最优的防御策略应对理性的攻击

系统可靠性保护,通常采用投票算法和冗余策略。然而,考虑到系统外界存在攻击者时,系统的可靠性将面临威胁。在文中,主要研究介于系统防御策略和理性攻击者之间的系统可靠性。防御者保证系统可靠性不仅可采取投票算法,还可利用防御资源进行制造伪装组件或保护系统组件;攻击者利用攻击资源随机选择系统中某些簇中组件进行攻击。通过建立模型,解决在给定的攻防资源下,选择最优防御策略应对攻击策略,从而保证系统的可靠性。     

基于脆弱性变换的网络动态防御有效性分析方法

有效性分析对合理制订最优网络动态防御策略至关重要.首先利用随机抽样模型从脆弱性变换角度给出入侵成功概率计算公式,用于刻画变换空间、变换周期及脆弱性数量对网络入侵过程的影响;然后针对单、多脆弱性变换两种情况,分别给出相应的入侵成功概率极限定理并予以证明,同时给出两种情况下的最优变换空间计算方法;仿真结果表明,增大单条入侵路径上依次攻击的脆弱性数量、减小变换周期可持续提高网络动态防御有效性,而增大变换空间初始可以提升网络动态防御有效性,但是由于入侵成功概率会随变换空间的持续增大而逐渐收敛,在入侵成功概率收敛时,有效性无法持续提高.     

云原生下基于深度强化学习的移动目标防御策略优化方案

针对云原生环境下攻击场景的复杂性导致移动目标防御策略配置困难的问题,该文提出一种基于深度强化学习的移动目标防御策略优化方案(SmartSCR)。首先,针对云原生环境容器化、微服务化等特点,对其安全威胁及攻击者攻击路径进行分析;然后,为了定量分析云原生复杂攻击场景下移动目标防御策略的防御效率,提出微服务攻击图模型并对防御效率进行刻画。最后,将移动目标防御策略的优化问题建模为马尔可夫决策过程,并使用深度强化学习解决云原生应用规模较大时带来的状态空间爆炸问题,对最优移动目标防御配置进行求解。实验结果表明,SmartSCR能够在云原生应用规模较大时快速收敛,并实现逼近最优的防御效率。     

软件定义的L2/L3地址协同拟态伪装策略研究

从网络内部探测目标终端的脆弱性是网络攻击发起的主要途径,当前网络的静态特性利于攻击者目标侦察的实施,网络内部的L2/L3地址是攻击者期望侦察的主要信息.为了改变目标侦察阶段网络攻防的易攻难守态势,基于拟态伪装的思想,提出了一种L2和L3地址协同动态化技术,在不影响正常业务条件下有策略地隐藏真实网络主机.首先,建立网络侦察的博弈模型（CRG）,基于NASH均衡解指导L2/L3地址的拟态伪装策略,并给出最优的跳变周期计算公式;其次,基于软件定义网络架构,设计并实现了协同动态化的内网防护系统（CMID）,由SDN控制器协同控制L2/L3地址的伪装变换;最后,理论分析与实验结果表明：上述方法能够有效切断L2/L3地址与真实网络身份、上层服务的关联性,最大化地隐藏网络内部主机,延缓侦察速度,阻断网络攻击的连续性.     

基于Gnutella协议的P2P网络中DoS攻击防御机制

对基于Gnutella协议的P2P计算网络实施DoS攻击的特征进行了详细分析,通过设置攻击容忍度和防御起点,提出了一种简单的基于特征的DoS攻击防御策略,运用基于贝叶斯推理的异常检测方法发现攻击,使系统能根据DoS攻击的强弱,自适应调整防御机制,维持网络的服务性能.仿真结果表明,本文提出的防御策略能有效的防御恶意节点对网络发动的DoS攻击,使网络服务的有效性达到98%,正常请求包被丢弃的平均概率为1.83%,预防机制平均时间开销仅占网络总开销的6.5%.     

基于云计算平台的防御拒绝服务攻击方法

随着企业的关键核心数据及服务从企业网迁移到了云服务中心,更多的应用和集成业务开始依靠互联网,拒绝服务带来的后果和破坏将会明显地超过传统的企业网环境。在云计算环境下,具体的应用成为攻击目标,攻击者会使用针对具体应用的攻击方法来攻击受害者的在线服务。文章提出了一种基于云计算平台的处理拒绝服务攻击的策略,主要解决了在云计算平台上对具体应用进行HTTP拒绝服务攻击的问题。通过该策略,能够在即使黑客伪装为合法用户后仍然能够防御拒绝服务攻击。     

基于虚假响应的主机指纹隐藏方法

针对智慧城市关键基础设施面临日益严峻的网络攻击形势,传统被动式网络安全防护模式存在易被探测、攻易守难等问题,提出一种主机指纹隐藏的主动欺骗防御方法.通过分析对操作系统、服务软件两种类型的主机指纹探测攻击的过程,以及攻击工具指纹库的含义,设计指纹伪装流程,进行虚假响应,使攻击者获得错误的响应信息,达到主动防御的目的.试验...     

DNS攻击检测与防御技术研究

作为分布式数据库系统,DNS可以用来管理主机名字和地址信息,以便为人们更好应用网络提供支持。但是,由于设计缺陷的存在,DNS较容易受到攻击,继而给网络安全埋下了隐患。而采用先进的技术进行DNS攻击的检测和防御,则可以进一步确保网络的安全。因此,基于这种认识,文章对DNS攻击检测和防御技术进行研究,以便为关注这一话题的人们提供参考。     

DDOS攻击原理及其防御策略研究

阐述了DDOS攻击的原理;论述了目前主要的几种DDOS攻击方式即SYN／ACK Flood攻击。TCP全连接攻击和刷Script脚本攻击;针对这些主要的攻击方式提出了采用高性能的网络设备、尽量避免NAT的使用、使用网络和主机扫描工具检测脆弱性、采用网络入侵检测系统NIDS和探测器、增强操作系统的TCP／IP栈、速率限制法、调整服务器的各项参数等防御策略;并结合一个实际的DDOS攻击案例讨论了相应的解决措施．     

脉冲激光周向探测地面目标捕获建模与仿真

针对对地攻击火箭弹单发毁伤概率低的问题,设计了一种激光周向探测系统,旨在提高对地攻击火箭弹的目标捕获概率。推导了平面目标脉冲激光回波波形的解析式及最小可探测光功率,并结合对地攻击火箭弹的末端弹道特性,建立了激光周向探测系统的弹目交会模型。运用蒙特卡罗算法仿真分析了对地攻击火箭弹采用不同探测系统时目标捕获概率随脉冲激光重复频率和扫描转速的变化规律,探讨了弹速和命中精度对于目标捕获概率的影响,获得最佳激光重复频率与扫描转速。仿真结果表明:当脉冲激光重复频率为5 kHz,扫描转速为10000r/min时能实现目标的有效捕获;采用激光周向探测系统能有效提高目标捕获概率,提升单发毁伤效能,为激光周向探测系统在对地攻击火箭弹上的应用提供了理论依据。     

基于变电站的入侵防御网络安全评估模型

网络攻击是最重要的变电站安全问题之一,为了更好地识别易受攻击的变电站,首先需要对侦察活动进行建模。在此基础上研究相应的网络攻击和防御策略。利用马尔可夫决策过程建立了变电站控制权竞争中的入侵防御模型。在模型中考虑了目标变电站、入侵者和防御者的关键特征。因此,通过求解模型,可以得到入侵者和防御者的最优策略。通过这些策略可以对变电站的网络安全状态进行评估。仿真实验结果验证了所提出的模型以及相应策略的可行性。     

Single-Adversary Relaying Attack Defense Mechanism in Wireless Ad Hoc Networks

There have been many security protocols to provide authenticity and confidentiality in wireless ad hoc networks. However, they fail to defend networks against relaying attack in which attacker nodes simply broadcast received packets without compromising any legitimate nodes. Wormhole attack is a representative example of relaying attack, in which a pair of attacker nodes relay received packets to each other and selectively drop them. The wormhole attack is known to ruin routing and communication of a network considerably, however, is not very straightforward to be accomplished due to the pairwise nature. In this paper, we introduce two new types of relaying attack, called teleport and filtering attacks that require a single attacker node only for accomplishment. We describe their accomplishment conditions and impacts on the network performance in a formal manner. We then propose a countermeasure framework against these attacks called Single-Adversary Relaying Attack defense Mechanism (SARAM), which is composed of a bandwidth-efficient neighbor discovery customized for multi-hop environments and neighbor list management combined into an on-demand ad hoc routing protocol. SARAM does not require any special hardware such as location-aware equipments and tight synchronized clocks, thus is cost-efficient as well. We show via ns-2 simulation that the new relaying attacks deteriorate the network performance significantly and SARAM is effective and efficient in defending a network against these attacks.     

双重数字水印的抗攻击安全性分析

为了使计算机网络更好地为人类服务,必须很好地解决网络的信息安全问题。数字水印是实现版权保护的有效办法,但目前尚没有一个算法能够真正经得住攻击者所有种类的攻击。笔者通过对攻击原理进行分析,提出解决的对策,重点介绍了利用双水印技术对抗解释攻击的方法。了解这些攻击以及可能还会有的新的攻击方法将助于我们设计出更好的水印方案。     

Wormhole attacks in wireless networks

As mobile ad hoc network applications are deployed, security emerges as a central requirement. In this paper, we introduce the wormhole attack, a severe attack in ad hoc networks that is particularly challenging to defend against. The wormhole attack is possible even if the attacker has not compromised any hosts, and even if all communication provides authenticity and confidentiality. In the wormhole attack, an attacker records packets (or bits) at one location in the network, tunnels them (possibly selectively) to another location, and retransmits them there into the network. The wormhole attack can form a serious threat in wireless networks, especially against many ad hoc network routing protocols and location-based wireless security systems. For example, most existing ad hoc network routing protocols, without some mechanism to defend against the wormhole attack, would be unable to find routes longer than one or two hops, severely disrupting communication. We present a general mechanism, called packet leashes, for detecting and, thus defending against wormhole attacks, and we present a specific protocol, called TIK, that implements leashes. We also discuss topology-based wormhole detection, and show that it is impossible for these approaches to detect some wormhole topologies.     

SOS: an architecture for mitigating DDoS attacks

We propose an architecture called secure overlay services (SOS) that proactively prevents denial of service (DoS) attacks, including distributed (DDoS) attacks; it is geared toward supporting emergency services, or similar types of communication. The architecture uses a combination of secure overlay tunneling, routing via consistent hashing, and filtering. We reduce the probability of successful attacks by: 1) performing intensive filtering near protected network edges, pushing the attack point perimeter into the core of the network, where high-speed routers can handle the volume of attack traffic and 2) introducing randomness and anonymity into the forwarding architecture, making it difficult for an attacker to target nodes along the path to a specific SOS-protected destination. Using simple analytical models, we evaluate the likelihood that an attacker can successfully launch a DoS attack against an SOS-protected network. Our analysis demonstrates that such an architecture reduces the likelihood of a successful attack to minuscule levels. Our performance measurements using a prototype implementation indicate an increase in end-to-end latency by a factor of two for the general case, and an average heal time of less than 10 s.     

利用地址解析协议的地址空间欺骗技术

信息攻防之间的不对称性要求信息安全领域亟需一种新的解决方案.而信息欺骗技术可以有效地增加攻击者的负担,减低其攻击效率,同时为安全管理员提供攻击者的意图和攻击方法等信息.本文提出的利用地址解析协议实现地址空间的欺骗可以有效增加攻击者的攻击难度,并为后续攻击信息的获取提供基础.演示结果证明了该方法的有效性。     

针对Web-mail邮箱的跨站网络钓鱼攻击的研究

客户端脚本植入攻击是近年来攻击者常用的一种攻击手段,给Web应用程序带来了相当大的安全隐患。介绍了跨站脚本攻击和网络钓鱼攻击的原理及防御。分析了两种攻击在获取用户信息时的不全面,从而提出了一种针对Web-mail邮箱的跨站网络钓鱼攻击方法。这种攻击方法结合了跨站脚本攻击和网络钓鱼攻击,不仅能够获取用户邮箱的cookie、账号及密码,而且还可以获取用户的个人相关信息。最后,针对提出的攻击方法给出了防御措施。     

Distributed detection of replica node attacks with group deployment knowledge in wireless sensor networks

Several protocols have been proposed to mitigate the threat against wireless sensor networks due to an attacker finding vulnerable nodes, compromising them, and using these nodes to eavesdrop or undermine the operation of the network. A more dangerous threat that has received less attention, however, is that of replica node attacks, in which the attacker compromises a node, extracts its keying materials, and produces a large number of replicas to be spread throughout the network. Such attack enables the attacker to leverage the compromise of a single node to create widespread effects on the network. To defend against these attacks, we propose distributed detection schemes to identify and revoke replicas. Our schemes are based on the assumption that nodes are deployed in groups, which is realistic for many deployment scenarios. By taking advantage of group deployment knowledge, the proposed schemes perform replica detection in a distributed, efficient, and secure manner. Through analysis and simulation experiments, we show that our schemes achieve effective and robust replica detection capability with substantially lower communication, computational, and storage overheads than prior work in the literature.