Chunhe Xia
Beihang University
Publication
Featured research published by Chunhe Xia.
computer science and software engineering | 2008
Wei He; Chunhe Xia; Haiquan Wang; Cheng Zhang; Yi Ji
How to quantify the threat probability in network security risk assessment is an important problem to be solved. Most of the existing methods tend to consider the attacker and defender separately. However, the decision to perform the attack is a trade-off between the gain from a successful attack and the possible consequences of detection; meanwhile, the defender's security strategy depends mostly on the knowledge of the intentions of the attacker. Therefore, ignoring the connections between the attacker's and defender's decisions does not correspond to reality. Game theory is the study of the ways in which strategic interactions among rational players produce outcomes with respect to the utilities of those players. In this paper, a novel game theoretical attack-defense model (GTADM) which quantifies the probability of threats is proposed in order to construct a risk assessment framework. According to the cost-benefit analysis, we define the method of formulating the payoff matrix; the equilibrium of the model is also analyzed. In the end, a simple scenario is presented to illustrate the usage of GTADM in the risk assessment framework to show its efficiency.
international conference on future generation communication and networking | 2008
Wei He; Chunhe Xia; Cheng Zhang; Yi Ji; Xinyi Ma
Network security risk assessment depends on the prediction of the attacker's behavioral decision. In the computer network attack and defense area, this kind of decision is the optimal judgment for attackers and defenders themselves in consideration of the opponents' strategy spaces. Thus, the attack and defense behavior can be seen as a game process. In this paper, we studied how to bring game theory into the research area of network security risk assessment. First, we analyze the concept and the process of risk assessment to find the combining point where game theory can be used in network security risk assessment. Then we present a risk assessment framework based on game theory, and set up a risk assessment system using this framework. We emphatically introduce GTADM (game theoretical attack-defense model) and HRCM (hierarchical risk computing model) in the system, and provide detailed analysis and specification by a scenario.
Journal of Software Engineering and Applications | 2008
Nan Li; Chunhe Xia; Yi Yang; Haiquan Wang
This paper presents a new algorithm for generation of attack signatures based on sequence alignment. The algorithm is composed of two parts: a local alignment algorithm, GASBSLA (Generation of Attack Signatures Based on Sequence Local Alignment), and a multi-sequence alignment algorithm, TGMSA (Tri-stage Gradual Multi-Sequence Alignment). With the inspiration of sequence alignment used in Bioinformatics, GASBSLA replaces global alignment and the constant weight penalty model by local alignment and the affine penalty model to improve the generality of attack signatures. TGMSA presents a new pruning policy to make the algorithm more insensitive to noise in the generation of attack signatures. In this paper, GASBSLA and TGMSA are described in detail and validated by experiments.
international conference on educational and information technology | 2010
Pengxiu Zhang; Haiquan Wang; Chunhe Xia; Liangshuang Lv; Xiaodong Liu
Delay Tolerant Mobile Networks (DTMNs) focus on scenarios where most of the time contemporaneous end-to-end paths between source and destination do not exist, and mobility should be explored for message delivery. Ant colony optimization is based on reinforcement learning and is adaptive. In this paper, we propose ACRP: an Ant-Colony-based Routing Protocol for DTMNs. In the protocol, the forward ants and backward ants establish the pheromone trail; the data ants make forwarding decision according to the probability function composing both the pheromone and the heuristic information. We present simulation results measuring the performance of ACRP and compare it with other well-known routing protocols.
China Communications | 2014
Xiaoyan Liang; Chunhe Xia; Jian Jiao; Junshun Hu; Xiaojian Li
The global view of firewall policy conflict is important for administrators to optimize the policy. There has been a lack of appropriate global firewall policy conflict analysis; existing methods focus on local conflict detection. We research the global conflict detection algorithm in this paper. We presented a semantic model that captures more complete classifications of the policy using the knowledge concept in rough set theory. Based on this model, we presented the global conflict formal model, and represent it with OBDD (Ordered Binary Decision Diagram). Then we developed the GFPCDA (Global Firewall Policy Conflict Detection Algorithm) algorithm to detect global conflict. In the experiment, we evaluated the usability of our semantic model by eliminating the false positives and false negatives of a classical algorithm caused by an incomplete policy semantic model. We compared this algorithm with the GFPCDA algorithm. The results show that GFPCDA detects conflicts more precisely and independently, and has better performance.
2014 Ninth International Conference on P2P, Parallel, Grid, Cloud and Internet Computing | 2014
Xueqiu; Qiong Jia; Shuguang Wang; Chunhe Xia; Liangshuang Lv
A penetration graph is a kind of attack graph which is widely used in penetration testing. It is an important tool to analyze security vulnerabilities in the network. However, the previous research on the generation methods of penetration graphs has met a lot of challenges. Some methods are out of date and not applicable to practical scenarios, some may possibly leave out important attack paths, some do not consider the probability of exploitation of each attack path and some failed to solve the problem of circular paths and combined exploitation. We propose an automatic generation algorithm for penetration graphs that optimizes the network topology before generating the penetration graph, which can reduce redundant information effectively. We combine the penetration graph generation method with the CVSS (Common Vulnerability Scoring System) information, which increases the reliability of each attack path. Experiment results show that the method can generate multiple paths correctly and effectively, which can clearly show the structure of the network, facilitates the testers' analysis of the target network, and provides a reference for executing penetration testing.
international conference on educational and information technology | 2010
Junfeng Duan; Jian Jiao; Chunhe Xia; Shan Yao; Xiaojian Li
Peer-to-peer (P2P) botnets, which are more resilient and robust than centralized botnets, have emerged as peer-to-peer technology evolves. Better understanding of this new phenomenon will help researchers develop detection and mitigation methods. Most existing work consists of case studies of typical P2P botnets. In this paper, we focus on systematically analyzing the structures of P2P botnets. We propose a descriptive model of P2P botnet structures, which consists of features of the P2P bot, definitions of structures, and structural properties. Firstly, we detail two key functionalities of the P2P bot, command-and-control (C&C) functionality and peer-to-peer (P2P) functionality, and give several features of the P2P bot. Then, we define two structures of P2P botnets: the C&C structure and the P2P structure. To characterize these structures, we propose several properties and corresponding quantitative methods. Finally, we conduct experiments to verify our results.
ICoC | 2013
Xiaoyan Liang; Liangshuang Lv; Chunhe Xia; Yang Luo; Yazhuo Li
Conflict detection is an important issue of the Access Control Policy. Most conflict detection tools mainly focus on the two rules that have contrary actions, but there are also other rules which are necessary to the conflict situation, which are not considered in these tools. This paper defines all these rules related to the conflict situation as the concept "conflict-related rules", and gives a conflict-related rules detection tool for Access Control Policy which can report the conflict situation more comprehensively. By giving the semantic model of the access control policy and the definition of conflict, we prove the necessary and sufficient condition of conflict, and then give the concept of "conflict-related rules" and deduce its extension. We implement the conflict-related rules detection tool based on description logic, and the experiment results validate the tool's correctness and effectiveness. The results of the correctness experiment showed that instead of detecting only the two rules with opposite actions, it detected all the conflict-related rules for the access control policy; the results of the effectiveness experiment showed that our tool's response performance is better than VPN based tools.
web information systems modeling | 2009
Yunyun Sun; Shan Yao; Xiaojian Li; Chunhe Xia; Songmei Zhang
Intelligence activity is one of the most important activities during the Computer Network Operation (CNO) command and decision-making process. Especially, Evaluation of Intelligence Information Confidence is the basic element of intelligence activity and process. As intelligence is an essential foundation when forming a Course Of Action (COA), confidence evaluation, with the main function of determining the facticity and reliability of intelligence, will affect the quality and efficiency of CNO command and decision-making. In this paper, an evaluation model of CNO intelligence information confidence, IICEM, was described with respect to the reliability of collectors and the credibility of the information content through analyzing the intelligence information evaluation role model IIERM. The results of experiments on the prototype based on IICEM show that information of different confidence could be distinguished by IICEM, which affects the following analysis and production activities.
Security and Communication Networks | 2015
Yang Luo; Chunhe Xia; Liangshuang Lv; Zhao Wei; Yazhuo Li
In the last 10 years, virtualization has become a widespread technique in cloud computing; however, few of the access control models have ever addressed the security issue of multi-domain and virtualized network management; this paper enhanced the classic role-based access control model through two concepts: domain and virtual machine. We defined a new model named VRBAC in which authorized users can migrate or copy virtual machines from one domain to another without causing a conflict. Domain users or groups are allowed to share permissions of not only resources like shared files but also virtual machines with others either from the same or a different domain. Three kinds of VRBAC policy conflicts are defined in the form of ontologies, which provide extra access to description logic reasoning and facilitate the policy conflict detection. The experimental results based on Microsoft Active Directory and VMware vSphere suggest that all policy conflicts can be detected effectively and efficiently. Moreover, the generated reports can provide conflict details such as conflict types, positions, and causes, which will serve as guidance for further resolution of the improper authorizations and access violations.