Attack Signature

The experts below are selected from a list of 1497 experts worldwide ranked by the ideXlab platform.

Xinping Guan - One of the best experts on this subject based on the ideXlab platform.

  • Distributed detection and isolation of bias injection attack in smart energy grid via interval observer
    Applied Energy, 2019
    Co-Authors: Xinyu Wang, Mingyue Zhang, Xinping Guan
    Abstract:

    With the integration of information and communication technologies and advanced metering infrastructure, the smart energy grid, as a typical sustainable energy system, addresses energy and environmental problems. However, the emergence of bias injection attacks aimed at destroying the energy management center poses a great threat to the security of the smart energy grid. To address risks in energy cyber-physical systems, this paper proposes a distributed detection and isolation scheme against the bias injection attack in smart energy grids. Considering the transmitted information of energy management centers in adjacent grid subareas, the proposed distributed detection and isolation scheme includes local and global steps. In the local step, each local energy management center detects and isolates the possible sensor attack set based on the constructed local attack signature judgment logic matrix. In the global step, the subarea attack set is detected and isolated via the established global attack signature judgment logic matrix. Combining the above local and global detection and isolation framework, we can ensure the security of the energy management center in the smart energy system. The proposed distributed detection and isolation scheme examines some important practical aspects of deploying bias injection attack detection, including the limitation of the precomputed threshold, the detection delay, and the accuracy in detecting bias injection attacks. Finally, the effectiveness of the developed distributed detection and isolation scheme is demonstrated by detailed studies on the IEEE 8-bus and IEEE 118-bus smart energy grid systems.

  • Distributed detection and isolation of false data injection attacks in smart grids via nonlinear unknown input observers
    International Journal of Electrical Power & Energy Systems, 2019
    Co-Authors: Xinyu Wang, Mingyue Zhang, Xinping Guan
    Abstract:

    In this paper, a distributed detection and isolation scheme against false data injection attacks (FDIAs) in smart grids is studied. Taking the stealthy characteristics of FDIAs into account, we propose a nonlinear unknown input observer (UIO)-based distributed detection method. Through the capability of the designed UIO to deal with the effects of the interconnected relations among the grid subareas and external disturbance, we can obtain an accurate estimation of the internal physical state. To detect the FDIAs more quickly and avoid missed detection, an adaptive threshold is computed to replace the traditional precomputed threshold. A distributed isolation scheme against the FDIAs is proposed with two steps, by considering the exchanged information of adjacent grid subareas. In the first step, each local control center of a subarea isolates the possible actuator attack set via the proposed local attack signature judgment logic matrix. In the second step, the possible subarea attack set is isolated by the established global attack signature judgment logic matrix. The distributed isolation logic decision against the FDIAs relies on the combination of the isolation results of the first and second steps. Finally, the performance of the proposed distributed detection method on the IEEE 28-bus smart grid system is evaluated, and the effectiveness of the proposed distributed detection and isolation scheme on the large-scale IEEE 128-bus smart grid system is illustrated.

  • Detection and Isolation of False Data Injection Attacks in Smart Grids via Nonlinear Interval Observer
    IEEE Internet of Things Journal, 2019
    Co-Authors: Xinyu Wang, Yuyan Zhang, Xinping Guan
    Abstract:

    The detection and isolation problem of false data injection (FDI) attacks in large-scale smart grid systems is investigated in this paper. FDI attacks can bypass traditional bad data detection techniques by falsifying the process of state estimation. For this reason, the emergence of FDI attacks brings great risk to the security of smart grids. To address this crucial problem, a novel detection and isolation scheme against FDI attacks for the large-scale smart grid system is proposed. We first design an interval observer to accurately estimate the interval state of the internal physical system, based on the constructed physical dynamics of grid systems. Taking the bounds of the internal state and external disturbance into account, a detection criterion is proposed under which an alarm is generated when the interval residuals do not include the zero value. To address the limitation of a precomputed threshold, we use the interval residuals as a natural detection threshold, replacing the evaluation function and detection threshold used in traditional attack detection methods. Furthermore, an attack signature logical judgment matrix-based isolation algorithm is proposed to isolate the sensors into which the FDI attacks may have been injected in the attacked subarea. Finally, the effectiveness of the developed detection and isolation scheme is demonstrated by detailed case studies on the IEEE 128-bus smart grid system.

Chia-tien Dan Lo - One of the best experts on this subject based on the ideXlab platform.

  • ARC - Highly Space Efficient Counters for Perl Compatible Regular Expressions in FPGAs
    Lecture Notes in Computer Science, 2008
    Co-Authors: Chia-tien Dan Lo
    Abstract:

    Signature-based network intrusion detection systems (NIDS) rely on an underlying string matching engine that inspects each network packet against a known malicious pattern database. Traditional static pattern descriptions may not efficiently represent sophisticated attack signatures. Recently, most NIDSs have adopted regular expressions such as Perl compatible regular expressions (PCREs) to describe an attack signature, especially for polymorphic worms. PCRE is a superset of traditional regular expressions, in which no counters are involved. However, this overloads the performance of software-based NIDSs, causing a big portion of their execution time to be dedicated to pattern matching. Over the past decade, hardware acceleration for pattern matching has been studied extensively and marginal performance has been achieved. Among hardware approaches, FPGA-based acceleration engines provide great flexibility because new signatures can be compiled and programmed into their reconfigurable architecture. As more and more malicious signatures are discovered, it becomes harder to map a complete set of malicious signatures specified in PCREs to an FPGA chip. Even worse, the counters used in PCREs typically take a great deal of hardware resources. Therefore, we propose a space-efficient SelectRAM counter for PCREs that involve counting. The design takes advantage of components that consist of a configurable logic block, and thus optimizes space usage. A set of PCRE blocks has been built in hardware to implement PCREs used in Snort/Bro. Experimental results show that the proposed scheme outperforms existing designs by at least 5-fold. Performance results are reported in this paper.

Kaiqi Xiong - One of the best experts on this subject based on the ideXlab platform.

  • MILCOM - An SDN-supported collaborative approach for DDoS flooding detection and containment
    MILCOM 2015 - 2015 IEEE Military Communications Conference, 2015
    Co-Authors: Tommy Chin, Xenia Mountrouidou, Xiangyang Li, Kaiqi Xiong
    Abstract:

    Software Defined Networking (SDN) has the potential to enable novel security applications that support flexible, on-demand deployment of system elements. It can offer targeted forensic evidence collection and investigation of computer network attacks. Such unique capabilities are instrumental to network intrusion detection, which is challenged by large volumes of data and complex network topologies. This paper presents an innovative approach that coordinates distributed network traffic Monitors and Attack Correlators supported by Open Virtual Switches (OVS). The Monitors conduct anomaly detection and the Correlators perform deep packet inspection for attack signature recognition. These elements take advantage of complementary views and information availability on both the data and control planes. Moreover, they collaboratively look for network flooding attack signature constituents that possess different characteristics in the level of information abstraction. Therefore, this approach is able not only to quickly raise an alert against potential threats, but also to follow it up with careful verification to reduce false alarms. We experiment with this SDN-supported collaborative approach to detect TCP SYN flood attacks on the Global Environment for Network Innovations (GENI), a realistic virtual testbed. The response times and detection accuracy, in the context of a small to medium corporate network, have demonstrated its effectiveness and scalability.

Urjita Thakar - One of the best experts on this subject based on the ideXlab platform.

  • Pattern Analysis and Signature Extraction for Intrusion Attacks on Web Services
    International Journal of Network Security & Its Applications, 2010
    Co-Authors: Urjita Thakar, Nirmal Dagdee, Sudarshan Varma
    Abstract:

    The increasing popularity of web service technology is attracting hackers and attackers to attack web services and the servers on which they run. Organizations are therefore facing the challenge of implementing adequate security for web services. A major threat is that of intruders who may maliciously try to access the data or services. Automated methods of signature extraction extract the binary pattern blindly, resulting in more false positives. In this paper a semi-automated approach is proposed to analyze the attacks and generate signatures for web services. For data collection, apart from conventional SOAP data loggers, honeypots are also used, which collect small amounts of data of high value. To filter out the most suspicious part of the data, an SVM-based classifier is employed to aid the system administrator. By applying an attack signature algorithm on the filtered data, a more balanced attack signature is extracted that results in fewer false positives and negatives. It helps the security administrator to identify the web services that are vulnerable or are attacked more frequently.

  • HoneyAnalyzer: analysis and extraction of intrusion detection patterns & signatures using honeypot
    Proceedings of the Second …, 2005
    Co-Authors: Urjita Thakar, Sarvesh Varma, Arun K. Ramani
    Abstract:

    A honeypot is a security resource which is intended to be attacked and compromised in order to gain more information about the attacker and his attack techniques. A honeypot can also indicate how to perform forensics. The information gathered by watching a honeypot being probed is invaluable: it gives information about attacks and attack patterns. Currently, the creation of intrusion detection signatures is a tedious process that requires detailed knowledge of the traffic characteristics of the phenomenon to be detected. In this paper we address these issues. We propose HoneyAnalyzer, a tool for analyzing honeyd logs in an RDBMS with a web-based monitoring interface. The data collected from the honeypot is analyzed for possible attacks, scans, and viruses. The system displays the honeyd logs as well as traffic analyzer (e.g. tcpdump) logs in a well-defined graphical manner so that a security administrator can filter the data of the honeypot's log. We also propose the use of a signature extraction algorithm such as LCS (Longest Common Substring) on the data filtered out by the administrator. Thus the security administrator gets the flexibility to apply the signature extraction algorithm on the data of his choice, resulting in more precise attack signature extraction.

Hossain Shahriar - One of the best experts on this subject based on the ideXlab platform.

  • ICITST - Web service injection attack detection
    2017 12th International Conference for Internet Technology and Secured Transactions (ICITST), 2017
    Co-Authors: Victor Clincy, Hossain Shahriar
    Abstract:

    Injection attacks on web services can expose valuable information resources. To protect deployed web services against injection attacks, it is important to have defense techniques. Intrusion Detection Systems (IDS) are popular defense techniques to mitigate network layer attacks. This paper proposes an IDS for mitigating injection attacks on web services. We apply a Genetic Algorithm (GA) as part of new attack signature generation for web services. The approach has been applied to a prototype web service and was found effective in generating new attack signatures.

  • DASC/PiCom/DataCom/CyberSciTech - Towards an Attack Signature Generation Framework for Intrusion Detection Systems
    2017 IEEE 15th Intl Conf on Dependable Autonomic and Secure Computing 15th Intl Conf on Pervasive Intelligence and Computing 3rd Intl Conf on Big Data, 2017
    Co-Authors: Hossain Shahriar, William Bond
    Abstract:

    Attacks on web services are major concerns and can expose organizations' valuable information resources. Despite increasing awareness of secure programming, we still find vulnerabilities in web services. To protect deployed web services, it is important to have defense techniques. Signature-based Intrusion Detection Systems (IDS) have gained popularity for protecting applications against attacks. However, signature IDSs have a limited number of attack signatures. In this paper, we propose a Genetic Algorithm (GA)-based attack signature generation approach and show its application for web services. The GA has the capability of generating new members from a set of initial population. We leverage this by generating new attack signatures at the SOAP message level to overcome the challenge of a limited number of attack signatures. The key contributions include defining chromosomes and fitness functions. The initial results show that the GA-based IDS can generate new signatures and complement the limitation of existing web security testing tools. The approach can generate new attack signatures for injection, privilege escalation, denial of service and information leakage.