226 articles found
1. Cluster Detection Method of Endogenous Security Abnormal Attack Behavior in Air Traffic Control Network (cited by: 1)
Authors: Ruchun Jia, Jianwei Zhang, Yi Lin, Yunxiang Han, Feike Yang. Computers, Materials & Continua (SCIE, EI), 2024, No. 5, pp. 2523-2546 (24 pages)
In order to enhance the accuracy of Air Traffic Control (ATC) cybersecurity attack detection, in this paper, a new clustering detection method is designed for air traffic control network security attacks. The feature set for ATC cybersecurity attacks is constructed by setting the feature states, adding recursive features, and determining the feature criticality. The expected information gain and entropy of the feature data are computed to determine the information gain of the feature data and reduce the interference of similar feature data. An autoencoder is introduced into the AI (artificial intelligence) algorithm to encode and decode the characteristics of ATC network security attack behavior to reduce the dimensionality of the ATC network security attack behavior data. Based on the above processing, an unsupervised learning algorithm for clustering detection of ATC network security attacks is designed. First, determine the distance between the clustering clusters of ATC network security attack behavior characteristics, calculate the clustering threshold, and construct the initial clustering center. Then, the new average value of all feature objects in each cluster is recalculated as the new cluster center. Second, it traverses all objects in a cluster of ATC network security attack behavior feature data. Finally, the cluster detection of ATC network security attack behavior is completed by the computation of objective functions. The experiment took three groups of experimental attack behavior data sets as the test object, and took the detection rate, false detection rate and recall rate as the test indicators, and selected three similar methods for comparative test. The experimental results show that the detection rate of this method is about 98%, the false positive rate is below 1%, and the recall rate is above 97%. Research shows that this method can improve the detection performance of security attacks in air traffic control network.
Keywords: Air traffic control network; security attack behavior; cluster detection; behavioral characteristics; information gain; cluster threshold; automatic encoder
2. Attack Behavior Extraction Based on Heterogeneous Cyberthreat Intelligence and Graph Convolutional Networks (cited by: 1)
Authors: Binhui Tang, Junfeng Wang, Huanran Qiu, Jian Yu, Zhongkun Yu, Shijia Liu. Computers, Materials & Continua (SCIE, EI), 2023, No. 1, pp. 235-252 (18 pages)
The continuous improvement of the cyber threat intelligence sharing mechanism provides new ideas to deal with Advanced Persistent Threats (APT). Extracting attack behaviors, i.e., Tactics, Techniques, Procedures (TTP) from Cyber Threat Intelligence (CTI) can facilitate APT actors' profiling for an immediate response. However, it is difficult for traditional manual methods to analyze attack behaviors from cyber threat intelligence due to its heterogeneous nature. Based on the Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) of threat behavior description, this paper proposes a threat behavioral knowledge extraction framework that integrates Heterogeneous Text Network (HTN) and Graph Convolutional Network (GCN) to solve this issue. It leverages the hierarchical correlation relationships of attack techniques and tactics in the ATT&CK to construct a text network of heterogeneous cyber threat intelligence. With the help of the Bidirectional Encoder Representation from Transformers (BERT) pretraining model to analyze the contextual semantics of cyber threat intelligence, the task of threat behavior identification is transformed into a text classification task, which automatically extracts attack behavior in CTI, then identifies the malware and advanced threat actors. The experimental results show that F1 achieves 94.86% and 92.15% for the multi-label classification tasks of tactics and techniques. Extend the experiment to verify the method's effectiveness in identifying the malware and threat actors in APT attacks. The F1 for malware and advanced threat actors identification task reached 98.45% and 99.48%, which are better than the benchmark model in the experiment and achieve state of the art. The model can effectively model threat intelligence text data and acquire knowledge and experience migration by correlating implied features with a priori knowledge to compensate for insufficient sample data and improve the classification performance and recognition ability of threat behavior in text.
Keywords: attack behavior extraction; cyber threat intelligence (CTI); graph convolutional network (GCN); heterogeneous textual network (HTN)
3. A Behavior-based Buffer Overflow Attack Blocker
Authors: ZHANG Li-yuan, Jin Li. 《电脑知识与技术》, 2010, No. 4, pp. 2544-2549 (6 pages)
A common way to gain control of victim hosts is to launch buffer overflow attacks by remote exploits. This paper proposes a behavior-based buffer overflow attacker blocker, which can dynamically detect and prevent remote buffer overflow attacks by filtering out the client requests that contain malicious executable codes. An important advantage of this approach is that it can block the attack before the exploit code begins affecting the target program. The blocker is composed of three major components, packet decoder, disassembler, and behavior-based detection engine. It decodes the network packets, extracts possible instruction sequences from the payload, and analyzes whether they contain attack behaviors. Since this blocker based its effectiveness on the commonest behavior patterns of buffer overflow shellcode, it is expected to detect not only existing attacks but also zero-day attacks. Moreover, it has the capability of detecting attack-size obfuscation.
4. Evacuation simulation considering action of guard in artificial attack (cited by: 4)
Authors: Chang-Kun Chen, Yun-He Tong. Chinese Physics B (SCIE, EI, CAS, CSCD), 2019, No. 1, pp. 275-282 (8 pages)
To investigate the evacuation behaviors of pedestrians considering the action of guards and to develop an effective evacuation strategy in an artificial attack, an extended floor field model is proposed. In this model, the artificial attacker's assault on pedestrians, the death of pedestrians, and the guard's capture are involved simultaneously. An alternative evacuation strategy which can largely reduce the number of casualties is developed and the effects of several key parameters such as the deterrence radius and capture distance on evacuation dynamics are studied. The results show that congestion near the exit has dual effects. More specifically, the guard can catch all attackers in a short time because the artificial attackers have a more concentrated distribution, but more casualties can occur because it is hard for pedestrians to escape the assault due to congestion. In contrast, when pedestrians have more preference of approaching the guard, although the guard will take more time to capture the attackers resulting from the dispersion of the attackers, the death toll will decrease. One of the reasons is the dispersal of the crowd, and the decrease in congestion is beneficial for escape. The other is that the attackers will be caught before launching the attack on the people who are around the guard, in other words, the guard protects a large number of pedestrians from being killed. Moreover, increasing capture distance of the guard can effectively reduce the casualties and the catch time. As the deterrence radius reflecting the tendency of escaping from the guard for attackers rises, it becomes more difficult for the guard to catch the attackers and more casualties are caused. However, when the deterrence radius reaches a certain level, the number of deaths is reduced because the attackers prefer to stay as far away as possible from the guard rather than occupy a position where they could assault more people.
Keywords: evacuation behavior; artificial attack; floor field model
5. An Unknown Trojan Detection Method Based on Software Network Behavior (cited by: 2)
Authors: LIANG Yu, PENG Guojun, ZHANG Huanguo, WANG Ying. Wuhan University Journal of Natural Sciences (CAS), 2013, No. 5, pp. 369-376 (8 pages)
Aiming at the difficulty of unknown Trojan detection in the APT flooding situation, an improved detecting method has been proposed. The basic idea of this method originates from advanced persistent threat (APT) attack intents: besides dealing with damaging or destroying facilities, the more essential purpose of APT attacks is to gather confidential data from target hosts by planting Trojans. Inspired by this idea and some in-depth analyses on recently happened APT attacks, five typical communication characteristics are adopted to describe application's network behavior, with which a fine-grained classifier based on Decision Tree and Naïve Bayes is modeled. Finally, with the training of supervised machine learning approaches, the classification detection method is implemented. Compared with general methods, this method is capable of enhancing the detection and awareness capability of unknown Trojans with less resource consumption.
Keywords: targeted attack; unknown Trojan detection; software network behavior; machine learning
6. Calculation of the Behavior Utility of a Network System: Conception and Principle (cited by: 5)
Author: Changzhen Hu. Engineering, 2018, No. 1, pp. 78-84 (7 pages)
The service and application of a network is a behavioral process that is oriented toward its operations and tasks, whose metrics and evaluation are still somewhat of a rough comparison. This paper describes scenes of network behavior as differential manifolds. Using the homeomorphic transformation of smooth differential manifolds, we provide a mathematical definition of network behavior and propose a mathematical description of the network behavior path and behavior utility. Based on the principle of differential geometry, this paper puts forward the function of network behavior and a calculation method to determine behavior utility, and establishes the calculation principle of network behavior utility. We also provide a calculation framework for assessment of the network's attack-defense confrontation on the strength of behavior utility. Therefore, this paper establishes a mathematical foundation for the objective measurement and precise evaluation of network behavior.
Keywords: network metric evaluation; differential manifold; network behavior utility; network attack-defense confrontation
7. Two-Tier GCT Based Approach for Attack Detection
Authors: Zhiwen Wang, Qin Xia, Ke Lu. Journal of Software Engineering and Applications, 2008, No. 1, pp. 60-67 (8 pages)
The frequent attacks on network infrastructure, using various forms of denial of service attacks, have led to an increased need for developing new techniques for analyzing network traffic. If efficient analysis tools were available, it could become possible to detect the attacks and to take action to weaken those attacks appropriately before they have had time to propagate across the network. In this paper, we propose an SNMP MIB oriented approach for detecting attacks, which is based on two-tier GCT by analyzing causal relationship between attacking variable at the attacker and abnormal variable at the target. According to the abnormal behavior at the target, GCT is executed initially to determine preliminary attacking variable, which has whole causality with abnormal variable in network behavior. Depending on behavior feature extracted from abnormal behavior, we can recognize attacking variable by using GCT again, which has local causality with abnormal variable in local behavior. Proactive detecting rules can be constructed with the causality between attacking variable and abnormal variable, which can be used to give alarms in network management system. The results of experiment showed that the approach with two-tier GCT was proved to detect attacks early, with which attack propagation could be slowed through early detection.
Keywords: network behavior; attack detection; Granger causality test; Management Information Base
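8. Relationship between peripheral blood CRP and IL-17 expression and the severity of mania and destructive aggressive behavior in patients with mania
Authors: 卢立荣, 刘端甫, 刘志云. 《中国医学创新》, 2025, No. 25, pp. 163-166 (4 pages)
Objective: To explore the relationship between peripheral blood CRP and IL-17 expression and the severity of mania and destructive aggressive behavior in patients with mania. Methods: A total of 102 patients with mania admitted to the Third People's Hospital of Ji'an from January 2023 to August 2024 were selected (mania group), and 50 healthy volunteers undergoing physical examination in the same period were selected as the control group. All underwent peripheral blood CRP and IL-17 testing, and the Bech-Rafaelsen Mania Rating Scale (BRMS) and the Modified Overt Aggression Scale (MOAS) were used to assess the severity of mania and destructive aggressive behavior in the patients with mania. Peripheral blood CRP and IL-17 levels were compared among the groups, and correlation analysis was used to examine the relationship between peripheral blood CRP and IL-17 expression and the severity of mania and destructive aggressive behavior in patients with mania. Results: Peripheral blood CRP and IL-17 levels in the mania group were higher than those in the control group, and the differences were statistically significant (P<0.001). Peripheral blood CRP and IL-17 levels in the severe mania group were higher than those in the moderate mania group and the mild mania group, and the differences were statistically significant (P<0.001); peripheral blood CRP and IL-17 levels in the moderate mania group were higher than those in the mild mania group, and the differences were statistically significant (P<0.001). The MOAS score of the mania group was higher than that of the control group, and the difference was statistically significant (P<0.001). The correlation between peripheral blood CRP and IL-17 expression and the severity of mania was analyzed with Spearman rank correlation, and the correlation between peripheral blood CRP and IL-17 expression and the MOAS score was analyzed with linear correlation; the results showed that peripheral blood CRP and IL-17 expression in mania was positively correlated with the severity of mania and with the MOAS score (P<0.001). Conclusion: Peripheral blood CRP and IL-17 are highly expressed in patients with mania and are closely related to the severity of mania and destructive aggressive behavior.
Keywords: mania; CRP; IL-17; severity of mania; destructive aggressive behavior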
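9. Distributed security detection of industrial control computer business behavior based on federated learning (cited by: 1)
Authors: 李健俊, 王万江, 陈鹏, 张帅, 张利宏, 李威, 董惠良. 《计算机集成制造系统》 (PKU Core), 2025, No. 3, pp. 841-854 (14 pages)
In the era of the industrial Internet, different vendors hope to obtain a more complete security detection model by sharing local data, but once connected to the Internet, local data is more easily stolen; federated learning can achieve both data privacy protection and sharing by exchanging model parameters. Existing security detection methods for industrial computers still have some shortcomings: (1) they rarely consider extracting feature models from business behavior; (2) they have difficulty solving the model drift caused by tampering with local data; (3) the network structure of a detection system with front-end detection and back-end analysis adds communication channels from the back-end management network to the front-end control network, thereby introducing new attack paths into the management network. To address these problems, a federated-learning-based distributed security detection method for industrial control computer business behavior is proposed, comprising a business behavior feature detection method for industrial control computers, a federated learning model aggregation method that assigns weights based on information entropy, and a data transmission reconstruction method based on forwarding hardware. The method can improve the accuracy of identifying attacks against industrial control application protocols, mitigate the model drift caused by data pollution on industrial control computers, and prevent attackers from using the analysis back end of the management network to carry out remote attacks. A prototype system was implemented and experimentally validated in the control system of cigarette making and filter assembling equipment; compared with related methods that do not model business behavior, the proposed method improved detection accuracy for man-in-the-middle attacks and remote attacks by 17% and 24%, respectively. Validation on a proprietary dataset and a public dataset shows that the method's accuracy is 0.6% to 2.4% higher than that of three commonly used aggregation algorithms; after a data poisoning attack, the accuracy drop of the proposed method was 0.6% and 1.1%, whereas the other algorithms dropped by 1.1% to 7.5% and 1.5% to 4.5%. The method can also prevent attackers from exploiting vulnerabilities in the management network's detection back end to launch remote attacks on the control network, reducing the attack surface.
Keywords: industrial control system; business behavior detection; federated learning; data poisoning; attack filtering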
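10. Study on the shear performance of grey brick masonry with hemp-fiber clay mortar under sulfate attack
Authors: 张家玮, 许耀蓉, 黄玮, 刘生纬, 刘廷滨, 谭靖琛. 《兰州交通大学学报》, 2025, No. 3, pp. 20-28 (9 pages)
To study the effect of a sulfate attack environment on the shear performance of grey brick masonry with hemp-fiber clay mortar, taking the salt concentration in the mortar joints of actual brick heritage buildings as the test background, a semi-immersion wet-dry cycling test was used to simulate the capillary migration path of sulfate, and the shear performance, failure modes and load-displacement curves of the grey brick masonry were studied. The results show that, as the number of cycles increases, flaky and blocky spalling appears at the edges of the grey bricks and the mortar joints, respectively; the shear strength of the grey brick masonry in the sulfate environment first increases and then decreases, reaching its maximum at 9 cycles and falling to its minimum of 0.032 MPa at 15 cycles, 33.33% lower than the deionized water group; all the grey brick masonry specimens failed in a brittle manner, and the failure modes of the bonding interface were mainly interfacial bond-slip failure and mortar failure. The microstructure of the specimens before and after cycling reveals that the accumulation of sulfate in the early cycles blocks the pores of the specimens, which can improve the shear performance of grey brick masonry with hemp-fiber clay mortar; in the later cycles it damages the pores of the specimens, causing the shear performance to decline.
Keywords: sulfate attack; brick masonry; shear performance; failure mode; load-displacement curve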
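11. Network attack mitigation framework based on normalized processing and TrafficLLM (cited by: 1)
Authors: 成凯, 汤卫东, 谈林涛, 陈佳, 李鑫. 《计算机科学》 (PKU Core), 2025, No. S1, pp. 994-1002 (9 pages)
As the scale of power distribution and transformation network infrastructure continues to grow, the information and communication traffic data generated by various secondary security devices, edge terminal nodes and business systems differs significantly in format, protocol and semantic features. The main pain points are that existing mitigation frameworks lack a normalization algorithm for multi-source heterogeneous network anomalous traffic detection data, that network attack behavior analysis relies on rule engines with manual feature extraction, and that effective network attack mitigation measures are difficult to determine. To address these pain points, a Network Attack Mitigation Framework Based on Normalized Processing and TrafficLLM (NAMF-NPTLLM) is proposed. The framework covers four core stages: data parsing, normalization, model fine-tuning and generation of attack mitigation plans. First, in the feature selection stage, an ensemble learning model is built that fuses the feature evaluation results of multiple types of base learners to accurately extract the key features with the greatest influence on the classification result. Second, the selected key features are normalized to produce a unified representation as a natural-language token sequence, providing standardized input for the TrafficLLM model that performs traffic anomaly analysis in the framework. Then the TrafficLLM model is fine-tuned so that it can understand prompt template instructions and learn the traffic patterns of attack behavior. Finally, the fine-tuned large model performs inference to generate attack mitigation instructions, allowing the framework to adjust the network attack mitigation strategy dynamically according to the characteristics of the attack behavior. In experiments on the CIC-DDoS2019 dataset, compared with traditional methods, the framework achieved an accuracy of 99.80% in classifying network attack behavior, an improvement of 1.3%. The experimental results show that the framework offers better accuracy and effectiveness in mitigating traffic attacks on massive numbers of multi-source heterogeneous power network terminals.
Keywords: attack behavior detection; data parsing; normalization; ensemble learning model; network attack mitigation; parameter fine-tuning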
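12. Network security situation prediction technology based on attack behavior chains
Authors: 李德军, 黄金涛, 陈海英, 吉庆兵. 《信息安全与通信保密》, 2025, No. 8, pp. 40-49 (10 pages)
Predicting subsequent network attacks is a key and representative part of network security situation prediction, and also one that is extremely difficult to implement. The effectiveness of the prediction model directly determines whether subsequent potential attack behavior and compound network attack behavior can be accurately identified, providing effective support for deploying network defense measures in advance and adjusting security policies. To address the problem that Advanced Persistent Threats (APT) are difficult to discover in advance, a network security situation prediction technology based on attack behavior chains is proposed, and a multi-step attack prediction model is built. A set of attack sequences is constructed using the analysis matrix of the Adversarial Tactics, Techniques, and Common Knowledge Framework (ATT&CK), and semi-supervised time-series prediction and anomaly identification are then combined to learn from sequences of network security situation events, so that early warning information about network attacks is obtained in advance and the shift from passive response to active defense is achieved, which helps build a more robust and fast-reacting security defense system.
Keywords: behavior chain; time series analysis; attack prediction; Markov decision; sequence-to-sequence model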
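13. Network attack behavior detection method based on ensemble learning (cited by: 1)
Authors: 周侠, 朱义杰, 吴宇佳, 杨义. 《无线互联科技》, 2025, No. 9, pp. 100-104 (5 pages)
To address the problem that traditional network attack intrusion detection methods struggle to cope effectively with complex and changing new forms of network attack, the article proposes a network attack behavior detection method based on ensemble learning. The method combines three weak learners, random forest, naive Bayes and a neural network, into a strong learner, and obtains the final prediction by taking a weighted average of the weak learners' predicted probabilities for the input sample. Experimental results on a public dataset show that the algorithm's detection accuracy reaches 96.9%, about 5% higher than the support vector machine, random forest and neural network methods, 12.4% higher than the logistic regression method, and 10.0% higher than the naive Bayes method; other metrics also improved to varying degrees, and the network attack behavior detection task was completed effectively.
Keywords: attack behavior detection; ensemble learning; artificial intelligence; feature selection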
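14. Cross-lagged analysis of the bidirectional relationship between trait anger and aggressive behavior in junior high school students
Authors: 程时祥, 张华威, 张萌. 《校园心理》, 2025, No. 6, pp. 484-489 (6 pages)
Objective: To explore the mutual influence between trait anger and aggressive behavior in junior high school students. Methods: Using the Trait Anger Questionnaire and the Buss-Warren Aggression Questionnaire, 298 students at a junior high school in Shandong Province were followed with three measurements over 12 months from March 2023 to March 2024: baseline (T1), 6 months (T2) and 12 months (T3). Repeated-measures analysis of variance and cross-lagged analysis were performed on the data. Results: (1) Trait anger and aggressive behavior in junior high school students were positively correlated across the three measurements at the three time points. (2) There was a main effect of time for trait anger and aggressive behavior; multiple comparisons found no statistically significant difference in trait anger among the three measurements, while the level of aggressive behavior at T3 was higher than at T1 and T2. (3) Cross-lagged analysis showed that T1 trait anger positively predicted T2 aggressive behavior and T2 trait anger positively predicted T3 aggressive behavior; T1 aggressive behavior positively predicted T2 trait anger and T2 aggressive behavior positively predicted T3 trait anger (all P<0.05). Conclusion: Trait anger and aggressive behavior in junior high school students positively influence each other over time. Parents and schools should take measures to intervene in the cycle of trait anger and aggression, so as to safeguard the healthy development of junior high school students and maintain campus safety.
Keywords: aggressive behavior; trait anger; campus safety; junior high school students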
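15. Detection and analysis of network attack behavior based on adversarial machine learning (cited by: 1)
Author: 温何雨. 《软件》, 2025, No. 11, pp. 178-180 (3 pages)
In response to the increasingly severe network security situation, this paper studies a network attack behavior detection method based on adversarial machine learning. First, a multi-dimensional feature system is built, taking attack feature vectors, attack scale and other items as input, and network anomalous behavior is extracted intelligently through an adversarial training strategy; second, detection precision is effectively improved through the design of a multi-classifier cooperative detection mechanism, dynamic adjustment of classifier weights and fusion of detection results. Test results show that the method's detection rate on the test dataset is no lower than 98%, significantly better than the comparison methods, and that it has good detection capability for typical network attacks such as DoS, R2L and U2R and for some new attack patterns, and can provide an effective technical solution for network security protection.
Keywords: computer technology; adversarial machine learning; network attack behavior detection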
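16. Study on the optimal exit layout for classroom crowd evacuation under sudden attack behavior
Authors: 菅肖霞, 李文宇, 林志阳. 《安全与环境学报》 (PKU Core), 2025, No. 1, pp. 216-226 (11 pages)
To study the dynamics of crowd evacuation in a classroom with multiple obstacles under sudden attack behavior and to design the optimal exit layout, a classroom crowd evacuation model for sudden attack behavior was built on the potential-function cellular automaton model, and the pedestrian update rules were reconstructed to take into account the effect of the attack behavior on evacuation. High-density crowd evacuation dynamics were simulated for single-side two-exit and three-exit layouts, with all exit widths of 0.8 m, 1.2 m and 1.6 m respectively, and one attacker located at the front, middle or rear of the classroom. The results show that, under the same exit layout, when the attacker is at the rear of the classroom, the crowd cannot both escape forward and watch the attacker behind, so evacuation takes the longest; with two exits, increasing the exit width gives pedestrians more selectable target positions and likewise gives the attacker more selectable target positions, so that the number of casualties in the scenario first increases and then decreases; with three exits, at an exit width of 1.6 m the evacuation time is the shortest of all cases, 29.2% shorter than in the two-exit case.
Keywords: public safety; pedestrian evacuation; potential-function cellular automaton model; sudden attack behavior; exit layout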
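17. Python-based DDoS attack tracing method for embedded communication software
Authors: 陈梦娟, 刘亚. 《长江信息通信》, 2025, No. 5, pp. 117-119 (3 pages)
To achieve real-time detection and early warning of DDoS attacks, a DDoS attack tracing method was designed on the basis of Python, taking a certain piece of embedded communication software as an example. An entropy indicator is introduced, and Python's data interaction capability is used to exchange the software's low-level runtime information in order to extract and monitor DDoS attack traffic features in real time; the monitored traffic feature data is used for association matching of DDoS attack behavior sequences in the communication software; the attack packets confirmed by association matching are marked, so that the attack path is recorded and traced. Comparative experimental results show that the designed method not only monitors DDoS attack traffic against embedded communication software accurately, but also, on top of immediate attack warning, traces the attack source precisely.
Keywords: Python; association matching; attack behavior sequence; tracing method; DDoS attack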
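18. Research on network attack behavior identification based on adversarial machine learning
Author: 刘笑梅. 《无线互联科技》, 2025, No. 8, pp. 98-101 (4 pages)
To measure network node risk precisely and improve the reliability of attack behavior detection results, the article designs a network attack behavior identification method based on adversarial machine learning. An adversarial training strategy is introduced, features of network anomalous behavior are extracted through adversarial machine learning, and the extracted anomalous behavior features are used to build a risk measurement model, thereby measuring the risk of anomalous behavior. Taking into account the degree to which network behavior deviates from the normal state, a Support Vector Regression (SVR) model is introduced, and the measurement results are used as input features of the SVR model to identify attack behavior. Comparative experimental results show that the designed method not only measures node risk values precisely, but also identifies anomalous network data accurately, ensuring the identification precision of anomalous attack behavior.
Keywords: adversarial machine learning; risk measurement; feature extraction; support vector regression model; network attack behavior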
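19. A federated learning method resistant to label-flipping attacks
Authors: 周景贤, 韩威, 张德栋, 李志平. 《信息安全研究》 (PKU Core), 2025, No. 3, pp. 205-213 (9 pages)
Because users who take part in federated learning training have a high degree of autonomy and their identities are hard to verify, federated learning is vulnerable to label-flipping attacks, which cause the model to learn wrong patterns from wrong labels and reduce overall model performance. To resist label-flipping attacks effectively, a dilution-protection federated learning method that trains the model in multiple stages is proposed. The method randomly partitions the training dataset and uses a dilution-protection federated learning algorithm to distribute part of the data to the clients taking part in training, limiting the amount of data each client holds and preventing malicious participants with large amounts of data from having a large effect on the model. After each training stage ends, gradient clustering is performed, via a dimensionality reduction algorithm, on the gradients of all training rounds in that stage, in order to identify potential malicious participants and restrict their training in the next stage. In addition, the global model parameters are saved at the end of each stage, ensuring that each stage's training builds on the model from the previous stage. Experimental results on datasets show that the method reduces the impact of the attack without harming model accuracy, and that model convergence speed improved by 25.2% to 32.3% on average.
Keywords: federated learning; data security; malicious behavior; label-flipping attack; defense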
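20. Research on identifying anomalous behavior in large-scale network attack traffic in the context of network security
Author: 方慧婷. 《信息化研究》, 2025, No. 4, pp. 54-62, 68 (10 pages)
Because large-scale network attack traffic data has high-dimensional features, which leads to low accuracy in identifying anomalous behavior in network attack traffic, research on identifying anomalous behavior in large-scale network attack traffic in the context of network security is proposed. The research captures attacker behavior by connecting multiple kinds of network security devices, links external threat intelligence sources to build profiles, and obtains identification samples; using the Stacking ensemble method, it builds a traffic anomalous behavior identification model containing isolation forest, support vector machine, random forest and logistic regression classifiers to solve the high-dimensional feature problem. The model identifies anomalous behavior in large-scale network attack traffic following the stratified sampling criterion and the principle of K-fold cross-validation. Experimental results show that the minimum Kappa coefficient for each label is above 0.96, close to 1; the identification accuracy averages 93.4%, higher than the other comparison methods; and the method can locate anomalous regions accurately, finding that attacks are concentrated mainly on intranet hosts, are mainly DDoS and DoS attacks, and mostly occur between 20:00 and 24:00, with reasonable alert levels. The method can effectively identify anomalous behavior in large-scale network attack traffic, has strong application value, and is suitable for solving network anomaly problems.
Keywords: network security; network traffic; network attack; Stacking ensemble framework; anomalous behavior identification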