Shan Yao
Beihang University
Publication
Featured researches published by Shan Yao.
international conference on educational and information technology | 2010
Junfeng Duan; Jian Jiao; Chunhe Xia; Shan Yao; Xiaojian Li
Peer-to-peer (P2P) botnets, which are more resilient and robust than centralized botnets, have emerged as peer-to-peer technology evolves. Better understanding of this new phenomenon will help researchers develop detection and mitigation methods. Most existing work consists of case studies of typical P2P botnets. In this paper, we focus on systematically analyzing structures of P2P botnets. We propose a descriptive model of P2P botnet structures, which consists of features of P2P bots, definitions of structures, and structural properties. Firstly, we detail two key functionalities of a P2P bot, command-and-control (C&C) functionality and peer-to-peer (P2P) functionality, and give several features of P2P bots. Then, we define two structures of P2P botnets: C&C structure and P2P structure. To characterize these structures, we propose several properties and corresponding quantitative methods. Finally, we conduct experiments to verify our results.
web information systems modeling | 2009
Yunyun Sun; Shan Yao; Xiaojian Li; Chunhe Xia; Songmei Zhang
Intelligence activity is one of the most important activities during the Computer Network Operation (CNO) command and decision-making process. Specifically, Evaluation of Intelligence Information Confidence is the basic element of intelligence activity and process. As intelligence is an essential foundation when forming a Course Of Action (COA), confidence evaluation, with the main function of determining facticity and reliability of intelligence, will affect the quality and efficiency of CNO command and decision-making. In this paper, an evaluation model of CNO intelligence information confidence, IICEM, is described with respect to the reliability of collectors and the credibility of the information content through analyzing the intelligence information evaluation role model IIERM. The results of experiments on the prototype based on IICEM show that information of different confidence can be distinguished by IICEM, which affects the following analysis and production activities.
ieee joint international information technology and artificial intelligence conference | 2011
Songmei Zhang; Shan Yao; Xin'en Ye; Chunhe Xia
With the rapid development of the Internet, the network structure becomes larger and more complicated, and attacking methods become more sophisticated, too. To enhance network security, Network Security Situation Analysis (NSSA) technology is a research hot spot in the network security domain. But at present, there are few NSSA frameworks and models which analyze not only the results of effects on network security but also the process by which network security is affected. In this paper, a novel NSSA framework is presented. The framework includes two parts: calculating the Network Security Situation Value (NSSV) and discovering intrusion processes. NSSA quantitatively assesses the impact on network security caused by attacks, based on the Analytical Hierarchy Process (AHP) and hierarchical network structure. Based on attack classification, intrusion process discovery finds the process by which network security is affected. Finally, in the experimental results, NSSV changes exactly as attacks take place and the accurate intrusion processes are discovered. The applicability of the framework and algorithms is verified.
international conference on educational and information technology | 2010
Senshen Hao; Jian Jiao; Chunhe Xia; Xiaojian Li; Shan Yao
In order to effectively deal with large-scale attacks on computer networks, Computer Network Defense (CND) policy refinement based on descriptive language is widely used. However, it is very difficult to figure out the semantic discrepancies between the measures and the predefined policy after the calculation with symbols by computers. A new method is presented to solve the semantic discordance between the measures and the predefined policy automatically. Based on the establishment of the ontology of CND policy and measure (CNDPM), the CND policy and measure semantic similarity analysis model (CNDPMSSAM) is established, and then the termination of the two main components of CNDPMSSAM is proved by the pushdown automaton, and the prototype system of CNDPMSSAM is implemented. Finally, we validate this method by analyzing, with experiments, the semantic similarity of the transfer from Computer Network Defense Policy Specification Language (CNDPSL) to Defense Measure Description Language (DMDL).
international conference on intelligent computing | 2010
Shan Yao; Jian Jiao; Chunhe Xia; Xiaojian Li
In this paper, we define the concepts of targets information and intelligence activities for Computer Network Self-organizing Operations, propose a tactical intelligence production model of computer network self-organization operation and prove its reachability. In order to verify the model, we present the evaluating, analysis and interpreting algorithm based on rule-based reasoning. Then, we design and implement the tactical intelligence production prototype to verify the validity of the CNSOO-TIPM and algorithms. The experiment results show that the prototype provides timely and accurate intelligence information for the CNO decision and meets the most basic needs of cooperative operations between the CNO agents.
Archive | 2012
Chunhe Xia; Shan Yao; Sencan Hao; Jian Jiao; Haiquan Wang
Archive | 2012
Chunhe Xia; Junfeng Duan; Shan Yao; Haiquan Wang; Jie Feng
Archive | 2009
Chunhe Xia; Yuan Zhou; Xiaojian Li; Shan Yao; Jianzhong Qi
international conference on information science and engineering | 2009
Chunhe Xia; Yunyun Sun; Shan Yao; Songmei Zhang; Xiaojian Li
Archive | 2012
Jian Jiao; Qing Xiao; Xiaojian Li; Shan Yao