815 research outputs found

    Network traffic anomaly detection using EMD and Hilbert-Huang transform

    Empirical Mode Decomposition (EMD) and Hilbert-Huang Transform (HHT) provide a means for adaptive data analysis. EMD extracts Intrinsic Mode Functions (IMFs) that represent the frequency and amplitude characteristics of a signal. HHT generates the marginal spectrum and energy density level of a signal. The IMFs, the marginal spectrum, and the energy density level characterize a signal from three different perspectives. This thesis proposes three novel parameters for network traffic anomaly detection based on the above three signal characteristics. Hurst parameter of network traffic is calculated based on the first IMF, and is expanded by introducing a weighted self-similarity based on the concept of entropy. Pearson’s distance is calculated based on the marginal spectrum to differentiate normal traffic from abnormal ones. Finally, the slopes of crosscorrelations are calculated based on the energy density level to detect the rate of energy change between normal and abnormal internet traffic

    Thirty Years of Machine Learning: The Road to Pareto-Optimal Wireless Networks

    Future wireless networks have a substantial potential in terms of supporting a broad range of complex compelling applications both in military and civilian fields, where the users are able to enjoy high-rate, low-latency, low-cost and reliable information services. Achieving this ambitious goal requires new radio techniques for adaptive learning and intelligent decision making because of the complex heterogeneous nature of the network structures and wireless services. Machine learning (ML) algorithms have great success in supporting big data analytics, efficient parameter estimation and interactive decision making. Hence, in this article, we review the thirty-year history of ML by elaborating on supervised learning, unsupervised learning, reinforcement learning and deep learning. Furthermore, we investigate their employment in the compelling applications of wireless networks, including heterogeneous networks (HetNets), cognitive radios (CR), Internet of things (IoT), machine to machine networks (M2M), and so on. This article aims for assisting the readers in clarifying the motivation and methodology of the various ML algorithms, so as to invoke them for hitherto unexplored services as well as scenarios of future wireless networks. Comment: 46 pages, 22 fig

    SDR for Physical Layer Authentication

    Wireless networks and devices are easy and useful solutions nowadays, regardless of the context in which they are implemented. However, it is in the broadcast nature of wireless networks that some vulnerabilities arise. To protect against these vulnerabilities, encryption and authentication methods are commonly used. However, such methods come at the expense of their own complexity, requiring high enough computational power to solve, and introducing latency. To try to reduce the complexity of the conventional ways of user authentication, this work has studied mechanisms to implement reliable authentication at the physical layer, analyzing the various devices' signal characteristics. To achieve this analysis, the GNU Radio platform was used to process incoming signals and extract the necessary features. Given the open source nature of GNU Radio, this provides a customizable and low-cost solution to signal processing and feature extraction. This research uses the GNU Radio to implement a feature extraction solution and constructs a feature vector with size 1 × 95. This thesis studies the extracted features of eleven IEEE 802.15.4 devices in regards to their separability and proposes a solution for feature reduction. The feature vectors are passed through a Random Forest and a Deep Neural Network (DNN) classifier, achieving accuracies as high as 99% for short distance communication.

    Advanced Radio Frequency Identification Design and Applications

    Radio Frequency Identification (RFID) is a modern wireless data transmission and reception technique for applications including automatic identification, asset tracking and security surveillance. This book focuses on the advances in RFID tag antenna and ASIC design, novel chipless RFID tag design, security protocol enhancements along with some novel applications of RFID

    Reflex syncope : an integrative physiological approach

    Syncope, the most common form of transient loss of consciousness, accounts for up to 5% of emergency room visits and up to 3% of hospital admissions. It is a frequent medical problem with multiple triggers, potentially dangerous, incapacitating, and challenging to diagnose. Therefore, a detailed clinical history is needed first to establish the nature of the loss of consciousness. However, after diagnosis, the therapeutic measures available are still very poor. 
Although the exact pathophysiology of vasovagal syncope remains to be clarified, some underlying mechanisms have been unveiled, dependent not only on the cause of syncope but also on age and various other factors that affect clinical presentation. Ultimately, syncope depends on a failure of the circulation to perfuse the brain, so any factor affecting blood circulation may determine syncope occurrence. Thus, the purpose of the present study is to understand the impact of the hemodynamic and autonomic functions on reflex syncope mechanisms to improve patients' diagnosis, prognosis and general quality of life. Bearing that in mind, we designed and implemented new mathematical and computational tools for autonomic and hemodynamic evaluation, in order to deepen the understanding of their involvement in reflex syncope mechanisms. Furthermore, by refining the diagnostic accuracy, sensitivity and specificity of the head-up tilt-table test, we established a predictive tool for the impending syncopal episode. This allowed us to establish effective and personalised treatment alternatives for patients refractory to conventional options, contributing to an increase in their quality of life and a reduction of health care and associated costs. In accordance, in a truly multidisciplinary study involving reflex syncope patients, we were able to show an elemental functional asynchrony of hemodynamic and autonomic reflex responses, expressed through a temporal mismatch between cardiac output and total peripheral resistance adaptations, a deferred baroreflex response and an unbalanced, but incremental, autonomic tone, all contributing to autonomic dysfunction, translated into a decreased sympathetic reserve. 
Through the design, testing and implementation of a computational platform and the associated software, the FisioSinal platform, we developed novel and dynamic ways of autonomic and hemodynamic evaluation, whose data led to the development of predictive algorithms for syncope patients' risk stratification. Furthermore, through the application of these tools, we showed the effectiveness of a non-invasive, non-disruptive and integrated treatment, focusing on neuromodulation of the autonomic and cardiovascular variables involved in the syncope mechanisms, leading to a substantial increase of quality of life and the abolishment of syncopal events in a vast majority of the enrolled patients. In conclusion, our work contributed to fill the gap between the best available scientific information and its application in the clinical practice by tackling the three pillars of translational medicine: bench-side, bedside and community

    Security performance and protocol consideration in optical communication system with optical layer security enabled by optical coding techniques

    With the fast development of communication systems, network security issues have more and more impact on daily life. It is essential to construct a high degree of optical layer security to resolve the security problem once and for all. Three different techniques which can provide optical layer security are introduced and compared. Optical chaos can be used for fast random number generation. Quantum cryptography is the most promising technique for key distribution. And the optical coding techniques can be deployed to encrypt the modulated signal in the optical layer. A mathematical equation has been derived from information theory to evaluate the information-theoretic security level of the wiretap channel in optical coding schemes. And the merits and limitation of two coherent optical coding schemes, temporal phase coding and spectral phase coding, have been analysed. The security scheme based on a reconfigurable optical coding device has been introduced, and the corresponding security protocol has been developed. By moving the encryption operation from the electronic layer to the optical layer, the modulated signals become opaque to the unauthorised users. Optical code distribution and authentication is the one of the major challenges for our proposed scheme. In our proposed protocol, both of the operations are covered and defined in detail. As a preliminary draft of the optical code security protocol, it could be a useful guidance for further research

    Acoustic-channel attack and defence methods for personal voice assistants

    Personal Voice Assistants (PVAs) are increasingly used as interface to digital environments. Voice commands are used to interact with phones, smart homes or cars. In the US alone the number of smart speakers such as Amazon’s Echo and Google Home has grown by 78% to 118.5 million and 21% of the US population own at least one device. Given the increasing dependency of society on PVAs, security and privacy of these has become a major concern of users, manufacturers and policy makers. Consequently, a steep increase in research efforts addressing security and privacy of PVAs can be observed in recent years. While some security and privacy research applicable to the PVA domain predates their recent increase in popularity and many new research strands have emerged, there lacks research dedicated to PVA security and privacy. The most important interaction interface between users and a PVA is the acoustic channel and acoustic channel related security and privacy studies are desirable and required. The aim of the work presented in this thesis is to enhance the cognition of security and privacy issues of PVA usage related to the acoustic channel, to propose principles and solutions to key usage scenarios to mitigate potential security threats, and to present a novel type of dangerous attack which can be launched only by using a PVA alone. The five core contributions of this thesis are: (i) a taxonomy is built for the research domain of PVA security and privacy issues related to acoustic channel. An extensive research overview on the state of the art is provided, describing a comprehensive research map for PVA security and privacy. It is also shown in this taxonomy where the contributions of this thesis lie; (ii) Work has emerged aiming to generate adversarial audio inputs which sound harmless to humans but can trick a PVA to recognise harmful commands. 
The majority of work has been focused on the attack side, but there rarely exists work on how to defend against this type of attack. A defence method against white-box adversarial commands is proposed and implemented as a prototype. It is shown that a defence Automatic Speech Recognition (ASR) can work in parallel with the PVA’s main one, and adversarial audio input is detected if the difference in the speech decoding results between both ASRs surpasses a threshold. It is demonstrated that an ASR that differs in architecture and/or training data from the PVA’s main ASR is usable as protection ASR; (iii) PVAs continuously monitor conversations which may be transported to a cloud back end where they are stored, processed and maybe even passed on to other service providers. A user has limited control over this process when a PVA is triggered without user’s intent or a PVA belongs to others. A user is unable to control the recording behaviour of surrounding PVAs, unable to signal privacy requirements and unable to track conversation recordings. An acoustic tagging solution is proposed aiming to embed additional information into acoustic signals processed by PVAs. A user employs a tagging device which emits an acoustic signal when PVA activity is assumed. Any active PVA will embed this tag into their recorded audio stream. The tag may signal a cooperating PVA or back-end system that a user has not given a recording consent. The tag may also be used to trace when and where a recording was taken if necessary. A prototype tagging device based on PocketSphinx is implemented. Using Google Home Mini as the PVA, it is demonstrated that the device can tag conversations and the tagging signal can be retrieved from conversations stored in the Google back-end system; (iv) Acoustic tagging provides users the capability to signal their permission to the back-end PVA service, and another solution inspired by Denial of Service (DoS) is proposed as well for protecting user privacy. 
Although PVAs are very helpful, they are also continuously monitoring conversations. When a PVA detects a wake word, the immediately following conversation is recorded and transported to a cloud system for further analysis. An active protection mechanism is proposed: reactive jamming. A Protection Jamming Device (PJD) is employed to observe conversations. Upon detection of a PVA wake word the PJD emits an acoustic jamming signal. The PJD must detect the wake word faster than the PVA such that the jamming signal still prevents wake word detection by the PVA. An evaluation of the effectiveness of different jamming signals and overlap between wake words and the jamming signals is carried out. 100% jamming success can be achieved with an overlap of at least 60% with a negligible false positive rate; (v) Acoustic components (speakers and microphones) on a PVA can potentially be re-purposed to achieve acoustic sensing. This has great security and privacy implication due to the key role of PVAs in digital environments. The first active acoustic side-channel attack is proposed. Speakers are used to emit human inaudible acoustic signals and the echo is recorded via microphones, turning the acoustic system of a smartphone into a sonar system. The echo signal can be used to profile user interaction with the device. For example, a victim’s finger movement can be monitored to steal Android unlock patterns. The number of candidate unlock patterns that an attacker must try to authenticate herself to a Samsung S4 phone can be reduced by up to 70% using this novel unnoticeable acoustic side-channel

    Security and Privacy for Modern Wireless Communication Systems

    The aim of this reprint focuses on the latest protocol research, software/hardware development and implementation, and system architecture design in addressing emerging security and privacy issues for modern wireless communication networks. Relevant topics include, but are not limited to, the following: deep-learning-based security and privacy design; covert communications; information-theoretical foundations for advanced security and privacy techniques; lightweight cryptography for power constrained networks; physical layer key generation; prototypes and testbeds for security and privacy solutions; encryption and decryption algorithm for low-latency constrained networks; security protocols for modern wireless communication networks; network intrusion detection; physical layer design with security consideration; anonymity in data transmission; vulnerabilities in security and privacy in modern wireless communication networks; challenges of security and privacy in node–edge–cloud computation; security and privacy design for low-power wide-area IoT networks; security and privacy design for vehicle networks; security and privacy design for underwater communications networks

    Darknet as a Source of Cyber Threat Intelligence: Investigating Distributed and Reflection Denial of Service Attacks

    Cyberspace has become a massive battlefield between computer criminals and computer security experts. In addition, large-scale cyber attacks have enormously matured and became capable to generate, in a prompt manner, significant interruptions and damage to Internet resources and infrastructure. Denial of Service (DoS) attacks are perhaps the most prominent and severe types of such large-scale cyber attacks. Furthermore, the existence of widely available encryption and anonymity techniques greatly increases the difficulty of the surveillance and investigation of cyber attacks. In this context, the availability of relevant cyber monitoring is of paramount importance. An effective approach to gather DoS cyber intelligence is to collect and analyze traffic destined to allocated, routable, yet unused Internet address space known as darknet. In this thesis, we leverage big darknet data to generate insights on various DoS events, namely, Distributed DoS (DDoS) and Distributed Reflection DoS (DRDoS) activities. First, we present a comprehensive survey of darknet. We primarily define and characterize darknet and indicate its alternative names. We further list other trap-based monitoring systems and compare them to darknet. In addition, we provide a taxonomy in relation to darknet technologies and identify research gaps that are related to three main darknet categories: deployment, traffic analysis, and visualization. Second, we characterize darknet data. Such information could generate indicators of cyber threat activity as well as provide in-depth understanding of the nature of its traffic. Particularly, we analyze darknet packets distribution, its used transport, network and application layer protocols and pinpoint its resolved domain names. Furthermore, we identify its IP classes and destination ports as well as geo-locate its source countries. We further investigate darknet-triggered threats. 
The aim is to explore darknet inferred threats and categorize their severities. Finally, we contribute by exploring the inter-correlation of such threats, by applying association rule mining techniques, to build threat association rules. Specifically, we generate clusters of threats that co-occur targeting a specific victim. Third, we propose a DDoS inference and forecasting model that aims at providing insights to organizations, security operators and emergency response teams during and after a DDoS attack. Specifically, this work strives to predict, within minutes, the attacks’ features, namely, intensity/rate (packets/sec) and size (estimated number of compromised machines/bots). The goal is to understand the future short-term trend of the ongoing DDoS attacks in terms of those features and thus provide the capability to recognize the current as well as future similar situations and hence appropriately respond to the threat. Further, our work aims at investigating DDoS campaigns by proposing a clustering approach to infer various victims targeted by the same campaign and predicting related features. To achieve our goal, our proposed approach leverages a number of time series and fluctuation analysis techniques, statistical methods and forecasting approaches. Fourth, we propose a novel approach to infer and characterize Internet-scale DRDoS attacks by leveraging the darknet space. Complementary to the pioneer work on inferring DDoS activities using darknet, this work shows that we can extract DoS activities without relying on backscattered analysis. The aim of this work is to extract cyber security intelligence related to DRDoS activities such as intensity, rate and geographic location in addition to various network-layer and flow-based insights. To achieve this task, the proposed approach exploits certain DDoS parameters to detect the attacks and the expectation maximization and k-means clustering techniques in an attempt to identify campaigns of DRDoS attacks. 
Finally, we conclude this work by providing some discussions and pinpointing some future work