478 articles found
Exploring Attack Graphs for Security Risk Assessment: A Probabilistic Approach (cited by: 1)
1
Authors: GAO Ni, HE Yiyue. Wuhan University Journal of Natural Sciences (CAS, CSCD), 2018, Issue 2, pp. 171-177 (7 pages)
The attack graph methodology can be used to identify the potential attack paths that an attack can propagate. A risk assessment model based on Bayesian attack graph is presented in this paper. Firstly, attack graphs are generated by the MULVAL (Multi-host, Multistage Vulnerability Analysis) tool according to sufficient information of vulnerabilities, network configurations and host connectivity on networks. Secondly, the probabilistic attack graph is established according to the causal relationships among sophisticated multi-stage attacks by using Bayesian Networks. The probability of successful exploits is calculated by combining index of the Common Vulnerability Scoring System, and the static security risk is assessed by applying local conditional probability distribution tables of the attribute nodes. Finally, the overall security risk in a small network scenario is assessed. Experimental results demonstrate our work can deduce attack intention and potential attack paths effectively, and provide effective guidance on how to choose the optimal security hardening strategy.
Keywords: risk assessment; attack graph; Bayesian networks; prior probability
A network security situation awareness method based on layered attack graph
2
Authors: ZHU Yu-hui, SONG Li-peng. Journal of Measurement Science and Instrumentation (CAS, CSCD), 2019, Issue 2, pp. 182-190 (9 pages)
The real-time of network security situation awareness (NSSA) is always affected by the state explosion problem. To solve this problem, a new NSSA method based on layered attack graph (LAG) is proposed. Firstly, network is divided into several logical subnets by community discovery algorithm. The logical subnets and connections between them constitute the logical network. Then, based on the original and logical networks, the selection of attack path is optimized according to the monotonic principle of attack behavior. The proposed method can sharply reduce the attack path scale and hence tackle the state explosion problem in NSSA. The experimental results show that the generation of attack paths by this method consumes 0.029 s while the counterparts by other methods are more than 56 s. Meanwhile, this method can give the same security strategy with other methods.
Keywords: network security situation awareness (NSSA); layered attack graph (LAG); state explosion; community detection
A Novel Attack Graph Posterior Inference Model Based on Bayesian Network (cited by: 6)
3
Authors: Shaojun Zhang, Shanshan Song. Journal of Information Security, 2011, Issue 1, pp. 8-27 (20 pages)
Network attack graphs are originally used to evaluate what the worst security state is when a concerned network is under attack. Combined with intrusion evidence such as IDS alerts, attack graphs can be further used to perform security state posterior inference (i.e. inference based on observation experience). In this area, Bayesian network is an ideal mathematic tool, however it cannot be directly applied for the following three reasons: 1) in a network attack graph, there may exist directed cycles which are never permitted in a Bayesian network, 2) there may exist temporal partial ordering relations among intrusion evidence that cannot be easily modeled in a Bayesian network, and 3) just one Bayesian network cannot be used to infer both the current and the future security state of a network. In this work, we improve an approximate Bayesian posterior inference algorithm, the likelihood-weighting algorithm, to resolve the above obstacles. We give out all the pseudocodes of the algorithm and use several examples to demonstrate its benefit. Based on this, we further propose a network security assessment and enhancement method along with a small network scenario to exemplify its usage.
Keywords: network security; attack graph; posterior inference; Bayesian network; likelihood-weighting
Adaptive regulation-based Mutual Information Camouflage Poisoning Attack in Graph Neural Networks
4
Authors: Jihui Yin, Taorui Yang, Yifei Sun, Jianzhi Gao, Jiangbo Lu, Zhi-Hui Zhan. Journal of Automation and Intelligence, 2025, Issue 1, pp. 21-28 (8 pages)
Studies show that Graph Neural Networks (GNNs) are susceptible to minor perturbations. Therefore, analyzing adversarial attacks on GNNs is crucial in current research. Previous studies used Generative Adversarial Networks to generate a set of fake nodes, injecting them into clean GNNs to poison the graph structure and evaluate the robustness of GNNs. In the attack process, the computation of new node connections and the attack loss are independent, which affects the attack on the GNN. To improve this, a Fake Node Camouflage Attack based on Mutual Information (FNCAMI) algorithm is proposed. By incorporating Mutual Information (MI) loss, the distribution of nodes injected into the GNNs becomes more similar to the original nodes, achieving better attack results. Since the loss ratios of GNNs and MI affect performance, we also design an adaptive weighting method. By adjusting the loss weights in real-time through rate changes, larger loss values are obtained, eliminating local optima. The feasibility, effectiveness, and stealthiness of this algorithm are validated on four real datasets. Additionally, we use both global and targeted attacks to test the algorithm’s performance. Comparisons with baseline attack algorithms and ablation experiments demonstrate the efficiency of the FNCAMI algorithm.
Keywords: mutual information; adaptive weighting; poisoning attack; graph neural networks
Optimal Cyber-attack Evaluation for Cross-domain Cascading Failures Considering Spatiotemporal Synergy of Multiple Attack-event-chains
5
Authors: Yihan Liu, Yufei Wang, Hongru Wang, Qi Wang. CSEE Journal of Power and Energy Systems, 2026, Issue 1, pp. 495-507 (13 pages)
According to the dynamic interaction process between cyber flow and power flow in grid cyber-physical systems (GCPS), attackers could gradually trigger large-scale power failures through cooperative cyber-attacks, subsequently forming cross-domain cascading failures (CDCF) that cross cyber-domain and power-domain and endanger the stable running of GCPS. To reveal the evolutionary mechanism of CDCF, an optimal attack scheme evaluation method is proposed, considering the spatiotemporal synergy of multiple attack-event-chains. First, in accordance with the spatiotemporal synergy of multiple attack-event-chains, the CDCF evolutionary mechanism is analyzed from the attackers' perspective, and a CDCF mathematical model is established. Furthermore, an attack graph model of CDCF evolution and its hazard calculation method are proposed. Then, the attackers' decision-making process for the optimal attack scheme of CDCF is deduced based on the attack graph model. Finally, both the evaluation and implementation processes of the optimal attack scheme are simulated in the GCPS experimental system based on IEEE-39 bus systems.
Keywords: attack graph; cascading failure; cyber-attacks; grid cyber-physical system; optimal attack scheme
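Network Attack Detection Based on Improved GraphSAGE
6
Authors: 闫彦彤, 于文涛, 李丽红, 方伟. 《郑州大学学报(理学版)》 (PKU Core), 2026, Issue 1, pp. 27-34 (8 pages)
Deep-learning-based network attack detection models Euclidean data and cannot learn the structural features in attack data. To address this, a network attack detection algorithm based on an improved graph sample and aggregate (GraphSAGE) method is proposed. First, the attack data are converted from a flat structure into graph-structured data. Second, the GraphSAGE algorithm is improved: node and edge features are fused in the message-passing stage, the degree of influence of different source nodes on the target node is taken into account during message aggregation, and a residual learning mechanism is introduced when generating edge embeddings. Experimental results on two public network attack datasets show that, in the binary classification case, the overall performance of the proposed algorithm is better than that of the E-GraphSAGE, LSTM, RNN and CNN algorithms; in the multi-class case, the F1 score of the proposed algorithm is higher than that of the compared algorithms on most attack types.
Keywords: network attack detection; deep learning; graph neural network; graph sample and aggregate; attention mechanism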
A graph based system for multi-stage attacks recognition
7
Author: Safaa O. Al-Mamory. High Technology Letters (EI, CAS), 2008, Issue 2, pp. 167-173 (7 pages)
Building attack scenario is one of the most important aspects in network security. This paper proposed a system which collects intrusion alerts, clusters them as sub-attacks using alerts abstraction, aggregates the similar sub-attacks, and then correlates and generates correlation graphs. The scenarios were represented by alert classes instead of alerts themselves so as to reduce the required rules and have the ability of detecting new variations of attacks. The proposed system is capable of passing some of the missed attacks. To evaluate system effectiveness, it was tested with different datasets which contain multi-step attacks. Compressed and easily understandable correlation graphs which reflect attack scenarios were generated. The proposed system can correlate related alerts, uncover the attack strategies, and detect new variations of attacks.
Keywords: network security; intrusion detection; alert correlation; attack graph; scenario; clustering
Optimal monitoring and attack detection of networks modeled by Bayesian attack graphs
8
Authors: Armita Kazeminajafabadi, Mahdi Imani. Cybersecurity (EI, CSCD), 2024, Issue 1, pp. 1-15 (15 pages)
Early attack detection is essential to ensure the security of complex networks, especially those in critical infrastructures. This is particularly crucial in networks with multi-stage attacks, where multiple nodes are connected to external sources, through which attacks could enter and quickly spread to other network elements. Bayesian attack graphs (BAGs) are powerful models for security risk assessment and mitigation in complex networks, which provide the probabilistic model of attackers’ behavior and attack progression in the network. Most attack detection techniques developed for BAGs rely on the assumption that network compromises will be detected through routine monitoring, which is unrealistic given the ever-growing complexity of threats. This paper derives the optimal minimum mean square error (MMSE) attack detection and monitoring policy for the most general form of BAGs. By exploiting the structure of BAGs and their partial and imperfect monitoring capacity, the proposed detection policy achieves the MMSE optimality possible only for linear-Gaussian state space models using Kalman filtering. An adaptive resource monitoring policy is also introduced for monitoring nodes if the expected predictive error exceeds a user-defined value. Exact and efficient matrix-form computations of the proposed policies are provided, and their high performance is demonstrated in terms of the accuracy of attack detection and the most efficient use of available resources using synthetic Bayesian attack graphs with different topologies.
Keywords: multi-stage attacks; Bayesian attack graph; attack detection; optimal monitoring
Multiobjective network security dynamic assessment method based on Bayesian network attack graph
9
Authors: Jialiang Xie, Shanli Zhang, Honghui Wang, Mingzhi Chen. International Journal of Intelligent Computing and Cybernetics, 2024, Issue 1, pp. 38-60 (23 pages)
Purpose: With the rapid development of Internet technology, cybersecurity threats such as security loopholes, data leaks, network fraud, and ransomware have become increasingly prominent, and organized and purposeful cyberattacks have increased, posing more challenges to cybersecurity protection. Therefore, reliable network risk assessment methods and effective network security protection schemes are urgently needed. Design/methodology/approach: Based on the dynamic behavior patterns of attackers and defenders, a Bayesian network attack graph is constructed, and a multitarget risk dynamic assessment model is proposed based on network availability, network utilization impact and vulnerability attack possibility. Then, the self-organizing multiobjective evolutionary algorithm based on grey wolf optimization is proposed. And the authors use this algorithm to solve the multiobjective risk assessment model, and a variety of different attack strategies are obtained. Findings: The experimental results demonstrate that the method yields 29 distinct attack strategies, and then attacker’s preferences can be obtained according to these attack strategies. Furthermore, the method efficiently addresses the security assessment problem involving multiple decision variables, thereby providing constructive guidance for the construction of security network, security reinforcement and active defense. Originality/value: A method for network risk assessment methods is given. And this study proposed a multiobjective risk dynamic assessment model based on network availability, network utilization impact and the possibility of vulnerability attacks. The example demonstrates the effectiveness of the method in addressing network security risks.
Keywords: Bayesian network attack graph; multiobjective risk assessment model; GWO-SMEA; network security assessment
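A Survey of Research on Penetration Testing Applications in Satellite Networks
10
Authors: 赵博夫, 王布宏. 《计算机工程与应用》 (PKU Core), 2026, Issue 7, pp. 1-20 (20 pages)
With the deep deployment of satellite networks worldwide and their application across many fields, their security protection has increasingly become a focus of international attention. Penetration testing is an active security assessment technique that uses attack tools to simulate intrusions and discover security weaknesses in the target network. After outlining the composition of satellite networks, this paper systematically analyzes the characteristics and patterns of attack behavior against satellite networks and focuses on how penetration testing techniques are applied in the satellite domain. According to the penetration decision mechanism, the relevant techniques are divided into two classes, rule-based penetration testing and model-based penetration testing, and the specific applications of both in satellite network environments are described in detail. Drawing on the latest progress of large language model technology in penetration testing, the future development trends of satellite network penetration testing are discussed.
Keywords: satellite network; penetration testing; attack graph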
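DDoS Attack Detection Based on Takens-Transformer and GCN
11
Authors: 邓钰洋, 芦天亮, 李知皓, 孟昊阳, 李锦儒. 《计算机应用研究》 (PKU Core), 2026, Issue 2, pp. 567-576 (10 pages)
To address the weak adaptability and high computational cost of existing distributed denial-of-service (DDoS) attack detection, a Transformer model based on time-delay embedding and graph convolutional networks (TDE-TGCN) is proposed. The model uses Takens' theorem to model network traffic as a dynamical system and uses time-delay embedding to reveal the effect of DDoS attacks on the nonlinear characteristics of traffic; it uses a Transformer model to map traffic sequences into a high-dimensional space and captures burstiness and global correlations through multi-head attention; and it combines a graph convolutional network to mine topological information and cross-node attack patterns. On datasets such as CIC-IDS2017 and in unknown-attack scenarios simulated by feature mutation, TDE-TGCN reaches a detection accuracy of 98.7%, reduces the false positive rate to 1.2%, and improves computational efficiency by 35%; ablation experiments verify the significant contribution of each component to model performance. The study re-examines network traffic characteristics from a dynamical-systems perspective and proposes a detection framework that combines theory and practice, providing an effective technical solution for DDoS attack detection in complex network environments.
Keywords: network traffic; DDoS attack detection; Takens' theorem; graph convolutional network; Transformer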
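Research on APT Attack Attribution Based on Dynamic and Static Semantic Behavior Enhancement
12
Authors: 杨秀璋, 彭国军, 王晨阳, 周逸林, 李家琛, 武帅, 傅建明. 《武汉大学学报(理学版)》 (PKU Core), 2026, Issue 1, pp. 57-70 (14 pages)
Existing attribution of Advanced Persistent Threat (APT) attacks does not consider ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) tactics and techniques or attack semantic behavior enhancement, does not combine the dynamic and static perspectives to explore and achieve attribution analysis in which attack behaviors complement each other, and is easily evaded by packed and obfuscated APT malware. To address these problems, an APT attack attribution model based on dynamic and static semantic behavior enhancement (Advanced Persistent Threat Eye, APTEye) is proposed. First, a sample set of malware from APT groups is built and preprocessed. Second, the static and dynamic behavioral features of the malware are extracted. Third, behavior feature semantic enhancement and representation algorithms are designed: Attack2Vec maps static API features to the attack chain and semantic behaviors, and APISeq2Vec enhances the temporal semantic relationships of dynamic API sequences, achieving a mapping from low-level behavioral features to high-level attack patterns. Next, a dynamic-static feature alignment and behavior semantic aggregation algorithm is built to fuse the dynamic and static features of APT malware. Finally, a graph attention network model is built to attribute attacks to APT groups. Experimental results show that the APTEye model can effectively trace and attribute APT attacks, with precision, recall and F1 score of 92.24%, 91.85% and 92.04% respectively, all better than existing models. In addition, the APTEye model can effectively identify fine-grained dynamic and static API functions and attack behaviors and map them to ATT&CK tactics and techniques, supporting subsequent intent inference and attack blocking for APT attacks.
Keywords: advanced persistent threat; APT attack attribution; semantic behavior enhancement; graph attention network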
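Generative-Adversarial-Based Graph Injection Attack
13
Authors: 乔晓楠, 刘勇, 杨雷. 《黑龙江大学工程学报(中英俄文)》, 2026, Issue 1, pp. 43-52 (10 pages)
Graph neural networks (GNNs) perform well on graph-related tasks and have become an important tool in graph data analysis and machine learning. However, recent studies have found that they are vulnerable to adversarial attacks, which degrade their performance. Most existing work attacks by directly modifying the graph structure (for example, adding or deleting edges), which is hard to carry out in practice. Graph injection attack (GIA), a more realistic attack method, lets the attacker mount an attack only by injecting a small number of malicious nodes, without modifying existing nodes or edges. Most GIAs fail because defense and detection methods can easily identify and remove the injected nodes. A generative adversarial node injection attack (GANIA) method is proposed. It uses a generative adversarial network (GAN) to generate the features of the injected nodes and proposes a hierarchical target selection strategy that selects vulnerable original nodes layer by layer through a preprocessing filter, a degree filter and an edge filter. The GAN-generated nodes are connected to the vulnerable original nodes to precisely attack the target GNN. Experimental results show that, compared with other existing attack methods, GANIA achieves a significant improvement in attack effectiveness.
Keywords: graph neural network; graph injection attack; generative adversarial network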
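Attack-Graph-Assisted Service Function Chain Attack Recovery Method Based on Deep Reinforcement Learning
14
Authors: 周德强, 季新生, 游伟, 邱航, 杨杰. 《计算机科学》 (PKU Core), 2026, Issue 1, pp. 371-381 (11 pages)
With advantages such as on-demand orchestration and flexible networking, the service function chain (SFC) provides customized services for the six major 6G scenarios, while 6G networks place higher demands on SFC performance. Resilience receives attention for the first time in 6G networks, requiring the SFC to be able to keep its basic functions continuously stable, and resilient recovery is the key stage. Existing recovery methods are often based on backup mechanisms, which wastes resources, and they ignore the influence of attack paths on recovery, so the recovery effect is hard to guarantee. Therefore, taking the characteristics of network attacks fully into account, the SFC attack graph is used to determine a customized attack recovery plan for the SFC, including the VNF recovery scope and the required attack recovery level. To further solve for a placement scheme that meets the customized attack recovery plan, a deep-reinforcement-learning-based SFC attack recovery algorithm, DRL-SFCAR, is proposed. Simulation results show that, compared with existing methods, DRL-SFCAR performs well in latency and recovery cost while guaranteeing the recovery success rate; it can ensure the attack recovery effect while minimizing long-term recovery cost, providing a feasible scheme for SFC recovery in network attack scenarios.
Keywords: service function chain; resilient recovery; attack graph; deep reinforcement learning; cost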
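A Survey of Backdoor Attacks and Defenses on Graph Neural Networks
15
Authors: 丁艳, 丁红发, 喻沐然, 蒋合领. 《计算机科学》 (PKU Core), 2026, Issue 3, pp. 1-22 (22 pages)
In intelligent information systems driven by artificial intelligence, graph neural networks (GNNs), with their strong ability to model graph structure, are widely used for knowledge discovery and decision support in key scenarios such as social network analysis and financial risk control. However, such systems depend heavily on third-party data and models, which exposes GNNs to stealthy backdoor attacks. By injecting backdoor triggers or tampering with the model, an attacker can induce the system to produce preset wrong outputs for inputs that contain a specific pattern, undermining the trustworthiness and reliability of intelligent information services. To keep intelligent information systems secure and controllable, this paper systematically surveys research on GNN backdoor attacks and defenses at both the data and model levels. First, it analyzes in depth the backdoor attack risks that GNNs face in the dataset collection, model training and deployment stages, and builds a clear GNN backdoor attack-defense model. Second, according to the stage at which the attack is carried out and the attacker's capabilities, backdoor attacks are divided into 6 data-oriented attacks and 2 model-oriented attacks; according to the stage at which the defense is applied and the defender's capabilities, GNN backdoor defense methods are divided into data-oriented, model-oriented and robust-training-oriented defenses; the core principles and technical characteristics of each class of methods are compared in detail and their advantages and disadvantages are explained. Finally, the main challenges facing current research are summarized and future research directions are discussed. The proposed backdoor attack-defense model and taxonomy help in understanding the nature and technical evolution of GNN backdoor security threats in intelligent information systems and promote the secure design and practice of next-generation trustworthy intelligent information systems.
Keywords: graph neural network; backdoor attack; backdoor defense; backdoor trigger; data privacy and security; intelligent information system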
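Automated Network Security Risk Identification System Based on Knowledge Graph Analysis
16
Author: 曲峰. 《电子设计工程》, 2026, Issue 1, pp. 192-196 (5 pages)
In network security, as network attacks grow more complex and more frequent, traditional security defenses can no longer meet the need to counter new threats. This study therefore proposes a knowledge-graph-based model for automated identification of network security risk. The model collects multi-source data such as national vulnerability databases, builds a structured knowledge graph, extracts attack-related entities, relations and attributes, designs a knowledge-graph-based attack graph model, and introduces a Bayesian network to capture the probabilistic dependencies in attack paths and optimize attack path prediction. Experimental results show that when the dataset size reaches 1,000, the accuracy of the Bayesian network model reaches 0.98, significantly higher than the 0.82 of the Markov network and the 0.78 of the factor graph model; the false positive rates of the Bayesian network, Markov network and factor graph models are 0.21, 0.29 and 0.34 respectively. The Bayesian network shows high accuracy and a low false positive rate across the different attack types; for DDoS detection the accuracy is 0.976 and the false positive rate is 0.155. The results show that the Bayesian network model performs well in both accuracy and false positive rate, is efficient and precise especially when handling large-scale data and complex network environments, and can provide theoretical support and technical guidance for further research and practice in network security.
Keywords: knowledge graph; network security; risk; Bayesian network; attack graph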
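Research on Automated Red Team Testing Technology Based on Server Active Security
17
Authors: 周勇, 陈玺名, 程度, 仇晶, 袁启, 张献, 李晓辉. 《微电子学与计算机》, 2026, Issue 2, pp. 126-138 (13 pages)
Advanced Persistent Threats (APTs) pose a serious threat to the network security and privacy of government agencies, enterprises and other organizations. Existing red team testing lacks clear guidance on the order of attack actions, which makes reasoning about and verifying potential network threats inefficient. To solve this problem, an attack graph construction method based on partial-order planning is proposed. The method can predict potential threat paths quickly, accurately and in order. In addition, existing threat assessment metrics focus mainly on generic threat assessment and ignore how difficult a threat is to exploit in the actual network environment. To address this, a risk assessment model combining CVSS and proxy depth is proposed to measure risk more comprehensively. An attack-graph-based automated penetration testing tool is designed that automates the whole process of attack-path-based autonomous information gathering, penetration testing and post-exploitation testing. Validation in multiple network environments shows that the proposed method can effectively infer attack sequences and assess attack path feasibility efficiently and precisely, and ultimately guides automated penetration attacks to verify feasibility.
Keywords: attack graph; risk assessment; automated penetration; network attack and defense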
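Research on False Data Injection Attack Detection Based on the wk-GDNN Model
18
Authors: 曾洋, 李秀芹. 《电力信息与通信技术》, 2026, Issue 1, pp. 72-78 (7 pages)
False data injection attacks (FDIA) have a major impact on power grid security, and current deep learning still falls short in handling grid topology information and capturing long-term dependencies. To further improve the accuracy and robustness of current FDIA detection models for smart grids, this paper applies the Wiener-Khinchin (wk) theorem to process the data's frequency-domain information and proposes a Decoder-optimized graph frequency-domain convolutional neural network detection model (Wiener-Khinchin guided dual-domain neural network, wk-GDNN). The wk-GDNN model converts the temporal feature information hidden in the data into frequency-domain information, combines the grid-topology awareness of graph convolutional networks (GCN), and optimizes spatiotemporal feature extraction through the Decoder's ability to extract contextual information, which improves detection accuracy; its effectiveness is verified by simulation on the IEEE-14/118 node systems. Experimental results show that the model's F1 scores are 0.9798 and 0.9761 respectively, an average improvement of 6.67% in F1 score over the compared models. The results show that frequency-domain preprocessing based on the wk theorem, together with the subsequent cooperative decoding with frequency-domain graph convolution, provides a new multi-scale joint modeling paradigm for FDIA detection, from the time domain to the frequency domain and from the node to the system.
Keywords: smart grid; false data injection attack; graph convolutional network (GCN); spatiotemporal features; spectral convolution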
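Attack Path Mining Method for Oilfield Production Networks Based on Graph Neural Networks
19
Authors: 黄芳宁, 宋养齐, 兰鹏博, 芦鹏, 秦海峰. 《无线互联科技》, 2026, Issue 3, pp. 107-111 (5 pages)
In oilfield production networks with multi-standard wireless interconnection, the attack surface expands, threat chains penetrate across domains, and attack paths are hard to locate quickly. To address these problems, this paper proposes a graph-neural-network-based attack path mining method that builds a heterogeneous attack graph, uses a Graph Neural Network (GNN) for representation learning, maps the risk graph to a cost function, generates the Top-K high-risk attack paths to critical assets, and outputs an explanation set of key nodes and edges. Experimental results show that the method outperforms Common Vulnerability Scoring System (CVSS) cumulative multiplication, centrality ranking and traditional machine learning baselines on several metrics, and is suitable in engineering terms for oilfield security monitoring and coordinated protection.
Keywords: graph neural network; heterogeneous attack graph; attack path mining; oilfield production network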
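Research on an APT Attack Detection Model Fusing Provenance Graphs and Knowledge Graphs
20
Authors: 安渊, 鲍永庆. 《网络安全与数据治理》, 2026, Issue 3, pp. 10-16 (7 pages)
Advanced persistent threat (APT) attacks are highly stealthy, long-lasting and progress through multiple stages. To address these characteristics, a detection model is proposed that fuses a dynamic system-behavior provenance graph with a static threat intelligence knowledge graph. The model uses a spatiotemporal graph attention network to jointly model the spatial dependencies and temporal evolution in the attack chain. A graph attention network captures suspicious associations between entities and a gated recurrent unit models the staged evolution of behavior sequences, achieving end-to-end detection of the full APT attack chain. Experiments on the public Windows-APTs Dataset 2025 show that the proposed model performs well on the multi-class APT detection task, with an accuracy of 95.14% and an F1 score of 95.29%.
Keywords: APT attack detection; provenance graph; knowledge graph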