Similar literature
 20 similar documents found; search time 31 ms
1.
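Yang Tianqi, 《计算机应用》 (Journal of Computer Applications), 2005, 25(4): 844-845
Current intrusion detection systems lack the ability to generalize from previously observed attacks and to detect slight variations of known attacks. This paper describes an intrusion detection algorithm based on a least-squares (LS) estimation model; drawing on the characteristics of neural networks, the algorithm can generalize from previously observed behavior and thereby judge behavior that may occur in the future. It proposes the idea of using a feedback neural network to build feature profiles of program behavior in anomaly detection, and gives the choice of neural network algorithm and a design scheme for applying the neural network. Experiments show that building feature profiles of program behavior with a feedback neural network in anomaly detection can improve the detection system's adaptability to incidental events and intrusion variants, as well as the speed of anomaly detection.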

2.
Rule revision with recurrent neural networks   Total citations: 2, self-citations: 0, citations by others: 2
Recurrent neural networks readily process, recognize and generate temporal sequences. By encoding grammatical strings as temporal sequences, recurrent neural networks can be trained to behave like deterministic sequential finite-state automata. Algorithms have been developed for extracting grammatical rules from trained networks. Using a simple method for inserting prior knowledge (or rules) into recurrent neural networks, we show that recurrent neural networks are able to perform rule revision. Rule revision is performed by comparing the inserted rules with the rules in the finite-state automata extracted from trained networks. The results from training a recurrent neural network to recognize a known non-trivial, randomly-generated regular grammar show that not only do the networks preserve correct rules but that they are able to correct through training inserted rules which were initially incorrect (i.e. the rules were not the ones in the randomly generated grammar).

3.
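As the number of logs produced by the nodes of the national high-performance computing environment (CNGrid) keeps growing, analyzing user behavior by traditional manual means can no longer meet day-to-day analysis needs. In recent years, deep learning has achieved good results in key computer-science tasks such as intrusion detection, image recognition, natural language processing and malware detection. This paper demonstrates how to apply deep learning models to user behavior analysis. To this end, user behavior in CNGrid is...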

4.
Game based education is becoming more and more popular. This is because game based education provides an opportunity for learning in a natural environment. Phishing is an online identity theft, which attempts to steal sensitive information such as username, password, and online banking details from its victims. To prevent this, phishing awareness needs to be considered. This research aims to develop a game design framework, which enhances user avoidance behaviour through motivation to protect users from phishing attacks. In order to do this, a theoretical model derived from Technology Threat Avoidance Theory (TTAT) was developed and used in the game design framework (Liang & Xue, 2010). A survey study was undertaken with 150 regular computer users to elicit feedback through a questionnaire. The study findings revealed that perceived threat, safeguard effectiveness, safeguard cost, self-efficacy, perceived severity, and perceived susceptibility elements should be addressed in the game design framework for computer users to avoid phishing attacks. Furthermore, we argue that this game design framework can be used not only for preventing phishing attacks but also for preventing other malicious IT attacks such as viruses, malware, botnets and spyware.

5.
UCLA-SFINX is a neural network simulation environment that enables users to simulate a wide variety of neural network models at various levels of abstraction. A network specification language enables users to construct arbitrary network structures. Small, structurally irregular networks can be modeled by explicitly defining each neuron and corresponding connections. Very large networks with regular connectivity patterns can be implicitly specified using array constructs. Graphics support, based on X Windows System, is provided to visualize simulation results. Details of the simulation environment are described, and simulation examples are presented to demonstrate SFINX's capabilities.

6.
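Shi Zhicai, Tao Longming, 《计算机工程》 (Computer Engineering), 2009, 35(12): 106-108
To address the difficulty of detecting complex network attacks, this paper analyzes the essential characteristics of such attacks and proposes an HMM-based intrusion detection model. By correlating the alert event sequences produced by different network monitors, the model mines the intrinsic relationships among these alert events and thereby detects complex network attacks. Experimental results show that the model can effectively identify the categories of complex network attacks.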

7.
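Current intrusion detection systems lack the ability to generalize from previously observed attacks and to detect slight variations of known attacks. This paper describes an intrusion detection algorithm based on a least-squares (LS) estimation model; drawing on the characteristics of neural networks, the algorithm can generalize from previously observed behavior and thereby judge behavior that may occur in the future. Building on previous work, this paper proposes the idea of using a feedback neural network to build feature profiles of program behavior in anomaly detection, and gives the choice of neural network algorithm and a design scheme for applying the neural network. Experiments show that building feature profiles of program behavior with a feedback neural network in anomaly detection can greatly improve the detection system's adaptability to incidental events and intrusion variants, as well as the speed of anomaly detection.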

8.
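Network attacks such as phishing websites and remote-access trojans often use large numbers of unconventional domain names. Given the massive volume of domain names, the accuracy of existing methods for detecting unconventional domain names needs improvement. Based on a study of the characteristics of network attacks that use unconventional domain names and of existing detection methods, this paper proposes a domain-name disguise feature; a separation feature, the maximum number of units into which a domain label is split by digits; and DNS query features, namely the number of IPs returned by a single DNS query and the average Jaccard distance of the sets of IPs returned by DNS queries. It also improves a pronunciation feature, the proportion of vowel letters in a domain name. In addition, it proposes a method for detecting unconventional domain names based on text features and DNS query features, which selects the newly defined features together with several other basic, pronunciation and separation features of domain names, and uses machine learning to distinguish conventional from unconventional domain names. Experimental results show that the proposed method achieves considerably higher accuracy than some existing methods and can be used to detect malicious network attacks that use unconventional domain names.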

9.
While many commercial intrusion detection systems (IDS) are deployed, the protection they afford is modest. State-of-the-art IDS produce voluminous alerts, most false alarms, and function mainly by recognizing the signatures of known attacks so that novel attacks slip past them. Attempts have been made to create systems that recognize the signature of “normal,” in the hope that they will then detect attacks, known or novel. These systems are often confounded by the extreme variability of nominal behavior. The paper describes an experiment with an IDS composed of a hierarchy of neural networks (NN) that functions as a true anomaly detector. This result is achieved by monitoring selected areas of network behavior, such as protocols, that are predictable in advance. While this does not cover the entire attack space, a considerable number of attacks are carried out by violating the expectations of the protocol/operating system designer. Within this focus, the NNs are trained using data that spans the entire normal space. These detectors are able to recognize attacks that were not specifically presented during training. We show that using small detectors in a hierarchy gives a better result than a single large detector. Some techniques can be used not only to detect anomalies, but to distinguish among them.

10.
Minimizing the breach detection gap (BDG) for cyber-attacks is a big concern for all organizations and governments. Cyber-attacks are discovered daily, many of which have gone undetected for days to years before the victim organizations detect and deploy the cyber defense. Cyber defense solutions are advancing to combat risks and attacks from traditional to next-generation advanced defense protection solutions. However, many individuals, organizations and businesses continue to be hit by new waves of global cyber-attacks. In this paper, we present a blockchain-enabled federated cloud computing framework that uses the Dempster–Shafer theory to reduce BDG by continuously monitoring and analyzing the network traffic against cyber-attacks. We evaluate the proposed approach using numerical results, and the proposed approach outperforms the traditional approaches.

11.
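This paper proposes a method for detecting application-layer distributed denial-of-service attacks using ant colony clustering. Based on the differences in browsing behavior between legitimate users and attacking users, user sessions are extracted from the Web logs of legitimate users and the similarity between sessions is computed; an ant colony clustering algorithm is used to build a detection model adaptively, and the model is then used to identify attacks among the sessions under test. Experimental results show that the method can effectively detect attack behavior and has good adaptability.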

12.
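Today, social network platforms such as Weibo and Twitter are widely used to communicate, create online communities and socialize. A large amount of private information can be inferred from the content users publish, which has led to the rise of privacy inference techniques targeting social network users. Knowledge such as a user's text content and online behavior can be used to mount inference attacks against that user; social-relationship inference and attribute inference are the two basic attacks on the privacy of social network users. Research on protection mechanisms and methods against inference attacks is also growing. This paper classifies and summarizes the research and literature on privacy inference and protection techniques, and closes with a discussion and outlook.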

13.
14.
Conversational data in social media contain a great deal of useful information, and conversation anomaly detection is an important research direction in the field of sentiment analysis. Each user has his or her own specific emotional characteristic, and by studying the distribution and sampling the users’ emotional transitions, we can simulate specific emotional transitions in the conversations. Anomaly detection in conversation data refers to detecting users’ abnormal opinions and sentiment patterns as well as special temporal aspects of such patterns. This paper proposes a hybrid model that combines the convolutional neural network long short-term memory (CNN-LSTM) with a Markov chain Monte Carlo (MCMC) method to identify users’ emotions, sample users’ emotional transition and detect anomalies according to the transition tensor. The emotional transition sampling is implemented by improving the MCMC algorithm and the anomalies are detected by calculating the similarity between the normal transition tensor and the current transition tensor of the user. The experiment was carried out on four corpora, and the results show that emotions can be well sampled to conform to user’s characteristics and anomaly can be detected by the proposed method. The model proposed can be used in intelligent conversation systems, such as simulating the emotional transition and detecting the abnormal emotions.

15.
Today, security is a major challenge linked with computer network companies that cannot defend against cyber-attacks. Numerous vulnerable factors increase security risks and cyber-attacks, including viruses, the internet, communications, and hackers. Internet of Things (IoT) devices are more effective, and the number of devices connected to the internet is constantly increasing, and governments and businesses are also using these technologies to perform business activities effectively. However, the increasing uses of technologies also increase risks, such as password attacks, social engineering, and phishing attacks. Humans play a major role in the field of cybersecurity. It is observed that more than 39% of security risks are related to the human factor, and 95% of successful cyber-attacks are caused by human error, with most of them being insider threats. The major human factor issue in cybersecurity is a lack of user awareness of cyber threats. This study focuses on the human factor by surveying the vulnerabilities and reducing the risk by focusing on human nature and reacting to different situations. This study highlighted that most of the participants are not experienced with cybersecurity threats and how to protect their personal information. Moreover, the lack of awareness of the top three vulnerabilities related to the human factor in cybersecurity, such as phishing attacks, password attacks, and social engineering, are major problems that need to be addressed and reduced through proper awareness and training.

16.
Social networks collect enormous amounts of user personal and behavioral data, which could threaten users' privacy if published or shared directly. Privacy-preserving graph publishing (PPGP) can make user data available while protecting private information. For this purpose, in PPGP, anonymization methods like perturbation and generalization are commonly used. However, traditional anonymization methods are challenging in balancing high-level privacy and utility, ineffective at defending against both various link and hybrid inference attacks, as well as vulnerable to graph neural network (GNN)-based attacks. To solve those problems, we present a novel privacy-disentangled approach that disentangles private and non-private information for a better privacy-utility trade-off. Moreover, we propose a unified graph deep learning framework for PPGP, denoted privacy-disentangled variational information bottleneck (PDVIB). Using low-dimensional perturbations, the model generates an anonymized graph to defend against various inference attacks, including GNN-based attacks. Particularly, the model fits various privacy settings by employing adjustable perturbations at the node level. With three real-world datasets, PDVIB is demonstrated to generate robust anonymous graphs that defend against various privacy inference attacks while maintaining the utility of non-private information.

17.
The Internet, web consumers and computing systems have become more vulnerable to cyber-attacks. Malicious uniform resource locator (URL) is a prominent cyber-attack broadly used with the intention of data, money or personal information stealing. Malicious URLs comprise phishing URLs, spamming URLs, and malware URLs. Detection of malicious URL and identification of their attack type are important to thwart such attacks and to adopt required countermeasures. The proposed methodology for detection and categorization of malicious URLs uses stacked restricted Boltzmann machine for feature selection with deep neural network for binary classification. For multiple classes, IBK-kNN, Binary Relevance, and Label Powerset with SVM are used for classification. The approach is tested with 27700 URL samples and the results demonstrate that the deep learning-based feature selection and classification techniques are able to quickly train the network and detect with reduced false positives.

18.
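Lai Li, Tang Chuan, Tan Bing, 《计算机教育》 (Computer Education), 2010, (16): 151-155
In recent years, online information leaks have occurred frequently. This paper outlines the characteristics of network attacks and of intrusion targets, and describes in detail 8 currently common network attack methods, including password attacks, Trojan horses, security vulnerability attacks, ARP spoofing attacks and denial-of-service attacks. It also summarizes the development trends of future network attack techniques in 6 respects, such as automation, intelligence and simplification.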

19.
Traditionally, signature-based network Intrusion Detection Systems (IDS) rely on inputs from domain experts and can only identify the attacks if they occur as individual events. IDS generate a large number of alerts, and it becomes very difficult for human users to go through each message. Previous research has proposed analytics-based approaches to analyze IDS alert patterns based on anomaly detection models, multi-step models or probabilistic approaches. However, due to the complexities of network intrusions, it is impossible to develop all possible attack patterns or to avoid false positives. With the advance in technologies and popularity of networks in our daily life, it is becoming more and more difficult to detect network intrusions. However, no matter how rapidly the technologies change, the human behaviors behind the cyber attacks stay relatively constant. This provides us an opportunity to develop an improved system to detect the unusual cyber attacks. In this paper, we developed four network intrusion models based on consideration of human factors. We then tested these models on ITOC Cyber Defense Competition (CDX) 2009 data. Our results are encouraging. These models are not only able to recognize most network attacks identified by SNORT log alerts, they are also able to distinguish the non-attack network traffic that was potentially missed by SNORT as indicated by ground truth validation of the data.

20.
Continuously identifying a user’s location context provides new opportunities to understand daily life and human behavior. Indoor location systems have been mainly based on WiFi infrastructures which consume a great deal of energy mostly due to keeping the user’s WiFi device connected to the infrastructure and network communication, limiting the overall time when a user can be tracked. Particularly such tracking systems on battery-limited mobile devices must be energy-efficient to limit the impact on the experience of using a phone. Recently, there have been a lot of studies of energy-efficient positioning systems, but these have focused on outdoor positioning technologies. In this paper, we propose a novel indoor tracking framework that intelligently determines the location sampling rate and the frequency of network communication, to optimize the accuracy of the location data while being energy-efficient at the same time. This framework leverages an accelerometer, widely available on everyday smartphones, to reduce the duty cycle and the network communication frequency when a tracked user is moving slowly or not at all. Our framework can work for 14 h without charging, supporting applications that require this location information without affecting user experience.
