Junchi Xing,Mingliang Yang,Haifeng Zhou,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958776

2019-01-01

Abstract:Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has been emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable to effectively disrupt adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

Daojing He,Sammy Chan,Yan Zhang,Chunming Wu,Bing Wang

DOI: https://doi.org/10.1109/mis.2013.105

IF: 6.744

2014-01-01

IEEE Intelligent Systems

Abstract:Attack-defense models play an important role in the design of cybersecurity systems. Here, the authors review some traditional and prevailing attack-defense models along with their weaknesses. Then, they survey some recently proposed paradigm shifts to these models based on which more effective security strategies can be designed. Further, they provide some suggestions on how to adopt the new models, and present challenges that need to be addressed in this field.

CHEN Liyue,SUN Xin,CHENG Tiansheng,WU Chunming,CHEN Shuangxi

DOI: https://doi.org/10.11959/j.issn.1000-0801.2020142

2020-01-01

Abstract:Rootkit is a set of persistent and undetectable attack technologies,which can hide their attack behavior and backdoor trace by modifying software or kernel in operating system and changing execution path of instruction.Firstly,the basic definition and evolution of Rootkit were introduced,then the operating principle,current mainstream technology and detection methods of Rootkit were discussed.Then,through comparative experiments on performance and security,the application of mimic defense system was described for Web based on dynamic,heterogeneous,redundant structure under Trojan Horse attack.Experiments show that mimic defense system can effectively defend against Trojan Horse in tests in the premise of low overhead.At last,the opportunities and challenges of the DHR system were summarized.

Jiming Chen,Junkun Li,Ten H. Lai

DOI: https://doi.org/10.1109/tvt.2013.2254732

IF: 6.8

2013-01-01

IEEE Transactions on Vehicular Technology

Abstract:Mobile target detection is a significant application in wireless sensor networks (WSNs). In fact, it is rather expensive to require every part of the region of interest (RoI) to be covered in a large-scale WSN for target detection. Trap coverage has been proposed to trade off between sensing performance and the cost of sensor deployments. It restricts the farthest distance that a target can move without being detected rather than providing full coverage to the region. However, the results cannot be directly applied in a real WSN since the detection pattern of a sensor in practical scenarios follows a probabilistic sensing model. Moreover, the trap coverage model does not consider the various moving speeds of targets, which is important for trapping targets. To extend the concept of mobile target trapping into a real large-scale WSN, we analyze the detection probability of a mobile target in the sensor network theoretically and define probabilistic trap coverage in this paper, which restricts the farthest displacement of a mobile target with a detection probability less than the threshold. We develop the theory of circle graph, which can be generally applied in the area of intrusion detection such as trap coverage and barrier coverage. We further study the practical issue of how to schedule sensors to maximize the lifetime of a network while guaranteeing probabilistic trap coverage. A localized protocol is proposed to solve the problem, and the performance of the protocol is theoretically analyzed. The lower bound of lifetime acquired by the protocol is nearly half the optimum lifetime. To evaluate our design, we perform extensive simulations to compare our algorithm with the state-of-the-art solution and demonstrate the superiority of our algorithm.

WUChunming

DOI: https://doi.org/10.3969/j.issn.1009-6868.2016.01.009

2016-01-01

Abstract:Dynamic network proactive security defence is an effective method for solving the unknown vulnerabilities and back door attacks in the information system. In this paper, the evolution defense mechanism (EDM) is proposed. According to the security status, network system security needs, EDM can select the best network configuration change elements to deal with potential attacks and ensure the safety requirements of a specific level. Dynamic reconfiguration and changes of the network need to be considered in accordance with the security situation of the system and the possible network attacks. The key is how to detect and the security situation and network attacks. It proposes that study on dynamic network proactive security defense in China is in the initial stage, and there is stil much work to do.

Cheng Lei,Hong-Qi Zhang,Jing-Lei Tan,Yu-Chen Zhang,Xiao-Hu Liu

DOI: https://doi.org/10.1155/2018/3759626

IF: 1.968

2018-07-22

Security and Communication Networks

Abstract:As an active defense technique to change asymmetry in cyberattack-defense confrontation, moving target defense research has become one of the hot spots. In order to gain better understanding of moving target defense, background knowledge and inspiration are expounded at first. Based on it, the concept of moving target defense is analyzed. Secondly, literature analysis method is adopted to explain the design principles and system architecture of moving target defense. In addition, some relevant key techniques are introduced from the aspects of strategy generation, shuffling implementation, and performance evaluation. After that, the applications of moving target defense in different network architectures are illustrated. Finally, existing problems and future trend in this field are elaborated so as to provide a basis for further study.

computer science, information systems,telecommunications

Jiangxing Wu

DOI: https://doi.org/10.1007/978-3-030-29844-9_3

2020-01-01

Abstract:From the perspective of technology, the current cyberspace defense methods fall into three categories: the first category focuses on the protection of information by strengthening the system with such technologies as firewall, encryption and decryption, data authentication, and access control. They offer basic protection for normal network access, legitimate user identification and rights management, and the security of confidential data. The second category includes mainly intrusion detection and other technologies, such as vulnerability detection, data authentication, traffic analysis, and log auditing. They aim to perceive attacks in real time and initiate immediate defenses according to the known features of an attack. This category relies on dynamic monitoring and alarm system enabled by feature scanning, pattern matching, data comprehensive analysis, and other methods to block or eliminate threats. The third category is network spoofing, represented by honeypot and honeynet. Their basic approach is, before any attack is performed, to actively construct special preset monitoring and sensing environments, serving as “traps,” to lure potential attackers to enter for the purpose of carrying out analysis of possible attack moves and gathering information necessary for cracking down on, tracing back, or countering the attacks.

Yu Zheng,Zheng Li,Xiaolong Xu,Qingzhan Zhao

DOI: https://doi.org/10.1016/j.dcan.2021.07.006

IF: 6.348

2021-07-01

Digital Communications and Networks

Abstract:Driven by the rapid development of the Internet of Things, cloud computing and other emerging technologies, the connotation of cyber space is constantly expanding and becoming the fifth dimension of human activities. However, security problems in cyber space are becoming serious, and traditional defense measures (e.g., firewall, intrusion detection systems and security audit) often fall into a passive situation of being prone to attacks and difficult to take effect when responding to new types of network attacks with higher and higher degree of coordination and intelligence. By constructing and implementing the diverse strategy of dynamic transformation, the configuration characteristics of systems are constantly changing and the probability of vulnerability exposure is increasing. Therefore, the difficulty and cost of attack are increasing, which provides new ideas for reversing the asymmetric situation of defense and attack in cyber space. Nonetheless, there are few related works that systematically introduce dynamic defense mechanisms for cyber security. The related concepts and development strategies of dynamic defense are rarely analyzed and summarized. To bridge this gap, we conduct a comprehensive and concrete survey of recent research efforts on dynamic defense in cyber security. Specifically, we firstly introduce basic concepts and define dynamic defense in cyber security. Next, we review the architectures, enabling techniques and methods for moving target defense and mimic defense. This is followed with taxonomically summarizing the implementation and evaluation of dynamic defense. Finally, we discuss some open challenges and opportunities on dynamic defense in cyber security.

Yue Li,Teng Zhang,Xue Li,Ting Li

DOI: https://doi.org/10.1007/978-981-13-6621-5_10

2019-01-01

Abstract:AbstractThe targets of Advanced Persistent Threat (APT) are mainly concentrate on national key information infrastructure, key research institutes, and large commercial companies, for the purpose of stealing sensitive information, trade secrets or destroying important infrastructure. Traditional protection system is difficult to detect the APT attack, due to the method of the APT attack is unknown and uncertain. And the persisted evolution ability destroyed the traditional protection methods based on feature detection. Therefore, this paper based on the theory of red-blue confrontation, to construct the game model of attack and defense. And then combined the APT offense and defense experience, presents a model based on cyber threat detection to deal with APT attacks.

Luo Xingguo,Tong Qing,Zhang Zheng,Wu Jiangxing

DOI: https://doi.org/10.15302/j-sscae-2016.06.014

2016-01-01

Abstract:Cyberspace security is in an unbalanced state, in which it is easy to attack and difficult to defend. Active defense technology is a new direction in cyberspace security research, which is attracting increasing attention. This paper summarizes the development of active defense via the introduction of intrusion-tolerant technology and moving target defense technology. Furthermore, the theory, implementation, and testing of mimic defense are introduced. Based on a comparison of mimic defense with intrusion tolerance and moving target defense, the research direction and the key points of cybersecurity rebalancing strategy are proposed to provide a reference for the development of national cybersecurity.

Yuqing Li,Wenkuan Dai,Jie Bai,Xiaoying Gan,Jingchao Wang,Xinbing Wang

DOI: https://doi.org/10.1109/TIFS.2018.2847671

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Combined with many different attack forms, advanced persistent threats (APTs) are becoming a major threat to cyber security. Existing security protection works typically either focus on one-shot case, or separate detection from response decisions. Such practices lead to tractable analysis, but miss key inherent APTs persistence and risk heterogeneity. To this end, we propose a Lyapunov-based secur...

CHEN Rui-dong,ZHANG Xiao-song,NIU Wei-na,LAN Hao-yue

DOI: https://doi.org/10.3969/j.issn.1001-0548.2019.06.011

2019-01-01

Abstract:Advanced persistent threat (APT) is a new kind of cyber-attack as a growth security events. This paper analysis more than 150 typical APT cases happened during last decade, and constructs the analytical model of APT attack, indicates 4 major problems of APT attack detection and countering: the fragile penetration protection problem, the low detection accuracy, the difficulty of determining the attack forensic, and the slow response to the unknown attack problem. In the meanwhile, this paper analyzes typical APT attacks in recent years, mines the association based on attacking tools. According to the experiments, there are similarity patterns between the tools used by the same organization. In summary, the integral APT defense scheme in this paper includes the latest achievements of four types of defense schemes, plays an academic supporting role in building a unified attack detection and traceability countermeasure platform.

Zhihong Tian,Binxing Fang,Bin Li,Hongli Zhang

2005-01-01

Abstract:Intrusion detection systems are used to alert system administrators to malicious attacks. Unfortunately, running without any information of the network resources that they protect, intrusion detection systems are notorious for generating a large number of alerts that are either not related to malicious activity or not representative of a successful attack. To address this shortcoming, this paper presents a vulnerability-driven active alert verification approach that performs real-time verification of attacks detected by an intrusion detection system. By means of checking for the vulnerability that the attack attempts to exploit, we can verify whether the attack has succeeded or not. The Experimental evaluation illustrates that it is a useful tool for reducing the false positive rate.

Chengrong WU,Ming YAN,Haolin Jin,Wei LIU,Shiyong ZHANG,Jianping ZENG

DOI: https://doi.org/10.19363/j.cnki.cn10-1380/tn.2016.04.002

2016-01-01

Abstract:Traditional information security defense techniques have the feature of static and passive. Systems and security mechanisms are relatively fixed in a period of time. So attackers can continuously study the static target, and try to find the vulnerability of it. In order to improve the proactivity of security defense, some research programs that tried to“change the rules of the game”had been initialized throughout the world. MTD (moving target defense) and the Mimic-Defense are the emerging ideas of proactive defense. However, to achieve the purpose of proactive defense, in addition to the separate uses of techniques on key points, we also need a framework. Deferent defense mechanisms can be effectively cooperate in the framework to form a general “moving” and controlled proactive defense system. Traditional information system which does not have the build-in proactive defense mechanism can also run in this framework, and be benefited from the proac-tive defense mechanism to enhance the ability of defense. This paper presents a kind of framework that can effectively integrate different levels of proactive defense techniques and mechanisms, and is compatible with the traditional applica-tions. We call it self-transforming proactive defense network framework. This framework can archive the integration of build-in with bolt-on proactive defense techniques, the integration of multi-level and multi-granularity proactive defense techniques. It is compatible with traditional applications which do not have the build-in proactive defense mechanism, and provides ideas.to form a new generation of build-in proactive defense network architecture in the future.

Hao YIN,Dongchao GUO,Yongqiang LYU,Peng YANG,Zhiwei ZHAO,Yaoxue ZHANG

DOI: https://doi.org/10.1360/n112017-00171

2019-01-01

Abstract:Cyberspace security is vital to state interest. Recently, there are some challenges in cyber security. In architecture for instance, although protection mechanisms are introduced and applied everywhere, the modern network architecture (well connected and open) still has difficulty in completely ensuring cyber security. It is also observed that contemporary cyber security protection mechanism highly depends on the priori information of security threats and thus will hardly address unknown potential threats. In this paper, a novel cyberspace security protection framework is proposed. A dual-structural Internet scheme that integrates the current Internet architecture with a redundant secondary structure network characterized by its broad-storage scheme, heterogeneous structure, and dynamic protection mechanism is introduced. Also, a novel active defense mechanism that is knowledge-data driven and thus independent of the priori information of the security threat is proposed. Furthermore, some key techniques such as transparent access and prepositive active defense are introduced. The theoretical and technical work proposed in this paper offers a comprehensively evolutionary solution to constructing a cyberspace in which the protection mechanism is more independent and active.

Yushan Li,Jianping He,Cailian Chen,Xinping Guan

DOI: https://doi.org/10.48550/arXiv.1910.06461

2022-08-20

Abstract:The security issue of mobile robots has attracted considerable attention in recent years. In this paper, we propose an intelligent physical attack to trap mobile robots into a preset position by learning the obstacle-avoidance mechanism from external observation. The salient novelty of our work lies in revealing the possibility that physical-based attacks with intelligent and advanced design can present real threats, while without prior knowledge of the system dynamics or access to the internal system. This kind of attack cannot be handled by countermeasures in traditional cyberspace security. To practice, the cornerstone of the proposed attack is to actively explore the complex interaction characteristic of the victim robot with the environment, and learn the obstacle-avoidance knowledge exhibited in the limited observations of its behaviors. Then, we propose shortest-path and hands-off attack algorithms to find efficient attack paths from the tremendous motion space, achieving the driving-to-trap goal with low costs in terms of path length and activity period, respectively. The convergence of the algorithms is proved and the attack performance bounds are further derived. Extensive simulations and real-life experiments illustrate the effectiveness of the proposed attack, beckoning future investigation for the new physical threats and defense on robotic systems.

Robotics

Tiantian Zhu,Jinkai Yu,Tieming Chen,Jiayu Wang,Jie Ying,Ye Tian,Mingqi Lv,Yan Chen,Yuan Fan,Ting Wang

DOI: https://doi.org/10.48550/arXiv.2112.09008

2021-12-17

Abstract:Advanced Persistent Threat (APT) attack usually refers to the form of long-term, covert and sustained attack on specific targets, with an adversary using advanced attack techniques to destroy the key facilities of an organization. APT attacks have caused serious security threats and massive financial loss worldwide. Academics and industry thereby have proposed a series of solutions to detect APT attacks, such as dynamic/static code analysis, traffic detection, sandbox technology, endpoint detection and response (EDR), etc. However, existing defenses are failed to accurately and effectively defend against the current APT attacks that exhibit strong persistent, stealthy, diverse and dynamic characteristics due to the weak data source integrity, large data processing overhead and poor real-time performance in the process of real-world scenarios. To overcome these difficulties, in this paper we propose APTSHIELD, a stable, efficient and real-time APT detection system for Linux hosts. In the aspect of data collection, audit is selected to stably collect kernel data of the operating system so as to carry out a complete portrait of the attack based on comprehensive analysis and comparison of existing logging tools; In the aspect of data processing, redundant semantics skipping and non-viable node pruning are adopted to reduce the amount of data, so as to reduce the overhead of the detection system; In the aspect of attack detection, an APT attack detection framework based on ATT\&CK model is designed to carry out real-time attack response and alarm through the transfer and aggregation of labels. Experimental results on both laboratory and Darpa Engagement show that our system can effectively detect web vulnerability attacks, file-less attacks and remote access trojan attacks, and has a low false positive rate, which adds far more value than the existing frontier work.

Cryptography and Security

Hongchao Hu,Jiangxing Wu,Zhenpeng Wang,Guozhen Cheng

DOI: https://doi.org/10.1049/iet-ifs.2017.0086

2017-01-01

IET Information Security

Abstract:In recent years, both academia and industry in cyber security have tried to develop innovative defense technologies, expecting that to change the rules of the game between attackers and defenders. The authors start by analysing the root causes of security problems in cyberspace: (i) vulnerabilities in cyber systems are universal; (ii) current cyber systems are static, predictable and monoculture which allows adversaries to plan and launch attacks effectively; (iii) existing techniques cannot detect and eliminates attacks employing unknown vulnerabilities. Based on their analysis, they develop a novel defense framework, mimic defense (MD), that employs dynamic, heterogeneity, redundancy (DHR)' mechanism to defense cyber attacks. The main ideas behind MD are: constructing diverse functional equivalent variants for the protected target; scheduling some variants to run in parallel dynamically; and adopting policy-based arbitration mechanism to decide whose results of current running variants are correct. Theoretical analysis and simulation results show that DHR can significantly increase the difficulties for attackers and enhance the security of cyber systems, and the security enhancement can be more than ten times. They also present a proof-of-principle prototype that employ MD, mimic router, to examine its effectiveness. Finally, they conclude its limitations.

Kaigui Bian,Jung-Min Park,Ruiliang Chen

DOI: https://doi.org/10.1109/glocom.2006.266

2006-01-01

Abstract:Denial-of-Service (DoS) attacks pose a major threat to the availability of wireless ad hoc networks. Fault tolerant operation of wireless ad hoc networks will depend on the placement of DoS countermeasures in sufficiently robust form. In this paper, we describe a novel type of DoS attack called the Stasis Trap attack, and propose a technique for detecting such an attack. Stasis Trap attack has two distinguishing characteristics-it has a cross-layer design, and is stealthy. The Stasis Trap attack has a cross-layer design in that it is launched from the MAC layer but its aim is to degrade the end-to-end throughput of flows at the transport layer by exploiting TCP's congestion-control mechanism. Specifically, an adversary launches a Stasis Trap attack against neighboring nodes by periodically preempting the wireless channel in order to cause large variations in the round trip time (RTT) of TCP flows. Channel preemptions are carried out by manipulating the back-off mechanism of the Distributed Coordinating Function of the 802.11 MAC protocol. The periodic preemptions induce large RTT variations in the TCP flows that are within the transmission range of the adversary. This in turn causes a significant drop in the throughput of those flows, thereby creating a "stasis trap" around the adversary that entangles TCP flows. The aforementioned attack severely degrades end-to-end throughput but has very little effect on MAC-layer throughput, and hence it is very hard to detect at the MAC layer, which is its point of attack. In this sense, this attack is stealthy. To detect the Stasis Trap attack, we propose a minimax robust decentralized detection framework with robust hypothesis testing.

Cai Guilin,Wang Baosheng,Wang Tianzuo,Luo Yuebin,Wang Xiaofeng,Cui XinWu

DOI: https://doi.org/10.7544/issn1000-1239.2016.20150225

2016-01-01

Journal of Computer Research and Development

Abstract:Nowadays ,network configurations are typically deterministic ,static ,and homogeneous . These features reduce the difficulties for cyber attackers scanning the network to identify specific targets and gather essential information ,which gives the attackers asymmetric advantages of building up ,launching and spreading attacks .Thus the defenders are always at a passive position ,and the existing defense mechanisms and approaches cannot reverse this situation . Moving target defense (M TD) is proposed as a new revolutionary technology to alter the asymmetric situation of attacks and defenses .It keeps moving the attack surface of the protected target through dynamic shifting ,which can be controlled and managed by the administrator . In this way , the attack surface exposed to attackers appears chaotic and changes over time . Therefore , the work effort ,i .e ., the cost and complexity ,for the attackers to launch a successful attack ,will be greatly increased .As a result ,the probability of successful attacks will be decreased ,and the resiliency and security of the protected target will be enhanced effectively .In this paper ,we firstly introduce the basic concepts of M TD ,and classify the related works into categories according to their research field .Then ,under each category , we give a detailed description on the existing work ,and analyze and summarize them separately . Finally ,we present our understandings on M TD ,and summarize the current research status ,and further discuss the development trends in this field .