QIN Junning,HAN Jiajia,ZHOU Sheng,WU Chunming,CHEN Shuangxi,ZHAO Ruoyan,ZHANG Jiangyu

DOI: https://doi.org/10.11959/j.issn.1000-0801.2020143

2020-01-01

Abstract:The unbalanced development status of network security was introduced.The main hazards and the mechanism model of penetration testing were described,and the inherent shortcomings of many existing traditional defense methods were analyzed.However,new method of the mimic defense model makes the attack information obtained invalid by dynamically selecting the executive set and adaptively changing the system composition.The same attack mode is difficult to be maintained or reproduced.Based on the attack chain model,the traditional defensetechnology and mimic defense technology were analyzed and compared,and it was demonstrated that it had a protective role in multiple stages of the attack chain.Finally,the effectiveness and superiority of the mimic defense was verified by experiments,and the model was summarized and prospected.

张宝军,潘雪增,王界兵,平玲娣

DOI: https://doi.org/10.3785/j.issn.1008-973X.2009.06.004

2009-01-01

Abstract:Real-time intrusion detection under current network environment exists the following problems: first, the scale of network is large, and a great deal of information needs to be processed, which requires large throughput to the intrusion detection system (IDS); second, the network environment is complex, and the data type is multiplex, accordantly, the intrusion detection system should has high accuracy. Aiming at these problems, a model of intrusion detection system was proposed. The model uses the distributed architecture based on multi-agent system and shows good expansibility, and can self-adjust according to the scale and bandwidth of network. The model uses technologies of anomaly intrusion detection and misuse intrusion detection together, and has low false alert rate and miss alert rate. Multi-attribute data abstraction is used in the model to grasp the feature of intrusion accurately and provide strong support for intrusion identification. The classifier is constructed with radial basis function (RBF) so as to have good extension to unknown intrusions, and can do effective judgment to unknown intrusions. Experimental results show that the system has large throughput and high accuracy, thus it is suitable for current network and has good practicability.

LIN Junhao,FENG Dongqin

DOI: https://doi.org/10.11959/j.issn.2096−6652.202006

2020-01-01

Abstract:Compared with traditional network security defense methods,industrial system security protection research based on process flow has become an important research direction in the field of industrial security.An improved backward cloud algorithm based on first order absolute central moment (BC-1stM) non-deterministic reverse cloud method was proposed,which was modeled by the time series and the normal state of the process flow.The security protection detection and alarm based on the process attack mode in the industrial system was realized,and Tennessee Eastman chemical process platform was adopted to validate the algorithm.The results show that the model had a high precision in the detection of attack behavior and detection of attack points,and improved the security protection capability of industrial systems.

Lu Guang,Yu Fei,Guangxue Yue,Miaoliang Zhu

DOI: https://doi.org/10.1109/imsccs.2006.287

2006-01-01

Abstract:The research community is interested in finding effective methods to detect network traffic anomalies such as the propagation of a new worm, and to raise alarm in time. In this paper we research the principle that the number of network traffic can affect self-similarity of network traffics, and analyze the variety of self-similarity caused by abnormal network traffic. We propose a network traffic model on normal behaviors of users. An approach, which is applied to determine whether or not abnormal network traffic exists by comparing Hurst parameter with predefined threshold, is also presented. At last, implementation of network worm detecting agent in NP is described. Results of evaluation show that detecting agent performs very well in test-bed.

Daojing He,Sammy Chan,Yan Zhang,Chunming Wu,Bing Wang

DOI: https://doi.org/10.1109/mis.2013.105

IF: 6.744

2014-01-01

IEEE Intelligent Systems

Abstract:Attack-defense models play an important role in the design of cybersecurity systems. Here, the authors review some traditional and prevailing attack-defense models along with their weaknesses. Then, they survey some recently proposed paradigm shifts to these models based on which more effective security strategies can be designed. Further, they provide some suggestions on how to adopt the new models, and present challenges that need to be addressed in this field.

张恺伦,江全元

2013-01-01

Abstract:With the promotion and application of wide area measurement systems (WAMS) in power system, the security of its communication system is attracting a growing body of research. To analyze the vulnerability of WAMS communication infrastructures when facing network intrusions, an assessing method of vulnerability based on attack tree model is proposed. First, the attack tree model of WAMS communication system is established, which directly reflects the intrusion scenarios when the system is maliciously attacked. Second, a more reasonable assessing method for the vulnerability of passwords and ports is proposed, as well as the vulnerability of the system with all scenarios taken into consideration. Finally, the paper puts forth the concept of vulnerability sensitivity, which can quantitatively evaluate the effect of changes in the leaf vulnerability on the system, so as to find out the critical port.

CHEN Chun-xia,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1001-3695.2005.07.040

2005-01-01

Abstract:It needs to further investigate t echnology of network attack to protect the network security. Attack models can help in describing and analyzing the course of attack structurely and effectively, further more, they can help in sharing the security knowledge and improving the efficiency of attack detectio n and security prediction. This article analyzes and compares several attack mod els in common use at present,and then prospects the future directions of attack model research in the end.

Peng Ning,Sushil Jajodia,X. Sean Wang

DOI: https://doi.org/10.1007/978-1-4615-0467-2_6

2004-01-01

Abstract: In this chapter, we present a model to represent distributed attacks based on the concept of system view presented in Chapter 3. However, instead of developing a completely new model, we extend a model named ARMD [Lin et al., 1998, Lin, 1998], which was developed for host-based intrusion detection. There are several other models that could be used instead of ARMD, including rule based languages (e.g., P-BEST [Lindqvist and Porras, 1999] and RUSSEL [Mounji et al., 1995]), the State Transition Analysis Tool (STAT) [Il-gun et al., 1995, Vigna and Kermmerer, 1998, Vigna and Kemmerer, 1999], and the Colored Petri Automata (CPA) [Kumar, 1995, Kumar and Spafford, 1994].

Yue Li,Teng Zhang,Xue Li,Ting Li

DOI: https://doi.org/10.1007/978-981-13-6621-5_10

2019-01-01

Abstract:AbstractThe targets of Advanced Persistent Threat (APT) are mainly concentrate on national key information infrastructure, key research institutes, and large commercial companies, for the purpose of stealing sensitive information, trade secrets or destroying important infrastructure. Traditional protection system is difficult to detect the APT attack, due to the method of the APT attack is unknown and uncertain. And the persisted evolution ability destroyed the traditional protection methods based on feature detection. Therefore, this paper based on the theory of red-blue confrontation, to construct the game model of attack and defense. And then combined the APT offense and defense experience, presents a model based on cyber threat detection to deal with APT attacks.

yan fen,yin xinchun,huang hao

DOI: https://doi.org/10.1016/j.phpro.2012.02.260

2012-01-01

Physics Procedia

Abstract:In this paper, the method of modeling attack using attack tree is researched. The main goal is effectively using attack tree to model and express multi-stage network attacks. We expand and improve the traditional attack tree. The attack nodes in traditional attack tree are redefined, and the attack risk of leaf node is quantified. On those basis, the mentality and method of building MLL-AT (Multi-Level & Layer Attack Tree) are proposed. The improved attack tree can model attack more accurately, in particular to multi-stage network attacks. And the new model can also be used to evaluate system's risk, to distinguish between varying system security threat degrees caused by different attack sequences.

Haofang Zhang,Chunying Kang,Yao Xiao

DOI: https://doi.org/10.3390/s21144788

IF: 3.9

2021-07-13

Sensors

Abstract:To better understand the behavior of attackers and describe the network state, we construct an LSTM-DT model for network security situation awareness, which provides risk assessment indicators and quantitative methods. This paper introduces the concept of attack probability, making prediction results more consistent with the actual network situation. The model is focused on the problem of the time sequence of network security situation assessment by using the decision tree algorithm (DT) and long short-term memory(LSTM) network. The biggest innovation of this paper is to change the description of the network situation in the original dataset. The original label only has attack and normal. We put forward a new idea which regards attack as a possibility, obtaining the probability of each attack, and describing the network situation by combining the occurrence probability and attack impact. Firstly, we determine the network risk assessment indicators through the dataset feature distribution, and we give the network risk assessment index a corresponding weight based on the analytic hierarchy process (AHP). Then, the stack sparse auto-encoder (SSAE) is used to learn the characteristics of the original dataset. The attack probability can be predicted by the processed dataset by using the LSTM network. At the same time, the DT algorithm is applied to identify attack types. Finally, we draw the corresponding curve according to the network security situation value at each time. Experiments show that the accuracy of the network situation awareness method proposed in this paper can reach 95%, and the accuracy of attack recognition can reach 87%. Compared with the former research results, the effect is better in describing complex network environment problems.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Wenbo Wang,Peng Yi,Junfang Jiang,Peng Zhang,Xiang Chen

DOI: https://doi.org/10.1016/j.cose.2023.103533

IF: 5.105

2023-10-09

Computers & Security

Abstract:In recent years, the growing threat of cyber attacks has made more researchers focus on the study of alert correlation and attack prediction. While numerous solutions have been proposed, the existing works still have some shortcomings. Without aggregation, previous approaches directly put the excessive and duplicate alerts into models, ignoring the internal logic between adjacent payloads, which we believe is a significant clue to distinguish different types of attacks. In this paper, we propose a similarity based aggregation algorithm to correlate and aggregate alerts, then train a Transformer based model to handle input with variable length and complete the attack prediction. Additionally, a threat estimation method as well as its practical application has been proposed to assess the predicted output. Experimental results demonstrate that our proposed framework has the capability to effectively aggregate alerts, predict different attack intelligence in good mode as well as assess how much threat the administrator would face in the near future.

computer science, information systems

Zhijie Liu,Chongjun Wang,Shifu Chen

DOI: https://doi.org/10.1109/ISA.2008.11

2008-01-01

Abstract:Most cyber-attacks are not single attack actions. They are multi-step attacks composed by a set of attack actions. Although techniques used by attackers can be diverse, attack patterns are generally finite. So we need to find attack steps that are correlated in an attack scenario. By studying the patterns of multi-step cyber attacks, an algorithm is presented for correlating multi-step cyber attacks and constructing attack scenario system based on modeling multi-step cyber attacks. When alerts appear, the algorithm turns them into corresponding attack models based on the knowledge base and correlates them, whether alert or not is based on the weighted cost in the attack path graph and the attack degree of the corresponding host. And attack scenarios can be constructed by correlating the attack path graphs. Moreover, the model can detect intrusion alerts in real time and revise the attack scenarios. Experiments on the DARPA IDS test dataset show the validity of the algorithm.

Lijuan Xu,Bailing Wang,Xiaoming Wu,Dawei Zhao,Lei Zhang,Zhen Wang

DOI: https://doi.org/10.1109/tnse.2021.3130602

IF: 6.6

2022-03-01

IEEE Transactions on Network Science and Engineering

Abstract:By violating semantic constraints that the control process impose, the semantic attack leads the Industry Control Systems (ICS) into an undesirable state or critical state. The spread of semantic attack has caused huge economic losses and casualties to critical infrastructure. Therefore, detecting semantic attack is referred to an urgent and critical task. However, few existing detecting techniques can achieve satisfactory effects in detecting semantic attack of ICS, due to the high requirements of complete critical state-based semantic behavior features description, joint detection on multivariate type state variables, and validity of field states datasets under semantic attacks. In an effort to deal with above challenges, We label device states databases with temporal characteristics and divide impacts on states of field devices under semantic attacks into three categories, including absent in states set, confused sequences, irregular frequency. On this basis, we establish a behavioral model based on secondary labeling of states-duration evolution graph (BMSLS), then implement an adaptive secure state-based semantic attack detection framework furtherly. Compared with the traditional Auto Regression (AR) algorithm, the newer time series correlation graph model, and other five deep learning algorithms, our proposed framework demonstrates the superior effect on the detection of semantic attack.

engineering, multidisciplinary,mathematics, interdisciplinary applications

Tran Tri Dang,Tran Khanh Dang

DOI: https://doi.org/10.48550/arXiv.1904.03320

2019-04-05

Cryptography and Security

Abstract:This paper proposes a novel visual model for web applications security monitoring. Although an automated intrusion detection system can shield a web application from common attacks, it usually cannot detect more complicated break-ins. So, a human-assisted monitoring system is an indispensable complement, following the "Defense in depth" strategy. To support human operators working more effectively and efficiently, information visualization techniques are utilized in this model. A prototype implementation of this model is created and is used to test against a popular open source web application. Testing results prove the model's usefulness, at least in understanding the web application security structure.

Hongtao Song,Shanshan Sui,Qilong Han,Hui Zhang,Zaiqiang Yang

DOI: https://doi.org/10.1177/1550147720912958

IF: 1.938

2020-03-01

International Journal of Distributed Sensor Networks

Abstract:Nodes in a wireless sensor network are normally constrained by hardware and environmental conditions and face challenges of reduced computing capabilities and system security vulnerabilities. This fact calls for special requirements for network protocol design, security assessment models, and energy-efficient algorithms. Data aggregation is an effective energy conservation technique, which removes redundant information from the data aggregated from neighbor sensor nodes. How to further improve the effectiveness of data aggregation plays an important role in improving data collection accuracy and reducing the overall network energy consumption. Unfortunately, sensor nodes are normally deployed in an open environment and thus are subject to various attacks conducted by adversaries. Consequently, data aggregation brings new challenges to wireless sensor network security. In this article, we propose a novel secure data aggregation solution based on autoregressive integrated moving average model, a time series analysis technique, to prevent private data from being learned by adversaries. We leverage the autoregressive integrated moving average model to predict the data volume in sensor nodes, and update and synchronize the model as needed. The experimental results demonstrate that our model provides accurate predictions and that, compared with competing methods, our solution achieves better security, lower computation and communication costs, and better flexibility.

computer science, information systems,telecommunications

Yaofang Zhang,Zibo Wang,Yingzhou Wang,Kuan Lin,Tongtong Li,Hongri Liu,Chao Li,Bailing Wang

DOI: https://doi.org/10.1007/s11227-023-05269-1

IF: 3.3

2023-04-22

The Journal of Supercomputing

Abstract:Although the expansion of attack types against industrial control systems is limited, the available means that violate the same security strategy emerge endlessly. However, the high availability and real-time requirements of industrial control systems restrict the application of some countermeasures that require massive resources. To solve this problem, this paper proposes a low learning-cost risk assessment model for similar scenarios, which enables the formulation of defense strategies for system risks in advance. To lay the foundation for this method, we firstly aggregate the attack means into limited attack types according to word clustering to address the classification challenge caused by unknown attacks. Then, similarity and statistical methods are combined to predict the next attack type. Subsequently, the hidden Markov model is used to map attack types and security states to obtain the forecasting results of the next security state. Based on this, the risk value is calculated through these prediction and forecasting results, and the system relevance and alert timeliness are considered in the assessment stage. We break the scenario limitations and verify the advantages of our model in a known scenario and another similar scenario with unknown attacks. The experimental results show that our model can deal with unknown attacks in similar scenarios and has excellent scenario migration ability. Meanwhile, the changing trend of the risk value is in consistence with the actual data, which also confirms that the assessment model can forecast the future risk situation of the system accurately and comprehensively.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Xiaohu Li,Shouhuai Xu

2007-01-01

Abstract:Traditional security analyses are often geared towards cryptographic primitives or protocols. Although such analyses are absolutely necessary, they cannot address a defender’s need for insight into which aspects of a networked system have a significant impact on its security, and how to tune its configurations or parameters so as to improve security, against coordinated internal and external attacks. Such insights may only be offered by appropriate theoretic security models, which have long been sought but not much progress has been made. This paper reports our first step towards modeling coordinated internal and external attacks against networked systems.

Guang Kou,Shuo Wang,Guangming Tang

DOI: https://doi.org/10.1049/cje.2018.10.007

IF: 1.019

2019-01-01

Chinese Journal of Electronics

Abstract:This paper analyzed the existing network security situation evaluation methods and discovered that they cannot accurately reflect the features of large-scale, synergetic, multi-stage gradually shown by network attack behaviors. For this purpose, the association between attack intention and network configuration information was deep analyzed. Then a network security situation evaluation method based on attack intention recognition was proposed. Unlike traditional method, the evaluation method was based on intruder. This method firstly made causal analysis of attack event and discovered and simplified intrusion path to recognize every attack phases, then realized situation evaluation based on the attack phases. Lastly attack intention was recognized and next attack phase was forecasted based on achieved attack phases, combined with vulnerability and network connectivity. A simulation experiments for the proposed network security situation evaluation model is performed by network examples. The experimental results show that this method is more accurate on reflecting the truth of attack. And the method does not need training on the historical sequence, so the method is more effective on situation forecasting.

engineering, electrical & electronic

Yanling Yuan,Zuyi Li,Kui Ren

DOI: https://doi.org/10.1109/tsg.2011.2123925

IF: 10.275

2011-01-01

IEEE Transactions on Smart Grid

Abstract:State estimation is a key element in today's power systems for reliable system operation and control. State estimation collects information from a large number of meter measurements and analyzes it in a centralized manner at the control center. Existing state estimation approaches were traditionally assumed to be able to tolerate and detect random bad measurements. They were, however, recently shown to be vulnerable to intentional false data injection attacks. This paper fully develops the concept of load redistribution (LR) attacks, a special type of false data injection attacks, and analyzes their damage to power system operation in different time steps with different attacking resource limitations. Based on damaging effect analysis, we differentiate two attacking goals from the adversary's perspective, i.e., immediate attacking goal and delayed attacking goal. For the immediate attacking goal, this paper identifies the most damaging LR attack through a max-min attacker-defender model. Then, the criterion of determining effective protection strategies is explained. The effectiveness of the proposed model is tested on a 14-bus system. To the author's best knowledge, this is the first work of its kind, which quantitatively analyzes the damage of the false data injection attacks to power system operation and security. Our analysis hence provides an in-depth insight on effective attack prevention with limited protection resource budget.