Genghong Lu,Dongqin Feng

DOI: https://doi.org/10.23919/icif.2018.8455208

2018-01-01

Abstract:Due to the wide implementation of communication networks, industrial control systems are vulnerable to malicious attacks, which could cause potentially devastating results. Adversaries launch integrity attacks by injecting false data into systems to create fake events or cover up the plan of damaging the systems. In addition, the complexity and nonlinearity of control systems make it more difficult to detect attacks and defense it. Therefore, a novel security situation awareness framework based on particle filtering, which has good ability in estimating state for nonlinear systems, is proposed to provide an accuracy understanding of system situation. First, a system state estimation based on particle filtering is presented to estimate nodes state. Then, a voting scheme is introduced into hazard situation detection to identify the malicious nodes and a local estimator is constructed to estimate the actual system state by removing the identified malicious nodes. Finally, based on the estimated actual state, the actual measurements of the compromised nodes are predicted by using the situation prediction algorithm. At the end of this paper, a simulation of a continuous stirred tank is conducted to verify the efficiency of the proposed framework and algorithms.

Yunpeng Li,Xi Li

DOI: https://doi.org/10.1155/2021/9921731

2021-05-07

Scientific Programming

Abstract:With the rapid development of the Internet, network attacks often occur, and network security is widely concerned. Searching for practical security risk assessment methods is a research hotspot in the field of network security. Network attack graph model is an active detection technology for the attack path. From the perspective of the attacker, it simulated the whole network attack scenario and then presented the dependency among the vulnerabilities in the target network in the way of directed graph. It is an effective tool for analyzing network vulnerability. This paper describes in detail the common methods and tools of network security assessment and analyzes the construction of theoretical model of attack graph, the optimization technology of attack graph, and the research status of qualitative and quantitative analysis technology of attack graph in network security assessment. The attack graph generated in the face of large-scale network is too complex to find the key vulnerability nodes accurately and quickly. Optimizing the attack graph and solving the key attack set can help the security manager better understand the security state of the nodes in the network system, so as to strengthen the security defense ability and guarantee the security of the network system. For all kinds of loop phenomena of directed attribute attack graph, the general method of eliminating loop is given to get an acyclic attack graph. On the basis of acyclic attack graph, an optimization algorithm based on path complexity is proposed, which takes atomic attack distance and atomic weight into consideration, and on the basis of simplified attack graph, minimum-cost security reinforcement is carried out for the network environment. Based on the ant colony algorithm, the adaptive updating principle of changing pheromone and the local searching strategy of the adaptive genetic algorithm are proposed to improve the ant colony algorithm. The experimental results show that compared with the ant colony algorithm, the improved ant colony algorithm can speed up the process of solving the optimal solution. When the number of attack paths is large, the advantages of the improved ant colony algorithm in solving accuracy and late search speed are more obvious, and it is more suitable for large-scale networks.

computer science, software engineering

Geng-hong LU,Dong-qin FENG

DOI: https://doi.org/10.13195/j.kzyjc.2016.0551

2017-01-01

Abstract:The attacks against the industrial control network have different types and various attack intensity. Under this circumstance, the traditional detection techniques cannot identify the multiple types of attacks effectively, and can not assess the security situations of the industrial control network comprehensively and accurately. Therefore, the industrial control network security situation awareness model is proposed. Firstly, the rule extraction can be done by applying the improved C-SVC algorithm to the multi-sensor data. Then with the application of decision fusion algorithm, the decision-level fusion is completed and the results of situation awareness are procured. The simulation experiment results show that the proposed model and algorithms can distinguish multiple types of attacks effectively, identify the attacks that are launched against the industrial control system accurately, and generate the results of situation awareness.

Rui Wen,Jianyu Wang,Chunming Wu,Jian Xiong

DOI: https://doi.org/10.1145/3366424.3391266

2020-01-01

Abstract:Given a large graph with millions of vertices and different types, how can we spot anomalies and find potential adversaries in time? Most graph-based fraud detection algorithms focus on finding dense blocks, discovering local subgraphs, designing belief propagation, and latent factor models. However, as fraudsters in online social networks gradually become adversarial, distributed, and invisible, it is easy for them to evade traditional detection methods. Even worse, existing detection systems are fragile to the new attacks. Once attackers update their tragedies, they will be inefficient. Our focus is to detect potential adversaries as soon as possible. We design and propose ASA (Adversary Situation Awareness), a system that (a) uncovers potential adversaries in time, (b) utilizes heterogeneous information in the graph, and (c)is effective in real-world data. We do experiments on a heterogeneous graph including 198,541 nodes with five types and 224,384 edges. The result shows that ASA can spot potential adversaries and successfully recovers 60 of potential abnormal users within a few minutes. Additionally, after two months we deployed it, ASA could achieve 90 recall, which means ASA can well discover a small number of adversaries with a latent period in time.

Hongbin Gao,Shangxing Wang,Hongbin Zhang,Bin Liu,Dongmei Zhao,Zhen Liu

DOI: https://doi.org/10.1109/nana56854.2022.00102

2022-01-01

Abstract:This paper has a new network security evaluation method as an absorbing Markov chain-based assessment method. This method is different from other network security situation assessment methods based on graph theory. It effectively refinement issues such as poor objectivity of other methods, incomplete consideration of evaluation factors, and mismatching of evaluation results with the actual situation of the network. Firstly, this method collects the security elements in the network. Then, using graph theory combined with absorbing Markov chain, the threat values of vulnerable nodes are calculated and sorted. Finally, the maximum possible attack path is obtained by blending network asset information to determine the current network security status. The experimental results prove that the method fully considers the vulnerability and threat node ranking and the specific case of system network assets, which makes the evaluation result close to the actual network situation.

Guang Kou,Shuo Wang,Guangming Tang

DOI: https://doi.org/10.1049/cje.2018.10.007

IF: 1.019

2019-01-01

Chinese Journal of Electronics

Abstract:This paper analyzed the existing network security situation evaluation methods and discovered that they cannot accurately reflect the features of large-scale, synergetic, multi-stage gradually shown by network attack behaviors. For this purpose, the association between attack intention and network configuration information was deep analyzed. Then a network security situation evaluation method based on attack intention recognition was proposed. Unlike traditional method, the evaluation method was based on intruder. This method firstly made causal analysis of attack event and discovered and simplified intrusion path to recognize every attack phases, then realized situation evaluation based on the attack phases. Lastly attack intention was recognized and next attack phase was forecasted based on achieved attack phases, combined with vulnerability and network connectivity. A simulation experiments for the proposed network security situation evaluation model is performed by network examples. The experimental results show that this method is more accurate on reflecting the truth of attack. And the method does not need training on the historical sequence, so the method is more effective on situation forecasting.

engineering, electrical & electronic

Ying Liu,Dongqin Feng

DOI: https://doi.org/10.1109/iccasit48058.2019.8973161

2019-01-01

Abstract:Computer network technology has been increasingly infiltrated into the industrial control system and made the security problems more complex and changeable. Network security situation awareness technology can perceive the real-time threats that the network faced, and provide reliable basis for decision-making. This paper mainly focuses on the situation assessment and introduces finite state machine and fuzzy logic theory. Finite state machine can intuitively show the internal state transition of the industrial control system and detect the malicious packet attack's type and severity. Fuzzy logic balances the semantic fuzziness and event uncertainty in the process of situation assessment, fuses the output data of the state machine and obtains the threat level which is helpful for decision analysis. Proved, the method proposed in this paper can give a reasonable and accurate security assessment of industrial control system.

ZHANG Yong,TAN Xiao-Bin,CUI Xiao-Lin,XI Hong-Sheng

DOI: https://doi.org/10.3724/sp.j.1001.2011.03751

2011-01-01

Abstract:To accurately evaluate security situation states,this paper proposes an approach to network security situation awareness(NSSA) based on Hidden Markov Model(HMM).It gains standardized data of network structure information,assets,threats and vulnerabilities via fusing variety system security data collected by multi-sensors.For every asset,this paper associates its suffered threats with its vulnerabilities to analyze the sequence of its security incidents,establishes HMMs to analyze security situation factors of confidentiality,integrity and availability.Using sliding window mechanism it trains segmented sequence of security incidents and it gains the parameters of HMM's through update algorithm with forgetting factor.According to the HMMs and security incidents sequence it evaluates security situation factors of one asset's and entire network.Depending on the application background it evaluates security situation states of different network system.The investigation of evaluation to a specific network indicates that the approach is suitable for actual network environment and the evaluation result is precise and efficient.

WANG Chun-lei,FANG Lan,WANG Dong-xia,DAI Yi-qi

DOI: https://doi.org/10.1109/iccet.2010.5486194

2012-01-01

Computer Science

Abstract:Network security situation awareness provides the unique high level security view based upon the security alert events. But the complexities and diversities of security alert data on modern networks make such analysis extremely difficult. In this paper, we analyze the existing problems of network security situation awareness system and propose a framework for network security situation awareness based on knowledge discovery. The framework consists of the modeling of network security situation and the generation of network security situation. The purpose of modeling is to construct the formal model of network security situation measurement based upon the D-S evidence theory, and support the general process of fusing and analyzing security alert events collected from security situation sensors. The generation of network security situation is to extract the frequent patterns and sequential patterns from the dataset of network security situation based upon knowledge discovery method and transform these patterns to the correlation rules of network security situation, and finally to automatically generate the network security situation graph. Application of the integrated Network Security Situation Awareness system (Net-SSA) shows that the proposed framework supports for the accurate modeling and effective generation of network security situation.

Yehong Yang

DOI: https://doi.org/10.2991/WARTIA-16.2016.25

2016-05-14

Abstract:With the popularity of computers, the Internet has entered the production and all aspects of social life, but the attendant problem of network security has become the focus of widespread concern. Network security situation awareness to effectively respond to network security issues provide a viable solution: for complex network environments and malicious attacks, a comprehensive analysis of attacks against various parts of the network system, from a macro point of view of network security situation be assess and predict the future of network security situation based on this information. For the predictive accuracy of prediction system for network security situation has improved significantly, and network security situation prediction method based on machine learning for the network security situation prediction have a high degree feasible, in the real network security situation awareness applications have certain research and practical value. Introduction of Network Security Situational Awareness Network security situation is the current status and trends of the entire information from a variety of factors operating conditions of various network devices, network behavior and user behavior constituted. Network security situational awareness can acquire, understand and display the network environment of security elements. Through a series of technical means in time and space, are fully aware of network security and access and associated elements as possible in a pluralistic, and the establishment of a network based on complex behaviors modeling and simulation situational analysis and pre-side system, and then integrate and analyze vast amounts of security associated with the network-related data. Network security situation awareness is a scientific and effective network security situation assessment and use of relevant technologies to make reasonable predictions about trends over time network security, network management personnel in advance to remind the network system for network equipment, network peer node hosts and data resources to make reasonable adjustments, upgrades and backup, network environment to address the risk of possible future harm to the network system, losses may result down to an acceptable range . Extract information network security situation is carried out on the basis of situational awareness that only a comprehensive collection of data and the use of sophisticated index system, to ensure the correctness of the results of the assessment. Therefore, in the design process model or system must pay attention to select a metric system. Network security situation is a source of diverse, different collection methods, different devices collect data formats, network security situation letter from mainly contains configuration, operating status, traffic, user behavior and other information.

Computer Science

LI Jia-rui,LING Xiao-bo,LI Chen-xi,LI Zi-mu,YANG Jia-hai,ZHANG Lei,WU Cheng-nan

DOI: https://doi.org/10.11896/jsjkx.210800107

2022-01-01

Computer Science

Abstract:In order to overcome the difficulties that current attack graph model cannot reflect real-time network attack events,a method is proposed including a forward risk probability update algorithm and a forward-backward combined risk probability update algorithm,which meets the needs of real-time analyzing network security.It first performs specific quantitative analysis on the uncertainty of each node in the graph,and uses Bayesian networks to calculate their static probabilities.After that,it updates the dynamic probability of each node along the forward and backward paths according to the real-time network security events,instantly reflecting the changes of external conditions and assessing real-time risk levels across the network.Experimental results show that the method can calibrate and adjust the risk probability of each node according to the actual situation,which helps the network operator correctly understand the dangerous levels of the network and make better decision for defense and prevention of the next attack.

Zhaocui Li,Huichuan Liu,Chunyan Wu

DOI: https://doi.org/10.1080/23742917.2022.2120293

2022-09-10

Journal of Cyber Security Technology

Abstract:The traditional security detection and defense methods are relatively backward, and there are many problems, such as high false alarm and missed alarm rate, and detection lag, which have been difficult to meet the requirements of computer security defense. In order to strengthen the active defense of computer network security and improve the classification and prediction performance of computer network security events, a computer network security risk assessment model based on mrmr Ig feature selection model and attack graph model is proposed. The mrmr Ig feature selection model is used to classify the characteristics of security events, and the hidden Markov chain model and attack graph model are used to predict the attack intention. The experimental results show that the classification accuracy rate of the model is 99.79%, the false alarm rate and the false alarm rate are 0.11% and 0.18%, respectively. The model can accurately predict attacks in real time, and can provide reference for timely taking targeted computer network security reinforcement and active defense measures.

Wenhui Hu,Long Zhang,Xueyang Liu,Yu Huang,Minghui Zhang,Liang Xing

DOI: https://doi.org/10.1109/bigdatasecurity-hpsc-ids49724.2020.00033

2020-01-01

Abstract:In view of the problem that the overall security of the network is difficult to evaluate quantitatively, we propose the edge authority attack graph model, which aims to make up for the traditional dependence attack graph to describe the relationship between vulnerability behaviors. This paper proposed a network security metrics based on probability, and proposes a network vulnerability algorithm based on vulnerability exploit probability and attack target asset value. Finally, a network security reinforcement algorithm with network vulnerability index as the optimization target is proposed based on this metric algorithm.

Hongyu Yang,Zixin Zhang,Lixia Xie,Liang Zhang

DOI: https://doi.org/10.1002/int.22867

IF: 8.993

2022-03-02

International Journal of Intelligent Systems

Abstract:To solve the problems that existing network security situation assessment (NSSA) methods are difficult to extract features and have poor timeliness, an NSSA method with network attack behavior classification (NABC) is proposed. First, an NABC model is designed. The model combines features and advantages of a parallel feature extraction network (PFEN), a bidirectional gate recurrent unit (BiGRU), and the attention mechanism (ATT). The PFEN module is composed of parallel sparse autoencoders which extract key data from different network attack behaviors. The BiGRU module gets the time‐series relationship from the state of three different time periods, finds potential representation rules from network attack behaviors. The ATT module pays more attention to the network traffic key information and improves the NABC accuracy. Second, the NABC detects and classifies attacks from network behaviors, the occurrence number of each attack behavior, and the error probability matrix are counted. Finally, the occurrence number of each attack behavior is corrected according to the error probability matrix, and the network security situation value is calculated through combining the severity factor of each attack behavior. The experimental results show that the precision and recall of the NABC model are improved by 5.28% and 5.65%, respectively, compared with the conventional method. The comparison experiment with the classical situation assessment method also proves that the proposed method can assess the overall situation of network security more effectively and comprehensively.

computer science, artificial intelligence

Xiaohong Shi,Chenglong Liu,Gong Chen,Huihui Tang,Song He

DOI: https://doi.org/10.1109/icetci55101.2022.9832324

2022-05-27

Abstract:The development of the Internet has brought a lot of convenience to people, but it also has some drawbacks and threats. For netizens, the study of the network security situation(SS) is the protection of privacy and security, as well as the maintenance of basic rights. Therefore, the research on network security situation assessment(NSSA) is based on security considerations. It can help people better understand this problem and take corresponding measures to control and prevent possible dangers. This article mainly uses experimental method and data method to carry out relevant research on AHP and NSSA and prediction technology(PT). Experimental results show. In the second to third time periods, the number of messages collected and the number of Trojan horse attacks changed inversely, and the fluctuations changed sharply. This shows that it is necessary to apply the analytic hierarchy process(AHP) for situation assessment.

Computer Science

Yukun Zheng,Kun Lv,Changzhen Hu

DOI: https://doi.org/10.1007/978-3-319-64701-2_25

2017-01-01

Abstract:With the rapid development of network, network security issues become increasingly important. It is a tough challenge to evaluate the network security due to the increasing vulnerabilities. In this paper, we propose a quantitative method for evaluating network security based on attack graph. We quantify the importance of nodes and the maximum reachable probability of nodes, and construct a security evaluation function to calculate the security risk score. Our approach focuses on the attacker's view and considers the most important factors that may affect the network security. The parameters we use are easily to be acquired in any network. Thus, the assessment score gotten through the evaluation function can comprehensively reflect the security level. According to the security risk value, security professionals can take appropriate countermeasures to harden the network. Experimental results prove that this model solves the security evaluation problem efficiently.

Junwei Zhang,Huamin Feng,Biao Liu,Dongmei Zhao

DOI: https://doi.org/10.3390/s23052608

IF: 3.9

2023-02-27

Sensors

Abstract:Network security situation awareness (NSSA) is an integral part of cybersecurity defense, and it is essential for cybersecurity managers to respond to increasingly sophisticated cyber threats. Different from traditional security measures, NSSA can identify the behavior of various activities in the network and conduct intent understanding and impact assessment from a macro perspective so as to provide reasonable decision support, predicting the development trend of network security. It is a means to analyze the network security quantitatively. Although NSSA has received extensive attention and exploration, there is a lack of comprehensive reviews of the related technologies. This paper presents a state-of-the-art study on NSSA that can help bridge the current research status and future large-scale application. First, the paper provides a concise introduction to NSSA, highlighting its development process. Then, the paper focuses on the research progress of key technologies in recent years. We further discuss the classic use cases of NSSA. Finally, the survey details various challenges and potential research directions related to NSSA.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Donghang Liu,Lihua Dong,Shaoqing Lv,Ying Dong,Fannv He,Chensi Wu,Yuqing Zhang,Hua Ma

DOI: https://doi.org/10.1007/978-3-319-64701-2_33

2017-01-01

Abstract:As an active topic in the research field, network security situation assessment can reflect the security situation from a global perspective. However, existing assessment approaches rely on detection threshold to make decisions, leading to massive false positives and false negatives. This paper proposes a confidence-based network security situation assessment approach that preserves the probability information in attack detection. We use the ensemble learning algorithm and D-S evidence theory to obtain the attack confidence, and calculate the network security situation value through the situation elements fusion. Experiment results demonstrate that this approach is effective and accurate.

Xiaochun Xiao,Huan Wang,Gendu Zhang

DOI: https://doi.org/10.1109/fcst.2008.26

2008-01-01

Abstract:The risk assessment for network information system has experienced a stage from rule-based questionnaire investigation to model-based assessment. Many graph-based models have been proposed and applied to risk assessment. Attack Graph is widely used one. But attack graphs grow exponentially with the size of the network. In this paper, we propose a comprehensive framework for network vulnerabilities modeling and risk assessment by policy rules violations based on the access graph. As a complement to the attack graph approach, the access graph grows polynomially with the number of hosts and so has the benefit of scaling better to more practical, realistic size networks. This paper presents a novel risk assessment model for network information system based access graph. Compared with related works, our approach improves the performance and reduces the computational cost.

Yonggang Wang,Yi Miao,Yang Yang,Zhong Chen,Jianbin Hu

2009-01-01

China Communications

Abstract:With the development of computer networks, the attacks with respect to them are increasing explosively. It is a very important problem for security testers to test the security situation of a specific network (i.e., to use a method to model all the possible attacks within the environment). Of all the modeling methods, the Network Attack Graph is widely used because of its Visual Intuition. Under this circumstance, this paper firstly introduces the construction methods of the Network Attack Graph, then describes its application in the network security, and lastly previews some research directions of the Network Attack Graph.