DDoS放大攻击原理及防护

分布式拒绝服务攻击（DDoS）是一种攻击强度大、危害比较严重的网络攻击。 DDoS放大攻击利用放大器对网络流量具有放大作用的技术,向被攻击目标发送大量的网络数据包,造成被攻击的目标网络资源和带宽被耗尽,使得正常的请求无法得到及时有效的响应。简单介绍DDoS放大攻击的原理,分析DDoS放大攻击的防护方法,从攻击源头、放大器、被攻击目标等三个方面采取防护措施,从而达到比较有效的防护效果。     

基于深度神经网络的对抗样本技术综述

深度学习在完成一些难度极高的任务中展现了惊人的能力,但深度神经网络难以避免对刻意添加了扰动的样本（称为“对抗样本”）进行错误的分类。“对抗样本”逐渐成为深度学习安全领域的研究热点。研究对抗样本产生的原因和作用机理,有助于从安全性和鲁棒性方面优化模型。在掌握对抗样本原理的基础上,对经典对抗样本攻击方法进行分类总结,根据不同的攻击原理将攻击方法分为白盒攻击与黑盒攻击两个大类,并引入非特定目标攻击、特定目标攻击、全像素添加扰动攻击和部分像素添加扰动攻击等细类。在ImageNet数据集上对几种典型攻击方法进行复现,通过实验结果,比较几种生成方法的优缺点,分析对抗样本生成过程中的突出问题。并对对抗样本的应用和发展作了展望。     

Evolution of cross site request forgery attacks

This paper presents a state of the art of cross-site request forgery (CSRF) attacks and new techniques which can be used by potential intruders to make them more effective. Several attack scenarios on widely used web applications are discussed, and a vulnerability which affect most recent browsers is explained. This vulnerability makes it possible to perform effective CSRF attacks using the XMLHTTPRequest object. In addition, this paper describes a new technique that preserves the malicious code on the target system even after the browser window is closed. Lastly, best solutions to prevent these attacks are discussed to enable everyone (users, browser or Web applications developers, professionals in charge of IT security in an organization or a company) to prevent or manage this threat.     

深度学习中的后门攻击综述

随着深度学习研究与应用的迅速发展,人工智能安全问题日益突出。近年来,深度学习模型的脆弱性和不鲁棒性被不断的揭示,针对深度学习模型的攻击方法层出不穷,而后门攻击就是其中一类新的攻击范式。与对抗样本和数据投毒不同,后门攻击者在模型的训练数据中添加触发器并改变对应的标签为目标类别。深度学习模型在中毒数据集上训练后就被植入了可由触发器激活的后门,使得模型对于正常输入仍可保持高精度的工作,而当输入具有触发器时,模型将按照攻击者所指定的目标类别输出。在这种新的攻击场景和设置下,深度学习模型表现出了极大的脆弱性,这对人工智能领域产生了极大的安全威胁,后门攻击也成为了一个热门研究方向。因此,为了更好的提高深度学习模型对于后门攻击的安全性,本文针对深度学习中的后门攻击方法进行了全面的分析。首先分析了后门攻击和其他攻击范式的区别,定义了基本的攻击方法和流程,然后对后门攻击的敌手模型、评估指标、攻击设置等方面进行了总结。接着,将现有的攻击方法从可见性、触发器类型、标签类型以及攻击场景等多个维度进行分类,包含了计算机视觉和自然语言处理在内的多个领域。此外,还总结了后门攻击研究中常用的任务、数据集与深度学习模型,并介绍了后门攻击在数据隐私、模型保护以及模型水印等方面的有益应用,最后对未来的关键研究方向进行了展望。     

基于地址相关度的分布式拒绝服务攻击检测方法

分布式拒绝服务(DDoS)攻击检测是网络安全领域的研究热点.对DDoS攻击的研究进展及其特点进行了详细分析,针对DDoS攻击流的流量突发性、流非对称性、源IP地址分布性和目标IP地址集中性等本质特征提出了网络流的地址相关度(ACV)的概念.为了充分利用ACV,提高方法的检测质量,提出了基于ACV的DDoS攻击检测方法,通过自回归模型的参数拟合将ACV时间序列变换为多维空间内的AR模型参数向量序列来描述网络流状态特征,采用支持向量机分类器对当前网络流状态进行分类以识别DDoS攻击.实验结果表明,该检测方法能够有效地检测DDoS攻击,降低误报率.     

Hardening the Target

As enterprises increasingly depend on digitized data and seek commercial opportunities from accelerated digital access and transmission, senior management and boards of directors haven't sufficiently updated their enterprises' security protections on digitally stored information. Consequently, new and increasingly frequent attacks have occurred against their digital information assets. Enterprises must "harden the target" to protect against attacks against these assets.     

恶意攻击下基于分布式稀疏优化的安全状态估计

恶意生成的量测攻击信号是导致信息物理系统(Cyber-physical system,CPS)探测失效的主要原因,如何有效削弱其影响是实现精准探测、跟踪与感知的关键问题.分布式传感器网络(Distributed sensor network,DSN)依靠多传感器协作与并行处理突破单一监测节点的任务包线,能够显著提升探测...     

平稳与平衡--椭圆曲线密码体制抗旁信道攻击的策略与手段

旁信道攻击方法（side channel attack）通过对密码系统的一些特殊信息的获取来进行分析与攻击．对于椭圆曲线密码体制,最主要的就是要使标量乘能够抵抗旁信道攻击方式,密码学界的研究者在这方面做了很多具体且细致的工作,从各个不同的角度提出了很多新的算法与方案．综述了椭圆曲线密码体制上抗旁信道攻击的进展情况,以“平稳”与“平衡”作为两条线索,讨论了椭圆曲线密码系统上抗旁信道攻击的各种策略和方案,指出了它们各自的优劣以及适用范围,并在最后探讨了该领域未来研究和发展方向．     

Timing attack on NoC-based systems: Prime+Probe attack and NoC-based protection

Many authors have shown how to break the AES cryptographic algorithm with side channel attacks; specially the timing attacks oriented to caches, like Prime+Probe. In this paper, we present two practical timing attacks on NoC that improve Prime+Probe technique, the P+P Firecracker, and P+P Arrow. Our attacks target the communication between an ARM Cortex-A9 core and a shared cache memory. Furthermore, we evaluate a secure enhanced NoC as a countermeasure against the timing attack. Finally, we demonstrate that attacks on MPSoCs through the NoC are a real threat and need to be further explored.     

复杂网络攻击的HMM检测模型

针对检测复杂网络攻击的难度,剖析复杂网络攻击的本质特征,提出一种基于HMM的入侵检测模型,通过关联分析不同网络监视器产生的报警事件序列,挖掘这些报警事件的内在联系,进而检测复杂网络攻击。实验结果表明,该模型能有效地识别复杂网络攻击的类别。     

A novel intrusion detection framework for wireless sensor networks

Vehicle cloud is a new idea that uses the benefits of wireless sensor networks (WSNs) and the concept of cloud computing to provide better services to the community. It is important to secure a sensor network to achieve better performance of the vehicle cloud. Wireless sensor networks are a soft target for intruders or adversaries to launch lethal attacks in its present configuration. In this paper, a novel intrusion detection framework is proposed for securing wireless sensor networks from routing attacks. The proposed system works in a distributed environment to detect intrusions by collaborating with the neighboring nodes. It works in two modes: online prevention allows safeguarding from those abnormal nodes that are already declared as malicious while offline detection finds those nodes that are being compromised by an adversary during the next epoch of time. Simulation results show that the proposed specification-based detection scheme performs extremely well and achieves high intrusion detection rate and low false positive rate.     

New fault attacks using Jacobi symbol and application to regular right-to-left algorithms

Fast exponentiation algorithms are central in the implementation of public key cryptography. They should be secure as well as efficient. Nowadays physical attacks such as side channel analysis or fault attacks become big threats in the implementation of cryptographic algorithms. In this article, we propose two new fault attacks using Jacobi symbol. Furthermore we show that Joye's regular right-to-left algorithms are vulnerable to them.     

Optimal mixed block withholding attacks based on reinforcement learning

The vulnerabilities in cryptographic currencies facilitate the adversarial attacks. Therefore, the attackers have incentives to increase their rewards by strategic behaviors. Block withholding attacks (BWH) are such behaviors that attackers withhold blocks in the target pools to subvert the blockchain ecosystem. Furthermore, BWH attacks may dwarf the countermeasures by combining with selfish mining attacks or other strategic behaviors, for example, fork after withholding (FAW) attacks and power adaptive withholding (PAW) attacks. That is, the attackers may be intelligent enough such that they can dynamically gear their behaviors to optimal attacking strategies. In this paper, we propose mixed-BWH attacks with respect to intelligent attackers, who leverage reinforcement learning to pin down optimal strategic behaviors to maximize their rewards. More specifically, the intelligent attackers strategically toggle among BWH, FAW, and PAW attacks. Their main target is to fine-tune the optimal behaviors, which incur maximal rewards. The attackers pinpoint the optimal attacking actions with reinforcement learning, which is formalized into a Markov decision process. The simulation results show that the rewards of the mixed strategy are much higher than that of honest strategy for the attackers. Therefore, the attackers have enough incentives to adopt the mixed strategy.     

基于地址完整性检查的函数指针攻击检测

针对传统函数指针攻击检测技术无法检测面向返回编程(ROP)攻击的问题,提出了一种基于跳转地址完整性检查的新方法,在二进制代码层面能够检测多种类型的函数指针攻击。首先,通过静态分析得到函数地址信息,然后动态检查跳转目标地址是否位于合法函数区间。分析了非入口点跳转,提出一种动静结合方法检测ROP攻击。基于二进制代码插桩工具实现原型系统fpcheck,对真实攻击和正常程序进行了测试。实验结果表明fpcheck能够检测包括ROP在内的多种函数指针攻击,通过准确的检测策略,误报率显著下降,性能损失相比原始插桩仅升高10%~20%。     

API-level attacks on embedded systems

We have recently discovered a whole new family of attacks on the APIs (application programming interfaces) used by security processors. These attacks are economically important, as security processors are used to support a wide range of services - from ATMs (automated teller machines) to pre-payment utility metering - but designing APIs that resist such attacks is difficult     

一种基于多点传送树的拒绝服务攻击的安全方案

拒绝服务攻击严重威胁着Internet的安全,而且其入侵工具的发展是一种长期存在的趋势。文章介绍了一种新的拒绝服务攻击的安全方案,通过使用多点传送树作为基本的认证机制来进行IP多点传送认证,从而对拒绝服务攻击免疫。     

Winter is here! A decade of cache-based side-channel attacks,detection & mitigation for RSA

Timing-based side-channels play an important role in exposing the state of a process execution on underlying hardware by revealing information about timing and access patterns. Side-channel attacks (SCAs) are powerful cryptanalysis techniques that focus on the underlying implementation of cryptographic ciphers during execution rather than attacking the structure of cryptographic functions. This paper reviews cache-based software side-channel attacks, mitigation and detection techniques that target various cryptosystems, particularly RSA, proposed over the last decade (2007–2018). It provides a detailed taxonomy of attacks on RSA cryptosystems and discusses their strengths and weaknesses while attacking different algorithmic implementations of RSA. A threat model is presented based on the cache features that are being leveraged for such attacks across cache hierarchy in computing architectures. The paper also provides a classification of these attacks based on the source of information leakage. It then undertakes a qualitative analysis of secret key retrieval efficiency, complexity, and the features being exploited on target cryptosystems in these attacks. The paper also discusses the mitigation and detection techniques proposed against such attacks and classifies them based on their effectiveness at various levels in caching hardware and leveraged features. Finally, the paper discusses recent trends in attacks, the challenges involved in their mitigation, and future research directions needed to deal with side-channel information leakage.     

Security beyond cybersecurity: side-channel attacks against non-cyber systems and their countermeasures

Side-channels are unintended pathways within target systems that leak internal information, exploitable via side-channel attack techniques that extract the target information, compromising the system’s security and privacy. Side-channel attacks are well established within the cybersecurity domain, and thus their cyber-physical systems are actively defended with countermeasures. Non-cyber systems are equally as vulnerable to side-channel attacks; however, this is largely unrecognised and therefore countermeasures to defend them are limited. This paper surveys side-channel attacks against non-cyber systems and investigates the consequent security and privacy ramifications. Side-channel attack techniques rely on respective side-channel properties in order to succeed; therefore, countermeasures that disrupt each side-channel property are identified, effectively thwarting the side-channel attack. This principle is captured within a countermeasure algorithm: a systematic and extensible approach to identifying candidate countermeasures for non-cyber systems. We validate the output of this process by showing how the candidate countermeasures could be applied in the context of each non-cyber system and in the real world. This work provides an extensible platform for translating cybersecurity-derived side-channel attack research into defending systems from non-cyber domains.

     

传感网时间同步安全的健壮的统计方法

随着时间同步服务的盛行,它越来越成为恶意攻击的目标.鉴别了各种针对同步法则的攻击.因为这些攻击是多种多样的,而且许多难以预见的攻击能够迂回过传统的安全防范策略,所以建立一个针对故意破坏相对健壮的同步法则是个理想的选择.提出了一个能够容忍攻击的健壮的统计方法:它不需要参考节点,而是全网同步于一个虚拟时钟;采用最小中值平方的算法;能够建立成对、簇内和全网的有一定攻击容忍度的同步.     

基于P2P平台的DDoS攻击防御方法

P2P系统的分散性、匿名性和随机性等特点容易被利用发起大规模的分布式拒绝服务(DDoS)攻击。为此,提出一种分布式的防御方法。通过在应用层构建一套数据发送授权机制,使P2P平台中的节点在未得到目标节点授权之前不能向其发送大量数据,从而阻止攻击数据到达被攻击者。仿真实验结果证明,该模型可以抵御利用P2P软件发起的DDoS攻击。