DEFIDNET: A framework for optimal allocation of cyberdefenses in Intrusion Detection Networks

Intrusion Detection Networks (IDN) are distributed cyberdefense systems composed of different nodes performing local detection and filtering functions, as well as sharing information with other nodes in the IDN. The security and resilience of such cyberdefense systems are paramount, since an attacker will try to evade them or render them unusable before attacking the end systems. In this paper, we introduce a system model for IDN nodes in terms of their logical components, functions, and communication channels. This allows us to model different IDN node roles (e.g., detectors, filters, aggregators, correlators, etc.) and architectures (e.g., hierarchical, centralized, fully distributed, etc.). We then introduce a threat model that considers adversarial actions executed against particular IDN nodes, and also the propagation of such actions throughout connected nodes. Based on such models, we finally introduce a countermeasure allocation model based on a multi-objective optimization algorithm to obtain optimal allocation strategies that minimize both risk and cost. Our experimental results obtained through simulation with different IDN architectures illustrate the benefit of our framework to design and reconfigure cyberdefense systems optimally.     

Moderators of nonverbal indicators of deception: A meta-analytic synthesis.

In many legal proceedings, fact finders scrutinize the demeanor of a defendant or witness, particularly his or her nonverbal behavior, for indicators of deception. This meta-analysis investigated directly observable nonverbal correlates of deception as a function of different moderator variables. Although lay people and professionals alike assume that many nonverbal behaviors are displayed more frequently while lying, of 11 different behaviors observable in the head and body area, only 3 were reliably associated with deception. Nodding, foot and leg movements, and hand movements were negatively related to deception in the overall analyses weighted by sample size. Most people assume that nonverbal behaviors increase while lying; however, these behaviors decreased, whereas others showed no change. There was no evidence that people avoid eye contact while lying, although around the world, gaze aversion is deemed the most important signal of deception. Most effect sizes were found to be heterogeneous. Analyses of moderator variables revealed that many of the observed relationships varied as a function of content, motivation, preparation, sanctioning of the lie, experimental design, and operationalization. Existing theories cannot readily account for the heterogeneity in findings. Thus, practitioners are cautioned against using these indicators in assessing the truthfulness of oral reports. (PsycINFO Database Record (c) 2010 APA, all rights reserved)     

运用模式分类的雷达抗转发式距离欺骗干扰方法

针对雷达转发式欺骗干扰中的距离欺骗，提出了一种基于模式分类来识别目标与干扰的方法。该方法基于干扰和目标能量和起伏特性差异确定提取特征因子，再利用RBF神经网络方法进行分类。仿真结果表明，该方法具有较好的抗距离欺骗干扰性能。     

Binary rewriting and call interception for efficient runtime protection against buffer overflows

Buffer overflow vulnerabilities are one of the most commonly and widely exploited security vulnerabilities in programs. Most existing solutions for avoiding buffer overflows are either inadequate, inefficient or incompatible with existing code. In this paper, we present a novel approach for transparent and efficient runtime protection against buffer overflows. The approach is implemented by two tools: Type Information Extractor and Depositor (TIED) and LibsafePlus. TIED is first used on a binary executable or shared library file to extract type information from the debugging information inserted in the file by the compiler and reinsert it in the file as a data structure available at runtime. LibsafePlus is a shared library that is preloaded when the program is run. LibsafePlus intercepts unsafe C library calls such as strcpy and uses the type information made available by TIED at runtime to determine whether it would be ‘safe’ to carry out the operation. With our simple design we are able to protect most applications with a performance overhead of less than 10%. Copyright © 2006 John Wiley & Sons, Ltd.     

改进的基于身份认证密钥协商协议*

对标准模型下可证安全的基于身份认证密钥协商协议进行安全分析,指出由于传送消息存在冗余,协议不能抵御伪装攻击。为解决上述安全漏洞,提出一个改进的基于身份认证密钥协商协议,并在标准模型下分析其安全性。结果表明,新协议满足基于身份认证密钥协商协议的所有安全要求。     

可编程逻辑器件安全性漏洞检测平台设计与实现

芯片作为信息存储、传输、应用处理的基础设备,其安全性是信息安全的一个重要组成部分。可编程逻辑器件安全性漏洞检测平台正是为了检测出逻辑芯片内可能存在的攻击后门和设计缺陷而研制的,从而确保电子设备中信息安全可靠。文章研究可编程逻辑器件漏洞检测平台的设计与实现,简要介绍了检测平台的总体结构和运行机制,给出了检测平台的总体设计思想、实现方案及系统组成,并深入研究了漏洞检测平台设计与实现所涉及的相关技术。     

“舒特”攻击行动描述与效能评估探要

文章基于UML概念建模语言对“舒特”攻击行动进行了形式化描述,构建了“舒特”攻击行动效能评估指标体系,运用模糊层次分析法对“舒特”攻击行动的效能进行了评估,同时给出了应对“舒特”攻击的建议。     

基于代价敏感支持向量机的推荐系统托攻击检测方法

基于标准支持向量机的托攻击检测方法不能体现由于用户误分代价不同对分类效果带来的影响,提出了一种基于代价敏感支持向量机的托攻击检测新方法,该方法在代价敏感性学习机制下引入支持向量机作为分类工具,对支持向量机输出进行后验概率建模,建立了基于类别隶属度的动态代价函数,更准确地反映不同样本的分类代价,在此基础上设计了代价敏感支持向量机分类器。将该分类器应用在推荐系统托攻击检测中,并与标准的支持向量机方法、代价敏感支持向量机方法进行比较,实验结果表明,本方法可以更精确地控制代价敏感性,进一步提高对攻击用户的检测精度,降低总体的误分类代价。     

数据泄露风险的趋势分析

利用过去10年数据泄露事件的统计数据,对数据泄露的各种模式进行研究,对重点模式的数据泄露风险的趋势进行统计分析。结合信息安全领域的发展现状,对存在较大风险的数据泄露模式在未来几年将造成的威胁提出预警。     

面向可重构扫描网络的锁定隔离安全结构

为使可重构扫描网络免受未经授权的访问、恶意仪器对传输数据的窜改和嗅探3种安全攻击的影响,提出了锁定隔离安全结构.该结构首先把彼此不具有安全威胁的仪器分成一组,通过控制隔离信号实现组与组之间的单独访问,以防止恶意仪器对传输数据的窜改和嗅探.然后通过使用锁段插入位保护关键的仪器,只有扫描网络中处于特定位置的多个键值被设置成特定值(0,1序列)时锁段插入位才能打开,能加大未经授权访问的难度.此外,为解决仪器分组多导致硬件开销大和布线困难的问题,提出了仪器分组算法,根据仪器间的安全关系构建无向图,然后对无向图求极大独立集,能有效地减少仪器分组数.在ITC 02基准电路上的实验结果表明,与国际上同类方法相比,所提的安全结构打开锁段插入位所需要的时间增大了7倍,在面积、功耗和布线上的平均减少百分比分别为3.81%,9.02%和4.55%.