Similar articles
 Found 20 similar articles; search took 15 ms
1.
A cyber physical system (CPS) is a complex system that integrates sensing, computation, control and networking into physical processes and objects over the Internet. It plays a key role in modern industry since it connects physical and cyber worlds. In order to meet ever-changing industrial requirements, its structures and functions are constantly improved. Meanwhile, new security issues have arisen. A ubiquitous problem is the fact that cyber attacks can cause significant damage to industrial systems, and thus has gained increasing attention from researchers and practitioners. This paper presents a survey of state-of-the-art results of cyber attacks on cyber physical systems. First, as typical system models are employed to study these systems, time-driven and event-driven systems are reviewed. Then, recent advances on three types of attacks, i.e., those on availability, integrity, and confidentiality are discussed. In particular, the detailed studies on availability and integrity attacks are introduced from the perspective of attackers and defenders. Namely, both attack and defense strategies are discussed based on different system models. Some challenges and open issues are indicated to guide future research and inspire the further exploration of this increasingly important area.

2.
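By analyzing the main strategies and attack methods of six free-riding attacks in BitTorrent networks (BitThief, BitTyrant, Large View exploit, Sybil, claiming to hold file pieces, and connecting only to seeds) and three malicious attacks (publishing fake pieces, non-cooperation, and Eclipse), this paper summarizes the characteristics and commonalities of free-riding and malicious attacks as well as the problems present in BitTorrent, providing a reference for improving the BitTorrent network protocol.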

3.
The new scenarios of malicious attack prompt for their deeper consideration, mainly when critical systems are at stake. In this framework, infrastructural systems, including power systems, represent a possible target due to the huge impact they can have on society. Malicious attacks are different in their nature from other more traditional causes of threats to power systems, since they embed a strategic interaction between the attacker and the defender (characteristics that cannot be found in natural events or systemic failures). This difference has not been systematically analyzed by the existing literature. In this respect, new approaches and tools are needed. This paper presents a mixed-strategy game-theory model able to capture the strategic interactions between malicious agents that may be willing to attack power systems and the system operators, with their related bodies, that are in charge of defending them. At the game equilibrium, the different strategies of the two players, in terms of attacking/protecting the critical elements of the systems, can be obtained. The information about the attack probability to various elements can be used to assess the risk associated with each of them, and the efficiency of defense resource allocation is evidenced in terms of the corresponding risk. Reference defense plans related to the online defense action and the defense action with a time delay can be obtained according to their respective various time constraints. Moreover, risk sensitivity to the defense/attack-resource variation is also analyzed. The model is applied to a standard IEEE RTS-96 test system for illustrative purposes and, on the basis of that system, some peculiar aspects of the malicious attacks are pointed out.

4.
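Targeted network attacks pose a serious threat to cyberspace security and have even become a major form of cyber confrontation between states. This paper argues that targeted network attacks are difficult to avoid and that traditional defense systems centered on identifying and blocking attacks cannot cope well with complex, advanced targeted network attacks; it therefore proposes traceback and attribution as a deterrent means of defense. The paper gives a formal definition and classification of traceback and attribution for targeted network attacks; drawing fully on research results from fields such as cyber deception, it proposes tracing targeted network attacks through a combination of active and passive methods by building network and system environments that combine virtual and real components; it constructs a traceback model for targeted network attacks comprising six layers (network services, host terminals, file data, control channels, behavioral characteristics, and mining analysis) and systematically describes the meaning and main technical means of each layer; based on this model, it establishes an in-depth traceback system organized around "deception environment construction", "multi-source clue extraction", and "clue analysis and mining", to trace targeted network attacks along multiple dimensions; and, combining existing attack models, traceback theory, and typical attribution cases, it demonstrates the effectiveness of the proposed model.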

5.
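Traditional forensic methods for malicious network attacks examine malicious attack behavior incompletely and distinguish the similarity of malicious attack behaviors with low accuracy. To address this, a forensics and early-warning method for malicious attacks on distributed heterogeneous networks is proposed. A CVSS calculator is used to assess the severity level of malicious network attack behavior, and grey relational analysis is used to build a grey relational model that quantifies the assessment factors; on this basis, log, event, alert, and evidence information is collected and processed to build an evidence base. Based on the forensic results, a TOP-K early-warning strategy is used to implement early warning of malicious attacks on distributed heterogeneous networks and storage of the warning information. Experimental results show that the proposed method achieves high recall for malicious attack behavior and high accuracy in distinguishing the similarity of malicious attack behaviors, with a short warning response time; it can not only detect malicious attack behavior accurately but also raise alerts promptly, effectively maintaining the security of distributed heterogeneous networks.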

6.
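Xiao Kun (肖堃). Computer Simulation (计算机仿真), 2020, 37(3): 292-296
To solve the problems of traditional network attack intrusion schemes when carrying out parallel intrusion in malicious network attacks, namely a low attack intrusion success rate, a high failure rate of malicious attack nodes, and long attack intrusion time, an experiment on parallel intrusion in malicious network attacks is proposed. The wormhole attack, an important attack technique in malicious network attacks, and the network structure of parallel intrusion are analyzed; on the basis of antigen signals, the dendritic cell algorithm is used to construct a dissimilarity equation and determine a feature threshold, and the determined feature threshold serves as the basis for the probability of selecting an intrusion path, completing the estimation of parallel intrusion in malicious network attacks. Finally, simulation shows that, compared with traditional schemes, the proposed scheme has a higher attack intrusion success rate, a lower failure rate of malicious attack nodes, and a shorter attack intrusion time, indicating that the proposed scheme achieves a better attack intrusion effect and can provide a good reference for future network defense work.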

7.
8.
In the context of Dolev-Yao style analysis of security protocols, we consider the capability of an intruder to dynamically choose and assign names to agents. This capability has been overlooked in all significant protocol verification frameworks based on formal methods. We identify and classify new type-flaw attacks arising from this capability. Several examples of protocols that are vulnerable to this type of attack are given, including Lowe's modification of KSL. The consequences for automatic verification tools are discussed.

9.
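As a new distributed computing paradigm, mobile agent technology has broad application prospects. In current mobile agent systems, however, the malicious host problem, that is, protecting agents from attacks by malicious hosts, is a very difficult one. To better understand this problem, we propose an attack model (RASPS) based on an abstract machine model. The model helps in devising effective mobile agent protection schemes and can serve as a basis for evaluating different protection schemes. This paper first analyzes the attack behavior of malicious hosts, then proposes an attack model for malicious hosts on that basis, and finally analyzes example attack programs.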

10.
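Starting from relevant theories of the sociology of crime and the actual development of cyberterrorist activity at home and abroad, this paper analyzes the characteristics, forms, and causes of cyberterrorist activity and the challenges facing counter-terrorism work, and proposes countermeasures.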

11.
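A malicious code protection method and its implementation   Total citations: 1 (self-citations: 0, citations by others: 1)
Tang Xiaodong (唐晓东), He Lianyue (何连跃), Luo Jun (罗军). Computer Engineering (计算机工程), 2005, 31(12): 143-145
A malicious code protection method is proposed that restricts how data and executable code from untrusted sources (such as the network and removable disks) can be used and how they can behave, thereby protecting the system. Experimental results show that the method protects not only against known malicious code of all kinds but also effectively against newly emerging malicious code. It is also a real-time malicious code protection method.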

12.
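Host-based detection systems have stronger file detection capability, but because of their overhead their cost is too high; in practice, network-based detection systems therefore have broader application scenarios and can be deployed on more nodes, and improving the detection capability of network malicious code detection systems can more effectively support subsequent malicious code defense. However, although their node devices are numerous, they are relatively low-end and cheaper per unit, and cannot reassemble captured network packets the way host-based detection does; even where they can, it is time-consuming and laborious, processing cannot keep up with network traffic, and large numbers of packets are dropped. It is therefore of great significance if the front-end hosts of the detection system can determine whether a packet is malicious code without reassembling packets. Inspecting the content of single packets without reassembly, and generating alerts for suspicious packets, can significantly strengthen the detection capability of the front-end hosts of a network-based malicious code detection system, allowing anomalies to be detected while a virus is still being planted.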

13.
The purpose of the next internet of things (IoT) is that of making available a myriad of services to people by high sensing intelligent devices capable of reasoning and real time acting. The convergence of IoT and multi-agent systems (MAS) provides the opportunity to benefit from the social attitude of agents in order to perform machine-to-machine (M2M) cooperation among smart entities. However, the selection of reliable partners for cooperation represents a hard task in a mobile and federated context, especially because the trustworthiness of devices is largely unreferenced. The issues discussed above can be synthesized by recalling the well known concept of social resilience in IoT systems, i.e., the capability of an IoT network to resist possible attacks by malicious agents that potentially could infect large areas of the network, spamming unreliable information and/or assuming unfair behaviors. In this sense, social resilience is devoted to facing malicious activities of software agents in their social interactions, and does not deal with the correct working of the sensors and other information devices. In this setting, the use of a reputation model can be a practicable and effective solution to form local communities of agents on the basis of their social capabilities. In this paper, we propose a framework for agents operating in an IoT environment, called ResIoT, where the formation of communities for collaborative purposes is performed on the basis of agent reputation. In order to validate our approach, we performed an experimental campaign by means of a simulated framework, which allowed us to verify that, by our approach, devices have not any economic convenience to perform misleading behaviors. Moreover, further experimental results have shown that our approach is able to detect the nature of the active agents in the systems (i.e., honest and malicious), with an accuracy of not less than 11% compared to the best competitor tested and highlighting a high resilience with respect to some malicious activities.

14.
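With the rapid development of computer technology, natural language processing has become an important direction in computer science and artificial intelligence, and knowledge acquisition from text (KAT) is an important research topic in artificial intelligence. Current text research mostly relies on keywords and machine learning methods, and its accuracy is not high. This paper proposes a semantic-grammar-based method for acquiring knowledge about network attack events from Chinese text. It first introduces a semantic classification and description framework built with reference to FrameNet, which extends and improves on the classification of basic sentence patterns in modern Chinese. Second, it focuses on the design and formation of the "suffering" semantic class, the most common class in attack texts. It then applies the semantic classification and description framework to the "network security" domain to form "network attack semantic classes", and describes the difficulties encountered in building them, including determining event elements in the grammar design, handling compound sentences, analyzing and designing sentence patterns with the "的是" structure, and predicate design. Finally, network attack knowledge is extracted from real data provided by a national security department, and experiments show that the method achieves high accuracy.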

15.
ABSTRACT

This essay discusses the nature of transnational organized crime (TOC) and its activities affecting today's electronic landscape. It is assumed that the reader is familiar with IT-related information security in general, and therefore the technicalities around networks and information systems will be avoided as many papers and books cover these subjects extensively. Most security practitioners are familiar with the technical aspects of IT-related attacks (referred to here as cyber attacks or crimes) but not so with the organization and structure of the groups behind these attacks. We will further explore the origins and evolution of TOC, and how it influences and is influenced by today's omnipresent ‘speed of thought’ digital society.

16.
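To overcome the lag inherent in signature-based virus detection and removal and its ineffectiveness against malicious code variants, a method for detecting malicious code and its variants based on support vector machines and fuzzy inference is proposed. Built on the Radux prototype system, it uses a multi-class classifier to further subdivide malicious programs into viruses, worms, and Trojans, and then applies fuzzy inference to decide whether code is malicious, further raising the detection probability for unknown viruses; the detection rate for existing malicious programs reaches 99.03%, and the detection rate for malicious program variants reaches 93.38%.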

17.
18.
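Return-Oriented Programming (ROP) attacks can bypass traditional defense mechanisms such as DEP and W⊕X. Current ROP attack detection has a high false positive rate and cannot accurately distinguish ROP attacks from normal instruction execution. A ROP attack must execute a system call to complete the attack, the registers must be set to the correct values before the system call executes, and each x86 instruction corresponds to one or more gadgets. Based on these characteristics, an effective binary-level ROP attack detection method is proposed: return instructions are intercepted and used as the starting point for counting gadgets, and before a system call executes, the method checks whether the registers have been modified to values matching the types of its parameters. The method does not rely on heuristic learning and can accurately detect ROP attacks based on stack overflow. A prototype system was implemented with a dynamic instrumentation tool and tested against ROP attacks and normal programs; experimental results show that the system has low false negative and false positive rates and a small performance overhead.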

19.
An operational definition for role-based access control (RBAC) is that permission assignment is based on the role a principal is assuming during a work session. The central underlying concept is thus that IT permissions are assigned to roles rather than directly to users. This level of indirection can provide simpler security administration and finer-grained access control policies.

20.
There is an impedance mismatch between message-passing concurrency and virtual machines, such as the JVM. VMs usually map their threads to heavyweight OS processes. Without a lightweight process abstraction, users are often forced to write parts of concurrent applications in an event-driven style which obscures control flow, and increases the burden on the programmer. In this paper we show how thread-based and event-based programming can be unified under a single actor abstraction. Using advanced abstraction mechanisms of the Scala programming language, we implement our approach on unmodified JVMs. Our programming model integrates well with the threading model of the underlying VM.
