Similar Literature
20 similar documents found (search time: 15 ms)
1.
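Intrusion detection is a new technology in the network security field, but it is still immature, and many attack methods exploit its weaknesses. Among them, the small IP packet attack exploits the fact that Windows and Linux handle packets with overlapping data differently. This paper proposes an intrusion detection method for small IP packet attacks and carries out experiments with the Snort tool, making Snort and the protected host handle packets with overlapping data in the same way, which markedly reduces the number of Snort false positives and false negatives and provides a useful reference for achieving network security.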

2.
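With the continued development of the Internet of Things and autonomous systems, the cyber security of cyber-physical systems has attracted much attention. An unmanned aerial vehicle (UAV) is a typical intelligent device that relies on communication and control systems to fly autonomously, and its security is particularly prominent. For the UAV state estimation algorithm, considering data attacks on its sensors and control commands, this paper proposes an innovation-sequence state estimation detection method based on the extended Kalman filter. First, a cyber-physical model of the UAV is established, and the state estimation algorithm and the data attack model are introduced. Then, the innovation sequence is used to construct a scalar detection statistic for data attack detection, and a negative infinity norm is introduced to handle state jumps caused by aircraft maneuvers, so as to reduce the false detection rate of data attack detection. Finally, simulation experiments verify that the proposed detection method can effectively detect data attacks on the unmanned control system under different threat modes and states.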

3.
Cyber-physical systems (CPSs) are integrations of computation, communication, control and physical processes. Typical examples where CPSs are deployed include smart grids, civil infrastructure, medical devices and manufacturing. Security is one of the most important issues that should be investigated in CPSs and hence has received much attention in recent years. This paper surveys recent results in this area and mainly focusses on three important categories: attack detection, attack design and secure estimation and control. We also discuss several future research directions including risk assessment, modeling of attacks and attacks design, counter-attack strategy and testbed and validation.

4.
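Cyber-physical systems (CPS) are intelligent systems that integrate computation, communication and control, achieving deep cooperation and organic fusion of the cyber and physical worlds. CPS now play an increasingly important role in critical infrastructure, government agencies and other areas. Because of physical constraints, security vulnerabilities arising from computers and networks can cause enormous damage to CPS and trigger chain reactions such as economic losses and social unrest, so studying CPS security is of great importance for ensuring safe system operation. Drawing on the state of research in China and abroad, this paper gives an overview of recent progress in CPS secure control and attack detection. First, it summarizes typical CPS system models to meet the needs of system performance analysis. It then introduces three typical cyber attacks, namely denial-of-service attacks, replay attacks and deception attacks. The development of CPS attack detection is outlined according to the category of detection method. Secure control and state estimation of the system are also discussed. Finally, the challenges facing CPS cyber security and future research directions are summarized and discussed.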

5.
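To address the difficulty of detecting large-scale network attacks on the Internet, a gated memory network detection method is proposed that combines word-vector feature representation with recurrent neural networks. The method first converts network request data into a sequence of low-dimensional real-valued vectors, then uses the long-term memory capability of a gated recurrent neural network to extract features of the request data, and finally uses a logistic regression classifier to detect network attacks automatically. On the public CSIC2010 dataset it achieves a 10-fold cross-validation F1 score of 98.5%, a considerable improvement in the accuracy and recall of network attack detection compared with traditional methods. The proposed method can detect network attacks automatically and has good detection performance.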

6.
In today's Smart Grid, the power Distribution System Operator (DSO) uses real-time measurement data from the Advanced Metering Infrastructure (AMI) for efficient, accurate and advanced monitoring and control. Smart Grids are vulnerable to sophisticated data integrity attacks like the False Data Injection (FDI) attack on the AMI sensors that produce misleading operational decision of the power system (Liu et al., 2011 [1]). Presently, there is a lack of research in the area of power system analysis that relates the FDI attacks with system stability that is important for both analysis of the effect of cyber-attack and for taking preventive measures of protection. In this paper, we study the physical characteristics of the power system, and draw a relationship between the system stability indices and the FDI attacks. We identify the level of vulnerabilities of each AMI node in terms of different degrees of FDI attacks. In order to obtain the interdependent relationship of different nodes, we implement an improved Constriction Factor Particle Swarm Optimization (CF-PSO) based hybrid clustering technique to group the nodes into the most, the moderate and the least vulnerable clusters. With extensive experiments and analysis using two benchmark test systems, we show that the nodes in the most vulnerable cluster exhibit higher likelihood of de-stabilizing system operation compared to other nodes. Complementing research is the construction of FDI attacks and their countermeasures, this paper focuses on the understanding of characteristics and practical effect of FDI attacks on the operation of the Smart Grid by analysing the interdependent nature of its physical properties.

7.
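An adaptive real-time data distribution mechanism for the Internet of Things   Total citations: 1, self-citations: 0, citations by others: 1
To address the shortcomings of data distribution mechanisms in Internet of Things systems, a new adaptive real-time data distribution mechanism (ARTDDM) is proposed. Built on the publish/subscribe model, it combines two mechanisms to provide timely and reliable data transmission. First, a semantic-aware communication mechanism reduces computation and communication overhead, so that subscribers can access data in a timely manner even when the network is slow or unstable. Second, feedforward-feedback control is added to the system so that, as the network load changes, the system adaptively and dynamically adjusts the precision of the sensor model to guarantee quality of service. Simulation results show that ARTDDM not only greatly improves data transmission efficiency and reliability but also adapts well to variable network load.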

8.
Recommender systems are emerging techniques guiding individuals with provided referrals by considering their past rating behaviors. By collecting multi-criteria preferences concentrating on distinguishing perspectives of the items, a new extension of traditional recommenders, multi-criteria recommender systems reveal how much a user likes an item and why the user likes it; thus, they can improve predictive accuracy. However, these systems might be more vulnerable to malicious attacks than traditional ones, as they expose multiple dimensions of user opinions on items. Attackers might try to inject fake profiles into these systems to skew the recommendation results in favor of some particular items or to bring the system into discredit. Although several methods exist to defend systems against such attacks for traditional recommenders, achieving robust systems by capturing shill profiles remains elusive for multi-criteria rating-based ones. Therefore, in this study, we first consider a prominent and novel attack type, that is, the power-item attack model, and introduce its four distinct variants adapted for multi-criteria data collections. Then, we propose a classification method detecting shill profiles based on various generic and model-based user attributes, most of which are new features usually related to item popularity and distribution of rating values. The experiments conducted on three benchmark datasets conclude that the proposed method successfully detects attack profiles from genuine users even with a small selected size and attack size. The empirical outcomes also demonstrate that item popularity and user characteristics based on their rating profiles are highly beneficial features in capturing shilling attack profiles.

9.

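Power physical networks are optimized and regulated by building an information network on top of them, forming a cyber-physical system that enables optimal control of large-scale distributed systems. The accompanying problem is that threats from the information network, such as viruses, hacker intrusions and denial of service, lead to malicious damage to the physical system. In view of this, on the premise that attacks are detectable, a distributed dynamic model of the power system under attack signals is established, and a dynamic state estimator is designed to detect the attacked signals and estimate the original signals. Finally, simulation experiments on a 3-machine 9-bus distributed power grid system verify the effectiveness of the designed state estimator for data attack detection.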

10.
Detecting SQL injection attacks (SQLIAs) is becoming increasingly important in database-driven web sites. Until now, most of the studies on SQLIA detection have focused on the structured query language (SQL) structure at the application level. Unfortunately, this approach inevitably fails to detect those attacks that use already stored procedure and data within the database system. In this paper, we propose a framework to detect SQLIAs at database level by using SVM classification and various kernel functions. The key issue of SQLIA detection framework is how to represent the internal query tree collected from database log suitable for SVM classification algorithm in order to acquire good performance in detecting SQLIAs. To solve the issue, we first propose a novel method to convert the query tree into an n-dimensional feature vector by using a multi-dimensional sequence as an intermediate representation. The reason that it is difficult to directly convert the query tree into an n-dimensional feature vector is the complexity and variability of the query tree structure. Second, we propose a method to extract the syntactic features, as well as the semantic features when generating feature vector. Third, we propose a method to transform string feature values into numeric feature values, combining multiple statistical models. The combined model maps one string value to one numeric value by containing the multiple characteristic of each string value. In order to demonstrate the feasibility of our proposals in practical environments, we implement the SQLIA detection system based on PostgreSQL, a popular open source database system, and we perform experiments. 
The experimental results using the internal query trees of PostgreSQL validate that our proposal is effective in detecting SQLIAs, with at least 99.6% of the probability that the probability for malicious queries to be correctly predicted as SQLIA is greater than the probability for normal queries to be incorrectly predicted as SQLIA. Finally, we perform additional experiments to compare our proposal with syntax-focused feature extraction and single statistical model based on feature transformation. The experimental results show that our proposal significantly increases the probability of correctly detecting SQLIAs for various SQL statements, when compared to the previous methods.

11.
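To make industrial cyber-physical systems (ICPS) withstand data injection attacks, this paper studies an event-triggered resilient control strategy, using adaptive event triggering to reduce communication resources and building an attack estimator to reduce the impact of attacks on system performance. The estimator parameters are derived from an H∞ asymptotic stability criterion, and a Lyapunov-Krasovskii function is used to derive the quantitative relationship among event triggering, data injection attacks, network delay and the resilient controller. Taking a two-degree-of-freedom series mass-spring-damper system as the controlled plant, MATLAB simulation verifies the performance of the adaptive event-triggered ICPS under data injection attacks; the results show that the adopted strategy guarantees system stability and effectively reduces communication resources.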

12.
Most scenarios emerging from the Industry 4.0 paradigm rely on the concept of cyber-physical production systems (CPPS), which allow them to synergistically connect physical to digital setups so as to integrate them over all stages of product development. Unfortunately, endowing CPPS with AI-based functionalities poses its own challenges: although advances in the performance of AI models keep blossoming in the community, their penetration in real-world industrial solutions has not so far developed at the same pace. Currently, 90% of AI-based models never reach production due to a manifold of assorted reasons not only related to complexity and performance: decisions issued by AI-based systems must be explained, understood and trusted by their end users. This study elaborates on a novel tool designed to characterize, in a non-supervised, human-understandable fashion, the nominal performance of a factory in terms of production and energy consumption. The traceability and analysis of energy consumption data traces and the monitoring of the factory's production permit to detect anomalies and inefficiencies in the working regime of the overall factory. By virtue of the transparency of the detection process, the proposed approach elicits understandable information about the root cause from the perspective of the production line, process and/or machine that generates the identified inefficiency. This methodology allows for the identification of the machines and/or processes that cause energy inefficiencies in the manufacturing system, and enables significant energy consumption savings by acting on these elements. We assess the performance of our designed method over a real-world case study from the automotive sector, comparing it to an extensive benchmark comprising state-of-the-art unsupervised and semi-supervised anomaly detection algorithms, from classical algorithms to modern generative neural counterparts. 
The superior quantitative results attained by our proposal complement its better interpretability with respect to the rest of algorithms in the comparison, which emphasizes the utmost relevance of considering the available domain knowledge and the target audience when designing AI-based industrial solutions of practical value. Finally, the work described in this paper has been successfully deployed on a large scale in several industrial factories with significant international projection.

13.
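Research on an intelligent algorithm for mining public network attack data   Total citations: 3, self-citations: 2, citations by others: 3
The openness and self-organizing nature of public networks make them vulnerable to virus interference and intrusion attacks, and accurate, efficient mining of attack data can ensure network security. Traditional methods mine attack data by clustering time-frequency directional beam features, and the probability of accurately mining attack data is low when the signal-to-noise ratio is low. An intelligent algorithm for mining public network attack data based on adaptive filtering detection and time-frequency feature extraction is proposed. First, signal fitting and time-series analysis are performed on the public network attack data; adaptive filtering detection is applied to the noisy fitted attack-data signal to improve signal purity, and time-frequency features are extracted from the filter output to achieve accurate mining of attack data. Simulation results show that, when the algorithm is used for network attack data mining, it detects attack data features with high accuracy, suppresses interference strongly, and can effectively achieve network security defense.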

14.
This work studies output-feedback resilient tracking control problems in cyber-physical systems (CPSs) with false data injection attacks via closed-loop model-reference adaptive control (MRAC) techniques. The control input signals in CPSs, directly and indirectly influenced by sensor and actuator false data injection attacks, could degrade the system's control performance seriously. Then a virtual closed-loop reference model is used as a mediator between the open-loop reference and actual systems to improve the ability to suppress attacks, and by the MRAC techniques, a novel adaptive output-feedback resilient tracking control scheme is proposed to ensure the reliability of the attacked systems. Different from the existing results, (a) the new one is with an adaptive attack compensator in a time-varying gain output-feedback form, which can automatically eliminate the impact of matched attacks by online adjusting the gain; and (b) the $L_2$-gain rejection property of mismatched attacks is achieved by the virtual closed-loop reference. Finally, an illustrative example validates the developed method.

15.
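False data injection attacks are a serious threat to wireless sensor networks. Because most false data filtering schemes do not consider node identity attacks or the capture of intermediate nodes by attackers, a false data filtering scheme resistant to node identity attacks is proposed. The scheme not only verifies and filters forwarded data during forwarding, but also verifies the identities of the nodes that cooperatively generate the sensed data. Security analysis and performance evaluation show that the scheme not only resists a variety of attacks but also has a clear advantage over other schemes in storage overhead, and that its false data filtering capability and energy savings increase significantly as the number of hops over which a packet is forwarded grows.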

16.
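The permission mechanism is the core of the Android security mechanism. Based on an analysis of the principles of privilege escalation attacks, a privilege escalation attack detection scheme is presented. It makes full use of the characteristics of permission passing and communication connections between components and is implemented both dynamically and statically; the defect-based detection rate reaches 78.7%, and the component-based detection rate also exceeds 50%. Experimental results show that the method can effectively detect privilege escalation attacks and offers a feasible way to address the reliability of privilege escalation attack detection models.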

17.
Fault detection via factorization approach   Total citations: 5, self-citations: 0, citations by others: 5
Problems of designing fault detection and identification filters in the frequency domain are formulated and solved. Using the factorization approach a characterization of all fault detection filters is derived. This enables the derivation of necessary and sufficient conditions for the existence of fault identification as well as detection and isolation filters. It is shown that these conditions are a generalization of existing results. The formulas of constructing the filters are also derived. In comparison with the algorithms given in previous work they are computationally straightforward and simple. Finally, the proposed method for designing fault identification filters is extended so that more practical cases can be handled.

18.
Set-membership (SM) estimation implies that the computed solution sets are guaranteed to contain all the feasible estimates consistent with the bounds specified in the model. Two issues often involved in the solution of SM estimation problems and their application to engineering case studies are considered in this paper. The first one is the estimation of derivatives from noisy signals, which in a bounded uncertainty framework means obtaining an enclosure by lower and upper bounds. In this paper, we improve existing methods for enclosing derivatives using Higher-Order Sliding Modes (HOSM) differentiators combining filtering. Our approach turns the use of high order derivatives more efficiently especially when the signal to differentiate has slow dynamics. The second issue of interest is solving linear interval equation systems, which is often an ill-conditioned problem. This problem is reformulated as a Constraint Satisfaction Problem and solved by the combination of the constraint propagation Forward Backward algorithm and the SIVIA algorithm. The two proposed methods are tested on illustrative examples. The two methods are then used in a fault detection and isolation algorithm based on SM parameter estimation that is applied to detect abnormal parameter values in a biological case study.

19.
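Network intrusion detection systems (IDS) are an effective means of safeguarding network security, but current intrusion detection systems still cannot effectively identify novel attacks. Based on the latest graph data mining theory from China and abroad, a characteristic subgraph mining algorithm is designed and applied to an intrusion detection system. The algorithm mines normal characteristic substructures, and substructures that deviate from them are anomalous. Experimental results show that the system achieves a high detection rate in identifying novel attacks.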

20.
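Analysis, detection and prevention techniques for DDOS attacks   Total citations: 5, self-citations: 0, citations by others: 5
This paper surveys the architecture of DDOS attack methods and analyzes in depth the working principles of DDOS and actual attack tools. To further strengthen network security, and based on the process and characteristics of DDOS attacks, it puts forward several DDOS detection models and technical means of defending against DDOS attacks.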
