Daojing He,Sammy Chan,Yan Zhang,Chunming Wu,Bing Wang

DOI: https://doi.org/10.1109/mis.2013.105

IF: 6.744

2014-01-01

IEEE Intelligent Systems

Abstract:Attack-defense models play an important role in the design of cybersecurity systems. Here, the authors review some traditional and prevailing attack-defense models along with their weaknesses. Then, they survey some recently proposed paradigm shifts to these models based on which more effective security strategies can be designed. Further, they provide some suggestions on how to adopt the new models, and present challenges that need to be addressed in this field.

Yu Zheng,Zheng Li,Xiaolong Xu,Qingzhan Zhao

DOI: https://doi.org/10.1016/j.dcan.2021.07.006

IF: 6.348

2021-07-01

Digital Communications and Networks

Abstract:Driven by the rapid development of the Internet of Things, cloud computing and other emerging technologies, the connotation of cyber space is constantly expanding and becoming the fifth dimension of human activities. However, security problems in cyber space are becoming serious, and traditional defense measures (e.g., firewall, intrusion detection systems and security audit) often fall into a passive situation of being prone to attacks and difficult to take effect when responding to new types of network attacks with higher and higher degree of coordination and intelligence. By constructing and implementing the diverse strategy of dynamic transformation, the configuration characteristics of systems are constantly changing and the probability of vulnerability exposure is increasing. Therefore, the difficulty and cost of attack are increasing, which provides new ideas for reversing the asymmetric situation of defense and attack in cyber space. Nonetheless, there are few related works that systematically introduce dynamic defense mechanisms for cyber security. The related concepts and development strategies of dynamic defense are rarely analyzed and summarized. To bridge this gap, we conduct a comprehensive and concrete survey of recent research efforts on dynamic defense in cyber security. Specifically, we firstly introduce basic concepts and define dynamic defense in cyber security. Next, we review the architectures, enabling techniques and methods for moving target defense and mimic defense. This is followed with taxonomically summarizing the implementation and evaluation of dynamic defense. Finally, we discuss some open challenges and opportunities on dynamic defense in cyber security.

Ren Zheng,Wenlian Lu,Shouhuai Xu

DOI: https://doi.org/10.1109/tnet.2019.2912847

2019-01-01

IEEE/ACM Transactions on Networking

Abstract:The recently proposed cybersecurity dynamics approach aims to understand cybersecurity from a holistic perspective by modeling the evolution of the global cybersecurity state. These models describe the interactions between the various kinds of cyber attacks and the various kinds of cyber defenses that take place in complex networks. In this paper, we study a particular kind of cybersecurity dynamics caused by the interactions between two classes of attacks (called push-based attacks and pull-based attacks) and two classes of defenses (called preventive and reactive defenses). The dynamics was previously shown to be globally stable in a special regime of the parameter universe of a model with node-independent and edge-independent parameters, but little is known beyond this regime. In this paper, we prove that the dynamics is globally stable in the entire parameter universe of a more general model with node-dependent and edge-dependent parameters. This means that the dynamics always converges to a unique equilibrium. We also prove that the dynamics converges exponentially to the equilibrium except for a particular parameter regime, in which the dynamics converges polynomially. Since it is often difficult to compute the equilibrium, we propose bounds of the equilibrium and numerically show that these bounds are tighter than those proposed in the literature.

Shouhuai Xu,Wenlian Lu,Hualun Li

DOI: https://doi.org/10.48550/arXiv.1603.08309

2016-03-28

Abstract:The concept of active cyber defense has been proposed for years. However, there are no mathematical models for characterizing the effectiveness of active cyber defense. In this paper, we fill the void by proposing a novel Markov process model that is native to the interaction between cyber attack and active cyber defense. Unfortunately, the native Markov process model cannot be tackled by the techniques we are aware of. We therefore simplify, via mean-field approximation, the Markov process model as a Dynamic System model that is amenable to analysis. This allows us to derive a set of valuable analytical results that characterize the effectiveness of four types of active cyber defense dynamics. Simulations show that the analytical results are inherent to the native Markov process model, and therefore justify the validity of the Dynamic System model. We also discuss the side-effect of the mean-field approximation and its implications.

Cryptography and Security,Social and Information Networks,Dynamical Systems

Yujuan Han,Wenlian Lu,Shouhuai Xu

DOI: https://doi.org/10.1109/tnse.2021.3098443

IF: 6.6

2021-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Cybersecurity dynamics is a mathematical approach to modeling and analyzing cyber attacker-defender interactions in networks. In this paper, we advance the state-of-the-art in characterizing one kind of cybersecurity dynamics, known as preventive and reactive cyber defense dynamics, which is a family of highly nonlinear dynamical system models. We prove that this family of dynamics in its general form with time-dependent parameters is globally attractive when the time-dependent parameters are ergodic, and is (almost) periodic when the time-dependent parameters have the stronger properties of being (almost) periodic. Our results supersede the state-of-the-art ones, including the recent result that the same family of dynamics in the special case of time-independent parameters is globally convergent. This paper represents a significant advance in the network science approach to theoretical cybersecurity modeling because it makes the so-far weakest assumptions when compared with the literature results.

Shouhuai Xu

DOI: https://doi.org/10.48550/arXiv.2010.05683

2020-10-09

Cryptography and Security

Abstract:Cybersecurity Dynamics is new concept that aims to achieve the modeling, analysis, quantification, and management of cybersecurity from a holistic perspective, rather than from a building-blocks perspective. It is centered at modeling and analyzing the attack-defense interactions in cyberspace, which cause a ``natural'' phenomenon -- the evolution of the global cybersecurity state. In this Chapter, we systematically introduce and review the Cybersecurity Dynamics foundation for the Science of Cybersecurity. We review the core concepts, technical approaches, research axes, and results that have been obtained in this endeavor. We outline a research roadmap towards the ultimate research goal, including a systematic set of technical barriers.

Shouhuai Xu

DOI: https://doi.org/10.48550/arXiv.1502.05100

2015-02-18

Abstract:We explore the emerging field of {\em Cybersecurity Dynamics}, a candidate foundation for the Science of Cybersecurity.

Cryptography and Security

Wenlian Lu,Shouhuai Xu,Xinlei Yi

DOI: https://doi.org/10.48550/arXiv.1603.08312

2016-03-28

Abstract:Active cyber defense is one important defensive method for combating cyber attacks. Unlike traditional defensive methods such as firewall-based filtering and anti-malware tools, active cyber defense is based on spreading "white" or "benign" worms to combat against the attackers' malwares (i.e., malicious worms) that also spread over the network. In this paper, we initiate the study of {\em optimal} active cyber defense in the setting of strategic attackers and/or strategic defenders. Specifically, we investigate infinite-time horizon optimal control and fast optimal control for strategic defenders (who want to minimize their cost) against non-strategic attackers (who do not consider the issue of cost). We also investigate the Nash equilibria for strategic defenders and attackers. We discuss the cyber security meanings/implications of the theoretic results. Our study brings interesting open problems for future research.

Cryptography and Security,Social and Information Networks,Systems and Control,Dynamical Systems,Optimization and Control

Bo ZHANG,Wan-cheng WANG,Wei PAN,Wei-hua LI

DOI: https://doi.org/10.3969/j.issn.1001-3695.2005.10.029

2005-01-01

Abstract:Recently the Active dynamic network defensive is a new focus in network security. In this article ,the application of coordination and interaction realizes a new defensive system,the dynamic Honey.Building the two layers defensive system makes it possible that firewall, Intrusion Detection System (IDS) and Honey interact effectively. At same time,it improves the defensive capability of network.

Zhenyong Zhang,Ke Zuo,Ruilong Deng,Fei Teng,Mingyang Sun

DOI: https://doi.org/10.1109/jiot.2023.3264492

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Machine learning-based intelligent systems enhanced with Internet of Things (IoT) technologies have been widely developed and exploited to enable the real-time stability assessment of a large-scale electricity grid. However, it has been extensively recognized that the IoT-enabled communication network of power systems is vulnerable to cyberattacks. In particular, system operating states, critical attributes that act as input to the data-driven stability assessment, can be manipulated by malicious actors to mislead the system operator into making disastrous decisions and thus cause major blackouts and cascading events. In this article, we explore the vulnerability of the data-driven power system stability assessment, with a special emphasis on decision tree-based stability assessment (DTSA) approaches, and investigate the feasibility of constructing a physics-constrained adversarial attack (PCAA) to undermine the DTSA. The PCAA is formulated as a nonlinear programming problem considering the misclassification constraint, power limits, and bad data detection, computing potential adversarial perturbations that reverse the “stable/unstable” prediction of the real-time input while remaining invisible/stealthy. Extensive experiments based on the IEEE 68-bus system are conducted to evaluate the impact of PCAAs on predictions of DTSA and their transferability.

Di Li,Yikun Hu,Guoqing Xiao,Mingxing Duan,Kenli Li

DOI: https://doi.org/10.1002/cpe.7577

2023-01-01

Concurrency and Computation Practice and Experience

Abstract:SummaryWith the rapid development of the internet, cyberspace security issues have become increasingly prominent. The importance of constructing a cyberspace security system is self‐evident, but compared with attackers, defenders in cyberspace are in a castle‐like passive defense state in most cases. Therefore, building a reliable, accurate, timely, and active defense system is challenging. The key is to accurately focus on defense priorities, the anticipation of attackers who will likely succeed, and blocking attacks in a timely manner. In this article, we propose an active defense model based on the interaction of situational awareness and firewalls. First, by biasing the integrity, confidentiality, and availability of assets to get the score of assets, and using the Common Vulnerability Scoring System to assess the threat level of assets, we combine the two to determine the maximum system damage that the asset will suffer if it is lost, and then focus on defense. Meanwhile, log analysis of the network situational awareness platform can predict successful attackers, and then the linked firewall strategy can block these attacks in time before the attackers obtain attack gains. After that, we force the attackers to give up their attacks on the target by increasing the attack cost. We compared our model with iptables auto‐blocking and nginx auto‐blocking, and our model excelled them across the board in terms of comprehensiveness and false positive rate. The experimental results verify thar our active defense model proposed in this article can better reduce the defense cost and increase the attack cost, thus achieving the relatively defense goal.

Amitai Gilad,Asher Tishler

DOI: https://doi.org/10.1080/10242694.2022.2161739

IF: 1.6

2023-01-17

Defence and Peace Economics

Abstract:Modern countries employ computer networks that manage organizations in the private and public sectors. Cyber-attacks aim to disrupt, block, delete, manipulate or steal the data held in these networks, which challenge these countries' national security. Consequently, cybersecurity programs must be developed to protect these networks from cyber-attacks in a manner that is similar to operations against terrorism. This study presents several models that analyze a contest between a network operator (defender) that deploys costly detectors to protect the network and a capable cyber attacker. Generally, when the deployed detectors become more potent or the defender exhibits higher vigilance, the attacker allocates more resources to R&D to ensure that the attack remains covert. We show that detectors may be substitutes, complements, or even degrade each other, implying that defenders must account for the cyber weapons' characteristics and the attacker's profile and strategic behavior. We derive the optimal number of detectors when the attacker's R&D process features R&D spillovers and show that targeted detectors act as deterrents against high-quality weapons only if the attacker's budget is not substantial. Finally, we demonstrate that common cybersecurity practices may be detrimental from a social-welfare perspective by enhancing an arms race with the attacker.

economics

Zhaofeng Liu,Yinchong Wang,Huashan Chen,Wenlian Lu

DOI: https://doi.org/10.1007/978-3-030-89137-4_13

2021-01-01

Abstract:In this paper, we apply cybersecurity dynamics theory into practical scenarios. We use machine learning models as detection tools of intrusion detection systems and consider cyber attacks against node computers as well as adversarial attacks against machine learning models. We pay our attention to two problems. The first problem is when the network is attacked, how we can observe the states of the network and estimate its equilibrium with a lower cost. We apply an event-based observation and estimation method combined with machine learning-based intrusion detection systems. The second problem is to control the cost and the convergence speed of cybersecurity dynamics when it is under attack. An event-based control method and machine learning-based intrusion detection systems are put into use in this scenario. We simulate both scenarios and analyze the dynamics’ behaviors under an adversarial attack against the machine learning models on intrusion detection systems.

Linan Huang,Quanyan Zhu

DOI: https://doi.org/10.1016/j.cose.2019.101660

2019-11-05

Abstract:Advanced Persistent Threats (APTs) have recently emerged as a significant security challenge for a cyber-physical system due to their stealthy, dynamic and adaptive nature. Proactive dynamic defenses provide a strategic and holistic security mechanism to increase the costs of attacks and mitigate the risks. This work proposes a dynamic game framework to model a long-term interaction between a stealthy attacker and a proactive defender. The stealthy and deceptive behaviors are captured by the multi-stage game of incomplete information, where each player has his own private information unknown to the other. Both players act strategically according to their beliefs which are formed by the multi-stage observation and learning. The perfect Bayesian Nash equilibrium provides a useful prediction of both players' policies because no players benefit from unilateral deviations from the equilibrium. We propose an iterative algorithm to compute the perfect Bayesian Nash equilibrium and use the Tennessee Eastman process as a benchmark case study. Our numerical experiment corroborates the analytical results and provides further insights into the design of proactive defense-in-depth strategies.

Computer Science and Game Theory,Cryptography and Security

Keith Paarporn,Shouhuai Xu

2023-05-24

Abstract:In this paper, we analyze the infection spreading dynamics of malware in a population of cyber nodes (i.e., computers or devices). Unlike most prior studies where nodes are reactive to infections, in our setting some nodes are active defenders meaning that they are able to clean up malware infections of their neighboring nodes, much like how spreading malware exploits the network connectivity properties in order to propagate. We formulate these dynamics as an Active Susceptible-Infected-Susceptible (A-SIS) compartmental model of contagion. We completely characterize the system's asymptotic behavior by establishing conditions for the global asymptotic stability of the infection-free equilibrium and for an endemic equilibrium state. We show that the presence of active defenders counter-acts infectious spreading, effectively increasing the epidemic threshold on parameters for which an endemic state prevails. Leveraging this characterization, we investigate a general class of problems for finding optimal investments in active cyber defense capabilities given limited resources. We show that this class of problems has unique solutions under mild assumptions. We then analyze an Active Susceptible-Infected-Recovered (A-SIR) compartmental model, where the peak infection level of any trajectory is explicitly derived.

Systems and Control

zhanjiang li,yutao xiang,Dongsheng He

DOI: https://doi.org/10.1007/978-3-540-74377-4_92

2007-01-01

Abstract:Currently there is very few data that can describe the whole profile of a DDoS attack. In this paper, the active DDoS defense system deploys a number of sub-systems, such as Flexible Deterministic Packet Marking (FDPM) and Mark-Aided Distributed Filtering (MADF). In addition, two DDoS tools, TFN2K and Trinoo, are adopted and integrated into SSFNet to create virtual DDoS networks to simulate the attacks. Then, simulation experiments are used to evaluate the performance of the active DDoS defense system. At last, we set up a model to describe the interactions between DDoS attack and defense party, which allows us to have a deep insight of the interactions between the attack and defense parties. Experiment results shows that the model can precisely estimate the defense effectiveness of the system when it encounters attacks.

hasan cam,pierre mouallem,yilin mo,bruno sinopoli,benjamin nkrumah

DOI: https://doi.org/10.1109/CogSIMA.2014.6816560

2014-01-01

Abstract:A distributed cyber control system comprises various types of assets, including sensors, intrusion detection systems, scanners, controllers, and actuators. The modeling and analysis of these components usually require multi-disciplinary approaches. This paper presents a modeling and dynamic analysis of a distributed cyber control system for situational awareness by taking advantage of control theory and time Petri net. Linear time-invariant systems are used to model the target system, attacks, assets influences, and an anomaly-based intrusion detection system. Time Petri nets are used to model the impact and timing relationships of attacks, vulnerability, and recovery at every node. To characterize those distributed control systems that are perfectly attackable, algebraic and topological attackability conditions are derived. Numerical evaluation is performed to determine the impact of attacks on distributed control system.

Lu-Xing Yang,Pengdeng Li,Xiaofan Yang,Luosheng Wen,Yingbo Wu,Yuan Yan Tang

DOI: https://doi.org/10.48550/arXiv.1707.03611

2017-07-12

Cryptography and Security

Abstract:This paper is devoted to measuring the security of cyber networks under advanced persistent threats (APTs). First, an APT-based cyber attack-defense process is modeled as an individual-level dynamical system. Second, the dynamic model is shown to exhibit the global stability. On this basis, a new security metric of cyber networks, which is known as the limit security, is defined as the limit expected fraction of compromised nodes in the networks. Next, the influence of different factors on the limit security is illuminated through theoretical analysis and computer simulation. This work helps understand the security of cyber networks under APTs.

Fei He,Jun Zhuang,Nageswara S. V. Rao

2012-01-01

Abstract:Critical infrastructures rely on cyber and physical components that are both subject to natural, incidental or intentional degradations. Game theory has been used in studying the strategic interactions between attackers and defenders for critical infrastructure protection, but has not been extensively used in complex cyber-physical networks. This paper fills the gap by modeling the probabilities of successful attacks in both cyber and physical spaces as functions of the number of components that are attacked and defended. The results show that the attack effort would first increase then decrease in (a) defense effort, (b) the probability of successful attack on each component, (c) the number of minimum required functioning resources, and (d) the maximum number of available resources. Comparing simultaneous and sequential games, our results show that the defender performs better when she moves first. Our research provides some novel insights into the survival of such infrastructures and optimal resource allocation under various costs and target valuations that players may have.

Hongchao Hu,Jiangxing Wu,Zhenpeng Wang,Guozhen Cheng

DOI: https://doi.org/10.1049/iet-ifs.2017.0086

2017-01-01

IET Information Security

Abstract:In recent years, both academia and industry in cyber security have tried to develop innovative defense technologies, expecting that to change the rules of the game between attackers and defenders. The authors start by analysing the root causes of security problems in cyberspace: (i) vulnerabilities in cyber systems are universal; (ii) current cyber systems are static, predictable and monoculture which allows adversaries to plan and launch attacks effectively; (iii) existing techniques cannot detect and eliminates attacks employing unknown vulnerabilities. Based on their analysis, they develop a novel defense framework, mimic defense (MD), that employs dynamic, heterogeneity, redundancy (DHR)' mechanism to defense cyber attacks. The main ideas behind MD are: constructing diverse functional equivalent variants for the protected target; scheduling some variants to run in parallel dynamically; and adopting policy-based arbitration mechanism to decide whose results of current running variants are correct. Theoretical analysis and simulation results show that DHR can significantly increase the difficulties for attackers and enhance the security of cyber systems, and the security enhancement can be more than ten times. They also present a proof-of-principle prototype that employ MD, mimic router, to examine its effectiveness. Finally, they conclude its limitations.