Abstract

Identifying attackers from network traffic is a common practice in cyberspace security management. However, cost constraints mean that network administrators cannot monitor every piece of security equipment, which gives attackers the chance to escape the administrators' surveillance by using legitimate actions and to carry out attacks in both the physical and the digital domain. We therefore propose a hidden attack sequence detection method based on reinforcement learning that models the network administrator as an intelligent agent which learns its action policy by interacting with the cyberspace environment. Using Deep Deterministic Policy Gradient (DDPG), the agent can discover attackers hiding inside legitimate action sequences while also reducing the cyberspace management cost. Furthermore, a dynamic reward DDPG method is proposed to improve defense performance: the reward is set dynamically according to the steps of the hidden attack sequence and the agent's check steps, rather than the fixed reward used in common methods. The method was verified in a simulated experimental cyberspace environment. The experimental results demonstrate that hidden attack sequences exist in cyberspace and that the proposed method can discover them. Dynamic reward DDPG shows superior performance in detecting hidden attackers, with a detection rate of 97.46%, improving the ability to discover hidden attackers and reducing the cyberspace management cost by 6% compared to DDPG.
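The modelling described in the abstract, as an added illustration that is not the paper's code: the administrator is the agent, each observed action is one environment step, the continuous action is an inspection intensity of the kind a DDPG actor would output, and a fixed reward is compared with a dynamic one. The trace, the cost and bonus constants, and the dynamic reward formula (check cost rising with the check steps already spent, detection bonus falling for later steps of the attack sequence, miss penalty rising as the attack nears completion) are my assumptions for illustration; the paper's exact definitions are not on this page.

```python
# Added example (not the paper's code): a toy version of the abstract's setting.
# The environment, the hidden attack trace, and both reward formulas are
# assumptions for illustration; the paper's exact reward definitions are not
# reproduced here.
from dataclasses import dataclass
from typing import Callable, Dict, Sequence

CHECK_COST = 1.0      # assumed management cost of inspecting one action
DETECT_BONUS = 20.0   # assumed reward for inspecting an attack step
MISS_PENALTY = 20.0   # assumed penalty for an attack step that went uninspected

# Constructed trace: 16 actions seen by the administrator, 'L' legitimate and
# 'A' one step of a three-step attack hidden among legitimate actions.
TRACE = tuple("LLLALLLLALLLLLAL")


@dataclass
class HiddenAttackEnv:
    """Administrator side of the interaction: one observed action per time step."""
    trace: Sequence[str]
    t: int = 0
    checks: int = 0   # check steps spent so far
    caught: int = 0   # attack steps that were inspected
    missed: int = 0   # attack steps that slipped through uninspected

    @property
    def n_attack(self) -> int:
        return sum(1 for a in self.trace if a == "A")

    def done(self) -> bool:
        return self.t >= len(self.trace)

    def step(self, intensity: float, reward_fn: "RewardFn") -> float:
        # intensity in [0, 1] is the continuous action a DDPG actor would emit;
        # the current action is inspected when it is at least 0.5.
        inspected = intensity >= 0.5
        is_attack = self.trace[self.t] == "A"
        seq_index = self.caught + self.missed   # position inside the attack sequence
        reward = reward_fn(self, inspected, is_attack, seq_index)  # uses pre-step state
        self.checks += int(inspected)
        if is_attack:
            if inspected:
                self.caught += 1
            else:
                self.missed += 1
        self.t += 1
        return reward


RewardFn = Callable[[HiddenAttackEnv, bool, bool, int], float]
Policy = Callable[[int, HiddenAttackEnv], float]


def fixed_reward(env: HiddenAttackEnv, inspected: bool, is_attack: bool, seq_index: int) -> float:
    """Fixed reward: the same cost and bonus whatever step of the episode or attack it is."""
    r = -CHECK_COST if inspected else 0.0
    if is_attack:
        r += DETECT_BONUS if inspected else -MISS_PENALTY
    return r


def dynamic_reward(env: HiddenAttackEnv, inspected: bool, is_attack: bool, seq_index: int) -> float:
    """Assumed dynamic reward (illustration only): the check cost grows with the
    check steps already spent, catching an early step of the attack sequence pays
    more than a late one, and missing a late step (attack nearly complete) costs more."""
    n = env.n_attack
    r = -CHECK_COST * (1 + env.checks / len(env.trace)) if inspected else 0.0
    if is_attack:
        if inspected:
            r += DETECT_BONUS * (n - seq_index) / n
        else:
            r -= MISS_PENALTY * (seq_index + 1) / n
    return r


def check_all(t: int, env: HiddenAttackEnv) -> float:
    return 1.0


def check_none(t: int, env: HiddenAttackEnv) -> float:
    return 0.0


def periodic(k: int) -> Policy:
    """Inspect every k-th action regardless of what has been seen."""
    return lambda t, env: 1.0 if t % k == 0 else 0.0


def adaptive(t: int, env: HiddenAttackEnv) -> float:
    """Sample every third action until one attack step is caught, then inspect
    everything: the kind of cost-aware policy the agent is meant to learn."""
    return 1.0 if env.caught > 0 or t % 3 == 0 else 0.0


def run_episode(policy: Policy, reward_fn: RewardFn, trace: Sequence[str] = TRACE) -> Dict[str, object]:
    env = HiddenAttackEnv(trace)
    total = 0.0
    while not env.done():
        total += env.step(policy(env.t, env), reward_fn)
    return {"reward": round(total, 4), "checks": env.checks, "caught": env.caught,
            "missed": env.missed, "detected": env.caught > 0}


if __name__ == "__main__":
    for name, pol in [("check_all", check_all), ("periodic(2)", periodic(2)),
                      ("adaptive", adaptive), ("check_none", check_none)]:
        print(f"{name:12s} fixed={run_episode(pol, fixed_reward)}")
        print(f"{'':12s} dynamic={run_episode(pol, dynamic_reward)}")
```

Under both rewards the sparse-then-escalate policy catches all three attack steps with fewer check steps than inspecting every action, but the dynamic reward widens its margin over full inspection (about 3.8 against 2.0 with these constants), which is the direction the abstract reports: the same detection at lower management cost. DDPG training itself (actor, critic, replay buffer) is not shown; any continuous-action learner can replace the hand-written policies.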

Highlights

  • In cyberspace security management, it is common practice to identify and prevent attackers by capturing, analyzing, and controlling the network traffic [1]. Network security management approaches based on network traffic can be divided into three categories. The first is based on basic flow information, such as source address, source port, destination address, destination port, and protocol. Security equipment checks this basic information and blocks flows that are not allowed. The check can be performed by firewalls, routers, or switches, where the check rules are access control lists, routing tables, or VLAN tags. This approach is effective and easy to deploy

  • Academia and industry have put forward many effective algorithms and are automating malicious-traffic feature extraction step by step, but these usually judge malicious traffic on a single packet or a single flow and lack an understanding of the entire cyberspace security situation. The third approach is to capture, store, and analyze network traffic centrally from multiple network links [6]. Typical products that have emerged in recent years, named security situational awareness systems, are able to use information from more than one link and improve the identification precision of multistep or coordinated attacks

  • We want to show that the proposed model can discover hidden attack sequences, and this experiment shows that cyberspace contains hidden attack sequences


Summary

Introduction

In cyberspace security management, it is common practice to identify and prevent attackers by capturing, analyzing, and controlling the network traffic [1]. Network security management approaches based on network traffic can be divided into three categories. The first is based on basic flow information, such as source address, source port, destination address, destination port, and protocol. Security equipment checks this basic information and blocks flows that are not allowed. The check can be performed by firewalls, routers, or switches, where the check rules are access control lists, routing tables, or VLAN tags. This approach is effective and easy to deploy, but it is not flexible enough, as it can only provide access control based on address or service. The second approach is to extract characteristic information from the payload of network traffic and map it to high-level semantics in order to identify attackers. Academia and industry have put forward many effective algorithms and are automating malicious-traffic feature extraction step by step, but these usually judge malicious traffic on a single packet or a single flow and lack an understanding of the entire cyberspace security situation. If network links are not adequately monitored, it is difficult to identify hidden attackers accurately or to perceive the entire cyberspace security situation accurately
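The first category of check, as an added example rather than anything from the paper: a 5-tuple access control list evaluated first-match with an implicit deny, over constructed flows with hypothetical addresses. It also makes the limitation named above concrete: an attacker's step that reuses a permitted address/service pair is indistinguishable from legitimate use at this layer, so it passes the check.

```python
# Added example (not the paper's code): the first category of traffic-based
# control, a 5-tuple access control list as a router or firewall applies it.
# All addresses, ports and rules below are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; the default matches any source
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None means any destination port
    proto: Optional[str] = None  # None means any protocol

    def matches(self, f: Flow) -> bool:
        return (ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == f.dport)
                and (self.proto is None or self.proto == f.proto))


def acl_decide(rules: List[Rule], f: Flow, default: str = "deny") -> str:
    """First matching rule wins; a flow that matches no rule hits the implicit
    deny at the end of the list, as on a real ACL."""
    for r in rules:
        if r.matches(f):
            return r.action
    return default


# Constructed rule set: the user subnet may reach the web tier on 443 and the
# file server on 445; everything else from that subnet into the server range
# is dropped, and anything from elsewhere falls through to the implicit deny.
ACL = [
    Rule("permit", src="10.1.0.0/16", dst="10.2.0.10/32", dport=443, proto="tcp"),
    Rule("permit", src="10.1.0.0/16", dst="10.2.0.20/32", dport=445, proto="tcp"),
    Rule("deny", src="10.1.0.0/16", dst="10.2.0.0/24"),
]

# Constructed flows: an ordinary HTTPS session, an RDP attempt the ACL stops,
# and an attacker's SMB connection that reuses an allowed address/service pair.
HTTPS_FLOW = Flow("10.1.5.7", 51000, "10.2.0.10", 443, "tcp")
RDP_FLOW = Flow("10.1.5.7", 51001, "10.2.0.20", 3389, "tcp")
HIDDEN_STEP = Flow("10.1.5.7", 51002, "10.2.0.20", 445, "tcp")


def evaluate(flows: List[Flow], rules: List[Rule] = ACL) -> List[Tuple[Flow, str]]:
    """Apply the ACL to each flow and return (flow, verdict) pairs."""
    return [(f, acl_decide(rules, f)) for f in flows]


if __name__ == "__main__":
    for f, verdict in evaluate([HTTPS_FLOW, RDP_FLOW, HIDDEN_STEP]):
        print(f"{f.src}:{f.sport} -> {f.dst}:{f.dport}/{f.proto}: {verdict}")
```

The third flow is permitted exactly like the first: the ACL sees only address and service, so whether the SMB session is routine file access or one step of a hidden attack sequence has to be decided by the payload- or multi-link-based approaches the rest of the introduction describes.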

