Professor
Supervisor of Doctorate Candidates
Supervisor of Master's Candidates
Administrative Position: Director, Engineering Research Center of Security Technology for Complex Network Systems, Ministry of Education
Education Level: With Certificate of Graduation for Doctorate Study
Gender: Male
Contact Information: yaoyu@mail.neu.edu.cn
Degree: Doctorate
Alma Mater: Northeastern University
Discipline: Computer Applications Technology; Computer Software and Theory; Computer Architecture
Academic Honor: 2013 Excellent Talents of the Ministry of Education in the New Century
Journal: IEEE Transactions on Information Forensics and Security
Abstract: As the precursor of cyber-attacks, the campaigns of scanning groups reflect the attack target and attack trend to a great extent, which provides highly valuable threat intelligence for cyber defenders to understand the current cyber security situation. However, how to identify scanning groups in the context of limited information, especially in the absence of relevant threat intelligence, remains a challenging problem. In this paper, we utilize the honeynet as the sole data source to propose a scanning group identification system, Scanner-Hunter, which focuses on identifying scanning groups targeting ICS devices. To better characterize scanning patterns, a novel traffic representation scheme for scanning traffic is proposed, which is composed of a set of feature vectors describing all the ICS request packets. On this basis, we propose a novel self-expanding multi-class classification (SEMCC) model and an IP prefix judgment, which are deliberately integrated to cope with sophisticated scanning groups. Taking the Modbus protocol as an example, we implement a prototype of Scanner-Hunter and use six years of real-world honeynet datasets to evaluate its performance. The experimental results illustrate its effectiveness and superior performance compared with some popular machine learning methods and existing SOTA scanning group identification methods. In addition, Scanner-Hunter is further leveraged to investigate the group distribution and maliciousness of 506 unknown scanners, and some suspicious attack groups with APT characteristics are analyzed. Furthermore, accurate scanning group information will contribute to revealing potential attack organizations and to supporting decision making to prevent or interrupt cyber-attacks in time.
Key Words: Integrated circuits, IP networks, Cyberattack, Behavioral sciences, Telescopes, Analytical models, Reconnaissance
Indexed by: CCF Class A journal
Note: https://ieeexplore.ieee.org/document/10415218
Document Type: JCR Q1
Translation or Not: no