Network defense strategy based on cyber attack behavior prediction
REN Wu-ling1, ZHAO Cui-wen2, JIANG Guo-xin1, David Maimon3, Theodore Wilson3, Bertrand Sobesto3
1. Network Information Center, Zhejiang Gongshang University, Hangzhou 310018, China; 2. College of Computer and Information Engineering, Zhejiang Gongshang University, Hangzhou 310018, China; 3. Clark School of Engineering, University of Maryland, Maryland 20742, US
Abstract: A network defense strategy based on the prediction of cyber attackers' behaviors is presented in order to effectively prevent cyber attacks. Intruders' behaviors show strong randomness and uncertainty. A network of high-interaction honeypots was deployed to collect attack data, especially the behavior data of attackers after they had successfully intruded on the host system. From the attack data, an attack state-transition diagram was generated. Combining this diagram with a hidden Markov model (HMM), which has fairly precise likelihood probability characteristics, a cyber attacker behavior prediction model was designed. With the prediction model and a generally used intrusion prevention system (IPS), a network defense strategy and its prototype system were proposed. The prototype system was deployed to a real network for attack testing. Through training and verification with real data over 5 months, the model obtained a prediction accuracy rate of 80%. The result shows that the network defense strategy has good resistance to network attacks and can be effectively used to prevent cyber attacks.
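As an added illustration (not the paper's code and not its trained parameters), a toy version of the prediction step described above: hidden attack states are inferred from observed post-compromise command classes with the HMM forward algorithm, the next state is predicted through the transition matrix, and a threshold on the predicted probability of a persistence step serves as the hand-off to an IPS. The state names, observation classes and all probabilities are constructed assumptions.

```python
# Toy HMM over post-compromise attacker behaviour (constructed example, not the
# paper's model). Hidden states follow an attack state-transition diagram; the
# observations are coarse classes of commands seen on a high-interaction honeypot.
STATES = ["recon", "escalate", "download", "persist"]
OBS = ["ls", "sudo", "wget", "crontab"]  # observed command classes (constructed)

# Constructed transition matrix: A[i][j] = P(next state j | current state i)
A = {
    "recon":    {"recon": 0.4, "escalate": 0.4, "download": 0.15, "persist": 0.05},
    "escalate": {"recon": 0.1, "escalate": 0.3, "download": 0.5,  "persist": 0.1},
    "download": {"recon": 0.1, "escalate": 0.1, "download": 0.3,  "persist": 0.5},
    "persist":  {"recon": 0.2, "escalate": 0.1, "download": 0.2,  "persist": 0.5},
}
# Constructed emission matrix: B[s][o] = P(observed class o | state s)
B = {
    "recon":    {"ls": 0.7, "sudo": 0.1, "wget": 0.1, "crontab": 0.1},
    "escalate": {"ls": 0.1, "sudo": 0.7, "wget": 0.1, "crontab": 0.1},
    "download": {"ls": 0.1, "sudo": 0.1, "wget": 0.7, "crontab": 0.1},
    "persist":  {"ls": 0.1, "sudo": 0.1, "wget": 0.1, "crontab": 0.7},
}
PI = {"recon": 0.7, "escalate": 0.1, "download": 0.1, "persist": 0.1}  # initial state prior


def forward(observations):
    """Forward algorithm: (likelihood of the sequence, belief over the current hidden state)."""
    if not observations:
        return 1.0, dict(PI)
    alpha = {s: PI[s] * B[s][observations[0]] for s in STATES}
    for o in observations[1:]:
        alpha = {j: B[j][o] * sum(alpha[i] * A[i][j] for i in STATES) for j in STATES}
    likelihood = sum(alpha.values())
    belief = {s: alpha[s] / likelihood for s in STATES}
    return likelihood, belief


def next_state_distribution(observations):
    """Push the current belief one step through the transition matrix."""
    _, belief = forward(observations)
    return {j: sum(belief[i] * A[i][j] for i in STATES) for j in STATES}


def predict_next(observations):
    """Most likely next attack state and most likely next observed command class."""
    nxt = next_state_distribution(observations)
    next_obs = {o: sum(nxt[s] * B[s][o] for s in STATES) for o in OBS}
    return max(nxt, key=nxt.get), max(next_obs, key=next_obs.get)


def should_block(observations, threshold=0.4):
    """Defense decision: hand the session to the IPS when a persistence step is predicted."""
    return next_state_distribution(observations)["persist"] >= threshold
```

With the constructed parameters, the sequence `ls, sudo, wget` puts most of the belief on the download state and predicts persistence next, which crosses the blocking threshold; a sequence of only `ls` commands does not.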
Published: 01 December 2014
Network defense strategy based on attack behavior prediction
In order to effectively block network attack behavior, a network attack defense method based on attack behavior prediction is proposed. Since intruders' attack behavior is highly random and uncertain, a high-interaction honeypot network is deployed to collect the attack data generated after intruders have compromised a host, and an attack state-transition diagram is constructed from it; using the property of the hidden Markov model (HMM) that it computes likelihood probabilities fairly precisely, a network attack behavior prediction model is designed. With the attack behavior prediction model as its core, combined with a commonly used intrusion prevention system, an active defense strategy is constructed and a corresponding prototype system is developed, which is deployed in a real network system for attack experiments. Through training and verification with 5 months of accumulated real data, the prediction model reaches an accuracy rate of 80%. The results show that the strategy has good resistance to network attacks and can be effectively used to prevent network attacks.