242 research outputs found

    Neural networks applied to the learning process of an automated intrusion response system

    The contribution of this article is the use of machine learning methods in the architecture developed within the RECLAMO project in previous work. The architecture is based on an AIRS (automated intrusion response system) that infers the most appropriate response to an attack, taking into account the type of attack, the context information of the system and the network, and the reputation of the IDS that reported the alert. It is also essential to know the success and failure ratio of the responses launched against an attack, so that, in addition to having an adaptive system, the capacity for self-learning is achieved. This is where neural networks come into play, providing the success/failure classification of the responses

    System Health Monitoring and Proactive Response Activation

    SUMMARY Network services are increasingly extensive and increasingly complex to manage. It is extremely important to maintain quality of service for users, in particular the response time of critical applications and services in high demand. On the other hand, there is an evolution in the way attackers access systems and infect computers. Deploying an intrusion detection tool (IDS) is therefore essential to monitor and analyze systems in operation. An important component to associate with an intrusion detection tool is a subsystem that computes the severity of attacks and selects an adequate response at the right time. This component is called an intrusion response system (IRS). An IRS must accurately evaluate the value of the loss that a compromised resource could suffer as well as the cost of the responses under consideration. Without this information, an automatic IRS risks seriously reducing network performance, wrongly disconnecting users from the network, causing an outcome that involves high costs for administrators to restore services, and thus becoming a denial-of-service attack on our network. In this thesis, we address these challenges and propose an IRS that takes these costs into account. In the first part of this thesis, we present a dynamic evaluation of response costs. The evaluation of response costs is an important element of the intrusion response system. Although many automated IRSs have been proposed, most of them statically choose responses according to the attacks, avoiding the need for a dynamic evaluation of response costs. However, with a dynamic evaluation of responses, the drawbacks of the static model can be mitigated. 
Furthermore, it will then be more effective to defend a system against an attack because the response will be less predictable. A dynamic model offers a better response chosen according to the current situation of the network. Thus, the evaluation of the positive and negative effects of the responses must be computed online, at attack time, in a dynamic model. We evaluate the response cost online according to the dependency links between resources, the number of online users, and the privilege level of each user. In the second part, an IRS is proposed that works with an online attack risk assessment component. Perfect coordination between the risk assessment mechanism and the response system in the proposed model has led to an efficient framework that is able to: (1) attempt to reduce intrusion risks, (2) compute the effectiveness of responses, and (3) decide on the activation and deactivation of responses according to factors, several of which have rarely been covered in previous models involving this type of cooperation. To demonstrate the effectiveness and feasibility of the proposed model in real production environments, a sophisticated attack, exploiting a combination of vulnerabilities to compromise a target computer, was implemented. In the third part, we present an online method to compute the attack cost using a combination of a dynamic attack graph and a service dependency graph in live mode. In this work, the detection and generation of the attack graph are based on events from a kernel-level execution trace, which is new in this work. Indeed, our group (DORSAL Laboratory) has designed a low-impact tracer for the Linux operating system, called LTTng (Linux Trace Toolkit next generation). 
All the proposed frameworks are based on the LTTng tracer. The Linux kernel is instrumented with the tracepoint infrastructure. Thus, it can provide a lot of information about system calls. This mechanism is also available in user space. After collecting all the traces, they must be synchronized since each node on which a trace is generated has its own clock. Finally, we use an abstraction algorithm to cope with the huge trace files and synthesize the information useful for a mechanism that detects attacks and triggers corrective measures aimed at mitigating the effect of attacks.
ABSTRACT Network services are becoming larger and increasingly complex to manage. It is extremely important to maintain the users' QoS, the response time of applications, and critical services in high demand. On the other hand, we see impressive changes in the ways in which attackers gain access to systems and infect computers. Deployment of intrusion detection tools (IDS) is critical to monitor and analyze running systems. An important component needed to complement intrusion detection tools is a subsystem to evaluate the severity of each attack and select a correct response at the right time. This component is called Intrusion Response System (IRS). An IRS has to accurately assess the value of the loss incurred by a compromised resource and have an accurate evaluation of the responses cost. Otherwise, our automated IRS will reduce network performance, wrongly disconnect users from the network, or result in high costs for administrators reestablishing services, and become a DoS attack for our network, which will eventually have to be disabled. In this thesis, we address these challenges and we propose a cost-sensitive framework for IRS. In the first part of this dissertation, we present a dynamic response cost evaluation. Response cost evaluation is a major part of the Intrusion Response System. 
Although many automated IRSs have been proposed, most of them use statically evaluated responses, avoiding the need for dynamic evaluation of response cost. However, by designing a dynamic evaluation for the responses, we can alleviate the drawbacks of the static model. Furthermore, it will be more effective at defending a system from an attack as it will be less predictable. A dynamic model offers the best response based on the current situation of the network. Thus, the evaluation of the positive effects and negative impacts of the responses must be computed online, at attack time, in a dynamic model. We evaluate the response cost online with respect to the resources dependencies and the number of online users. In the second part, an IRS has been proposed that works with an online risk assessment component. Perfect coordination between the risk assessment mechanism and the response system in the proposed model has led to an efficient framework that is able to: (1) manage risk reduction issues; (2) calculate the response Goodness; and (3) perform response activation and deactivation based on factors that have rarely been seen in previous models involving this kind of cooperation. To demonstrate the efficiency and feasibility of using the proposed model in real production environments, a sophisticated attack exploiting a combination of vulnerabilities to compromise a target machine was implemented. In the third part, we present an online method to calculate the attack cost using a combination of dynamic attack graph and service dependency graph in live mode. In this work, detecting and generating the attack graph is based on kernel level events which is new in this work. Our group (DORSAL Lab) has designed a low impact tracer in the Linux operating system called LTTng (Linux Trace Toolkit next generation). All the proposed frameworks are based on the LTTng tracer. The Linux kernel is instrumented with the tracepoint infrastructure. 
Thus, it can provide a lot of information about system call entry and exit. Also, this mechanism is available at user-space level. After gathering all traces, we have to synchronize them because each trace is generated on a node with its own clock. We use an abstraction algorithm, to deal with huge trace files, to prepare useful information for the detection mechanism and finally to trigger corrective measures to mitigate attack

    Hidden Markov Model Based Intrusion Alert Prediction

    Intrusion detection is only a starting step in securing IT infrastructure. Prediction of intrusions is the next step to provide an active defense against incoming attacks. Most of the existing intrusion prediction methods mainly focus on prediction of either intrusion type or intrusion category. Also, most of them are built based on domain knowledge and specific scenario knowledge. This thesis proposes an alert prediction framework which provides more detailed information than just the intrusion type or category to initiate possible defensive measures. The proposed algorithm is based on hidden Markov model and it does not depend on specific domain knowledge. Instead, it depends on a training process. Hence the proposed algorithm is adaptable to different conditions. Also, it is based on prediction of the next alert cluster, which contains source IP address, destination IP range, alert type and alert category. Hence, prediction of next alert cluster provides more information about future strategies of the attacker. Experiments were conducted using a public data set generated over 2500 alert predictions. Proposed alert prediction framework achieved accuracy of 81% and 77% for single step and five step predictions respectively for prediction of the next alert cluster. It also achieved an accuracy of prediction of 95% and 92% for single step and five step predictions respectively for prediction of the next alert category. The proposed methods achieved 5% prediction accuracy improvement for alert category over variable length Markov based alert prediction method, while providing more information for a possible defense

    Wide-Area Situation Awareness based on a Secure Interconnection between Cyber-Physical Control Systems

    Subsequently, we examine and identify the special requirements that constrain the design and operation of a secure interoperability architecture for the SSC (particularly the SCCF) of the smart grid. We focus on modeling the non-functional requirements that shape this infrastructure, following the NFR methodology to extract essential requirements, techniques for satisfying the requirements, and metrics for our architectural model. We study the services needed for the secure interoperability of the SSC of the SG, reviewing in depth the security mechanisms, from basic services to advanced procedures capable of coping with sophisticated threats against control systems, such as intrusion detection, protection and response systems. Our analysis is divided into different areas: prevention, awareness and reaction, and restoration; which generate a robust security model for the protection of critical systems. We provide the design of an architectural model for the secure interoperability and interconnection of the SCCF of the smart grid. This scenario considers the interconnectivity of a federation of SG energy providers, which interact through the secure interoperability platform to manage and control their infrastructures cooperatively. The platform takes into account the inherent characteristics and the new services and technologies that accompany the Industry 4.0 movement. Finally, we present a proof of concept of our architectural model, which helps validate the proposed design through experimentation. 
We create a set of validation cases that test some of the main functionalities offered by the architecture designed for secure interoperability, providing information on its performance and capabilities. Modern critical infrastructures (IICC) are vast, highly complex systems that require the use of information technologies to manage, control and monitor the operation of these infrastructures. Because of their essential functions, the protection and security of critical infrastructures and, therefore, of their control systems, has become a priority task for the various governmental and academic institutions worldwide. The interoperability of the IICC, especially of their control systems (SSC), becomes a key characteristic for these systems to be able to coordinate and carry out control and security tasks cooperatively. The objective of this thesis therefore focuses on providing tools for the secure interoperability of the different SSC, especially the cyber-physical control systems (SCCF), so as to strengthen the intercommunication and coordination between them and create an environment in which the various infrastructures can carry out cooperative control and security tasks, creating a secure interoperability platform capable of serving various IICC, in a wide-area situational awareness environment. To this end, we first review the most sophisticated threats to the operation of critical systems, focusing particularly on the stealth cyberattacks that threaten the control systems of critical infrastructures such as the smart grid. 
We focus our research on analyzing and understanding this new type of attack appearing against critical systems, and on the possible countermeasures and tools to mitigate the effects of these attacks

    Hidden Markov Model and Cyber Deception for the Prevention of Adversarial Lateral Movement

    Advanced persistent threats (APTs) have emerged as multi-stage attacks that have targeted nation-states and their associated entities, including private and corporate sectors. Cyber deception has emerged as a defense approach to secure our cyber infrastructure from APTs. Practical deployment of cyber deception relies on defenders' ability to place decoy nodes along the APT path optimally. This paper presents a cyber deception approach focused on predicting the most likely sequence of attack paths and deploying decoy nodes along the predicted path. Our proposed approach combines reactive (graph analysis) and proactive (cyber deception technology) defense to thwart the adversaries' lateral movement. The proposed approach is realized through two phases. The first phase predicts the most likely attack path based on Intrusion Detection System (IDS) alerts and network trace, and the second phase is determining optimal deployment of decoy nodes along the predicted path. We employ transition probabilities in a Hidden Markov Model to predict the path. In the second phase, we utilize the predicted attack path to deploy decoy nodes. However, it is likely that the attacker will not follow that predicted path to move laterally. To address this challenge, we employ a Partially Observable Monte-Carlo Planning (POMCP) framework. POMCP helps the defender assess several defense actions to block the attacker when it deviates from the predicted path. The evaluation results show that our approach can predict the most likely attack paths and thwarts the adversarial lateral movement

    Accelerated Forgetting in People with Epilepsy: Pathologic Memory Loss, Its Neural Basis, and Potential Therapies

    While forgetting is vital to human functioning, delineating between normative and disordered forgetting can become incredibly complex. This thesis characterizes a pathologic form of forgetting in epilepsy, identifies a neural basis, and investigates the potential of stimulation as a therapeutic tool. Chapter 2 presents a behavioral characterization of the time course of Accelerated Long-Term Forgetting (ALF) in people with epilepsy (PWE). This chapter shows evidence of ALF on a shorter time scale than previous studies, with a differential impact on recall and recognition. Chapter 3 builds upon the work in Chapter 2 by extending ALF time points and investigating the role of interictal epileptiform activity (IEA) in ALF. These findings lend support for distinct forgetting patterns between recall and recognition memory. We also demonstrate the contribution of hippocampal IEA during slow-wave sleep to this aberrant forgetting. Chapter 4 investigates the potential of intracranial stimulation to ameliorate IEA burden. Our findings suggest that stimulation does not appear to have a direct effect on IEA rate. Further studies are necessary to explore the potential of stimulation as a therapeutic tool outside of seizure cessation. Overall, this thesis provides further evidence and classification of long-term memory impairment in epilepsy and identifies a neural correlate that can be targeted for future clinical intervention

    Cyber Deception for Critical Infrastructure Resiliency

    The high connectivity of modern cyber networks and devices has brought many improvements to the functionality and efficiency of networked systems. Unfortunately, these benefits have come with many new entry points for attackers, making systems much more vulnerable to intrusions. Thus, it is critically important to protect cyber infrastructure against cyber attacks. The static nature of cyber infrastructure leads to adversaries performing reconnaissance activities and identifying potential threats. Threats related to software vulnerabilities can be mitigated upon discovering a vulnerability and developing and releasing a patch to remove the vulnerability. Unfortunately, the period between discovering a vulnerability and applying a patch is long, often lasting five months or more. These delays pose significant risks to the organization while many cyber networks are operational. This concern necessitates the development of an active defense system capable of thwarting cyber reconnaissance missions and mitigating the progression of the attacker through the network. Thus, my research investigates how to develop an efficient defense system to address these challenges. First, we proposed the framework to show how the defender can use the network of decoys along with the real network to introduce mistrust. However, another research problem, the defender’s choice of whether to save resources or spend more (number of decoys) resources in a resource-constrained system, needs to be addressed. We developed a Dynamic Deception System (DDS) that can assess various attacker types based on the attacker’s knowledge, aggression, and stealthiness level to decide whether the defender should spend or save resources. In our DDS, we leveraged Software Defined Networking (SDN) to differentiate the malicious traffic from the benign traffic to deter the cyber reconnaissance mission and redirect malicious traffic to the deception server. 
Experiments conducted on the prototype implementation of our DDS confirmed that the defender could decide whether to spend or save resources based on the attacker types and thwarted cyber reconnaissance mission. Next, we addressed the challenge of efficiently placing network decoys by predicting the most likely attack path in Multi-Stage Attacks (MSAs). MSAs are cyber security threats where the attack campaign is performed through several attack stages and adversarial lateral movement is one of the critical stages. Adversaries can laterally move into the network without raising an alert. To prevent lateral movement, we proposed an approach that combines reactive (graph analysis) and proactive (cyber deception technology) defense. The proposed approach is realized through two phases. The first phase predicts the most likely attack path based on Intrusion Detection System (IDS) alerts and network trace. The second phase determines the optimal deployment of decoy nodes along the predicted path. We employ transition probabilities in a Hidden Markov Model to predict the path. In the second phase, we utilize the predicted attack path to deploy decoy nodes. The evaluation results show that our approach can predict the most likely attack paths and thwart adversarial lateral movement

    AI-enabled modeling and monitoring of data-rich advanced manufacturing systems

    The infrastructure of cyber-physical systems (CPS) is based on a meta-concept of cybermanufacturing systems (CMS) that synchronizes the Industrial Internet of Things (IIoTs), Cloud Computing, Industrial Control Systems (ICSs), and Big Data analytics in manufacturing operations. Artificial Intelligence (AI) can be incorporated to make intelligent decisions in the day-to-day operations of CMS. Cyberattack spaces in AI-based cybermanufacturing operations pose significant challenges, including unauthorized modification of systems, loss of historical data, destructive malware, software malfunctioning, etc. However, a cybersecurity framework can be implemented to prevent unauthorized access, theft, damage, or other harmful attacks on electronic equipment, networks, and sensitive data. The five main cybersecurity framework steps are divided into procedures and countermeasure efforts, including identifying, protecting, detecting, responding, and recovering. Given the major challenges in AI-enabled cybermanufacturing systems, three research objectives are proposed in this dissertation by incorporating cybersecurity frameworks. The first research aims to detect the in-situ additive manufacturing (AM) process authentication problem using high-volume video streaming data. A side-channel monitoring approach based on an in-situ optical imaging system is established, and a tensor-based layer-wise texture descriptor is constructed to describe the observed printing path. Subsequently, multilinear principal component analysis (MPCA) is leveraged to reduce the dimension of the tensor-based texture descriptor, and low-dimensional features can be extracted for detecting attack-induced alterations. The second research work seeks to address the high-volume data stream problems in multi-channel sensor fusion for diverse bearing fault diagnosis. 
This second approach proposes a new multi-channel sensor fusion method by integrating acoustics and vibration signals with different sampling rates and limited training data. The frequency-domain tensor is decomposed by MPCA, resulting in low-dimensional process features for diverse bearing fault diagnosis by incorporating a Neural Network classifier. By linking the second proposed method, the third research endeavor is aligned to recovery systems of multi-channel sensing signals when a substantial amount of missing data exists due to sensor malfunction or transmission issues. This study has leveraged a fully Bayesian CANDECOMP/PARAFAC (FBCP) factorization method that enables the capture of multi-linear interaction (channels × signals) among latent factors of sensor signals and imputes missing entries based on observed signals

    Multi-scale navigation of large trace data: A survey

    Dynamic analysis through execution traces is frequently used to analyze the runtime behavior of software systems. However, tracing long running executions generates voluminous data, which are complicated to analyze and manage. Extracting interesting performance or correctness characteristics out of large traces of data from several processes and threads is a challenging task. Trace abstraction and visualization are potential solutions to alleviate this challenge. Several efforts have been made over the years in many subfields of computer science for trace data collection, maintenance, analysis, and visualization. Many analyses start with an inspection of an overview of the trace, before digging deeper and studying more focused and detailed data. These techniques are common and well supported in geographical information systems, automatically adjusting the level of details depending on the scale. However, most trace visualization tools operate at a single level of representation, which are not adequate to support multilevel analysis. Sophisticated techniques and heuristics are needed to address this problem. Multi-scale (multilevel) visualization with support for zoom and focus operations is an effective way to enable this kind of analysis. Considerable research and several surveys are proposed in the literature in the field of trace visualization. However, multi-scale visualization has yet received little attention. In this paper, we provide a survey and methodological structure for categorizing tools and techniques aiming at multi-scale abstraction and visualization of execution trace data and discuss the requirements and challenges faced to be able to meet evolving user demands

    The narrative of dream reports

    This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University. Two questions are addressed: 1) whether a dream is meaningful as a whole, or whether the scenes are separate and unconnected, and 2) whether dream images are an epiphenomenon of a functional physiological process of REM sleep, or whether they are akin to waking thought. Theories of REM sleep as a period of information-processing are reviewed. This is linked with work on the relationship between dreaming and creativity, and between memory and imagery. Because of the persuasive evidence that REM sleep is implicated in the consolidation of memories there is a review of recent work on neural associative network models of memory. Two theories of dreams based on these models are described, and predictions with regard to the above two questions are made. Psychological evidence of relevance to the neural network theories is extensively reviewed. These predictions are compared with those of the recent application of structuralism to the study of dreams, which is an extension from its usual field of mythology and anthropology. The different theories are tested against four nights of dreams recorded in a sleep lab. The analysis shows that not only do dreams concretise waking concerns as metaphors but that these concerns are depicted in oppositional terms, such as, for example, inside/outside or revolving/static. These oppositions are then permuted from one dream to the next until a resolution of the initial concern is achieved at the end of the night. An account of the use of the single case-study methodology in psychology is given, in addition to a replication of the analysis of one night's dreams by five independent judges. There is an examination of objections to the structuralist methodology, and of objections to the paradigm of multiple dream awakenings. 
The conclusion is drawn that dreams involve the unconscious dialectical step-by-step resolution of conflicts which to a great extent are consciously known to the subject. The similarity of dreams to day-dreams is explored, with the conclusion that the content of dreams is better explained by an account of metaphors we use when awake and by our daily concerns, than by reference to the physiology of REM sleep. It is emphasised that dreams can be meaningful even if they do not have a function. Ann Murray Award Fun