Abstract: To quickly and accurately locate the high-priority attacker IPs that most urgently need handling among multi-source, heterogeneous, high-volume network threat intrusion alert logs, and to build profiles of them, thereby relieving the alert fatigue of security analysts and improving security-operations efficiency, an attacker IP analysis system based on an ensemble-based local outlier factor (EBLOF) algorithm is proposed. On one hand, the system extracts and merges normalized network security alert logs, builds features along the attribute dimension and the attack-behavior dimension of attacker IPs, and, drawing on the idea of ensemble learning and the traditional anomaly detection algorithm LOF, constructs a robust EBLOF model to discover high-threat attacker IPs. On the other hand, to address the difficulty of updating machine learning models online, the system builds an online-learning architecture using batch real-time learning, ensuring at the system-architecture level rather than the algorithm level that the model can be updated online. The proposed model is trained on the public anomaly detection dataset ODD, and its detection performance is verified experimentally. The experimental results show that, under different data distributions, the proposed model is more robust than the original LOF model. The proposed system is applied in real attack-defense scenarios, and a comparative analysis of its detections against those of security analysts verifies its effectiveness and feasibility.
Funding: supported by the National Natural Science Foundation of China (No. 61433006); the Key Research Project of Zhejiang Province, China (No. 2017C01062); the Open Research Project of the State Key Laboratory of Industrial Control Technology, Zhejiang University, China (No. ICT1800422); the Opening Project of Shanghai Key Laboratory of Integrated Administration Technologies for Information Security, China (No. AGK2018003); the Department of Education of Zhejiang Province, China (No. Y201840611); and the Zhejiang Provincial Natural Science Foundation of China (No. LY16F020019).
Abstract: Security issues in networked control systems (NCSs) have received increasing attention in recent years. However, security protection often requires extra energy consumption, computational overhead, and time delays, which could adversely affect a real-time, energy-limited system. In this paper, random cryptographic protection is implemented. It is less expensive with respect to computational overhead, time, and energy consumption than persistent cryptographic protection. Considering weak attackers who have little system knowledge, limited attacking capability, and a desire for stealthiness, random zero-measurement attacks are introduced as the malicious modification of measurements into zero signals. The NCS is modeled as a stochastic system with two correlated Bernoulli-distributed stochastic variables representing the implementation of random cryptographic protection and the occurrence of random zero-measurement attacks; its stochastic stability can be analyzed using a linear matrix inequality (LMI) approach. The proposed stochastic stability analysis can help determine the proper probability of running random cryptographic protection against random zero-measurement attacks that occur with a certain probability. Finally, a simulation example is presented based on a vertical take-off and landing (VTOL) system. The results show the effectiveness, robustness, and applicability of the proposed method, and are helpful in choosing the proper protection mechanism while taking the time delay into account and in determining the system sampling period to increase resistance against such attacks.