EP3272075A2 - System und verfahren zur erkennung von angriffen auf mobilfunknetzwerke basierend auf netzwerkkontrollierbarkeitsanalyse - Google Patents

System und verfahren zur erkennung von angriffen auf mobilfunknetzwerke basierend auf netzwerkkontrollierbarkeitsanalyse

Info

Publication number
EP3272075A2
EP3272075A2 EP16812078.0A EP16812078A EP3272075A2 EP 3272075 A2 EP3272075 A2 EP 3272075A2 EP 16812078 A EP16812078 A EP 16812078A EP 3272075 A2 EP3272075 A2 EP 3272075A2
Authority
EP
European Patent Office
Prior art keywords
network
controllability
metrics
set forth
attack
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
EP16812078.0A
Other languages
English (en)
French (fr)
Other versions
EP3272075A4 (de
Inventor
Gavin D. HOLLAND
Michael D. Howard
Chong DING
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
HRL Laboratories LLC
Original Assignee
HRL Laboratories LLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by HRL Laboratories LLC filed Critical HRL Laboratories LLC
Publication of EP3272075A2 publication Critical patent/EP3272075A2/de
Publication of EP3272075A4 publication Critical patent/EP3272075A4/de
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12Detection or prevention of fraud
    • H04W12/121Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W12/122Counter-measures against attacks; Protection against rogue devices

Definitions

  • the present invention relates to a system for detecting attacks on nodes of
  • wireless networks and, more particularly, to a system for detecting attacks on nodes of wireless networks based on network controllability analysis.
  • a compromised node can send bad information to subvert the operation of the network (e.g., by advertising itself as the fastest route to get to every other node in the network, but throwing away every packet it gets, called a blackhole attack). This kind of attack does not violate protocol, so it is hard to detect with conventional techniques. [00012] Furthermore, current research in the detection of misbehaving nodes in mobile wireless networks is still predominantly focused on adapting and optimizing conventional network defense strategies that concentrate on behaviors at the lower layers of the networking stack (see the List of
  • the present invention relates to a system for detecting attacks on nodes of wireless networks and, more particularly, to a system for detecting attacks on nodes of wireless networks based on network controllability analysis.
  • the system comprises one or more processors and a memory having instructions such that when the instructions are executed, the one or more processors perform multiple operations.
  • a plurality of network controllability metrics on a representation of a communication network comprising a plurality of nodes are computed. Changes in the plurality of network controllability metrics are detected, the detected changes are used to detect attacks of misinformation on the communication network.
  • the representation includes network topology, network dependencies, and application dependencies within the communication network.
  • the plurality of network controllability metrics are
  • a machine learning classifier determines a threshold for attack detection based on differences between the baseline behavior and the attack behavior.
  • each network controllability metric is represented as a diode in a diode pattern panel, wherein network controllability metrics displaying attack behavior, as determined by the threshold for attack detection, are highlighted in the diode pattern panel.
  • the system upon detection of an attack of misinformation on the communication network, performs a mitigation action.
  • the mitigation action comprises isolating an attacking node from the rest of the communication network.
  • the mitigation action comprises informing every other node in the communication network to ignore anything that the attacking node transmits, and not to send anything to, or through, the attacking node.
  • features representing each of the plurality of network controllability metrics are output. Each feature is then converted into a binary indication of whether a value is anomalous or not anomalous, and the binary indication is used to detect changes in the plurality of network controllability metrics.
  • the representation is a graphical representation of network topology, network dependencies, and application dependencies within the communication network.
  • the plurality of network controllability metrics are
  • the present invention also comprises a method for causing a processor to perform the operations described herein.
  • the present invention also comprises a
  • FIG. 1 is a block diagram depicting the components of a system for detecting attacks on wireless networks according to some embodiments of the present disclosure
  • FIG. 2 is an illustration of a computer program product according to some embodiments of the present disclosure
  • FIG. 3 is an illustration of construction of the Exploitation Network (Xnet) according to some embodiments of the present disclosure
  • FIG. 4A is an illustration of results from attack detection and attribution in a 25 node baseline scenario using network controllability metrics according to some embodiments of the present disclosure
  • FIG. 4B is an illustration of results from attack detection and attribution in a 25 node attack behavior scenario using network controllability metrics according to some embodiments of the present disclosure
  • FIG. 5A is an illustration of use of a support vector machine (SVM) to find a threshold to classify attack behavior based on network controllability metrics according to some embodiments of the present disclosure
  • FIG. 5B is an illustration of the SVM learning to find a plane in feature hyperspace that can separate examples of baseline performance from attack behavior according to some embodiments of the present disclosure
  • FIG. 6A is an illustration of a diode pattern of 35 network metrics for
  • FIG. 6B is an illustration of a diode pattern of 35 network metrics during a hypertext transfer protocol (HTTP) flooding attack according to some embodiments of the present disclosure
  • FIG. 7A is an illustration of a diode pattern of 35 network metrics for
  • FIG. 7B is an illustration of a diode pattern of 35 network metrics during a drop-all attack according to some embodiments of the present disclosure
  • FIG. 8A is an illustration of a diode pattern of 35 network metrics for baseline activity according to some embodiments of the present disclosure
  • FIG. 8B is an illustration of a diode pattern of 35 network metrics during a reset-all attack according to some embodiments of the present disclosure
  • FIG. 9 is an illustration of a summary panel of diode patterns of 35 network metrics in three different layers for baseline, drop-all, and reset-all attacks according to some embodiments of the present disclosure.
  • FIG. 10 is an illustration depicting a relationship between modules of the Xnet model according to some embodiments of the present disclosure.
  • the present invention relates to a system for detecting attacks on nodes of wireless networks and, more particularly, to a system for detecting attacks on nodes of wireless networks based on network controllability analysis.
  • the following description is presented to enable one of ordinary skill in the art to make and use the invention and to incorporate it in the context of particular applications. Various modifications, as well as a variety of uses in different applications will be readily apparent to those skilled in the art, and the general principles defined herein may be applied to a wide range of aspects. Thus, the present invention is not intended to be limited to the aspects presented, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
  • any element in a claim that does not explicitly state "means for” performing a specified function, or “step for” performing a specific function, is not to be interpreted as a "means” or “step” clause as specified in 35 U.S.C. Section 112, Paragraph 6.
  • the use of "step of or “act of in the claims herein is not intended to invoke the provisions of 35 U.S.C. 1 12, Paragraph 6.
  • the above labels may change their orientation.
  • the present invention has three "principal" aspects.
  • the first is a system for detecting attacks on wireless networks.
  • the system is typically in the form of a computer system operating software or in the form of a "hard-coded" instruction set. This system may be incorporated into a wide variety of devices that provide different functionalities.
  • the second principal aspect is a method, typically in the form of software, operated using a data processing system (computer).
  • the third principal aspect is a computer program product.
  • the computer program product generally represents computer-readable instructions stored on a non- transitory computer-readable medium such as an optical storage device, e.g., a compact disc (CD) or digital versatile disc (DVD), or a magnetic storage device such as a floppy disk or magnetic tape.
  • Other, non-limiting examples of computer-readable media include hard disks, read-only memory (ROM), and flash-type memories.
  • FIG. 1 A block diagram depicting an example of a system (i.e., computer system 100) of the present invention is provided in FIG. 1.
  • the computer system 100 is configured to perform calculations, processes, operations, and/or functions associated with a program or algorithm.
  • certain processes and steps discussed herein are realized as a series of instructions (e.g., software program) that reside within computer readable memory units and are executed by one or more processors of the computer system 100. When executed, the instructions cause the computer system 100 to perform specific actions and exhibit specific behavior, such as described herein.
  • the computer system 100 may include an address/data bus 102 that is configured to communicate information. Additionally, one or more data processing units, such as a processor 104 (or processors), are coupled with the address/data bus 102.
  • the processor 104 is configured to process information and instructions.
  • the processor 104 is a microprocessor.
  • the processor 104 may be a different type of processor such as a parallel processor, or a field programmable gate array.
  • the computer system 100 is configured to utilize one or more data storage units.
  • the computer system 100 may include a volatile memory unit 106 (e.g., random access memory (“RAM”), static RAM, dynamic RAM, etc.) coupled with the address/data bus 102, wherein a volatile memory unit 106 is configured to store information and instructions for the processor 104.
  • the computer system 100 further may include a non-volatile memory unit 108 (e.g., read-only memory (“ROM”), programmable ROM (“PROM”), erasable programmable
  • EPROM electrically erasable programmable ROM
  • flash memory etc.
  • EPROM electrically erasable programmable ROM
  • the computer system 100 may execute instructions retrieved from an online data storage unit such as in
  • the computer system 100 also may include one or more interfaces, such as an interface 1 10, coupled with the address/data bus 102.
  • the one or more interfaces are configured to enable the computer system 100 to interface with other electronic devices and computer systems.
  • the communication interfaces implemented by the one or more interfaces may include wireline (e.g., serial cables, modems, network adaptors, etc.) and/or wireless (e.g., wireless modems, wireless network adaptors, etc.) communication technology.
  • the computer system 100 may include an input device 112 coupled with the address/data bus 102, wherein the input device 1 12 is configured to communicate information and command selections to the processor 100.
  • the input device 1 12 is an alphanumeric input device, such as a keyboard, that may include alphanumeric and/or function keys.
  • the input device 112 may be an input device other than an alphanumeric input device.
  • the input device 112 may include one or more sensors, such as a camera for video or still images, a microphone, or a neural sensor.
  • Other example input devices 112 may include an accelerometer, a GPS sensor, or a gyroscope.
  • the computer system 100 may include a cursor control device 114 coupled with the address/data bus 102, wherein the cursor control device 114 is configured to communicate user input information and/or command selections to the processor 100.
  • the cursor control device 114 is implemented using a device such as a mouse, a track-ball, a track-pad, an optical tracking device, or a touch screen.
  • the cursor control device 1 14 is directed and/or activated via input from the input device 1 12, such as in response to the use of special keys and key sequence commands associated with the input device 112.
  • the cursor control device 1 14 is configured to be directed or guided by voice commands.
  • the computer system 100 further may include one or more
  • a storage device 1 16 coupled with the address/data bus 102.
  • the storage device 1 16 is configured to store information and/or computer executable instructions.
  • the storage device 116 is a storage device such as a magnetic or optical disk drive (e.g., hard disk drive (“HDD”), floppy diskette, compact disk read only memory (“CD-ROM”), digital versatile disk (“DVD”)).
  • a display device 1 18 is coupled with the address/data bus 102, wherein the display device 1 18 is configured to display video and/or graphics.
  • the display device 1 18 may include a cathode ray tube (“CRT'), liquid crystal display (“LCD”), field emission display (“FED”), plasma display, or any other display device suitable for displaying video and/or graphic images and alphanumeric characters recognizable to a user.
  • CTR' cathode ray tube
  • LCD liquid crystal display
  • FED field emission display
  • plasma display or any other display device suitable for displaying video and/or graphic images and alphanumeric characters recognizable to a user.
  • the computer system 100 presented herein is an example computing
  • the non-limiting example of the computer system 100 is not strictly limited to being a computer system.
  • an aspect provides that the computer system 100 represents a type of data processing analysis that may be used in accordance with various aspects described herein.
  • other computing systems may also be
  • one or more operations of various aspects of the present technology are controlled or implemented using computer-executable instructions, such as program modules, being executed by a computer.
  • program modules include routines, programs, objects, components and/or data structures that are configured to perform particular tasks or implement particular abstract data types.
  • an aspect provides that one or more aspects of the present technology are implemented by utilizing one or more distributed computing environments, such as where tasks are performed by remote processing devices that are linked through a communications network, or such as where various program modules are located in both local and remote computer-storage media including memory-storage devices.
  • FIG. 2 An illustrative diagram of a computer program product (i.e., storage device) embodying the present invention is depicted in FIG. 2.
  • the computer program product is depicted as floppy disk 200 or an optical disk 202 such as a CD or DVD.
  • the computer program product generally represents computer-readable instructions stored on any compatible non-transitory computer-readable medium.
  • the term "instructions” as used with respect to this invention generally indicates a set of operations to be performed on a computer, and may represent pieces of a whole program or individual, separable, software modules.
  • Non-limiting examples of "instruction” include computer program code (source or object code) and "hard-coded" electronics (i.e. computer operations coded into a computer chip).
  • the "instruction" is stored on any non-transitory computer-readable medium, such as in the memory of a computer or on a floppy disk, a CD-ROM, and a flash drive. In either event, the instructions are encoded on a non-transitory computer-readable medium.
  • This technique can identify dynamic structure dependency changes in Xnet that can signal suspicious nodes.
  • IDS intrusion detection systems
  • Current approaches include the following. Signature detection finds specific attack patterns known a priori, but this is ineffective against unknown attacks. With anomaly detection, effective classifiers are hard to construct due to network dynamics and have low to moderate accuracy. An immunology intrusion detection system learns to identify behaviors that are foreign, but this approach is protocol specific, hard to formulate, and has a high overhead. Extended finite state machine (FSM) models detect explicit violations in protocol state transitions, but this is protocol and implementation specific.
  • FSM Extended finite state machine
  • the exploitation Network is a hierarchical model of a network (a network of networks) that provides three different views of the network, linked together by directional links.
  • the network may be wired or wireless, and the topology may change dynamically. That is, nodes in the network can move, changing their pattern of connectivity to other nodes (i.e.,
  • MANET Mobile AdHoc Network
  • Its nodes include the physical radios communicating on the network as well as conceptual nodes that represent applications and network services. Edges between nodes are created whenever one of these nodes sends data to another (just the start and end node, not the intermediate nodes that forward the message datagrams). An edge exists until the message reaches its destination.
  • the Xnet model includes at least four unique
  • modules including the Xnet Dynamics (XD) module 1000, the Xnet
  • XCO Controllability/Observability
  • XE Xnet Evolvability
  • RE Reliability Estimation
  • different numbers of modules may be used to perform the same or similar functions.
  • the XD module 1000 identifies unreliable nodes based on the dynamics of social networks (with no dependency on protocol) to indicate the presence of malicious or damaged nodes altering control and data plane information in the network.
  • the XCO module 1002 identifies the optimal set of nodes required to passively monitor (observability) or actively probe
  • the XE module 1004 simulates a progression of failures to predict which nodes are most likely to be attacked next or should have trust reassessed.
  • the RE module 1006 fuses cross-layer and cross-plane
  • the unified trust metric is computed in a hybrid approach in which nodes combine normalized confidence and trust values based on direct experience and recommendations of other nodes. Such a hybrid approach avoids a centralized point of failure, ensures scalability, and renders the computation resilient to attacks targeting such computations.
  • the XD module 1000 identifies nodes that appear to be misbehaving.
  • the RE module 1006 gets a minimal set of driver and observer nodes from the XCO module 1002 for the suspect nodes.
  • the RE module 1006 uses the driver nodes to do active probing on the suspect nodes, and the observer nodes update a trust metric with the results.
  • the XE module 1004 simulates a spread of compromised nodes [00073]
  • the RE module 1006 formalizes and quantifies trust using a model that relies on local computations based on direct interactions with neighbors and also by incorporating recommendations (and experiences) of other nodes.
  • a formal subjective logic and trust model is leveraged for principled combination of evidence about how trustworthy a node is. Resilience to attacks is gained by adopting a hybrid distributed approach to compute trust, avoiding a single point of failure, and the approach is agnostic to control and/or data plane statistics being used.
  • the RE module's 1006 trust in a node falls below a certain level, it performs active probing on the node. To do that most efficiently the XCO module 1002 computes a minimal set of driver nodes to issue the challenges and observer nodes to observe the results.
  • the system also employs a two-pronged approach to discover sources of misinformation in the network, employing information dynamics identification of suspicious changes in Xnet dependencies, as well as trends in the appearance of such compromised nodes.
  • the XD module 1000 uses a unique information dynamic spectrum framework to predict system instability at critical transitions in complex systems, by analyzing Xnet time series data. This marks nodes for further inspection by the RE module 1006.
  • the XE module 1004 tracks trends in misbehaving nodes, and matches against simulations of contagion and cascading failures. The XE module 1004 will emit a confidence measure as to whether there is a pattern, and if so, the RE module 1006 can focus monitoring and testing resources on predicted next nodes to be attacked. System Administrators can use this information to focus preventative measures.
  • Network controllability analysis expands the scope of analysis beyond the node's immediate neighborhood to data based on indirect observations inferred from the direct data that it collects. For example, by monitoring the characteristics of the packets that a node handles it can infer architectural and dynamical properties of the larger network, such as the network size and dimension, and the dynamics of the communication patterns between nodes and reachability and connectivity.
  • the system described herein can be implemented in a wide variety of mobile wireless networks, non-limiting examples of which include mobile military and law enforcement networks (e.g., soldier-to-soldier, sensor-to-sensor, ground and aerial vehicle-to-vehicle); commercial vehicle-to-vehicle and vehicle-to- infrastructure networks (e.g., DSRC V2V/V2I, WiFi, active safety,
  • mobile military and law enforcement networks e.g., soldier-to-soldier, sensor-to-sensor, ground and aerial vehicle-to-vehicle
  • commercial vehicle-to-vehicle and vehicle-to- infrastructure networks e.g., DSRC V2V/V2I, WiFi, active safety
  • infotainment includes commercial mesh networks (metropolitan rooftop, WiMAX); and wireless infrastructure ISPs, cellular companies (e.g., extended data capacity).
  • commercial mesh networks mimetropolitan rooftop, WiMAX
  • wireless infrastructure ISPs e.g., extended data capacity
  • the system will significantly improve the security of these and other related networks, which currently rely predominantly on packet-level encryption to reduce the probability of external intrusion but do not detect or prevent "network insider” attacks. Specific details regarding the system are described in further detail below.
  • Xnet the hierarchical representation of a communications network, may created, such as in the form of data tables that describe the applications and services that are running on the network, their inter-dependencies, and the observable
  • a Network Controllability (NC) code module receives the Application Dependency (AppDep) and Network Dependency (NetDep) graph from Xnet.
  • AppDep Application Dependency
  • NetDep Network Dependency
  • graph in the context above refers to the abstract mathematical representation of the relationship between communicating entities in a physical network. Furthermore, in this context, “node” means an element in the graph.
  • node may reference a physical radio in the network.
  • network most often refers to a physical network.
  • FIG. 3 depicts the construction of Xnet 300.
  • Network (Xnet 300) database is loaded into the network at initialization.
  • the network is a physical radio network.
  • Each physical radio node gets all or a portion of the Xnet database, where the Xnet database is the physical instantiation of the abstract graph of Xnet 300.
  • An application (AppDep) dependency graph 302 and a network (NetDep) dependency graph 304, and their interdependencies (represented by dashed lines), are established a priori using expert domain knowledge or by automated inference using public domain tools, such as NSDMiner and Ettercap. Interdependencies between the AppDep dependency graph 302, the NetDep dependency graph 304, and the network topology (NetTopo) dependency graph 306 are based on the software configuration in the network.
  • the "nodes" on the left side of FIG. 3 Entity/Relationship Network of Networks Analysis
  • the "nodes" depicted in the Xnet 300 represent abstract nodes in the graph.
  • a maximum matching algorithm (see Literature Reference Nos. 1 and 2 for a description of the maximum matching algorithm) is employed to compute controllability.
  • the minimum number of inputs required to control the network (Nn, or number of driver nodes) is given by the total number of nodes minus the number of nodes in the maximum matching set. These nodes (that are members of the minimal set of nodes required to control the global state of the network) are called "driver nodes”.
  • Network controllability metrics are computed on a graphical representation of a pattern of communication between nodes during a time window, where the network events contained in the graph start before or at the start of a particular network event and end before the end of that particular network event.
  • a unique aspect of the approach described in the present disclosure is to analyze the wireless network activity by looking at the change in global and local controllability metrics, such as those listed in Table 1 below, over time.
  • Table 1 includes examples of controllability metrics used for attack detection and attribution. [00086] Table 1:
  • FIGs. 4A and 4B illustrate two metrics computed for a baseline 25 node scenario (in FIG. 4A) and for a flooding attack in an Army Research Lab 25 node scenario (in FIG. 4B).
  • the metrics are n c (fraction of eternal dilations) in the top rows of FIGs. 4A and 4B and AC(i) (authority centrality of each node) in the bottom rows of FIGs. 4A and 4B.
  • the results shown are from a flooding attack in transmission control protocol (TCP) traffic from 20% of the nodes in the network to a single node, starting at 100 seconds and lasting 130 seconds.
  • TCP transmission control protocol
  • MGEN developed by the Naval Research Laboratory (NRL) PROTocol Engineering Advanced Networking (PROTEAN) Research Group. MGEN provides the ability to perform IP network performance tests and measurements using TCP and user datagram protocol (UDP)/Internet protocol (IP) traffic.
  • UDP user datagram protocol
  • IP Internet protocol
  • FIG. 4B both the global network metric nc and the local network metric AC(i) display abnormal behavior compared to the baseline performance shown in FIG. 4A. The abnormality is apparent in the absence of metric values greater than zero in the simulation between 100 and 225 seconds.
  • the next paragraph describes how such a noisy graph can be smoothed to make the metric a definitive signal when the smoothed values reach zero.
  • the metric values can vary in a noisy way, so it is necessary to smooth the graph by some technique, such as a median filter. Then, a threshold can be selected such that there is a clear difference between the attack behavior and the baseline behavior. For example, in FIGs. 4A and 4B, both metrics actually go to zero around time 100 seconds for both the baseline (FIG. 4A) and attack (FIG. 4B). However, the baseline gap is quite short.
  • the smoothing filter should be configured so as to smooth over such a short time gap.
  • An automated machine learning system can be used to discover appropriate thresholds, given examples of smoothed baseline and attack metric data.
  • a support vector machine (SVM) was used for this purpose, although there are many other machine learning methods that could be applied.
  • SVM can leam to find a plane in feature hyperspace that can separate examples of baseline performance (FIG. 4A) from attack behavior (FIG. 4B), as depicted in FIG. 5B.
  • FIG. SA illustrates the training process 500 and the subsequent online
  • classification/detection process 502. A non-limiting example of the use of a SVM to find a threshold to classify baseline vs. attack behavior based on network controllability metrics on network communication activity is shown. Baseline activity is captured by running the network in the absence of attacks.
  • XAE 504 is an Xnet Analytics Engine, which turns the raw network packet data of training scenarios 506 to an Xnet graph.
  • the Xnet graph contains the NC module that extracts feature vectors 508 from the Xnet graph, which are the controllability metrics (currently 35 metrics), such as those listed in Table 1 above.
  • the feature vectors 508 will most conveniently be captured offline and stored as one vector of all metric values for each time window, resulting in a matrix when the feature vectors 508 for various time windows are captured and combined. Additionally, examples are provided of attacks by performing attacks on the baseline scenarios, and again running them through XAE 504 to extract feature vectors 508. Then, the SVM (i.e., svmjearn 510) is trained by presenting each feature vector 508 along with a binary vector indicating, for each time period, whether an attack is present or not, resulting in a trained classifier model 512. Once the SVM (i.e., svmjearn 510) is trained, it can be run during live online network operation (live online data 511) and will indicate when an attack is occurring in the classification/detection process 502.
  • live online network operation live online data 511
  • the XAE system 514 is used to extract sampled features 516 from current raw network packet data which, along with the trained model 512, is input to the SVM which can then be used to classify (i.e., svm classify 518) the sampled features 516 and make a prediction
  • the features that are output by XAE (508 during training and 516 when online testing) are one from each of the metrics in Table 1, smoothed as described above, and turned into a binary indication of whether the value is anomalous or not anomalous. This could be visualized as a visual panel of dots or diodes depicting a specific pattern to indicate whether an attack is present or not, and what kind of attack it is.
  • FIG. 5B depicts how the SVM leams to find a plane 520 in such a feature space 522 from an input space 524.
  • the plane 520 can separate examples of baseline performance 526 from examples of attack behavior 528.
  • An SVM is applied using a known kernel ⁇ 530 (e.g., see equation in FIG. 5B).
  • the kernel is a similarity function over pairs of data points (i.e., between a labeled training set point and an unlabeled test point). Training is done by presenting examples of attacks and examples of baseline (without attacks).
  • the SVM learns to separate attack situations from baseline by finding weights that can be described as defining a hyperplane separating baseline from attacks.
  • each circle represents a data point.
  • each data point is a value of the current 35-element feature vector.
  • FIG. 9 illustrates separate panels for HTTP, TCP, and connections layers of the network. Combining all diode patterns from different layers enables one to perform attack detection and attribution more accurately.
  • FIGs. 6A and 6B show an example of a diode pattern for attack detection and attribution using all the 35 network metrics, where each diode (circle) represents a network metric. Attribution during a network attack means identifying the attacking nodes. Specifically, FIG. 6A depicts 35 network metrics for baseline activity, and FIG. 6B depicts 35 network metrics during an HTTP flooding attack. A flooding attack causes nodes to broadcast messages, effectively using up the network bandwidth so that legitimate messages cannot get through. Those network metrics displaying abnormal behavior when the attack occurs are highlighted. In FIG. 6B (and similar figures), global and local metrics are represented by pattern filled circles 600 and solid filled circles 602, respectively.
  • FIG. 7A illustrates 35 network metrics for baseline activity
  • FIG. 7B illustrates 35 network metrics during a drop-all attack.
  • a node advertises itself as the shortest path to everywhere and then drops any packets it is asked to route to other nodes.
  • FIG. 8A illustrates 35 network metrics for baseline activity
  • FIG. 3B depicts 35 network metrics during a reset-all attack.
  • a reset attack is a man-in- the-middle attack where the attackers are destroying active TCP connections that they are aware of by sending forged TCP reset packets to the involved parties. This causes both of the participants in the TCP connection to believe that the other terminated the TCP connection.
  • FIGs. 6B, 7B, and 8B represent local metrics identified in Table 1 above.
  • the other nodes represent global metrics.
  • the different patterns in FIGs. 6B, 7B, and 8B reflects the fact that each attack affects the network differently.
  • Each metric measures a different aspect of network activity, so the patterns made in the panel of metrics is significantly indicative of different attacks. That is why it is useful to employ many metrics.
  • FIG. 9 summarizes results of attack detection and attribution for all the three attack models: flooding, drop-all and reset-all, using three different layers:
  • Mobile wireless networks are experiencing widespread use in applications such as mobile vehicle-to-vehicle networks, user-to-user networks, sensor-to- sensor networks, vehicle-to-infrastructure networks, commercial mesh networks, wireless infrastructure Internet service providers (ISPs), and cellular companies.
  • ISPs wireless infrastructure Internet service providers
  • the system after identifying the presence of misinformation in the network, the system performs an operation to attribute who is responsible for the attack. After attributing the attack to an entity, the system can take actions to mitigate the attack.
  • a non-limiting example of a mitigation action would be to isolate the attacking node (i.e., physical radio).
  • the action can include informing every other node in the network to simply ignore anything that the attacking node transmits, and not to send anything to, or through, the attacking node.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computing Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Computer And Data Communications (AREA)
EP16812078.0A 2015-03-18 2016-03-18 System und verfahren zur erkennung von angriffen auf mobilfunknetzwerke basierend auf netzwerkkontrollierbarkeitsanalyse Pending EP3272075A4 (de)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US201562135142P 2015-03-18 2015-03-18
US201562135136P 2015-03-18 2015-03-18
PCT/US2016/023308 WO2016204839A2 (en) 2015-03-18 2016-03-18 System and method to detect attacks on mobile wireless networks based on network controllability analysis

Publications (2)

Publication Number Publication Date
EP3272075A2 true EP3272075A2 (de) 2018-01-24
EP3272075A4 EP3272075A4 (de) 2018-12-05

Family

ID=57546242

Family Applications (2)

Application Number Title Priority Date Filing Date
EP16812077.2A Pending EP3272102A4 (de) 2015-03-18 2016-03-18 System und verfahren zur detektion von angriffen auf mobile drahtlose netzwerke auf basis einer motivanalyse
EP16812078.0A Pending EP3272075A4 (de) 2015-03-18 2016-03-18 System und verfahren zur erkennung von angriffen auf mobilfunknetzwerke basierend auf netzwerkkontrollierbarkeitsanalyse

Family Applications Before (1)

Application Number Title Priority Date Filing Date
EP16812077.2A Pending EP3272102A4 (de) 2015-03-18 2016-03-18 System und verfahren zur detektion von angriffen auf mobile drahtlose netzwerke auf basis einer motivanalyse

Country Status (3)

Country Link
EP (2) EP3272102A4 (de)
CN (2) CN107409124B (de)
WO (2) WO2016204838A2 (de)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10897471B2 (en) 2018-01-30 2021-01-19 Hewlett Packard Enterprise Development Lp Indicating malicious entities based on multicast communication patterns
CN110706743A (zh) * 2019-10-14 2020-01-17 福建师范大学 一种平衡采样与图检索的蛋白质互作网络模体检测方法

Family Cites Families (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8327442B2 (en) * 2002-12-24 2012-12-04 Herz Frederick S M System and method for a distributed application and network security system (SDI-SCAM)
US7281270B2 (en) * 2003-04-01 2007-10-09 Lockheed Martin Corporation Attack impact prediction system
US7529187B1 (en) * 2004-05-04 2009-05-05 Symantec Corporation Detecting network evasion and misinformation
US20060230450A1 (en) * 2005-03-31 2006-10-12 Tian Bu Methods and devices for defending a 3G wireless network against a signaling attack
US7609625B2 (en) * 2005-07-06 2009-10-27 Fortinet, Inc. Systems and methods for detecting and preventing flooding attacks in a network environment
US20070180521A1 (en) * 2006-01-31 2007-08-02 International Business Machines Corporation System and method for usage-based misinformation detection and response
KR100767589B1 (ko) * 2006-07-20 2007-10-17 성균관대학교산학협력단 디렉티드 디퓨젼 기반의 센서 네트워크를 위한 퍼지 로직침입 탐지 기법
US8655939B2 (en) * 2007-01-05 2014-02-18 Digital Doors, Inc. Electromagnetic pulse (EMP) hardened information infrastructure with extractor, cloud dispersal, secure storage, content analysis and classification and method therefor
CN101309180B (zh) * 2008-06-21 2010-12-08 华中科技大学 一种适用于虚拟机环境的安全网络入侵检测系统
US8850578B2 (en) * 2008-08-06 2014-09-30 International Business Machines Corporation Network intrusion detection
US8312542B2 (en) * 2008-10-29 2012-11-13 Lockheed Martin Corporation Network intrusion detection using MDL compress for deep packet inspection
US8245301B2 (en) * 2009-09-15 2012-08-14 Lockheed Martin Corporation Network intrusion detection visualization
US8245302B2 (en) * 2009-09-15 2012-08-14 Lockheed Martin Corporation Network attack visualization and response through intelligent icons
CN101800989B (zh) * 2010-01-19 2013-07-10 重庆邮电大学 用于工业无线网络的防重放攻击系统
US8683591B2 (en) * 2010-11-18 2014-03-25 Nant Holdings Ip, Llc Vector-based anomaly detection
US8869309B2 (en) * 2011-04-14 2014-10-21 Lockheed Martin Corporation Dynamically reconfigurable 2D topology communication and verification scheme
US8560681B2 (en) * 2011-05-10 2013-10-15 Telefonica, S.A. Method of characterizing a social network communication using motifs
CN102869006B (zh) * 2012-09-13 2016-02-17 柳州职业技术学院 无线传感器网络层次型入侵诊断处理系统及其方法
WO2014118362A1 (en) * 2013-02-01 2014-08-07 Siemens Aktiengesellschaft Method and apparatus for monitoring security intrusion of a distributed computer system
CN104144063B (zh) * 2013-05-08 2018-08-10 朱烨 基于日志分析和防火墙安全矩阵的网站安全监控报警系统
CN104348811B (zh) * 2013-08-05 2018-01-26 深圳市腾讯计算机系统有限公司 分布式拒绝服务攻击检测方法及装置
CN103957525B (zh) * 2014-05-12 2018-02-27 江苏大学 车联网中基于分簇信任评估的恶意节点检测方法

Also Published As

Publication number Publication date
CN107409124A (zh) 2017-11-28
CN107251519B (zh) 2020-06-12
EP3272102A2 (de) 2018-01-24
EP3272075A4 (de) 2018-12-05
WO2016204838A2 (en) 2016-12-22
EP3272102A4 (de) 2018-11-14
CN107251519A (zh) 2017-10-13
WO2016204839A3 (en) 2017-01-26
WO2016204838A9 (en) 2017-06-15
WO2016204839A2 (en) 2016-12-22
WO2016204838A3 (en) 2017-01-26
CN107409124B (zh) 2020-09-15

Similar Documents

Publication Publication Date Title
US10091218B2 (en) System and method to detect attacks on mobile wireless networks based on network controllability analysis
JP6378395B2 (ja) 異常部分グラフの検出のための道探査及び異常/変更検出及び網状況認知のためのdns要求及びホストエージェントの使用
Heidari et al. Internet of Things intrusion detection systems: a comprehensive review and future directions
US11818146B2 (en) Framework for investigating events
US9979738B2 (en) System and method to detect attacks on mobile wireless networks based on motif analysis
CN107667505B (zh) 用于监控和管理数据中心的系统及方法
US20210273953A1 (en) ENDPOINT AGENT CLIENT SENSORS (cSENSORS) AND ASSOCIATED INFRASTRUCTURES FOR EXTENDING NETWORK VISIBILITY IN AN ARTIFICIAL INTELLIGENCE (AI) THREAT DEFENSE ENVIRONMENT
Kirubavathi et al. Botnet detection via mining of traffic flow characteristics
US10003985B1 (en) System and method for determining reliability of nodes in mobile wireless network
US20230171276A1 (en) Apparatus having engine using artificial intelligence for detecting bot anomalies in a computer network
Rawat et al. Rooted learning model at fog computing analysis for crime incident surveillance
Di Mauro et al. Improving SIEM capabilities through an enhanced probe for encrypted Skype traffic detection
Yang et al. Attack projection
WO2021236661A1 (en) Endpoint client sensors for extending network visibility
Holsopple et al. FuSIA: Future situation and impact awareness
Ali et al. Firewall policy reconnaissance: Techniques and analysis
CN107251519B (zh) 用于检测通信网络上的假信息的攻击的系统、方法和介质
Evancich et al. Network-wide awareness
US10187404B2 (en) System and method for detecting attacks on mobile ad hoc networks based on network flux
Li et al. Improved automated graph and FCM based DDoS attack detection mechanism in software defined networks
Shyu et al. A multiagent-based intrusion detection system with the support of multi-class supervised classification
US20230275908A1 (en) Thumbprinting security incidents via graph embeddings
Nakahara et al. Malware detection for IoT devices using hybrid system of whitelist and machine learning based on lightweight flow data
Wang et al. STC: exposing hidden compromised devices in networked sustainable green smart computing platforms by partial observation
Azer et al. Using Attack Graphs in Ad Hoc Networks-For Intrusion Prediction Correlation and Detection

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20170919

AK Designated contracting states

Kind code of ref document: A2

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
A4 Supplementary search report drawn up and despatched

Effective date: 20181025

RIC1 Information provided on ipc code assigned before grant

Ipc: H04L 12/26 20060101AFI20181020BHEP

Ipc: H04L 29/06 20060101ALI20181020BHEP

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20200204

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

P01 Opt-out of the competence of the unified patent court (upc) registered

Effective date: 20230525