基于分形加权维数的PUE攻击用户检测方法

针对主用户仿冒(PUE)攻击用户非法占用主用户信道而导致认知用户的可用频谱资源降低的问题,以辐射源的指纹特征为基础,定义分形加权维数,刻画通信信号码元包络的脉内起伏特征,提出了一种新的基于辐射源特征提取的PUE攻击检测方法。理论分析和实验结果表明,提出的检测方法能够有效地区分主用户和PUE攻击用户,并在信息安全领域发挥重要作用。     

基于频谱包络特征提取的PUE攻击检测研究

提出一种基于频谱包络特征提取的PUE(Primary User Emulation)攻击检测方法。在论证频谱包络起伏特征可以作为指纹特征提取的基础上,结合曲线拟合,选取特征参数,构建能够明显反映频谱包络起伏特征的向量,通过FCM聚类区分主用户和PUE攻击用户。仿真实验表明,该方法能够有效区分主用户和PUE攻击用户,具有较好的可行性和可靠性。     

基于码元S函数匹配的PUE攻击检测研究

为对主用户(PU)与仿冒主用户(PUE)的辐射源进行有效识别,采用S函数对码元包络上升沿进行曲线拟合及参数提取,提出一种将拟合参数作为辐射源指纹特征进行用户识别的方法。通过模拟构造不同用户的辐射源码元信息,利用S函数模型匹配拟合码元上升沿,提取合适的码元上升沿特征参数构建辐射源指纹特征向量,并采用模糊C均值聚类区分PU与PUE的辐射源。实验结果表明,该方法能快速准确地实现PUE攻击信号的检测,并且可靠性高、运算量小。     

基于码元上升沿特征提取的PUE攻击检测研究

为了有效解决PUE攻击检测问题,提出了一种基于码元上升沿特征提取的PUE攻击检测方法.在论证码元上升沿特征可以作为细微特征提取的基础上,结合统计分析,定义特征加权差,放大不同辐射源的特征差异,并以此构建新的PUE攻击检测方法.该方法运算简单有效,满足认知无线网的实时快速检测要求.仿真实验表明该方法具有较好的可靠性和稳定性.     

基于能量指纹匹配的无线认知网络仿冒主用户攻击检测

频谱感知是无线认知网络有效工作的基础,现有研究主要集中在提高频谱检测的效率,对于如何保证在不可信的网络环境中实现安全可靠的频谱感知还没有理想的解决方案。针对频谱感知过程中存在的一种典型攻击行为一仿冒主用户攻击,提出了一种基于能量指纹匹配的检测方案。认知用户利用自身的位置分布特征,使用能量检测生成主用户的能量指纹,以此作为节点的身份标识,分析不同用户对频谱资源的使用方式,最终实现对仿冒行为的检测。理论分析以及模拟测试表明,该方案在误检概率较低的前提下,可以有效地检测仿冒攻击行为,提高频谱感知的准确率。     

基于二维特征的认知无线电仿冒授权用户检测

针对认知无线电网络中传统方法信号特征检测性能较弱的问题,提出一种基于二维特征的信号检测方法,并将其用于仿冒授权用户检测。在传统决策理论的基础上,给出一种新的决策参数:零中心归一化瞬时能量绝对值的平均值,将其与盒维数构成一个二维特征参数矢量,作为支持向量机分类器的输入进行信号识别,判断仿冒授权用户攻击是否存在。仿真结果表明,在信噪比达到5 dB时,该算法能完全判别仿冒授权用户攻击是否存在。即使在信噪比为0的环境中,也能在保证对合法授权用户干扰很小的前提下,以较高的概率检测出仿冒授权用户攻击,具有较强的抗噪性能。     

基于深度自动编码器的托攻击集成检测方法

在采用协同过滤技术的推荐系统中,恶意用户通过注入大量虚假概貌使系统的推荐结果产生偏离,达到其攻击目的。为了检测托攻击,根据用户的评分值或基于攻击时间的集中性假设,从不同视角提取攻击概貌的特征。但是,这些基于人工特征的检测方法严重依赖于特征工程的质量,而且人工提取的检测特征多限于特定类型的攻击,提取特征也需要较高的知识成本。针对这些问题,从用户评分项目的时间偏好信息入手,提出一种利用深度稀疏自动编码器自动提取检测特征的托攻击集成检测方法。利用小波变换将项目在不同时间间隔内的流行度设定为多个等级,对用户的评分数据预处理得到用户-项目时间流行度等级矩阵。然后,采用深度稀疏自动编码器对用户-项目时间流行度等级矩阵自动进行特征提取,得到用户评分模式的低层特征表达,消除了传统的人工特征工程。以SVM作为基分类器,在深度稀疏自动编码器的每层提取特征并进行攻击检测,生成最终的集成检测结果。在Netflix数据集上的实验表明,提出的检测方法对均值攻击、AoP攻击、偏移攻击、高级项目攻击、高级用户攻击具有较好的检测效果。     

基于非负矩阵分解的托攻击检测算法

针对现有的无监督检测算法对正常用户误检率较高的问题,提出了一种基于矩阵分解的托攻击检测算法。对评分矩阵采用非负矩阵分解技术提取出用户的特征。采用K-means聚类方法对提取出的用户特征聚类,得到初始正常用户集和初始托用户集。利用初始正常用户集的特征对初始托用户集进行二次分类,进一步提高托攻击用户检测的准确率。实验结果表明,所提出的检测算法与其他检测算法相比较能够更有效地检测出托攻击。     

基于信道特征防御认知无线电网络中模仿主用户攻击策略

针对认知无线电网络中模仿主用户攻击,本文提出一种基于信道特征防御攻击策略。由于用户地理位置不同,信道冲激响应差别较大,可作为检测用户身份的特征。利用信道相干时间内,冲激响应基本不变原理,在信号周期小于相干时间的条件下,提取发送信号的冲激响应。通过冲激响应互相关系数检测发送方与主用户的相关性,从而判断发送方是否为主用户。实验结果表明,该策略能有效分辨主用户和攻击者,防御攻击性能较好。     

高斯函数在显著图像特征提取中的应用仿真

不同图像具有不同的特征和结构,为了更好分析和识别图像信息,提高特征分类精度,提出了基于高斯函数的显著图像特征提取方法。利用指数函数法感知显著图像轮廓边界,将图像变换到含有明暗信息的色彩空间,并锐化算子,判断抑制或增强范围,筛选出显著图像的信息。按照不同的目标函数计算映射矩阵,保留原空间数据点的局部信息,赋予最佳限制条件,提取显著图像的局部特征,结合高斯函数估算协方差矩阵获得高斯特征,完成全局特征提取。通过实验证明,所提方法对三个数据集的识别准确率在85%以上,且特征提取效果好,纹理细节清晰,保证图像信息完整。     

Cooperative detection of primary user emulation attacks in CRNs

Cognitive radio networks (CRNs) can improve the utilization of the spectrum by making use of licensed spectrum in an opportunistic manner. With such purpose, coexistence mechanisms among CRN nodes or secondary users and legitimate users of the spectrum or primary users are defined. However, due to the particular features of CRNs, new security threats arise, such as the primary user emulation (PUE) attack, which is the most challenging among all. With the aim of detecting such kind of attacks, in this paper we propose a cooperative localization method specifically suited to CRNs which relies on TDoA measurements and Taylor-series estimations. Simulations results show the goodness of the proposed method and its suitability to typical CRN scenarios.     

基于评分离散度的托攻击检测算法

检测托攻击的本质是对真实用户和虚假用户进行分类,现有的检测算法对于具有选择项的流行攻击、段攻击等攻击方式的检测鲁棒性较差。针对这一问题,通过分析真实用户和虚假用户的评分分布情况,结合ID3决策树提出基于用户评分离散度的托攻击检测Dispersion-C算法。算法通过用户评分极端评分比、去极端评分方差和用户评分标准差3个特征衡量用户评分离散度,并将其作为ID3决策树算法的分类特征,根据不同特征的信息增益选择特征作为分类属性,训练分类器。实验结果表明,Dispersion-C算法对各类托攻击均有良好的检测效果,具有较好的鲁棒性。     

基于流谱理论的SSL/TLS协议攻击检测方法

网络攻击检测在网络安全中扮演着重要角色。网络攻击检测的对象主要为僵尸网络、SQL注入等攻击行为。随着安全套接层/安全传输层（SSL/TLS）加密协议的广泛使用,针对SSL/TLS协议本身发起的SSL/TLS攻击日益增多,因此通过搭建网络流采集环境,构建了包含4种SSL/TLS攻击网络流与正常网络流的网络流数据集。针对当前网络攻击流检测的可观测性有限、网络流原始时空域分离性有限等问题,提出流谱理论,将网络空间中的威胁行为通过“势变”过程从原始时空域空间映射到变换域空间,具象为“势变谱”,形成可分离、可观测的特征表示集合,实现对网络流的高效分析。流谱理论在实际网络空间威胁行为检测中的应用关键是在给定变换算子的情况下,针对特定威胁网络流找到势变基底矩阵。由于SSL/TLS协议在握手阶段存在着强时序关系与状态转移过程,同时部分SSL/TLS攻击间存在相似性,因此对于SSL/TLS攻击的检测不仅需要考虑时序上下文信息,还需要考虑对SSL/TLS网络流的高分离度的表示。基于流谱理论,采用威胁模板思想提取势变基底矩阵,使用基于长短时记忆单元的势变基底映射,将SSL/TLS攻击网络流映射到流谱域空间。...     

On detecting primary user emulation attack using channel impulse response in the cognitive radio network

Cognitive radio is an effective technology to alleviate the spectrum resource scarcity problem by opportunistically allocating the spare spectrum to unauthorized users. However, a serious denial-of-service (DoS) attack, named the ‘primary user emulation attack (PUEA)’, exists in the network to deteriorate the system performance. In this paper, we propose a PUEA detection method that exploits the radio channel information to detect the PUEA in the cognitive radio network. In the proposed method, the uniqueness of the channel impulse response (CIR) between the secondary user (SU) and the signal source is used to determine whether the received signal is transmitted by the primary user (PU) or the primary user emulator (PUE). The closed-form expressions for the false-alarm probability and the detection probability of the proposed PUEA detection method are derived. In addition, a modified subspace-based blind channel estimation method is presented to estimate the CIR, in order for the proposed PUEA detection method to work in the scenario where the SU has no prior knowledge about the structure and content of the PU signal. Numerical results show that the proposed PUEA detection method performs well although the difference in channel characteristics between the PU and PUE is small.     

基于混合深度学习的多类型低速率DDoS攻击检测方法

低速率分布式拒绝服务攻击针对网络协议自适应机制中的漏洞实施攻击,对网络服务质量造成了巨大威胁,具有隐蔽性强、攻击速率低和周期性的特点。现有检测方法存在检测类型单一和识别精度低的问题,因此提出了一种基于混合深度学习的多类型低速率DDo S攻击检测方法。模拟不同类型的低速率DDo S攻击和5G环境下不同场景的正常流量,在网络入口处收集流量并提取其流特征信息,得到多类型低速率DDo S攻击数据集;从统计阈值和特征工程的角度,分别分析了不同类型低速率DDo S攻击的特征,得到了40维的低速率DDo S攻击有效特征集;基于该有效特征集采用CNN-RF混合深度学习算法进行离线训练,并对比该算法与LSTM-Light GBM和LSTM-RF算法的性能;在网关处部署CNN-RF检测模型,实现了多类型低速率DDo S攻击的在线检测,并使用新定义的错误拦截率和恶意流量检测率指标进行了性能评估。结果显示,在120 s的时间窗口下,所提方法能够在线检测出4种类型的低速率DDo S攻击,包括Slow Headers攻击、Slow Body攻击、SlowRead攻击和Shrew攻击,错误拦截率达到11.03%,恶...     

面向不平衡样本的物联网入侵检测方法

随着设备的迭代,网络流量呈现指数级别的增长,针对各种应用的攻击行为越来越多,从流量层面识别并对这些攻击流量进行分类具有重要意义。同时,随着物联网设备的激增,针对这些设备的攻击行为也逐渐增多,造成的危害也越来越大。物联网入侵检测方法可以从这些海量的流量中识别出攻击流量,从流量层面保护物联网设备,阻断攻击行为。针对现阶段各类攻击流量检测准确率低以及样本不平衡问题,提出了基于重采样随机森林（RF,random forest）的入侵检测模型——Resample-RF,共包含3种具体算法：最优样本选择算法、基于信息熵的特征归并算法、多分类贪心转化算法。在物联网环境中,针对不平衡样本问题,提出最优样本选择算法,增加小样本所占权重,从而提高模型准确率;针对随机森林特征分裂效率不高的问题,提出基于信息熵的特征归并算法,提高模型运行效率;针对随机森林多分类精度不高的问题,提出多分类贪心转化算法,进一步提高准确率。在两个公开数据集上进行模型的检验,在 IoT-23 数据集上 F1 达到0.99,在Kaggle数据集上F1达到1.0,均具有显著效果。从实验结果中可知,提出的模型具有非常好的效果,能从海量流量中有效识别出攻击流量,较好地防范黑客对应用的攻击,保护物联网设备,从而保护用户。     

DoS Attack Detection Based on Deep Factorization Machine in SDN

Software-Defined Network (SDN) decouples the control plane of network devices from the data plane. While alleviating the problems presented in traditional network architectures, it also brings potential security risks, particularly network Denial-of-Service (DoS) attacks. While many research efforts have been devoted to identifying new features for DoS attack detection, detection methods are less accurate in detecting DoS attacks against client hosts due to the high stealth of such attacks. To solve this problem, a new method of DoS attack detection based on Deep Factorization Machine (DeepFM) is proposed in SDN. Firstly, we select the Growth Rate of Max Matched Packets (GRMMP) in SDN as detection feature. Then, the DeepFM algorithm is used to extract features from flow rules and classify them into dense and discrete features to detect DoS attacks. After training, the model can be used to infer whether SDN is under DoS attacks, and a DeepFM-based detection method for DoS attacks against client host is implemented. Simulation results show that our method can effectively detect DoS attacks in SDN. Compared with the K-Nearest Neighbor (K-NN), Artificial Neural Network (ANN) models, Support Vector Machine (SVM) and Random Forest models, our proposed method outperforms in accuracy, precision and F1 values.     

Distributed Denial of Service (DDoS) detection by traffic pattern analysis

In this paper, we propose a behavior-based detection that can discriminate Distributed Denial of Service (DDoS) attack traffic from legitimated traffic regardless to various types of the attack packets and methods. Current DDoS attacks are carried out by attack tools, worms and botnets using different packet-transmission rates and packet forms to beat defense systems. These various attack strategies lead to defense systems requiring various detection methods in order to identify the attacks. Moreover, DDoS attacks can craft the traffics like flash crowd events and fly under the radar through the victim. We notice that DDoS attacks have features of repeatable patterns which are different from legitimate flash crowd traffics. In this paper, we propose a comparable detection methods based on the Pearson’s correlation coefficient. Our methods can extract the repeatable features from the packet arrivals in the DDoS traffics but not in flash crowd traffics. The extensive simulations were tested for the optimization of the detection methods. We then performed experiments with several datasets and our results affirm that the proposed methods can differentiate DDoS attacks from legitimate traffics.     

Physiological-physical feature fusion for automatic voice spoofing detection

Biometric speech recognition systems are often subject to various spoofing attacks, the most common of which are speech synthesis and speech conversion attacks. These spoofing attacks can cause the biometric speech recognition system to incorrectly accept these spoofing attacks, which can compromise the security of this system. Researchers have made many efforts to address this problem, and the existing studies have used the physical features of speech to identify spoofing attacks. However, recent studies have shown that speech contains a large number of physiological features related to the human face. For example, we can determine the speaker’s gender, age, mouth shape, and other information by voice. Inspired by the above researches, we propose a spoofing attack recognition method based on physiological-physical features fusion. This method involves feature extraction, a densely connected convolutional neural network with squeeze and excitation block (SE-DenseNet), and feature fusion strategies. We first extract physiological features in audio from a pre-trained convolutional network. Then we use SE-DenseNet to extract physical features. Such a dense connection pattern has high parameter efficiency, and squeeze and excitation blocks can enhance the transmission of the feature. Finally, we integrate the two features into the classification network to identify the spoofing attacks. Experimental results on the ASVspoof 2019 data set show that our model is effective for voice spoofing detection. In the logical access scenario, our model improves the tandem decision cost function and equal error rate scores by 5% and 7%, respectively, compared to existing methods.