Janus: A Two-Sided Analytical Model for Multi-Stage Coordinated Attacks

  • Zonghua Zhang
  • Pin-Han Ho
  • Xiaodong Lin
  • Hong Shen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4296)


Multi-stage coordinated attacks (MSCA) bring many challenges to security analysts because of their special temporal and spatial characteristics. This paper presents a two-sided model, Janus, to characterize and analyze the behavior of attacker and defender in an MSCA. Their behavior is first formulated as a Multi-agent Partially Observable Markov Decision Process (MPO-MDP). An ANTS algorithm is then developed from the attacker's perspective to approximately search for attack schemes with the minimum cost, and a backward searching algorithm, APD-BS, is designed from the defender's standpoint to seek the pivots of attack schemes, so that they can be effectively countered by removing the key observations associated with the system state estimates. Two case studies show how the models and algorithms apply to practical scenarios, and some preliminary analyses are given to validate their performance and advantages.


Keywords (added by machine, not by the authors): System State; Attack Scenario; Partially Observable Markov Decision Process; Concurrent Action; Attack Scheme





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Zonghua Zhang (1)
  • Pin-Han Ho (1)
  • Xiaodong Lin (1)
  • Hong Shen (2)

  1. Department of Electrical and Computer Engineering, University of Waterloo, Ontario, Canada
  2. Department of Computer and Mathematics, Manchester Metropolitan University, All Saints, Manchester, England
