Details
ISBN:
(Print) 9781538675182
It is well known that distributed cyber attacks simultaneously launched from many hosts have caused the most serious problems in recent years, including privacy leakage and denial of service. Thus, how to detect those attacks at an early stage has become an important and urgent topic in the cyber security community. For this purpose, recognizing C&C (Command & Control) communication between compromised bots and the C&C server becomes a crucially important issue, because C&C communication takes place in the preparation phase of distributed attacks. Although signature-based attack detection has been applied in practice for a long time, it is well known that it cannot efficiently deal with new kinds of attacks. In recent years, ML (Machine Learning)-based detection methods have been studied widely. In those methods, feature selection is obviously very important to the detection performance. We once utilized up to 55 features to pick out C&C traffic in order to accomplish early detection of DDoS attacks. In this work, we try to answer the question "Are all of those features really necessary?" We mainly investigate how the detection performance changes as features are removed, starting from those with the lowest importance, and we try to make clear which features should be paid attention to for early detection of distributed attacks. We use honeypot data collected during the period from 2008 to 2013. SVM (Support Vector Machine) and PCA (Principal Component Analysis) are utilized for feature selection, and SVM and RF (Random Forest) are used for building the classifier. We find that the detection performance generally gets better if more features are utilized. However, after the number of features has reached around 40, the detection performance does not change much even if more features are used. It is also verified that, in some specific cases, more features do not always mean better detection performance. We also discuss 10 important features which have the biggest influ
Details
ISBN:
(Print) 9781479949342
Increasing efforts are being made in securing the communication infrastructure used in electric power systems. On the surface, this should greatly reduce the chances of successfully executing the type of coordinated and distributed cyber attacks necessary to cause large-scale failures. However, existing communications security schemes in power control systems only consider explicit communications. In this paper, we show that there is a rich set of covert communication channels available to attackers for use in coordinating large scale attacks against power grids. Specifically, we present PHYCO, a novel covert channel that leverages physical substrates, e.g., line loads, within a power system, to transmit information between compromised device controllers. Using PHYCO, two compromised controllers that are miles apart can coordinate their efforts by manipulating relays to modify the power network's topology. This can be done without requiring the use of any explicit communication channels, e.g., power line communications, and can evade intrusion detection sensors aimed at overt traffic. We have evaluated PHYCO using real-world programmable logic controllers on a realistic simulated power grid. Our results show that PHYCO can bypass existing intrusion detection sensors as well as physical inspections by carefully crafting covert communications to have minimal exterior consequences within normal operating thresholds.