Shuang Xiang,Yanli Lv,Chunhe Xia,Yuanlong Li,Zhihuan Wang

DOI: https://doi.org/10.1007/978-981-10-0356-1_65

2016-01-01

Abstract:In the network security situation assessment based on hidden Markov model, the establish of state transition matrix is the key to the accuracy of the impact assessment. The state transition matrix is often given based on experience. However, it often ignores the current status of the network. In this paper, based on the game process between the security incidents and protect measures, we improve the efficiency of the state transition matrix by considering the defense efficiency. Comparative experiments show the probability of the network state generated by improved algorithm is more reasonable in network security situation assessment.

Xiaobin Tan,Yong Zhang,Xiaolin Cui,Hongsheng Xi

DOI: https://doi.org/10.1109/kamw.2008.4810531

2008-01-01

Abstract:Different from traditional risk management, real-time risk management describes system risk dynamically. It includes three phases: risk analysis, risk evaluation and risk prediction. This paper proposes a practical framework to real-time risk management. Risk evaluation is a quantitative analysis process of system security and risk, and it is a basis of real-time risk, management. This paper adopts continuous time hidden Markov model to evaluate system risk. The model evaluates system risk via the integrated analysis of system assets, threats, vulnerabilities and safety measures. Simulation results show that the model is suitable and efficient. The framework will be tested in actual network environment and improve it.

LIANG Li,YANG Jun-gang,ZHU Guang-liang,ZHANG Qian

DOI: https://doi.org/10.4156/jcit.vol8.issue2.41

2013-01-01

Abstract:To exactly assess the security risk of a network and enhance the performance,a hierarchical risk assessment method for network security based on real-time warning is presented.Firstly,a hierarchical risk assessment model for computer networks is developed.This model can provide three hierarchies: services,hosts and local networks.IDS(intrusion detection system) is as a data source.Then,the risk indexes of at service level,host level and local network level is calculated by weighting based on the value of threat object,attack frequency and vulnerability severity.Finally,the accuracy and validity of the proposed method are demonstrated by the experiments.

Genghong Lu,Dongqin Feng,Biao Huang

DOI: https://doi.org/10.1109/tie.2020.2965467

IF: 7.7

2021-01-01

IEEE Transactions on Industrial Electronics

Abstract:The problem of attack detection for Stuxnet in the industrial control system is discussed in this article. Different operating modes (normal and hazard modes) may occur in the nominal process. In this article, we consider that the transition between different modes follows a Markov chain model with a certain transition probability. However, when the Stuxnet attack is launched, the attack signals with random multitude and frequency will be injected to trigger more hazard modes, and finally, hasten fatigue of control devices. Under this unpredictable attack, the transition between operating modes will not follow the regular transition probabilities. Therefore, a hidden Markov model with time-varying transition probabilities is utilized to describe the Stuxnet attack. The transition probabilities are estimated based on the measurements. By recognizing operating modes and predicting the number of the occurrence of hazard modes, the Stuxnet attack can be detected earlier if the predicted value exceeds the threshold. In the operating mode recognition, the expectation maximization algorithm is used to estimate the parameters considering random packet dropouts caused by the unreliable network. A simulation is conducted to verify the effectiveness of the proposed method.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

XiaoLin Cui,Xiaobin Tan,Yong Zhang,Hongsheng Xi

DOI: https://doi.org/10.1109/CSSE.2008.949

2008-01-01

Abstract:Risk assessment is a very important tool to acquire a present and future security status of the network information system. Many risk assessment approaches consider the present system security status, while the future security status, which also has an impact on assessing the system risk, is not taken into consideration. In this paper we propose a novel risk assessment model based on Markov game theory. In this model, all of the possible risk in the future will impact on the present risk assessment. The farther away from now, the smaller impact on the risk assessment it has. After acquiring the system security status, we proposed an automatic generated reinforcement scheme which will provide a great convenience to the system administrator. A software tool is developed to demonstrate the performance of the risk assessment of a network information system and a simulation example shows the effectiveness of the proposed model. © 2008 IEEE.

Yong Zhang,Xiaobin Tan,Hongsheng Xi,Xin Zhao

DOI: https://doi.org/10.1109/wcica.2008.4593320

2008-01-01

Abstract:Real-time risk assessment, forecasting risk trend and dynamic risk management are main contents of the real-time risk management. It is a new research field of information security technology. This paper proposes a novel approach to real-time risk management framework. The framework consists of real-time risk assessment, risk prediction and dynamic risk management. The real-time risk assessment module adopts a multi-perspective evaluation model and it uses the description of system assets, security attacks, vulnerabilities and security services to assess the current risk. The risk prediction module studies the changes of risk and forecasts the future risk with time series model. Risk monitor and security strategy implement dynamic risk management. Risk monitor module monitors the system current risk and its trend. According to the relationship between future risk and risk threshold, it supervises security strategy module to dynamically adjust system security strategy. Security strategy module implements various security strategies and schemas. Simulation results show that the framework is suitable and efficient

Jie Ma,Zhi-tang Li,Hong-wu Zhang

DOI: https://doi.org/10.1109/AICI.2009.487

2009-01-01

Abstract:Current practice for real-time security risk assessment typically takes intrusion detection systems alerts as the only source of risk factor. Their assessment results are more likely to suffer from the impact of false positive alerts in the increasingly complex and severe network security environment. This paper proposes a novel online fusion model for dynamical network risk assessment by using multiple risk factors. The model is composed by three fusion levels. First, an online alert fusion algorithm is proposed and the redundancy of the raw alerts is dramatically reduced. Then, the model employs Dempster-Shafer theory to handle uncertainties and ignorance existed in the multiple risk factors. Threats in different kinds of severity levels are identified. Finally, the whole network risk distribution is dynamically calculated and reported by using HMM approach. Experiments show the effectiveness and validity of our method.

CHEN Hui-ming,CHEN Wen,LIANG Gang

DOI: https://doi.org/10.3969/j.issn.1671-0428.2012.10.003

IF: 5.105

2012-01-01

Computers & Security

Abstract:Traditional intrusion detection system faces the defects of huge alarm quantity and high false positives rate.In order to overcome the defects,a network security risk assessment-based intrusion detection method is proposed in this article.The method calculates network security risk uses the latest research results of artificial immune theory,which mainly include that the antibody concentration changes dynamic with strength of invasion.Then dynamicly set the alarm strategy based on real-time security risks faced by the current network.The experimental results show that the model can calculate host and network risk in real time and quantitative,the alarm quantity and the false positives rate is greatly reduced.

Li Hetian,Liu Yun,He Dequan

DOI: https://doi.org/10.1109/ICOSP.2006.345964

2006-01-01

Abstract:Risk assessment as one of the core technologies ensures IT system security. In this paper, the existing risk evaluation methods are briefly reviewed and analyzed. A Markov chain based model is presented to quantitatively evaluate security. Firstly, a model based on Markov chain is constructed to describe IT system behavior. Secondly, a Markov transition matrix is founded to quantitatively assess security risk factors. Finally, the proposed risk assessment methodology is applied on the Internet ticketing system to calculate the risk value for the system. The experiment shows this method is effective and efficient and can be used to quantify the security properties for IT system in practice.

Shi Jian,Guo Shanqing,Xie Li

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.01.034

2006-01-01

Abstract:Risk assessment is critical to establishing an effective Information Security Management System and it is the foundation of information system security systematism.After introducing information security risk assessment briefly,this paper provides a real-time risk assessment method using qualitative and quantitative assessment synthetically.By analyzing the assets,vulnerabilities and threats of information system,this method can evaluate the risk of the system in real time with the events produced by security devices.

LIU Gang,LI Qian-mu,LIU Feng-yu,ZHANG Hong

2012-01-01

Abstract:In order to predict the likelihood of network risks accurately and in real-time,and help the administrators to manage network risks effectively,a Time-Varying Markov Model(TVMM) for real-time risk probability prediction was proposed.A real-time risk probability prediction method,which is able to predict the probability of network risk in future exactly with a real-time-updating-state probability transition matrix of TVMM,was presented.Combined with the theory of feature extraction and statistical learning,the model was used to calculate the risk probability of the network at different risk level in network attack environment.The result shows that TVMM has higher real-time,objectivity and accuracy than the traditional Markov model.

ZHANG Yong,TAN Xiao-Bin,CUI Xiao-Lin,XI Hong-Sheng

DOI: https://doi.org/10.3724/sp.j.1001.2011.03751

2011-01-01

Abstract:To accurately evaluate security situation states,this paper proposes an approach to network security situation awareness(NSSA) based on Hidden Markov Model(HMM).It gains standardized data of network structure information,assets,threats and vulnerabilities via fusing variety system security data collected by multi-sensors.For every asset,this paper associates its suffered threats with its vulnerabilities to analyze the sequence of its security incidents,establishes HMMs to analyze security situation factors of confidentiality,integrity and availability.Using sliding window mechanism it trains segmented sequence of security incidents and it gains the parameters of HMM's through update algorithm with forgetting factor.According to the HMMs and security incidents sequence it evaluates security situation factors of one asset's and entire network.Depending on the application background it evaluates security situation states of different network system.The investigation of evaluation to a specific network indicates that the approach is suitable for actual network environment and the evaluation result is precise and efficient.

Huiying Lv,Yuanda Cao

DOI: https://doi.org/10.1109/ISISE.2008.109

2008-01-01

Abstract:A risk situation evaluation model for network security is proposed based on analyzing security threat status. This method first perceived and identified the characteristics of critical risk factors, such as asset, vulnerability and threat, from multi-security-sensors. Then a quantitative evaluation algorithm was presented to estimate current threats and potential threats. By analyzing their threat degree, the real-time status and dynamic evolvement trend of security risk was revealed. Sequentially, the security administrator can comprehend the situation about both the single entity and the overall network then timely and effectively make security decisions. Finally this method was illustrated and validated in an emulated network environment. © 2008 IEEE.

WANG Liang,LI Tao,LIANG Gang

DOI: https://doi.org/10.16208/j.issn1000-7024.2011.10.066

2011-01-01

Abstract:To solve an emerging need for improving the performance of risk evaluation for network security at high-speed network,a high-speed model of real-time risk evaluation based on multi-processor is proposed,and a load-balancing algorithm for intrusion detection is proposed to improve detection ability of intrusion detection.The model makes use of multi-processor network platform resources,and establishes a high-speed parallel processing of network traffic structure.This model is also based on immune theory as the theoretical basis,by simulating the immune cells of the external antigen recognition,clone selection,changes of antibody concentration to carry out risk assessment.Theoretical analysis and simulation results prove the model can evaluate the risk assessment for high-speed network and ensure the efficiency and the accuracy.

Zhaocui Li,Huichuan Liu,Chunyan Wu

DOI: https://doi.org/10.1080/23742917.2022.2120293

2022-09-10

Journal of Cyber Security Technology

Abstract:The traditional security detection and defense methods are relatively backward, and there are many problems, such as high false alarm and missed alarm rate, and detection lag, which have been difficult to meet the requirements of computer security defense. In order to strengthen the active defense of computer network security and improve the classification and prediction performance of computer network security events, a computer network security risk assessment model based on mrmr Ig feature selection model and attack graph model is proposed. The mrmr Ig feature selection model is used to classify the characteristics of security events, and the hidden Markov chain model and attack graph model are used to predict the attack intention. The experimental results show that the classification accuracy rate of the model is 99.79%, the false alarm rate and the false alarm rate are 0.11% and 0.18%, respectively. The model can accurately predict attacks in real time, and can provide reference for timely taking targeted computer network security reinforcement and active defense measures.

XU Chun,LI Tao,CHEN Xing-shu,LIU Nian,YANG Jin

DOI: https://doi.org/10.3969/j.issn.1001-0548.2007.06.021

2007-01-01

Abstract:A new method of risk evaluation about network security based on the danger signal is presented in this paper. In this method, the antigen necrosis produces the gain signal, and the antigen apoptosis produces restrain signal, the two signals influence to the process of antibody evolution. This model can detect the attacking by calculating the danger signal of the category of the antigen. Moreover, the model can also evaluate the network suffered attack risk by calculating the network risk. The result of simulative experiment shows that this method can quantitatively calculate the network risk, it has the features of most real-time process ability and lower false positive rate. It is a good solution for real-time risk evaluation for network security.

Yaofang Zhang,Zibo Wang,Yingzhou Wang,Kuan Lin,Tongtong Li,Hongri Liu,Chao Li,Bailing Wang

DOI: https://doi.org/10.1007/s11227-023-05269-1

IF: 3.3

2023-04-22

The Journal of Supercomputing

Abstract:Although the expansion of attack types against industrial control systems is limited, the available means that violate the same security strategy emerge endlessly. However, the high availability and real-time requirements of industrial control systems restrict the application of some countermeasures that require massive resources. To solve this problem, this paper proposes a low learning-cost risk assessment model for similar scenarios, which enables the formulation of defense strategies for system risks in advance. To lay the foundation for this method, we firstly aggregate the attack means into limited attack types according to word clustering to address the classification challenge caused by unknown attacks. Then, similarity and statistical methods are combined to predict the next attack type. Subsequently, the hidden Markov model is used to map attack types and security states to obtain the forecasting results of the next security state. Based on this, the risk value is calculated through these prediction and forecasting results, and the system relevance and alert timeliness are considered in the assessment stage. We break the scenario limitations and verify the advantages of our model in a known scenario and another similar scenario with unknown attacks. The experimental results show that our model can deal with unknown attacks in similar scenarios and has excellent scenario migration ability. Meanwhile, the changing trend of the risk value is in consistence with the actual data, which also confirms that the assessment model can forecast the future risk situation of the system accurately and comprehensively.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Xiang GAO,Yue-fei ZHU,Sheng-li LIU,Jin-long FEI,Long LIU

2013-01-01

Abstract:Aiming at the complex in the process of network security risk assessment, the asset, vulnerability and threat were used as the major factors in security assessment to establish the hierarchical index system for security assessment. The concept of credibility was introduced, and the security risk assessment model and fuzzy reasoning algorithm based on fuzzy Petri net were also proposed, making use of fuzzy Petri nets method joined together with the AHP to analyze the question, and combining qualitative analysis and quantitative analysis together. The example analysis shows that the ob-tained results are more accurate and scientific compared with traditional assessment methods. Therefore, this method is an effective network system risk assessment method.

Zheng Tang,Xiao-Guang Gao,Ying Zhang

DOI: https://doi.org/10.1109/ICAL.2007.4338726

2007-01-01

Abstract:Evaluating radiant threat rank is an important part of situation assessment and attack decision. All factors which would affect the assessment are analyzed. The advantages of experts system based on dynamic Bayesian network are given. After that, the theoretical model and its algorithm based on dynamic Bayesian network are presented and discussed. Finally, the model is established and simulated according to the algorithm. The simulation results are discussed and the model shows that it is effective and it can reflect the real threat rank.