Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

Yun Luo,Xiao Fu,Bin Luo,Xiaojiang Du,Mohsen Guizani

DOI: https://doi.org/10.1109/GLOBECOM42002.2020.9348178

2020-01-01

Abstract:Recent trends have shown that botnets have been active since the 1990s. Attackers use newer technologies to damage enterprises and individuals through identity theft, bank fraud, spam campaigns, malw are distribution, and distributed denial of service (DDoS) attacks. To identify the hidden details from a DDoS attack, we introduce a forensic model in this paper. This model uses NS2 to simulate the connectivity of real nodes in the network and uses Botnet and DDoS attack electronic evidence analysis methods. The botnet uses IRC channels as the basic unit. The analytical algorithm for Botnet uses election vectors to detect the split and transfer behavior of hackers. The analysis method for DDoS attacks uses attack vectors to detect whether Botnet is participating in a DDoS attack. On this basis, the fragmented packet marking method is added to track the source and path reconstruction of the router, thereby improving the scale recognition rate to 93%.

Shuhao Li,Xiaochun Yun,Zhiyu Hao,Yongzheng Zhang,Xiang Cui,Yipeng Wang

DOI: https://doi.org/10.1007/978-3-642-30436-1_22

2012-01-01

Abstract:In recent years, widely spreading botnets in social networks are becoming a major security threat to both social networking services and the privacy of their users. In order to have a better understanding of the dynamics of these botnets, defenders should model the process of their propagation. However, previous studies on botnet propagation model have tended to focus solely on characterizing the vulnerability propagation on one infection domain, and left two key properties (cross-domain mobility and user dynamics) untouched. In this paper, we formalize a new propagation model to reveal the general infection process of social engineering botnets in multiple social networks. This proposed model is based on stochastic process, and investigates two important factors involved in botnet propagation: (i) bot spreading across multiple domains, and (ii) user behaviors in social networks. Furthermore, with statistical data obtained from four real-world social networks, a botnet simulation platform is built based on OMNeT++ to test the validity of our model. The experimental results indicate that our model can accurately predict the infection process of these new advanced botnets with less than 5% deviation.

ZHANG Shao-jun,LI Jian-hua,CHEN Xiu-zhen,HU Wei

DOI: https://doi.org/10.3321/j.issn:1006-2467.2008.02.009

2008-01-01

Abstract:As one of the most notorious network attacks,distributed denial-of-service(DDoS) attack is famous for its easiness to launch and difficulty to defend.DDoS attack was regarded as a multistage game of incomplete information with observable actions and its extensive form was given out.It is pointed out that to attain the game's perfect Bayes equilibrium,the problem of computing and modifying the belief value of each player's type must be solved.As a practice of this viewpoint,a method of filtering attack stream according to its package rate and source address distribution characteristic was proposed.Finally, simulation was given out to demonstrate the effectiveness of the method.

Yuling Liu,Dengguo Feng,Yifeng Lian,Kai Chen,Yingjun Zhang

DOI: https://doi.org/10.1007/978-3-642-38033-4_4

2013-01-01

Abstract:In a typical DDoS attack and defense scenario, both the attacker and the defender will take actions to maximize their utilities. However, each player does not know his opponent’s investment and cannot adopt the optimal strategies. We formalize a Bayesian game model to handle these uncertainties and specify two problems usually faced by the defender when choosing defense measures. A nonlinear programming method is proposed to handle policies’ permutation in order to maximize the defender’s utility. Followed the Nash equilibrium, security administrators can take optimal strategies. Finally, the practicality and effectiveness of the model and method are illustrated by an example.

Zhaobin Li,Bin Yang,Xinyu Zhang,Chao Guo

DOI: https://doi.org/10.1155/2022/1886516

IF: 1.968

2022-01-07

Security and Communication Networks

Abstract:The centralized management of Software-Defined Network (SDN) brings convenience to Space-Air-Ground Integrated Networks (SAGIN), which also makes it vulnerable to Distributed Denial of Service (DDoS). At present, the popular detection methods are based on machine learning, but most of them are fixed detection strategies with high overhead and real-time control, so the efficiency is not high. This paper designs different defense methods for different DDoS attacks and constructs a multitype DDoS defense model based on a dynamic Bayesian game in the Software-Defined Space-Air-Ground Integrated Networks (SD-SAGIN). The proposed game model’s Nash equilibrium is solved based on the different costs and payoffs of each method. We simulated the attack and defense of DDoS in Ryu controller and Mininet. The results show that, under our model, the attacker and defender’s strategies are in a dynamic balance, and the controller can effectively reduce the defense cost while ensuring detection accuracy. Compared with the existing traditional Support Vector Machine (SVM) defense method, the performance of the proposed method is better, and it provides one of the references for DDoS defense in SD-SAGIN.

computer science, information systems,telecommunications

WANG Xuan-chun,ZHANG Zhao-xin,LI Bin,XU Zheng

DOI: https://doi.org/10.3969/j.issn.2095-6835.2011.02.056

2011-01-01

Abstract:By analyzing the implementation mechanism and principles of protocol adding of PDNS, and the botnet command controlling and communication on IRC protocol, this paper presents an abstract botnet model on PDNS. The botnet, worm and DDoS security events are combined on PDNS with different strategies, and it can simulate the spreading, controlling and attacking procedure of large-scale botnet easily. Experimental results show that the botnet model on PDNS can predict the botnet according to different scanning strategies, and it can provide specific data support for predicting network security trend.

Jichao Bi,Shibo He,Fengji Luo,Wenchao Meng,Luyue Ji,Da-Wen Huang

DOI: https://doi.org/10.1109/TII.2022.3231406

IF: 12.3

2023-01-01

IEEE Transactions on Industrial Informatics

Abstract:Industrial Internet of Things (IIoT) is vulnerable to advanced persistent threat (APT). In this article, we study a scenario in which APT is launched to attack IIoT devices. Considering the APTs lateral movement, a node-level state evolution model is established to calculate the probability of every device in an IIoT system to be compromised by APT. Based on this, a Stackelberg game model is proposed for the APT attacker and defender, which can accurately describe the gaming process. An effective computational approach is developed to obtain the potential Stackelberg equilibrium strategy pair of the game. Extensive case studies and comparison studies are conducted to validate the effectiveness of the proposed method.

Yuming Feng,Weizhe Zhang,Zijun Feng,Xiaoxiong Zhong,Fangming Liu

DOI: https://doi.org/10.1109/iwqos61813.2024.10682921

2024-01-01

Abstract:The widespread deployment of low-cost, vulnerable IoT devices allows attackers to exploit them to generate botnets and launch distributed denial-of-service (DDoS) attacks, which has become a serious security challenge for ensuring quality of service (QoS). For cost-effective defense against DDoS, we propose a novel hybrid defense method that includes proactive moving target defense (MTD) and passive security control to resist DDoS threats at different stages in IoT networks in this paper. We construct a multi-stage Markov game model to portray the game as a competition between the attacker and the defender for the control duration of the attack surface, and design an optimal defense strategy algorithm. In particular, we introduce a new parameter of action execution interval expectation in the game and add node importance evaluation in the reward quantification so that the optimal action execution interval of each defense technique can be output. We also consider the possibility that advanced attackers may launch DDoS on the SDN controller in the game. The experimental results demonstrate that our proposed method can defend against DDoS cost-effectively and ensure the QoS in IoT networks with acceptable overhead.

Xiao Liu,Zhao Huang,Quan Wang,Xiaohong Jiang,Yin Chen,Bo Wan

DOI: https://doi.org/10.3390/electronics12183903

IF: 2.9

2023-01-01

Electronics

Abstract:Proof of work (PoW) is one of the most widely used consensus algorithms in blockchain networks. It mainly uses the competition between mining nodes to obtain block rewards. However, this competition for computational power will allow malicious nodes to obtain illegal profits, bringing potential security threats to blockchain systems. A distributed denial of service (DDoS) attack is a major threat to the PoW algorithm. It utilizes multiple nodes in the blockchain network to attack honest miners to obtain illegal rewards. To solve this problem, academia has proposed a DDoS attack detection mechanism based on reinforcement learning methods and static game modeling methods based on mining pools. However, these methods cannot effectively make miners choose the strategy with the best profit over time when facing DDoS attacks. Therefore, this paper proposes a dynamic evolutionary game model for miners facing DDoS attacks under blockchain networks to solve the above problems for the first time. We address the model by replicating the dynamic equation to obtain a stable solution. According to the theorem of the Lyapunov method, we also obtain the only stable strategy for miners facing DDoS attacks. The experimental results show that compared with the static method, the dynamic method can affect game playing and game evolution over time. Moreover, miners' strategy to face DDoS attacks gradually shifts from honest mining to launching DDoS attacks against each other as the blockchain network improves.

Bingjing Yan,Pengchao Yao,Tao Yang,Boyang Zhou,Qiang Yang

DOI: https://doi.org/10.35833/mpce.2022.000524

IF: 4.469

2024-01-01

Journal of Modern Power Systems and Clean Energy

Abstract:Electric power grids are evolving into complex cyber-physical power systems (CPPSs) that integrate advanced information and communication technologies (ICTs) but face increasing cyberspace threats and attacks. This study considers CPPS cyberspace security under distributed denial of service (DDoS) attacks and proposes a nonzero-sum game-theoretical model with incomplete information for appropriate allocation of defense resources based on the availability of limited resources. Task time delay is applied to quantify the expected utility as CPPSs have high time requirements and incur massive damage DDoS attacks. Different resource allocation strategies are adopted by attackers and defenders under the three cases of attack-free, failed attack, and successful attack, which lead to a corresponding consumption of resources. A multidimensional node value analysis is designed to introduce physical and cybersecurity indices. Simulation experiments and numerical results demonstrate the effectiveness of the proposed model for the appropriate allocation of defense resources in CPPSs under limited resource availability.

engineering, electrical & electronic

Zenan Wu,Liqin Tian,Yi Zhang,Yan Wang,Yuquan Du

DOI: https://doi.org/10.1155/2021/4005877

IF: 1.968

2021-11-13

Security and Communication Networks

Abstract:At present, most network security analysis theory assumes that the players are completely rational. However, this is not consistent with the actual situation. In this paper, based on the effectiveness constraints on both sides with network attack and defense, with the help of stochastic Petri net and evolutionary game theory, the Petri net model of network attack and defense stochastic evolutionary game is reconstructed, the specific definition of the model is given, and the modeling method is given through the network connection relationship and attack and defense strategy set. Using this model, a quantitative analysis of network attack events is carried out to solve a series of indicators related to system security, namely, attack success rate, average attack time, and average system repair time. Finally, the proposed model and analysis method are applied to a classic network attack and defense process for experimental analysis, and the results verify the rationality and accuracy of the model and analysis method.

computer science, information systems,telecommunications

Yunlong Tang,Jing Sun,Huan Wang,Junyi Deng,Liang Tong,Wenhong Xu

DOI: https://doi.org/10.1016/j.cose.2024.103871

IF: 5.105

2024-04-01

Computers & Security

Abstract:Faced with the challenges of security strategy design brought about by the complexity of attack behavior and the dynamism of network structure, dynamic hierarchical intelligent defense methods have shown their effectiveness. However, in complex network environments, their application requires a higher level of coordination mechanisms. Therefore, this paper proposes a hierarchical multi-agent reinforcement learning network attack and defense game and cooperative defense decision-making method, which autonomously and efficiently completes the formulation of defense strategies and defense behavior responses. Firstly, we construct a Stackelberg hypergame model of cyberspace conflicts, and under the condition of information loss, characterize the multi-layer dynamic defense coordination response mechanism. Secondly, By utilizing a hierarchical multi-agent reinforcement learning method as the driving force for game evolution, we sequentially solve the Nash equilibrium of the game, and form a dynamic autonomous defense strategy. Finally, we construct a hierarchical multi-agent reinforcement learning framework, which decouples the defense decision problem, reduces the dimension of the defense action space and the exploration difficulty of the strategy space, and learns coordinated defense strategies more efficiently. We used the CybORG (Cyber Operations Research Gym) environment for simulation. We compared and analyzed the autonomously generated cyber defense strategies with other related works, verifying the superior coordination performance of our method in defense strategy generation and control.

computer science, information systems

Yuhan Zhao,Juntao Chen,Quanyan Zhu

2024-01-04

Abstract:The wide adoption of Internet of Things (IoT)-enabled energy devices improves the quality of life, but simultaneously, it enlarges the attack surface of the power grid system. The adversary can gain illegitimate control of a large number of these devices and use them as a means to compromise the physical grid operation, a mechanism known as the IoT botnet attack. This paper aims to improve the resiliency of cyber-physical power grids to such attacks. Specifically, we use an epidemic model to understand the dynamic botnet formation, which facilitates the assessment of the cyber layer vulnerability of the grid. The attacker aims to exploit this vulnerability to enable a successful physical compromise, while the system operator's goal is to ensure a normal operation of the grid by mitigating cyber risks. We develop a cross-layer game-theoretic framework for strategic decision-making to enhance cyber-physical grid resiliency. The cyber-layer game guides the system operator on how to defend against the botnet attacker as the first layer of defense, while the dynamic game strategy at the physical layer further counteracts the adversarial behavior in real time for improved physical resilience. A number of case studies on the IEEE-39 bus system are used to corroborate the devised approach.

Systems and Control

LI Qing-peng,ZHENG Lian-qing,YANG Tong,ZHANG Chuan-rong

DOI: https://doi.org/10.3969/j.issn.1000-7024.2012.01.016

2012-01-01

Abstract:For the sake of defensing Botnets,methods of bot programming and network structures are researched.A bot is designed by analyzing the functional structure and working mechanism of Botnet.The program is broken down into four modules that are scan module,exploit module,upload module and communicate module.Then the four modules are implemented by programming,and performance of bot is tested in lab environment,the data show that,botnet can achieve the desired results.Finally,some kinds of prevention measures are presented.

El Mehdi Kandoussi,Adam Houmairi,Iman El Mir,Mostafa Bellafkih

DOI: https://doi.org/10.1007/s10586-024-04604-2

2024-06-15

Cluster Computing

Abstract:Security challenges in complex information technologies continue to grow and diversify. To improve network security, many researchers have explored the game theoretic approach as a hopeful modeling tool. Knowing that the attacker can take advantage of vulnerabilities and explore existing weaknesses in the network configuration to gain access to the system for a successful attack, our objective is to benefit from virtual machines' migration as a moving target defense technique and honeypot as a deceiving technique to increase the attack surface's dynamicity. This paper presents a game-theoretic framework for modeling attack-defense interaction. A model based on incomplete information game and attack graph is developed. Our main findings reveal in which case migration of virtual machines should be established in a architecture where a honeypot is deployed and identify the potential attack paths based on system security parameters. This provides network administrators with the ability to find unsecure nodes, avoid negative externality and more precisely inefficient migrations which impact the quality of service.

computer science, information systems, theory & methods

Jeffrey Pawlick,Quanyan Zhu

DOI: https://doi.org/10.48550/arXiv.1707.03708

2017-10-17

Abstract:While the Internet of things (IoT) promises to improve areas such as energy efficiency, health care, and transportation, it is highly vulnerable to cyberattacks. In particular, distributed denial-of-service (DDoS) attacks overload the bandwidth of a server. But many IoT devices form part of cyber-physical systems (CPS). Therefore, they can be used to launch "physical" denial-of-service attacks (PDoS) in which IoT devices overflow the "physical bandwidth" of a CPS. In this paper, we quantify the population-based risk to a group of IoT devices targeted by malware for a PDoS attack. In order to model the recruitment of bots, we develop a "Poisson signaling game," a signaling game with an unknown number of receivers, which have varying abilities to detect deception. Then we use a version of this game to analyze two mechanisms (legal and economic) to deter botnet recruitment. Equilibrium results indicate that 1) defenders can bound botnet activity, and 2) legislating a minimum level of security has only a limited effect, while incentivizing active defense can decrease botnet activity arbitrarily. This work provides a quantitative foundation for proactive PDoS defense.

Cryptography and Security

Gaoxin Qi,Jichao Li,Chi Xu,Gang Chen,Kewei Yang

DOI: https://doi.org/10.3390/e25010057

IF: 2.738

2022-12-29

Entropy

Abstract:Today, people rely heavily on infrastructure networks. Attacks on infrastructure networks can lead to significant property damage and production stagnation. The game theory provides a suitable theoretical framework for solving the problem of infrastructure protection. Existing models consider only the beneficial effects that the defender obtains from information gaps. If the attacker's countermeasures are ignored, the defender will become passive. Herein, we consider that a proficient attacker with a probability in the game can fill information gaps in the network. First, we introduce the link-hiding rule and the information dilemma. Second, based on the Bayesian static game model, we establish an attack–defense game model with multiple types of attackers. In the game model, we consider resource-consistent and different types of distributions of the attacker. Then, we introduce the solution method of our model by combining the Harsanyi transformation and the bi-matrix game. Finally, we conduct experiments using a scale-free network. The result shows that the defender can be benefited by hiding some links when facing a normal attacker or by estimating the distribution of the attacker correctly. The defender will experience a loss if it ignores the proficient attacker or misestimates the distribution.

physics, multidisciplinary

JIANG Jian,ZHUGE Jian-Wei,DUAN Hai-Xin,WU Jian-Ping

DOI: https://doi.org/10.3724/sp.j.1001.2012.04101

2012-01-01

Abstract:Botnets are one of the most serious threats to the Internet.Researchers have done plenty of research and made significant progress.However, botnets keep evolving and have become more and more sophisticated.Due to the underlying security limitation of current system and Internet architecture, and the complexity of botnet itself, how to effectively counter the global threat of botnets is still a very challenging issue.This paper first introduces the evolving of botnet's propagation, attack, command, and control mechanisms.Then the paper summarizes recent advances of botnet defense research and categorizes into five areas: Botnet monitoring, botnet infiltration, analysis of botnet characteristics, botnet detection and botnet disruption.The limitation of current botnet defense techniques, the evolving trend of botnet, and some possible directions for future research are also discussed.

Yichuan Wang,Yefei Zhang,Xinhong Hei,Wenjiang Ji,Weigang Ma

DOI: https://doi.org/10.1007/bf03391587

2017-01-01

Journal of Communications and Information Networks

Abstract:Integration of the IoT (Internet of Things) with Cloud Computing, termed as the CoT (Cloud of Things) can help achieve the goals of the envisioned IoT and future Internet. In a typical CoT infrastructure, the data collected from wireless sensor networks and IoTs is transmitted through a SG (Smart Gateway) to the cloud. The bandwidth between an IoT access point and SG becomes a bottleneck for information transmission between the IoT and the cloud. We propose a novel game theory model to describe the CoT attacker, who expects to use minimum set and energy consumption of IoT attack devices to occupy as many bandwidth resources as possible in a given time period; and the defender, who expects to minimize false alarms. By analyzing this model, we have found that the game theory model is a non-cooperative and repeated incomplete information game, and Nash equilibrium is existent, perfected by the subgame. The best strategy for each stage of the attack is to adjust the attack link number dynamically based on the comparison results of value ϵ and turning point ϵ0 for each time period. At the same time, the defender adjusts the threshold value β dynamically, based on the comparison results of the Load value and expected value of a for each time period. The simulation result shows that our strategy can significantly mitigate the harm of a distributed denial of service attack.