Fenghua Li,Yongjun Li,Zhengkun Yang,Yunchuan Guo,Lihua Yin,Zhen Wang

DOI: https://doi.org/10.1109/icccn.2018.8487417

2018-01-01

Abstract:Countermeasure selection is a key process of the Intrusion Response System (IRS). Many cost-sensitive schemes have been proposed to select the optimal countermeasure to maximize security utility by attuning attack damage and response cost. However, existing schemes ignore the interaction between different countermeasures for different attack paths, and neglect the uncertainty between alerts and attacks, which may lead to excessive or insufficient responses. ignore the interaction between different countermeasures for multiple attack paths. To address this problem, in this paper, we propose a combined countermeasures selection scheme based on probabilistic attack tree (PAT). First, we employ Bayesian networks to calculate the probability of each atomic attack in the PAT. Next, the exploitation probability of each attack path is evaluated and multiple possible attack paths are identified. In addition, we quantify the damage of each identified attack path and formulate the countermeasure selection for single attack path as a multi-objective optimization problem. Finally, by considering the security utilities of the countermeasures for different attack paths, we use a greedy strategy to select the combined countermeasures and maximize overall security utility. The experimental results demonstrate the effectiveness of the proposed scheme.

Sheng Xu,Yongxiang Xia,Hui-Liang Shen

DOI: https://doi.org/10.1109/jsyst.2022.3150576

IF: 4.802

2022-01-01

IEEE Systems Journal

Abstract:In this article, we study how to resist malware attacks in cyber-physical power systems (CPPSs) through cyber protection. A model that incorporates the power flow analysis, the cyber monitoring and control, and the factor of cyber protection is proposed to simulate malware attacks in CPPSs. Meanwhile, an evaluation method is also developed to estimate the effectiveness of different cyber protection strategies. Through simulations, we conduct case studies in a test CPPS generated by coupling the IEEE 118 Bus System with a scale-free communication network. The protection effects of three heuristic cyber protection strategies, namely, target protection, random protection, and acquaintance protection are compared and analyzed. Simulation results reveal that compared with the other two strategies, target protection can suppress malware propagation and resist malware attacks more effectively. Moreover, we also investigate the optimal cyber protection problem in CPPSs and formulate it as a zero-one integer programming problem. We solve the problem by genetic algorithm and find that some low-degree cyber nodes also play a significant role in resisting malware attacks in CPPSs, especially when the protection budget is tight.

Bowen Xu,Mengxiang Liu,Rui Zhong,Ke Zuo,Ruilong Deng

DOI: https://doi.org/10.1109/tii.2024.3457037

IF: 12.3

2024-01-01

IEEE Transactions on Industrial Informatics

Abstract:In recent years, numerous studies have explored how to allocate limited defense resource among meters to increase difficulties for launching attacks in power systems. However, existing studies often simplify this problem by assuming the linearity of attack cost functions, which creates an inevitable gap between theoretical analysis and practical scenarios. In this article, general nonlinear attack cost functions are considered in the formulation of the optimal defense resource problem, resulting in a mixed-integer nonlinear programming problem. This poses a challenging task for numerical methods or popular commercial solvers. To address this issue, an advanced slime mould algorithm with specialized initialization and evolutionary schemes is proposed. Specifically, a customized initialization strategy is designed such that the population can be easily initialized within the nonconvex feasible region aligning with the nonlinear constraints. Besides, in the evolutionary process, the fitness function is well-designed to encourage the individuals violating nonlinear constraints to evolve toward feasible directions. Comprehensive case studies verify that, compared to the state-of-the-art solvers, the proposed approach can achieve satisfactory defense resource allocation results in terms of feasibility, optimality, and real-time performance.

Orly Stan,Ron Bitton,Michal Ezrets,Moran Dadon,Masaki Inokuchi,Yoshinobu Ohta,Tomohiko Yagyu,Yuval Elovici,Asaf Shabtai

DOI: https://doi.org/10.48550/arXiv.1906.10943

2019-06-26

Abstract:Selecting the optimal set of countermeasures is a challenging task that involves various considerations and tradeoffs such as prioritizing the risks to mitigate and costs. The vast majority of studies for selecting a countermeasure deployment are based on a limited risk assessment procedure that utilizes the common vulnerability scoring system (CVSS). Such a risk assessment procedure does not necessarily consider the prerequisites and exploitability of a specific asset, cannot distinguish insider from outsider threat actor, and does not express the consequences of exploiting a vulnerability as well as the attacker's lateral movements. Other studies applied a more extensive risk assessment procedure that relies on manual work and repeated assessment. These solutions however, do not consider the network topology and do not specify the optimal position for deploying the countermeasures, and therefore are less practical. In this paper we suggest a heuristic search approach for selecting the optimal countermeasure deployment under a given budget limitation. The proposed method expresses the risk of the system using an extended attack graph modeling, which considers the prerequisites and consequences of exploiting a vulnerability, examines the attacker's potential lateral movements, and express the physical network topology as well as vulnerabilities in network protocols. In addition, unlike previous studies which utilizes attack graph for countermeasure planning, the proposed methods does not require re-generating the attack graph at each stage of the procedure, which is computationally heavy, and therefore it provides a more accurate and practical countermeasure deployment planning process.

Cryptography and Security

MingChu Li,Wanyu Dong,Xiao Zheng,Anil Carie,Yuan Tian

DOI: https://doi.org/10.1007/978-981-19-0604-6_49

2022-01-01

Abstract:This paper proposes a method to enable a risk-averse and resource-constrained network defender to deploy security countermeasures in an optimal way to prevent multiple potential attackers with uncertain budgets. To solve the problem of information asymmetry between the attacker and the defender, a fake countermeasure (FC) is placed on the arc, and the situation of multiple attackers is also taken into consideration. This method is based on the risk aversion bi-level stochastic network interdiction model on the attack graph, which can easily map the path of attackers. Meanwhile, our method can minimize the weighted sum of all losses and minimize the risk of the defender's key nodes being destroyed. At the same time, in order to prevent the key node of the defender from being destroyed, the risk condition value measurement is taken into account in the stochastic programming model. We design a SA-CPLEX algorithm to provide a high-quality approximate optimal solution. And computational results suggest that our method provides better network interdiction decisions than traditional deterministic and risk-neutral models.

Mingchu Li,Yuanpeng Cao,Tie Qiu

DOI: https://doi.org/10.1109/UIC-ATC.2017.8397517

2017-01-01

Abstract:In recent years, terrorist organizations' activates are various (e.g., igniting a bomb, shooting). Thus, it is difficult to predict the target which will be attacked and how to implement attacks by attackers. Although security agencies may have some knowledge of adversaries, potential targets can't be covered by sufficient security resources all the time due to limited security resources. There are generally two forms of attacks. One is instantaneous attack such as igniting a bomb. The other is persistent attack like shooting and knife attack. Most studies assumed that the site of the deploying resources is completely protected, but ignored the attacker's attack ability will exceed defender's defense ability in the case of persistent attacks. An example of the typical persistent attack is a terrorist attack happening in Kunming, China on March 1, 2014, which caused large losses. In this paper, we first explore the attacker's persistent attack with multiple resources like Kunming attack and make four contributions: 1) A new Stackelberg game model to formulate the problem for attacker's persistent attack with multiple resources; 2) A novel algorithm to compute the optimal mixed patrol strategy for the defender; 3) A modified double-oracle algorithm to further scale up the algorithm; and 4) Extensive experiments to show solution quality and scalability of proposed algorithms.

Kang-Di Lu,Zheng-Guang Wu

DOI: https://doi.org/10.1109/tii.2021.3129487

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:As the next-generation power grids, smart grids are integrated with advanced information and communication technology (ICT) to make the grid more efficient and stable than conventional power systems. Given the mounting cyber-attack threats, these critical ICT systems create great security issues for smart grids. Additionally, the clever attackers have the ability to not only access and monitor the smart grid, but also hack it by launching well-established cyber-attacks. Thus, this article is devoted to understanding the potential stealthy cyber-attack and its countermeasure. First, this article proposes a stealthy sparse cyber-attack model in an ac smart grid by considering both the residual test-based detector and the interval-state-estimation-based detector, which is not considered in previous studies. The design model is formulated as a constrained optimization problem by minimizing the number of contaminated meters, where the characteristics of two types of detector are considered simultaneously as the constraints for the first time. A constrained differential evolution (CDE) is proposed as the solver because the optimization problem is NP-hard. Then, a generalized-cumulative-sum-based detector is developed to detect the proposed cyber-attacks, where a fractional-order state transition matrix is originally introduced into the estimator to describe the dynamics of the power system. Numerical studies illustrate the feasibility of CDE-based stealthy sparse cyber-attacks and the effectiveness of the proposed countermeasure.

Feiyang Hong,Zhejing Bao,Miao You

DOI: https://doi.org/10.1109/CCDC52312.2021.9601681

2021-01-01

Abstract:Recent studies show that the cyber-attacks such as false data injection attack (FDIA) are capable of severely threatening power system security, in such a way that the undetected errors are introduced into the states estimations by evading the conventional bad data detection (BDD) methods. This paper proposes a tri-level optimization model against the FDIA by formulating the attack actions and identifying the optimal defense strategies constrained by the limited resources. In the lower level, an economic dispatching is implemented to seek the operational strategy aiming at minimizing the operating costs under the given attack. The middle level formulates the behaviors of the attacker to discover the most destructive attack strategy intended by the attacker based on the defense strategy determined by the upper level. The upper level represents the actions of the planner and determines the optimal defense allocation on the measuring meters. The min-max-min tri-level model can be solved by the column-and-constraint generation (C&CG) algorithm. Simulations are implemented to identify the components which should be protected under the limited defense resources and severe attacks.

Xiaoyu Wang,Xiaorui Gong,Lei Yu,Jian Liu

DOI: https://doi.org/10.1109/trustcom53373.2021.00106

2021-10-01

Abstract:With the continuous improvement of attack methods, there are more and more distributed, complex, targeted attacks in which the attackers use combined attack methods to achieve the purpose. Advanced cyber attacks include multiple stages to achieve the ultimate goal. Traditional intrusion detection systems such as endpoint security management tools, firewalls, and other monitoring tools generate a large number of alerts during the attack. These alerts include attack clues, as well as many false positives unrelated to attacks. Security analysts need to analyze a large number of alerts and find useful clues from them and reconstruct attack scenarios. However, most traditional security monitoring tools cannot correlate alerts from different sources, so many multi-step attacks are still completely unnoticed, requiring manual analysis by security analysts like finding a needle in a haystack. We propose MAAC, a multi-step attack alert correlation system, which reduces repeated alerts and combines multi-step attack paths based on alert semantics and attack stages. The evaluation results of the real-world datasets show that MAAC can effectively reduce the alerts by 90% and find attack paths from a large number of alerts.

Yi-xi Xie,Li-xin Ji,Ling-shu Li,Zehua Guo,Thar Baker

DOI: https://doi.org/10.1080/09540091.2020.1832960

2020-01-01

Connection Science

Abstract:The expansion of information technology infrastructure is encountered with Advanced Persistent Threats (APTs), which can launch data destruction, disclosure, modification, and/or Denial of Service attacks by drawing upon vulnerabilities of software and hardware. Moving Target Defense (MTD) is a promising risk mitigation technique that replies to APTs via implementing randomisation and dynamic strategies on compromised assets. However, some MTD techniques adopt the blind random mutation, which causes greater performance overhead and worse defense utility. In this paper, we formulate the cyber-attack and defense as a dynamic partially observable Markov process based on dynamic Bayesian inference. Then we develop an Inference-Based Adaptive Attack Tolerance (IBAAT) system , which includes two stages. In the first stage, a forward–backward algorithm with a time window is employed to perform a security risk assessment. To select the defense strategy, in the second stage, the attack and defense process is modelled as a two-player general-sum Markov game and the optimal defense strategy is acquired by quantitative analysis based on the first stage. The evaluation shows that the proposed algorithm has about 10% security utility improvement compared to the state-of-the-art.

Yuyang Zhou,Guang Cheng,Shanqing Jiang,Yuyu Zhao,Zihan Chen

DOI: https://doi.org/10.1016/j.cose.2020.101976

IF: 5.105

2020-01-01

Computers & Security

Abstract:Moving Target Defense (MTD) has emerged as a game changer to reverse the asymmetric situation between attackers and defenders, and as one of the most effective countermeasures to mitigate DDoS attacks, shuffling-based MTD has gained ever-growing attention in cyber security. Despite the increased security, frequent shuffles would significantly bring heavy burden to the system. Moreover, most existing work has not adequately considered the impact of MTD techniques on the defender, and especially ignored that on legitimate users. Due to the lack of cost-effective shuffling methods, it is difficult to reach the optimal balance between the performance and overhead associated with the MTD deployment. Building on our preliminary work in this field, we propose a novel cost-effective shuffling method, which involves common users as a trilateral game for strategy generation and resists DDoS attacks with several MTh mechanisms. The novel game model extends our previous work to further describe the interaction among the attacker, the defender and users in detail, and we exploit Multi-Objective Markov Decision Processes to find the optimal MTh strategy by solving the trade-off problem between the effectiveness and cost of shuffling. By designing a trilateral game cost-effective shuffling algorithm, we capture the best MTD strategy and reach a balance between them in a given shuffling scenario. Simulation and experiments on an experimental software-defined network (SDN) indicate that our approach can effectively mitigate DDoS attacks with an acceptable overload, and exhibit better performance than other related and state of the art approaches. (C) 2020 Elsevier Ltd. All rights reserved.

Zhen Wang,Mengting Jiang,Yu Yang,Lili Chen,Hong Ding

DOI: https://doi.org/10.3389/fphy.2021.805584

IF: 3.718

2021-01-01

Frontiers in Physics

Abstract:Most critical infrastructure networks often suffer malicious attacks, which may result in network failures. Therefore, how to design more robust defense measures to minimize the loss is a great challenge. In recent years, defense strategies for enhancing the robustness of the networks are developed based on the game theory. However, the aforementioned method cannot effectively solve the defending problem on large-scale networks with a full strategy space. In this study, we achieve the purpose of protecting the infrastructure networks by allocating limited resources to monitor the targets. Based on the existing two-person zero-sum game model and the Double Oracle framework, we propose the EMSL algorithm which is an approximation algorithm based on a greedy search to compute effective mixed strategies for protecting large-scale networks. The improvement of our approximation algorithm to other algorithms is discussed. Experimental results show that our approximation algorithm can efficiently compute the mixed strategies on actual large-scale networks with a full strategy space, and the mixed defense strategies bring the highest utility to a defender on different networks when dealing with different attacks.

Alexander V. Outkin,Patricia V. Schulz,Timothy Schulz,Thomas D. Tarman,Ali Pinar

DOI: https://doi.org/10.48550/arXiv.2107.04075

2021-07-09

Abstract:Protecting against multi-step attacks of uncertain duration and timing forces defenders into an indefinite, always ongoing, resource-intensive response. To effectively allocate resources, a defender must be able to analyze multi-step attacks under assumption of constantly allocating resources against an uncertain stream of potentially undetected attacks. To achieve this goal, we present a novel methodology that applies a game-theoretic approach to the attack, attacker, and defender data derived from MITRE's ATT&CK Framework. Time to complete attack steps is drawn from a probability distribution determined by attacker and defender strategies and capabilities. This constraints attack success parameters and enables comparing different defender resource allocation strategies. By approximating attacker-defender games as Markov processes, we represent the attacker-defender interaction, estimate the attack success parameters, determine the effects of attacker and defender strategies, and maximize opportunities for defender strategy improvements against an uncertain stream of attacks. This novel representation and analysis of multi-step attacks enables defender policy optimization and resource allocation, which we illustrate using the data from MITRE's APT3 ATT&CK Evaluations.

Cryptography and Security,Computer Science and Game Theory

Hanyi Xu,Guozhen Cheng,Xiaohan Yang,Wenyan Liu,Dacheng Zhou,Wei Guo

DOI: https://doi.org/10.3390/electronics13030487

IF: 2.9

2024-01-25

Electronics

Abstract:Due to the fine-grained splitting of microservices and frequent communication between microservices, the exposed attack surface of microservices has exploded, facilitating the lateral movement of attackers between microservices. To solve this problem, a multi-dimensional moving target defense method based on an adaptive simulated annealing genetic algorithm (MD2RS) is proposed. Firstly, according to the characteristics of microservices in the cloud, a microservice attack graph is proposed to quantify the attack scenario of microservices in the cloud so as to conveniently and intuitively observe the vulnerability of microservices in the cloud and the dependency relationship between microservices. Secondly, the security gain and resource cost are quantified for the key nodes selected by measuring the degree of dependence of each node according to the degree centrality. Finally, the Adaptive Simulated Annealing Genetic Algorithm (ASAGA) is used to solve the optimal security configuration information of the moving target defense, that is, the combination of the number of copies of the multi-copy deployment and the rotation cycle of the dynamic rotation of microservices, in order to quickly evaluate the security risks of microservices and optimize the security policy. Experiments show that the defense return rate of MD2RS is 85.95% higher than that of the mainstream methods, and the experimental results are conducive to applying this method to the dynamic defense of microservices in the cloud.

engineering, electrical & electronic,computer science, information systems,physics, applied

Hui Xie,Kun Lv,Changzhen Hu

DOI: https://doi.org/10.1109/bdcloud.2018.00030

2018-01-01

Abstract:Optimal attack path planning has a significant impact on network security. According to an optimal attack path, an attacker can quickly and efficiently attack the target host. This article proposes a partition matching method (PM) to infer the optimal attack path. PM can avoid the problem of path loss and get the result quickly. PM has two steps: network partition and local path matching. The target of the network partition is to divide the network into certain parts and find out the key nodes. The local path matching aims to splice the local paths in partitioned networks into a full path. In the target network, every host has a weight matrix which includes host connect number, CVSS value and their respective priorities. A cost function is proposed to calculate evaluation values of optimal local paths and the evaluation value of full optimal attack path based on the weight matrix. Results of our experiment demonstrate the capabilities of PM which can generate an optimal attack path in one single run. The results obtained by PM show good performance and are compared with other methods.

Li Baojie,Lu Yuxin,Zeng Xiaoming,Chen Yufei,Zeng Xiangfeng,He Weisheng

DOI: https://doi.org/10.2991/jimec-17.2017.13

2017-01-01

Abstract:Recent years, an explosion of cyber-attack accidents once more sound the alarm on the significance of cyber-security issue. For the sake of establishing robust panoramic defense architecture in modern Cyber-Physical Power System (CPPS), an effective and quantitative vulnerability assessment of CPPS is in desperate demand. Consequently, based on the detailed induction and analysis of general framework of cyber-attack, a quantitative assessment method is proposed in the paper from the aspects of both attackers and defenders. In the first place, the probability of selecting access point from the attacker's view is quantized through the scoring of the three properties of information security, the penetration difficulty and the impact of vulnerability. Then, the impact assessment of defender and attacker strategies is discussed via the analysis of both positive and negative aspects. Afterwards, by means of the solving the linear programming issue, the optimal determination of strategy-selection is realized via Nash Equilibrium of Mixed Strategy(NEMS) algorithm. The reasonability of the proposed assessment framework together with future research work are demonstrated at the end of paper.

Guangyu Wu,Gang Wang,Jian Sun,Lu Xiong

DOI: https://doi.org/10.1109/tsmc.2019.2945067

2021-01-01

Abstract:The work analyzes dynamic responses of a healthy plant under optimal switching data-injection attacks on sensors and develops countermeasures from the vantage point of optimal control. This is approached in a cyber-physical system setting, where the attacker can inject false data into a selected subset of sensors to maximize the quadratic cost of states and the energy consumption of the controller at a minimal effort. A 0-1 integer program is formulated, through which the adversary finds an optimal sequence of sets of sensors to attack at optimal switching instants. Specifically, the number of compromised sensors per instant is kept fixed, yet their locations can be dynamic. Leveraging the embedded transformation and mathematical programming, an analytical solution is obtained, which includes an algebraic switching condition determining the optimal sequence of attack locations (compromised sensor sets), along with an optimal state-feedback-based data-injection law. To thwart the adversary, however, a resilient control approach is put forward for stabilizing the compromised system under arbitrary switching attacks constructed based on a set of state-feedback laws, each of which corresponds to a compromised sensor set. Finally, an application using power generators in a cyber-enabled smart grid is provided to corroborate the effectiveness of the resilient control scheme and the practical merits of the theory.

Xiaoyi Zhang,Zheng,Yueni Zhu,Kai-Yuan Cai

DOI: https://doi.org/10.1016/j.cor.2013.08.008

IF: 5.159

2013-01-01

Computers & Operations Research

Abstract:This paper focuses on the protection issues for supply systems involving random attacks, which are described as attacks whose targets cannot be predicted. We present the random-attack median fortification problem (RAMF) to identify the fortification strategy that minimizes the expected operation cost after random attacks. RAMF is formulated as an integer-linear program and solved directly using general-purpose MIP solver. Moreover, a more complex problem, the fortification median problem for disruptions caused by mixed types of attacks (FMMA), is introduced to find a balance between defending the worst-case attacks and random attacks. Solving FMMA can achieve good protection results, which are more practical in dealing with systems with mixed types of attacks, if the proportion between the types is properly estimated. We formulate FMMA as a non-linear bilevel program and extend a typical implicit enumeration (IE) algorithm to solve the problem. Finally, computational experiments demonstrate the effectiveness of both RAMF and FMMA in dealing with protective affairs involving random attacks. The efficiency of solving the formulations of RAMF and FMMA is also testified.

Thanh H. Nguyen,Arunesh Sinha

DOI: https://doi.org/10.48550/arXiv.2202.13424

2022-03-01

Abstract:This paper studies the problem of multi-step manipulative attacks in Stackelberg security games, in which a clever attacker attempts to orchestrate its attacks over multiple time steps to mislead the defender's learning of the attacker's behavior. This attack manipulation eventually influences the defender's patrol strategy towards the attacker's benefit. Previous work along this line of research only focuses on one-shot games in which the defender learns the attacker's behavior and then designs a corresponding strategy only once. Our work, on the other hand, investigates the long-term impact of the attacker's manipulation in which current attack and defense choices of players determine the future learning and patrol planning of the defender. This paper has three key contributions. First, we introduce a new multi-step manipulative attack game model that captures the impact of sequential manipulative attacks carried out by the attacker over the entire time horizon. Second, we propose a new algorithm to compute an optimal manipulative attack plan for the attacker, which tackles the challenge of multiple connected optimization components involved in the computation across multiple time steps. Finally, we present extensive experimental results on the impact of such misleading attacks, showing a significant benefit for the attacker and loss for the defender.

Artificial Intelligence,Computer Science and Game Theory

Zhijie Liu,Chongjun Wang,Shifu Chen

DOI: https://doi.org/10.1109/ISA.2008.11

2008-01-01

Abstract:Most cyber-attacks are not single attack actions. They are multi-step attacks composed by a set of attack actions. Although techniques used by attackers can be diverse, attack patterns are generally finite. So we need to find attack steps that are correlated in an attack scenario. By studying the patterns of multi-step cyber attacks, an algorithm is presented for correlating multi-step cyber attacks and constructing attack scenario system based on modeling multi-step cyber attacks. When alerts appear, the algorithm turns them into corresponding attack models based on the knowledge base and correlates them, whether alert or not is based on the weighted cost in the attack path graph and the attack degree of the corresponding host. And attack scenarios can be constructed by correlating the attack path graphs. Moreover, the model can detect intrusion alerts in real time and revise the attack scenarios. Experiments on the DARPA IDS test dataset show the validity of the algorithm.