JOURNAL OF ZHEJIANG UNIVERSITY (ENGINEERING SCIENCE)
Network defense strategy based on cyber attack behavior prediction
REN Wu-ling (1), ZHAO Cui-wen (2), JIANG Guo-xin (1), David Maimon (3), Theodore Wilson (3), Bertrand Sobesto (3)
1. Network Information Center, Zhejiang Gongshang University, Hangzhou 310018, China; 2. College of Computer and Information Engineering, Zhejiang Gongshang University, Hangzhou 310018, China; 3. Clark School of Engineering, University of Maryland, Maryland 20742, US

Abstract  

A network defense strategy based on predicting the cyber attacker's behavior is proposed in order to stop cyber attacks effectively. Because intruders' behavior is highly random and uncertain, a network of high-interaction honeypots was deployed to collect attack data, in particular the commands an attacker issues after successfully compromising the host. From these data an attack state-transition diagram was generated. Combined with a hidden Markov model (HMM), whose likelihood computation is comparatively precise, this diagram was used to design a prediction model for the attacker's next action. Around the prediction model and a commonly used intrusion prevention system (IPS), a network defense strategy and its prototype system were built. The prototype was deployed on a real network for attack experiments. After training and validation on real data collected over 5 months, the prediction model reached an accuracy of 80%. The results show that the defense strategy resists network attacks well and can be used effectively to prevent them.
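The abstract describes the pipeline only at a high level: honeypot sessions become a state-transition diagram, an HMM is fitted to it, and the predicted next action drives the IPS. The following Python example, added here and not code from the paper, makes that pipeline concrete. The five hidden states (recon, escalate, download, persist, cover), the command vocabulary, the five labelled training sessions and the "high-risk" state set are all constructed assumptions for illustration; the paper derives its states and transition data from its own honeypot logs. The model is trained by counting (state, command) pairs with add-one smoothing, a scaled forward pass gives the filtered state distribution and session log-likelihood, and a small policy function turns the predicted next state into a block/monitor decision.

```python
"""Attack-behaviour prediction with a hidden Markov model (illustrative).

Hidden states are phases of a post-compromise session (the nodes of an
attack state-transition diagram); observations are the shell commands a
honeypot records. The training sessions below are constructed for this
example and are not honeypot data from the paper.
"""
import math
from collections import defaultdict

STATES = ["recon", "escalate", "download", "persist", "cover"]
UNK = "<unk>"                      # bucket for commands never seen in training
HIGH_RISK = {"download", "persist"}  # assumed: phases the IPS should pre-empt

# Constructed (state, command) sessions standing in for labelled honeypot logs.
TRAINING_SESSIONS = [
    [("recon", "whoami"), ("recon", "uname"), ("recon", "cat /etc/passwd"),
     ("download", "wget"), ("download", "chmod"), ("persist", "crontab"),
     ("cover", "history -c")],
    [("recon", "uname"), ("recon", "ls"), ("escalate", "sudo"),
     ("download", "curl"), ("download", "chmod"), ("persist", "useradd"),
     ("cover", "rm")],
    [("recon", "whoami"), ("escalate", "sudo"), ("escalate", "cat /etc/passwd"),
     ("download", "wget"), ("persist", "crontab"), ("cover", "history -c")],
    [("recon", "ls"), ("recon", "uname"), ("download", "wget"),
     ("download", "chmod"), ("cover", "rm")],
    [("recon", "whoami"), ("escalate", "sudo"), ("download", "curl"),
     ("persist", "useradd"), ("persist", "crontab"), ("cover", "history -c")],
]


class AttackHMM:
    """Discrete HMM fitted by counting labelled sessions (add-one smoothing)."""

    def __init__(self, sessions):
        self.vocab = sorted({cmd for s in sessions for _, cmd in s}) + [UNK]
        n, m = len(STATES), len(self.vocab)
        init = defaultdict(int)
        trans = defaultdict(lambda: defaultdict(int))
        emit = defaultdict(lambda: defaultdict(int))
        for session in sessions:
            init[session[0][0]] += 1
            for (s, _), (t, _) in zip(session, session[1:]):
                trans[s][t] += 1
            for s, cmd in session:
                emit[s][cmd] += 1
        # Add-one smoothing keeps every transition and emission possible, so a
        # sequence the honeypots never produced still gets a finite likelihood.
        self.pi = [(init[s] + 1) / (len(sessions) + n) for s in STATES]
        self.A = [[(trans[s][t] + 1) / (sum(trans[s].values()) + n)
                   for t in STATES] for s in STATES]
        self.B = [[(emit[s][c] + 1) / (sum(emit[s].values()) + m)
                   for c in self.vocab] for s in STATES]

    def _obs_index(self, cmd):
        return self.vocab.index(cmd if cmd in self.vocab else UNK)

    def forward(self, commands):
        """Scaled forward pass: (log-likelihood, filtered distribution over STATES)."""
        log_lik, alpha = 0.0, None
        for cmd in commands:
            o = self._obs_index(cmd)
            if alpha is None:
                raw = [self.pi[i] * self.B[i][o] for i in range(len(STATES))]
            else:
                raw = [sum(alpha[j] * self.A[j][i] for j in range(len(STATES)))
                       * self.B[i][o] for i in range(len(STATES))]
            scale = sum(raw)
            log_lik += math.log(scale)
            alpha = [x / scale for x in raw]
        return log_lik, alpha

    def predict_next_state(self, commands):
        """Most likely next hidden state and its probability given the commands so far."""
        _, alpha = self.forward(commands)
        nxt = [sum(alpha[j] * self.A[j][i] for j in range(len(STATES)))
               for i in range(len(STATES))]
        best = max(range(len(STATES)), key=nxt.__getitem__)
        return STATES[best], nxt[best]


def defend(model, commands, min_confidence=0.3):
    """IPS decision: block when the predicted next phase is high-risk and confident enough."""
    state, prob = model.predict_next_state(commands)
    action = "block" if state in HIGH_RISK and prob >= min_confidence else "monitor"
    return state, round(prob, 3), action


if __name__ == "__main__":
    hmm = AttackHMM(TRAINING_SESSIONS)
    for observed in (["ls"], ["whoami", "sudo"], ["whoami", "nc -e /bin/sh"]):
        print(observed, "->", defend(hmm, observed))
```

With these constructed sessions, a lone `ls` keeps the session in the recon phase and is only monitored, while `whoami` followed by `sudo` makes a tool download the most likely next step and triggers a block before the download command is seen. The unknown-command bucket and the smoothing are what keep the model from failing on the randomness the abstract mentions; in practice the `min_confidence` threshold would be tuned against the false-positive rate the IPS can tolerate.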



Published: 01 December 2014
CLC:  TP 393  
Cite this article:

REN Wu-ling, ZHAO Cui-wen, JIANG Guo-xin, David Maimon, Theodore Wilson, Bertrand Sobesto. Network defense strategy based on cyber attack behavior prediction. JOURNAL OF ZHEJIANG UNIVERSITY (ENGINEERING SCIENCE), 2014, 48(12): 2144-2151.

URL:

http://www.zjujournals.com/eng/10.3785/j.issn.1008-973X.2014.12.007     OR     http://www.zjujournals.com/eng/Y2014/V48/I12/2144


Chinese title and abstract (translated)

Network defense strategy based on attack behavior prediction

To block network attacks effectively, a network attack defense method based on attack behavior prediction is proposed. Because an intruder's attack behavior is highly random and uncertain, a high-interaction honeypot network is deployed to collect the attack data generated after the intruder breaks into a host, and an attack state-transition graph is built from these data. Exploiting the comparatively precise likelihood computation of the hidden Markov model (HMM), a network attack behavior prediction model is designed. With the prediction model as its core and combined with a commonly used intrusion prevention system, an active defense strategy is constructed; the corresponding prototype system is developed and deployed in a real network for attack experiments. After training and validation on five months of accumulated real data, the prediction model reaches an accuracy of 80%. The results show that the strategy resists network attacks well and can be used effectively to prevent them.
