An empirical approach to modeling uncertainty in intrusion analysis
Master of Science, Department of Computing and Information Sciences, Xinming (Simon) Ou
A well-known problem in current intrusion detection tools is that they
create too many low-level alerts and system administrators find it
hard to cope with the huge volume. Also, when they have to combine
multiple sources of information to confirm an attack, there is a
dramatic increase in the complexity. Attackers use sophisticated
techniques to evade the detection and current system monitoring tools
can only observe the symptoms or effects of malicious activities.
When mingled with similar effects from normal or non-malicious
behavior they lead intrusion analysis to conclusions of varying
confidence and high false positive/negative rates.
In this thesis work we present an empirical approach to the problem of
modeling uncertainty where inferred security implications of low-level
observations are captured in a simple logical language augmented with
uncertainty tags. We have designed an automated reasoning process
that enables us to combine multiple sources of system monitoring data
and extract highly-confident attack traces from the numerous possible
interpretations of low-level observations. We have developed our
model empirically: the starting point was a true intrusion that
happened on a campus network we studied to capture the essence of the
human reasoning process that led to conclusions about the attack. We
then used a Datalog-like language to encode the model and a Prolog
system to carry out the reasoning process. Our model and reasoning
system reached the same conclusions as the human administrator on the
question of which machines were certainly compromised. We then
automatically generated the reasoning model needed for handling Snort
alerts from the natural-language descriptions in the Snort rule
repository, and developed a Snort add-on to analyze Snort alerts.
Keeping the reasoning model unchanged, we applied our reasoning system
to two third-party data sets and one production network. Our results
showed that the reasoning model is effective on these data sets as
well. We believe such an empirical approach has the potential to codify
the seemingly ad hoc human reasoning about uncertain events, and can
yield useful tools for automated intrusion analysis.
Malware in the Future? Forecasting of Analyst Detection of Cyber Events
There have been extensive efforts in government, academia, and industry to
anticipate, forecast, and mitigate cyber attacks. A common approach is
time-series forecasting of cyber attacks based on data from network telescopes,
honeypots, and automated intrusion detection/prevention systems. This research
has uncovered key insights such as systematicity in cyber attacks. Here, we
propose an alternate perspective of this problem by performing forecasting of
attacks that are analyst-detected and -verified occurrences of malware. We call
these instances of malware cyber event data. Specifically, our dataset was
analyst-detected incidents from a large operational Computer Security Service
Provider (CSSP) for the U.S. Department of Defense, which rarely relies only on
automated systems. Our data set consists of weekly counts of cyber events over
approximately seven years. Since all cyber events were validated by analysts,
our dataset is unlikely to have false positives which are often endemic in
other sources of data. Further, the higher-quality data could be used for a
number of purposes, including resource allocation, estimation of security resources, and the
development of effective risk-management strategies. We used a Bayesian State
Space Model for forecasting and found that events one week ahead could be
predicted. To quantify bursts, we used a Markov model. Our findings of
systematicity in analyst-detected cyber attacks are consistent with previous
work using other sources. The advanced information provided by a forecast may
help with threat awareness by providing a probable value and range for future
cyber events one week ahead. Other potential applications for cyber event
forecasting include proactive allocation of resources and capabilities for
cyber defense (e.g., analyst staffing and sensor configuration) in CSSPs.
Enhanced threat awareness may improve cybersecurity.
Comment: Revised version resubmitted to journal
Autonomic Parameter Tuning of Anomaly-Based IDSs: an SSH Case Study
Anomaly-based intrusion detection systems classify network traffic instances by comparing them with a model of the normal network behavior. To be effective, such systems are expected to precisely detect intrusions (high true positive rate) while limiting the number of false alarms (low false positive rate). However, there exists a natural trade-off between detecting all anomalies (at the expense of raising alarms too often) and missing anomalies (but not issuing any false alarms). The parameters of a detection system play a central role in this trade-off, since they determine how responsive the system is to an intrusion attempt. Despite the importance of properly tuning the system parameters, the literature has put little emphasis on the topic, and the task of adjusting such parameters is usually left to the expertise of the system manager or expert IT personnel. In this paper, we present an autonomic approach for tuning the parameters of anomaly-based intrusion detection systems in the case of SSH traffic. We propose a procedure that aims to automatically tune the system parameters and, by doing so, to optimize the system performance. We validate our approach by testing it on a flow-based probabilistic detection system for the detection of SSH attacks.
An Overview of Economic Approaches to Information Security Management
The increasing concerns of clients, particularly in online commerce, plus the impact of legislation on information security, have compelled companies to put more resources into information security. As a result, senior managers in many organizations are now expressing a much greater interest in information security. However, the largest body of research related to preventing breaches is technical, focusing on such issues as encryption and access control. In contrast, research related to the economic aspects of information security is small but rapidly growing. The goal of this technical note is twofold: i) to provide the reader with a structured overview of the economic approaches to information security and ii) to identify potential research directions.
Some considerations on coastal processes relevant to sea level rise
The effects of potential sea level rise on the shoreline and shore environment
have been briefly examined by considering the interactions between sea level rise and
relevant coastal processes. These interactions have been reviewed beginning with a
discussion of the need to reanalyze previous estimates of eustatic sea level rise and
compaction effects in water level measurement. This is followed by considerations on
sea level effects on coastal and estuarine tidal ranges, storm surge and water level
response, and interaction with natural and constructed shoreline features. The
desirability of reevaluating the well-known Bruun Rule for estimating shoreline recession
has been noted. The mechanics of ground and surface water intrusion with reference to
sea level rise are then reviewed. This is followed by sedimentary processes in the
estuaries including wetland response. Finally comments are included on some probable
effects of sea level rise on coastal ecosystems.
These interactions are complex and lead to shoreline evolution (under a sea level
rise) which is highly site-specific. Models which determine shoreline change on the
basis of inundation of terrestrial topography without considering relevant coastal
processes are likely to lead to erroneous shoreline scenarios, particularly where the
shoreline is composed of erodible sedimentary material.
With some exceptions, present day knowledge of shoreline response to hydrodynamic
forcing is inadequate for long-term quantitative predictions. A series of interrelated
basic and applied research issues must be addressed in the coming decades to
determine shoreline response to sea level change with an acceptable degree of
confidence. (PDF contains 189 pages.)
OS diversity for intrusion tolerance: Myth or reality?
One of the key benefits of using intrusion-tolerant systems is the possibility of ensuring correct behavior in the presence of attacks and intrusions. These security gains are directly dependent on the components exhibiting failure diversity. To what extent failure diversity is observed in practical deployment depends on how diverse the components that constitute the system are. In this paper we present a study with operating system (OS) vulnerability data from the NIST National Vulnerability Database. We have analyzed the vulnerabilities of 11 different OSes over a period of roughly 15 years, to check how many of these vulnerabilities occur in more than one OS. We found this number to be low for several combinations of OSes. Hence, our analysis provides a strong indication that building a system with diverse OSes may be a useful technique to improve its intrusion tolerance capabilities.
Game Theory Meets Network Security: A Tutorial at ACM CCS
The increasingly pervasive connectivity of today's information systems brings
up new challenges to security. Traditional security has come a long way
toward protecting well-defined goals such as confidentiality, integrity,
availability, and authenticity. However, with the growing sophistication of
attacks and the complexity of systems, protection using traditional
methods can be cost-prohibitive. A new perspective and a new theoretical
foundation are needed to understand security from a strategic and
decision-making perspective. Game theory provides a natural framework to
capture the adversarial and defensive interactions between an attacker and a
defender. It provides a quantitative assessment of security, prediction of
security outcomes, and a mechanism design tool that can enable
security-by-design and reverse the attacker's advantage. This tutorial provides
an overview of diverse methodologies from game theory, including games of
incomplete information, dynamic games, and mechanism design theory, to offer a
modern theoretic underpinning of a science of cybersecurity. The tutorial will
also discuss open problems and research challenges that the CCS community can
address and contribute to, with the objective of building a multidisciplinary bridge
between cybersecurity, economics, and game and decision theory.
Analysis of operating system diversity for intrusion tolerance
One of the key benefits of using intrusion-tolerant systems is the possibility of ensuring correct behavior in the presence of attacks and intrusions. These security gains are directly dependent on the components exhibiting failure diversity. To what extent failure diversity is observed in practical deployment depends on how diverse the components that constitute the system are. In this paper, we present a study with operating system (OS) vulnerability data from the NIST National Vulnerability Database (NVD). We have analyzed the vulnerabilities of 11 different OSs over a period of 18 years, to check how many of these vulnerabilities occur in more than one OS. We found this number to be low for several combinations of OSs. Hence, although there are a few caveats on the use of NVD data to support definitive conclusions, our analysis shows that by selecting appropriate OSs, one can preclude (or substantially reduce) common vulnerabilities from occurring in the replicas of the intrusion-tolerant system.