service (QoS). Comprehensive analyses and empirical data-based experiments demonstrate the effectiveness of the proposed approach.

Muhai Li,Ming Li,Xiuying Jiang

DOI: https://doi.org/10.5555/1457999.1458004

2008-01-01

Abstract:With the proliferation of Internet applications and network-centric services, network and system security issues are more important than before. In the past few years, cyber attacks, including distributed denial-of-service (DDoS) attacks, have a significant increase on the Internet, resulting in degraded confidence and trusts in the use of Internet. However, the present DDoS attack detection techniques face a problem that they cannot distinguish flooding attacks from abrupt changes of legitimate activity. In this paper, we give a model for detecting DDoS attacks based on network traffic feature to solve the problem above. In order to apply the model conveniently, we design its implementation algorithm. By using actual data to evaluate the algorithm, the evaluation result shows that it can identify DDoS attacks.

Tingting Yao,Qinghua Zheng,Xiaohong Guan,Xiuzhen Chen

DOI: https://doi.org/10.3321/j.issn:0253-987X.2006.04.011

2006-01-01

Abstract:After analyzing malicious attacks against network that affect the service availability and would lead to the abnormal change of the network traffic, a method to evaluate the security situation of real-time traffic of hosts is presented. A group of statistic that can reflect the network traffic features in a fixed time window are selected as the evaluation metrics. Based on the large samples, the information entropy gain method is applied to determine the importance of evaluation results for different metrics. Then, using hierarchical weighted method, the evaluation results are regarded as the normalized abnormality value to evaluate the real time traffic of host networks. Experiments and testing show that this method can reasonably evaluate the host network abnormal flows caused by the DDoS, DoS worm and other attacks, and has good evaluation results for new attacks that cause abnormal change of network traffic.

Yang Wang,Chuang Lin,Quan-Lin Li,Yuguang Fang

DOI: https://doi.org/10.1016/j.comnet.2007.02.011

IF: 5.493

2007-01-01

Computer Networks

Abstract:In most network security analysis, researchers mainly focus on qualitative studies on security schemes and possible attacks, and there are few papers on quantitative analysis in the current literature. In this paper, we propose one queueing model for the evaluation of the denial of service (DoS) attacks in computer networks. The network under DoS attacks is characterized by a two-dimensional embedded Markov chain model. With this model, we can develop a memory-efficient algorithm for finding the stationary probability distribution which can be used to find other interesting performance metrics such as the connection loss probability and buffer occupancy percentages of half-open connections for regular traffic and attack traffic. Different from previous works in the literature, this paper gives a more general analytical approach to the study of security measures of a computer network under DoS attacks. We hope that our approach opens a new avenue to the quantitative evaluation of more complicated security schemes in computer networks.

Qing-tao WU,You-gen ZHANG,Zhi-qing SHAO

DOI: https://doi.org/10.3969/j.issn.1006-3080.2006.05.019

2006-01-01

Abstract:Distributed Denial-of-Service (DDoS) attacks are a major threat to availability of computer networks. In this paper, a novel scheme for early detection of DDoS attacks is proposed, which is involved with probability distributions of normal behavior on computer networks and DDoS attacks detection model. The scheme employed statistical analysis of data from network connections to generate the probability distributions of normal network connections. Based on the probability distributions, DDoS attacks detection model is presented. The feasibility of the scheme is validated through the simulated test. The experimental results show the effectiveness of our scheme in detecting DDoS attacks. Also, this scheme provides some direction significance for other network security detection research.

Xiaming Ye,Junhua Zhao,Yan Zhang,Fushuan Wen

DOI: https://doi.org/10.3390/en8065266

IF: 3.2

2015-01-01

Energies

Abstract:The distribution automation system (DAS) is vulnerable to cyber-attacks due to the widespread use of terminal devices and standard communication protocols. On account of the cost of defense, it is impossible to ensure the security of every device in the DAS. Given this background, a novel quantitative vulnerability assessment model of cyber security for DAS is developed in this paper. In the assessment model, the potential physical consequences of cyber-attacks are analyzed from two levels: terminal device level and control center server level. Then, the attack process is modeled based on game theory and the relationships among different vulnerabilities are analyzed by introducing a vulnerability adjacency matrix. Finally, the application process of the proposed methodology is illustrated through a case study based on bus 2 of the Roy Billinton Test System (RBTS). The results demonstrate the reasonability and effectiveness of the proposed methodology.

肖军,云晓春,张永铮

DOI: https://doi.org/10.3724/sp.j.1016.2010.01713

2010-01-01

Chinese Journal of Computers

Abstract:Mitigating Distributed Denial-of-Service(DDoS)attacks becomes more challenging with increasing available resources and techniques for attackers.Current network-layer security devices fail to counter application-layer DDoS(App-DDoS)attacks for the normal traffic feature on the network layer.In this paper,to handle App-DDoS attacks,a novel defense model is proposed.App-DDoS attack is divided into 5 types based on the attack URL generating way.Based on the differences between normal sessions and attack sessions,the paper proposes the session behavior suspicion parameters and the session suspicion model,which can be used to differentiate normal sessions from App-DDoS sessions accurately.The model is combined with 3 forwarding policies,including First-Come First-Serve(FCFS),Low Suspicion First(LSF)and Round Robin respectively to defend against 5 types of App-DDoS attacks.Simulation result with real Web trace shows that these forwarding policies perform well when the forwarding rate equals to the maximum normal request arrival rate,and FCFS and Round Robin perform better than LSF on the normal request response delay.

Xiaohu Li,Timothy Paul Parker,Shouhuai Xu

DOI: https://doi.org/10.1109/tdsc.2008.75

2011-01-01

Abstract:Traditional security analyses are often geared toward cryptographic primitives or protocols. Although such analyses are necessary, they cannot address a defender's need for insight into which aspects of a networked system having a significant impact on its security, and how to tune its configurations or parameters so as to improve security. This question is known to be notoriously difficult to answer, and the state of the art is that we know little about it. Toward ultimately addressing this question, this paper presents a stochastic model for quantifying security of networked systems. The resulting model captures two aspects of a networked system:1) the strength of deployed security mechanisms such as intrusion detection systems and 2) the underlying vulnerability graph, which reflects how attacks may proceed. The resulting model brings the following insights: 1) How should a defender “tune” system configurations (e.g., network topology) so as to improve security? 2) How should a defender “tune” system parameters (e.g., by upgrading which security mechanisms) so as to improve security? 3) Under what conditions is the steady-state number of compromised entities of interest below a given threshold with a high probability? Simulation studies are conducted to confirm the analytic results, and to show the tightness of the bounds of certain important metric that cannot be resolved analytically.

Jiuxin Cao,Bin Yu,Fang Dong,Xiangying Zhu,Shuai Xu

DOI: https://doi.org/10.1002/cpe.3590

2015-01-01

Concurrency and Computation Practice and Experience

Abstract:Cloud data centers today usually lack network resource isolation. Meanwhile, it is easy to deploy and terminate large number of malicious virtual machines (VMs) in a few seconds while the administrator is probably difficult to identify these malicious VMs immediately. These features open doors for attackers to launch denial-of-service (DoS) attacks that target at degrading the quality of cloud service. This paper studies an attack scenario that malicious tenants use cloud resources to launch DoS attack targeting at data center subnets. Unlike traditional data flow based detections, which heavily depend on the pattern of data flows, we propose an approach that takes advantage of virtual machine status including CPU usage and network usage to identify the attack. We notice that malicious virtual machines exhibit similar status patterns when attack is launched. Based on this observation, information entropy is applied in monitoring the status of virtual machines to identify the attack behaviors. We conduct our experiments in the campus-wide data center, and the results show our detection system can promptly and accurately response to DoS attacks.

Guoxing Zhang,Shengming Jiang,Gang Wei,Quansheng Guan

DOI: https://doi.org/10.1145/1582379.1582403

2009-01-01

Abstract:Denial-of-Service (DoS) attacks especially distributed DoS (DDoS) attacks have become significant and increasing threats to the Internet. Huge efforts from both academia and industry have been made on detection and defense of DDoS attacks. However, most detection and defense schemes do not directly aim at protecting the victim of attacks itself (e.g., servers) but attack sources or intermediate network units. Although locating and identifying attacking sources are critical to stop attacks and for legal procedure, rapid and efficient predicting DDoS attacks to happen in the server is more important to reduce damage caused by attacks and even prevent attacks from happening. However, this part has not been addressed sufficiently in the literature. In this paper, we first briefly review research efforts on DDoS attacks, and then discuss a method to define and quantify attacks to severs based on available service rates. This is because the server is often the direct victim of DDoS attacks and the one-point failure of the entire service system. No matter whether there are attacks undergoing, if a sever is overloaded even by normal service requests, the effect imposed to a service system is equivalent to that of attacks. A prediction method for the available service rate of the protected server is then proposed, which applies the Auto Regressive Integrated Auto Regressive (ARIMA) model. Finally, we investigate the proposed prediction method to predict DDoS attacks through simulation studies with NS2. The simulation results show that the prediction algorithm is effective to predict most attacks.